APM capture body is broken after upgrading from 7.14.0 to 7.15.0

Ali_Nazemian · September 28, 2021, 4:49am

Since I have upgraded to APM server 7.15.0 (on Elastic cloud) when capture_body is enabled JSON body is stored in a single field. This is not different from the older versions. However, the value of JSON message stored is not normalized which means if there are any characters such as quotations in that field, it must be escaped. This is used to work in 7.14.x but seems to be broken after it's upgraded.

Example of an APM message in 7.14.0

{
  "http": {
    "request": {
      "method": "PUT",
      "body.original": "[{\"channel_id\":\"123456\",\"channel_name\":\"Test\",\"source_username\":null,\"url\":\"xyz.com\"}]"
    }
  }
}

Same message in 7.15.0:

{
  "http": {
    "request": {
      "method": "PUT",
      "body.original": """[{"channel_id":"123456","channel_name":"Test","source_username":null,"url":"xyz.com"}]"""
    }
  }
}

A workaround could be setting an ingest pipeline to process documents and escape all required characters but I am not sure which processor would give me that option.

P.S: I am using java-agent (1.26.0) with Spring boot 2.5.4

felixbarny · September 28, 2021, 6:13am

Where do you get that JSON from? Did you copy it from a query in Kibana?
I thing that's just a different way the JSON is quoted in the presentation layer to make it easier to ready or copy/paste. Note that in 7.15, the string starts with three quotes (""") this makes escaping the quotes in the JSON (\") unnecessary.
If you directly query Elasticsearch, I'd expect the same output as in 7.14.

Ali_Nazemian · September 28, 2021, 7:14am

I got JSON from query Elastic APM index directly (not using Kibana). The reason I am suspicious about this is that there is a separate ingest pipeline processor to parse JSON for body.original
, but that is not working so I thought this is because the String representation of that JSON field is not valid anymore.

PUT _ingest/pipeline/apm_parse_body
{
  "description": "Parse APM message body content",
  "processors": [
    {
      "json": {
        "if": "boolean originalIsMap = ctx.http?.request?.body?.original instanceof Map; ctx.http?.request?.body?.original != null  && ctx.http?.request?.body?.original != '[REDACTED]' && !originalIsMap",
        "field": "http.request.body.original"
      }
    }
  ]
}

felixbarny · September 28, 2021, 9:46am

I found out what the issue is.

In 7.15, there was a change (Consolidate model.HTTP and model.Http by axw · Pull Request #5764 · elastic/apm-server · GitHub) where the body.original field turned from a nested field to a dotted field.
This breaks ingest node pipelines where every field is expected to be nested. I'd consider this a bug in APM Server.

I have a workaround for you, though. You can use the dot_expander processor to convert the dotted field name into a nested one:

PUT _ingest/pipeline/apm_parse_body
{
  "description": "Parse APM message body content",
  "processors": [
    {
      "dot_expander": {
        "path": "http.request",
        "field": "body.original"
      }
    },
    {
      "json": {
        "if": "ctx.http?.request?.body?.original instanceof String && ctx.http?.request?.body?.original != '[REDACTED]'",
        "field": "http.request.body.original"
      }
    }
  ]
}
DELETE /apm-test?ignore_unavailable=true
POST /apm-test/_doc?pipeline=apm_parse_body&refresh=true
{
  "http": {
    "request": {
      "method": "PUT",
      "body": {
        "original": """[{"channel_id":"123456","channel_name":"Test","source_username":null,"url":"xyz.com"}]"""
      }
    }
  }
}
POST /apm-test/_doc?pipeline=apm_parse_body&refresh=true
{
  "http": {
    "request": {
      "method": "PUT",
      "body.original": """[{"channel_id":"123456","channel_name":"Test","source_username":null,"url":"xyz.com"}]"""
    }
  }
}
POST /apm-test/_search

felixbarny · September 28, 2021, 9:50am

I have created an APM Server issue for that: Dotted field `http.request.body.original` breaks ingest processors · Issue #6255 · elastic/apm-server · GitHub

Ali_Nazemian · September 28, 2021, 11:36am

Great. Thank you. I have checked the workaround and it's fine. I hope the main issue will be resolved soon so I can remove the dot_expander processor. Thanks for your help.

simitt · September 28, 2021, 2:45pm

Thanks for the investigation @felixbarny. I've put up a PR https://github.com/elastic/apm-server/pull/6256.

system · October 19, 2021, 10:46am

This topic was automatically closed 20 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Java apm agent doesn't capture text or json body APM java	6	550	February 20, 2023
Elastic APM sanitization on message body APM	8	1992	August 5, 2020
Apm Request Body Redacted APM java	3	323	April 15, 2024
Elastic APM is not displaying request.body for POST request for the content type-Application/JSON APM	4	3386	March 14, 2019
Capture_body is ignored APM	6	2665	August 14, 2018

APM capture body is broken after upgrading from 7.14.0 to 7.15.0

Related topics