Add filed to Elastic Agentedit

Crazyworlds · December 29, 2023, 8:12pm

I notice that Elastic Agent does not populate the ecs filed organization.name and for this, following the documentation I try to create a pipiline as this:

POST /_ingest/pipeline/_simulate
{
  "pipeline" :
{
  "processors": [
    {
      "set": {
        "if":"ctx.data_stream?.namespace == 'test01'",
        "field": "organization.name" ,
        "value": "TEST01",
        "override": true,
        "ignore_failure": true
      }
    },
    {
      "set": {
        "if":"ctx.data_stream?.namespace == 'test02'",
        "field": "organization.name",
        "value": "TEST02",
        "override": true,
        "ignore_failure": true
      }
    }
  ]
},
  "docs": [
    {
      "_index": "index",
      "_id": "id",
      "_source": {
        "data_stream":
        {"namespace": "test01"
        },
        "organization.name": "no-one"
      }
    }
  ]
}

and thi is the result:

{
  "docs": [
    {
      "doc": {
        "_index": "index",
        "_version": "-3",
        "_id": "id",
        "_source": {
          "organization.name": "no-one",
          "data_stream": {
            "namespace": "test01"
          },
          "organization": {
            "name": "TEST01"
          }
        },
        "_ingest": {
          "timestamp": "2023-12-29T20:05:03.990779828Z"
        }
      }
    }
  ]
}

I have two value :

"organization.name": "no-one"

and

          "organization": {
            "name": "TEST01"
          }

I expected only one value "organization.name". How can I st, in the correct way, the value of "organization.name"

stephenb · December 30, 2023, 5:25pm

Hi @Crazyworlds Welcome to the community.

This is JSON stuff...

This is because these JSONs are not equivalent.
(What makes matters worse is typically, you can access fields with the short-hand dot but mostly, you need to write JSON with the subobject to get what you want)

POST discuss-test/_doc
{
  "organization.name": "soso-json-with-jsut-dot-in-field-name",
}

POST discuss-test/_doc
{
  "organization": {
    "name": "good-json-with-sub-object"
  }
}

What also makes this a bit more confusing that when you use ingest pipelines to set fields like

        "set": {
          "if": "ctx.data_stream?.namespace == 'test01'",
          "field": "organization.name",

Elastic will always create the sub-object version as that is what elasticsearch "likes" to work with

This will fix the issue ..,

POST /_ingest/pipeline/_simulate
{
  "pipeline": {
    "processors": [
      {
        "dot_expander": {
          "field": "organization.name"
        }
      },
      {
        "set": {
          "if": "ctx.data_stream?.namespace == 'test01'",
          "field": "organization.name",
          "value": "TEST01",
          "override": true,
          "ignore_failure": true
        }
      },
      {
        "set": {
          "if": "ctx.data_stream?.namespace == 'test02'",
          "field": "organization.name",
          "value": "TEST02",
          "override": true,
          "ignore_failure": true
        }
      }
    ]
  },
  "docs": [
    {
      "_index": "index",
      "_id": "id",
      "_source": {
        "data_stream": {
          "namespace": "test01"
        },
        "organization.name": "no-one"
      }
    }
  ]
}
# Result

{
  "docs": [
    {
      "doc": {
        "_index": "index",
        "_version": "-3",
        "_id": "id",
        "_source": {
          "data_stream": {
            "namespace": "test01"
          },
          "organization": {
            "name": "TEST01"
          }
        },
        "_ingest": {
          "timestamp": "2023-12-30T17:19:47.328570187Z"
        }
      }
    }
  ]
}

But your original should really be...

POST /_ingest/pipeline/_simulate
{
  "pipeline": {
    "processors": [
      {
        "set": {
          "if": "ctx.data_stream?.namespace == 'test01'",
          "field": "organization.name",
          "value": "TEST01",
          "override": true,
          "ignore_failure": true
        }
      },
      {
        "set": {
          "if": "ctx.data_stream?.namespace == 'test02'",
          "field": "organization.name",
          "value": "TEST02",
          "override": true,
          "ignore_failure": true
        }
      }
    ]
  },
  "docs": [
    {
      "_index": "index",
      "_id": "id",
      "_source": {
        "data_stream": {
          "namespace": "test01"
        },
        "organization": {
          "name": "no-one"
        }
      }
    }
  ]
}

# Result

{
  "docs": [
    {
      "doc": {
        "_index": "index",
        "_version": "-3",
        "_id": "id",
        "_source": {
          "data_stream": {
            "namespace": "test01"
          },
          "organization": {
            "name": "TEST01"
          }
        },
        "_ingest": {
          "timestamp": "2023-12-30T17:24:20.686858301Z"
        }
      }
    }
  ]
}

Crazyworlds · January 3, 2024, 2:03pm

Thanks, I attach the ingress pipeline to index template, via package, and now the "organization.name" is included on all docs.

system · January 31, 2024, 2:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Issue with ingest pipeline Kibana painless	19	619	November 7, 2023
Elasticsearch ingest pipeline - on failure field removal problem Elasticsearch	1	365	February 18, 2020
Elasticsearch output for Elastic Agent - adding an ingest pipeline Beats elastic-agent , ingest-pipeline	5	2951	December 23, 2020
Elastic JSON Processor Error: `cannot add non-map fields to root of document` Elasticsearch ingest-pipeline	6	810	September 13, 2023
Ingestion pipeline dynamically creates empty object upon nested JSON Elasticsearch	3	335	January 3, 2023

Add filed to Elastic Agentedit

Related topics