Filebeat field name collision with external prospectors?

ceekay · July 6, 2018, 1:36am

After working through issues with the new host object in Logstash errors after upgrading to filebeat-6.3.0 we've decided to go down the long road of namespacing our critical fields away from anything libbeat might put in the root in future.

However we've run in to an issue where nested fields with the same parent can't exist in both the main filebeat config and external prospector fragments.

E.g., using test_namespace as the parent object:

/etc/filebeat/filebeat.yml

filebeat:
  registry_file: /var/lib/filebeat/registry
  config.prospectors:
    enabled: true
    path: /etc/filebeat/conf.d/*.yml
fields:
  test_namespace.fqdn: civet.fqdn.xxxx
fields_under_root: true
output:
[...]

/etc/filebeat/conf.d/authlog.yml

- paths:
    - /var/log/auth.log
  type: log
  fields:
    test_namespace.container: syslog
  fields_under_root: true

Output

{
  "@timestamp": "2018-07-06T01:29:46.484Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "doc",
    "version": "6.3.0"
  },
  "prospector": {
    "type": "log"
  },
  "input": {
    "type": "log"
  },
  "test_namespace": {
    "container": "syslog"
  },
  "beat": {
    "hostname": "civet",
    "version": "6.3.0",
    "name": "civet"
  },
  "host": {
    "name": "civet"
  },
  "source": "/var/log/auth.log",
  "offset": 67832,
  "message": "[redacted]"
}

Note that test_namespace.fqdn from filebeat.yml is missing from the output. If I rename the parent object in either of the configs, filebeat outputs both fields.

Is there any way to solve this, or is this a bug?

adrisr · July 6, 2018, 10:17am

It does look like a bug to me, I will raise the issue.

I've found an ugly workaround, but probably not scalable if you have a lot of external prospectors.

in your prospector (same as before):

fields:
  test_namespace.container: syslog
  fields_under_root: true

in the main fields filebeat.yml use a different name:

fields:
  test_namespace_fqdn: civet.fqdn.xxxx # note the _ instead of .
  fields_under_root: true

then use a rename processor to move it into the required namespace:

processors:
- rename:
    fields:
     - from: 'test_namespace_fqdn'
       to: 'test_namespace.fqdn'
    ignore_missing: false
    fail_on_error: true

ceekay · July 6, 2018, 12:06pm

Thanks for the workaround, but if there's a fix coming, I'd rather wait. This is going to be packaged and automated so it all needs to be as clean as possible.

Do you have a link to the issue so I can subscribe to it?

adrisr · July 6, 2018, 12:51pm

Here's the issue https://github.com/elastic/beats/issues/7528

We are working on a fix, thanks for your report

system · August 3, 2018, 2:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Problem deleting fields or renaming (from filebeat) Logstash	7	2112	July 6, 2017
Beats Field Data Beats	9	1465	July 5, 2017
Problem to define multiples propsector with filebeat Beats filebeat	7	1686	July 5, 2017
Getting error unpacking config data: more than one namespace configured accessing 'output' (source:'/usr/local/etc/filebeat/filebeat.yml') Beats filebeat	3	2594	January 28, 2020
Prospector "fields" values being overwritten Beats filebeat	5	505	March 5, 2018

Filebeat field name collision with external prospectors?

Related topics