Elastic Agent failing to parse valid condition functions

BenB196 · December 18, 2023, 4:32pm

Hi,

I'm having an issue where if I try to run elastic-agent inspect with a policy that defines a condition with a function, I get an error, even if the function is valid.

Elastic Agent 8.11.3

Example:

Use the Kubernetes integration with the Container Logs enabled. Set the condition for that input to:

startsWith(${kubernetes.container.image}, 'docker.com') != true

Run elastic-agent inspect

Get the error:

Error: expected ',' when parsing 'startsWith(${kubernetes.container.image}, 'docker.com') != true' accessing 'inputs.6'
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.11/fleet-troubleshooting.html

Anyone have any ideas?

Note: The Elastic Agent does seem to parse and use the conditions correctly.

Priscilla_Parodi · January 9, 2024, 10:01pm

Hello @BenB196,

Have you debugged the generated config?

BenB196 · January 9, 2024, 11:37pm

HI @Priscilla_Parodi, yes, the config is valid. I ended up opening a support case for this issue. Support was able to reproduce and have escalated to the development team. I'm currently awaiting a response on the case regarding the dev team's finding.

stephenb · January 10, 2024, 1:00am

Hi @BenB196

Silly question Did you try "s

"docker.com"

Because I believe that condition gets embedded inside single quotes... So I think perhaps those single quotes are ending the condition prematurely

BenB196 · January 10, 2024, 11:17am

Hi @stephenb no such thing as a silly question, but yep, tried a few different ways:

startsWith(${kubernetes.container.image}, 'docker.com') != true
startsWith(${kubernetes.container.image}, "docker.com") != true
startsWith("${kubernetes.container.image}", 'docker.com') != true
startsWith("${kubernetes.container.image}", "docker.com") != true

All produced a similar error complaining about the ,.

stephenb · January 10, 2024, 3:54pm

@BenB196

1st Which / Where / What part are you adding the condition? Curious. can you show?

2nd, you can see the manifest pretty easily with the Preview API Request button at the bottom right of the Settings Screen

3rd Looking at the actual request, I think now think (sure) single quotes are correct.

So, this is working for me...as a simple test... It is filtering the pod logs as described.

startsWith(${kubernetes.pod.name}, 'my-otel-demo-c') == true

    "container-logs-filestream": {
      "enabled": true,
      "streams": {
        "kubernetes.container_logs": {
          "enabled": true,
          "vars": {
            "containerParserFormat": "auto",
            "condition": "startsWith(${kubernetes.pod.name}, 'my-otel-demo-c') == true",
            "paths": [
              "/var/log/containers/*${kubernetes.container.id}.log"
            ],

Can you show the preview of your request for that condition / part etc?

BenB196 · January 10, 2024, 6:05pm

Hi @stephenb your example is actually the same implementation as mine. The issue you'll run into is on that Elastic Agent which has that policy applied to it, try to run the command elastic-agent inspect, you will see that you get the error. The Elastic Agent is able to properly read/parse/use the condition and gather data as expected, however any sort of Elastic Agent CLI command inspect/uninstall/etc... all fail with the error.

stephenb · January 10, 2024, 6:27pm

@BenB196

Ahhh sorry I missed that .. I thought you meant it was not working at all... but you are saying inspect CLI commands do not work.

I see the same... interesting... definitely a bug....

BenB196 · January 12, 2024, 1:34am

Circling back here, Elastic support/devs were able to confirm that this was a bug and opened ucfg `Value` parses `.` in strings, breaking upstream Conditional statements in config · Issue #196 · elastic/go-ucfg · GitHub

system · February 9, 2024, 1:35am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.