Add field to Elastic Agent

I noticed that Elastic Agent does not populate the ECS field organization.name, so, following the documentation, I tried to create a pipeline like this:

POST /_ingest/pipeline/_simulate
{
  "pipeline": {
    "processors": [
      {
        "set": {
          "if": "ctx.data_stream?.namespace == 'test01'",
          "field": "organization.name",
          "value": "TEST01",
          "override": true,
          "ignore_failure": true
        }
      },
      {
        "set": {
          "if": "ctx.data_stream?.namespace == 'test02'",
          "field": "organization.name",
          "value": "TEST02",
          "override": true,
          "ignore_failure": true
        }
      }
    ]
  },
  "docs": [
    {
      "_index": "index",
      "_id": "id",
      "_source": {
        "data_stream":
        {"namespace": "test01"
        },
        "organization.name": "no-one"
      }
    }
  ]
}

and this is the result:

{
  "docs": [
    {
      "doc": {
        "_index": "index",
        "_version": "-3",
        "_id": "id",
        "_source": {
          "organization.name": "no-one",
          "data_stream": {
            "namespace": "test01"
          },
          "organization": {
            "name": "TEST01"
          }
        },
        "_ingest": {
          "timestamp": "2023-12-29T20:05:03.990779828Z"
        }
      }
    }
  ]
}

I have two values:

"organization.name": "no-one"

and

          "organization": {
            "name": "TEST01"
          }

I expected only one value, "organization.name". How can I set the value of "organization.name" in the correct way?

Hi @Crazyworlds Welcome to the community.

This is JSON stuff... :slight_smile:

This is because these two JSON documents are not equivalent.
(What makes matters worse is that, typically, you can access fields with the short-hand dot notation, but mostly you need to write the JSON with the sub-object to get what you want.)

POST discuss-test/_doc
{
  "organization.name": "soso-json-with-just-dot-in-field-name"
}

POST discuss-test/_doc
{
  "organization": {
    "name": "good-json-with-sub-object"
  }
}

What also makes this a bit more confusing is that when you use ingest pipelines to set fields like

        "set": {
          "if": "ctx.data_stream?.namespace == 'test01'",
          "field": "organization.name",

Elasticsearch will always create the sub-object version, as that is what Elasticsearch "likes" to work with.

This will fix the issue:

POST /_ingest/pipeline/_simulate
{
  "pipeline": {
    "processors": [
      {
        "dot_expander": {
          "field": "organization.name"
        }
      },
      {
        "set": {
          "if": "ctx.data_stream?.namespace == 'test01'",
          "field": "organization.name",
          "value": "TEST01",
          "override": true,
          "ignore_failure": true
        }
      },
      {
        "set": {
          "if": "ctx.data_stream?.namespace == 'test02'",
          "field": "organization.name",
          "value": "TEST02",
          "override": true,
          "ignore_failure": true
        }
      }
    ]
  },
  "docs": [
    {
      "_index": "index",
      "_id": "id",
      "_source": {
        "data_stream": {
          "namespace": "test01"
        },
        "organization.name": "no-one"
      }
    }
  ]
}
# Result

{
  "docs": [
    {
      "doc": {
        "_index": "index",
        "_version": "-3",
        "_id": "id",
        "_source": {
          "data_stream": {
            "namespace": "test01"
          },
          "organization": {
            "name": "TEST01"
          }
        },
        "_ingest": {
          "timestamp": "2023-12-30T17:19:47.328570187Z"
        }
      }
    }
  ]
}

But your original should really be...

POST /_ingest/pipeline/_simulate
{
  "pipeline": {
    "processors": [
      {
        "set": {
          "if": "ctx.data_stream?.namespace == 'test01'",
          "field": "organization.name",
          "value": "TEST01",
          "override": true,
          "ignore_failure": true
        }
      },
      {
        "set": {
          "if": "ctx.data_stream?.namespace == 'test02'",
          "field": "organization.name",
          "value": "TEST02",
          "override": true,
          "ignore_failure": true
        }
      }
    ]
  },
  "docs": [
    {
      "_index": "index",
      "_id": "id",
      "_source": {
        "data_stream": {
          "namespace": "test01"
        },
        "organization": {
          "name": "no-one"
        }
      }
    }
  ]
}

# Result

{
  "docs": [
    {
      "doc": {
        "_index": "index",
        "_version": "-3",
        "_id": "id",
        "_source": {
          "data_stream": {
            "namespace": "test01"
          },
          "organization": {
            "name": "TEST01"
          }
        },
        "_ingest": {
          "timestamp": "2023-12-30T17:24:20.686858301Z"
        }
      }
    }
  ]
}
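The behaviour the answer above describes (a `set` on the dotted path `organization.name` always writes the nested sub-object and leaves a literal `"organization.name"` key untouched, while `dot_expander` folds that literal key into the sub-object first) can be reproduced offline. The following is an added example, not code from the thread or from Elasticsearch itself: it models just enough of the `set` and `dot_expander` ingest processors in plain Python to show why the original pipeline yields two values and the corrected one yields one. The Painless `if` conditions are modelled as Python callables, and the sample document is constructed from the one in the question; both are assumptions of this example.

```python
"""Minimal model of the ingest `set` and `dot_expander` processors (added example,
not Elasticsearch code). Only the behaviour needed for this thread is modelled:
  - `set` with a dotted `field` walks or creates the nested path (ctx.organization.name)
    and never touches a literal top-level key named "organization.name";
  - `dot_expander` moves a literal dotted key into that nested path;
  - the Painless `if` is replaced by a Python callable (assumption of this example).
"""
import copy


def set_processor(doc, field, value, condition=None, override=True):
    """Model of `set`: write `value` at the nested path spelled by `field`."""
    if condition is not None and not condition(doc):
        return doc
    *parents, leaf = field.split(".")
    node = doc
    for key in parents:
        node = node.setdefault(key, {})
    if override or leaf not in node:
        node[leaf] = value
    return doc


def dot_expander(doc, field):
    """Model of `dot_expander`: turn the literal key "a.b" into {"a": {"b": ...}}."""
    if field not in doc:
        return doc
    value = doc.pop(field)
    return set_processor(doc, field, value)


def namespace_is(name):
    """Stand-in for the Painless condition ctx.data_stream?.namespace == '<name>'."""
    return lambda doc: doc.get("data_stream", {}).get("namespace") == name


def run_pipeline(doc, processors):
    """Apply processors in order to a copy of the document, like one ingest pipeline."""
    doc = copy.deepcopy(doc)
    for proc in processors:
        doc = proc(doc)
    return doc


# Constructed sample, mirroring the _simulate document in the question.
ORIGINAL_DOC = {"data_stream": {"namespace": "test01"}, "organization.name": "no-one"}


def original_pipeline(doc):
    """The pipeline from the question: two conditional `set` processors, no expansion."""
    return run_pipeline(doc, [
        lambda d: set_processor(d, "organization.name", "TEST01", namespace_is("test01")),
        lambda d: set_processor(d, "organization.name", "TEST02", namespace_is("test02")),
    ])


def fixed_pipeline(doc):
    """The corrected pipeline: `dot_expander` first, then the same two `set` processors."""
    return run_pipeline(doc, [
        lambda d: dot_expander(d, "organization.name"),
        lambda d: set_processor(d, "organization.name", "TEST01", namespace_is("test01")),
        lambda d: set_processor(d, "organization.name", "TEST02", namespace_is("test02")),
    ])


def count_organization_names(doc):
    """How many places in the document carry an organization name (the "two values")."""
    literal = 1 if "organization.name" in doc else 0
    nested = 1 if "name" in doc.get("organization", {}) else 0
    return literal + nested


if __name__ == "__main__":
    print("original:", original_pipeline(ORIGINAL_DOC))
    print("fixed:   ", fixed_pipeline(ORIGINAL_DOC))
```

Running it shows the same split as the two `_simulate` results above: the original pipeline leaves `"organization.name": "no-one"` next to `"organization": {"name": "TEST01"}`, and the `dot_expander` variant leaves only the nested value. It also covers the case the thread does not show, a namespace that matches neither condition, where `dot_expander` still normalises the literal key so the document ends up with exactly one `organization.name` rather than a mix of shapes across namespaces.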

Thanks, I attached the ingest pipeline to the index template, via the package, and now "organization.name" is included in all docs.

