Google_workspace poll loads of data

mkorayem · March 24, 2021, 6:44pm

Hi,
Using filebeat 7.12 and 7.11.2 google_workspace does not respect the var.initial_interval so it polls huge amount of data and also polls it multiple times confirmed from Google API dashboard too.

> |2021-03-24T20:32:54.452+0200|DEBUG|[input.httpjson-cursor]|v2/value_tpl.go:57|template execution failed: template: :1:9: executing  at <.cursor.last_execution_datetime>: map has no entry for key last_execution_datetime|{input_source: https://www.googleapis.com/admin/reports/v1/activity/users/USER_AT_DOMAIN/applications/admin, input_url: https://www.googleapis.com/admin/reports/v1/activity/users/USER_AT_DOMAIN/applications/admin}|
> |---|---|---|---|---|---|
> |2021-03-24T20:32:54.452+0200|DEBUG|[input.httpjson-cursor]|v2/value_tpl.go:60|template execution: falling back to default value|{input_source: https://www.googleapis.com/admin/reports/v1/activity/users/USER_AT_DOMAIN/applications/admin, input_url: https://www.googleapis.com/admin/reports/v1/activity/users/USER_AT_DOMAIN/applications/admin}|
> |2021-03-24T20:32:54.452+0200|DEBUG|[input.httpjson-cursor]|v2/value_tpl.go:57|template execution failed: template: :1:12: executing  at <now>: wrong type for value; expected string; got time.Time|{input_source: https://www.googleapis.com/admin/reports/v1/activity/users/USER_AT_DOMAIN/applications/admin, input_url: https://www.googleapis.com/admin/reports/v1/activity/users/USER_AT_DOMAIN/applications/admin}|
> |2021-03-24T20:32:54.452+0200|DEBUG|[input.httpjson-cursor]|v2/value_tpl.go:70|template execution: evaluated template |{input_source: https://www.googleapis.com/admin/reports/v1/activity/users/USER_AT_DOMAIN/applications/admin, input_url: https://www.googleapis.com/admin/reports/v1/activity/users/USER_AT_DOMAIN/applications/admin}|
> |2021-03-24T20:32:54.452+0200|DEBUG|[input.httpjson-cursor]|v2/value_tpl.go:70|template execution: evaluated template |{input_source: https://www.googleapis.com/admin/reports/v1/activity/users/USER_AT_DOMAIN/applications/admin, input_url: https://www.googleapis.com/admin/reports/v1/activity/users/USER_AT_DOMAIN/applications/admin}|
> |2021-03-24T20:32:54.452+0200|DEBUG|[input.httpjson-cursor]|v2/value_tpl.go:57|template execution failed: template: :1:16: executing  at <.last_response.body.nextPageToken>: map has no entry for key nextPageToken|{input_source: https://www.googleapis.com/admin/reports/v1/activity/users/USER_AT_DOMAIN/applications/admin, input_url: https://www.googleapis.com/admin/reports/v1/activity/users/USER_AT_DOMAIN/applications/admin}|
> |2021-03-24T20:32:54.452+0200|DEBUG|[input.httpjson-cursor]|v2/value_tpl.go:70|template execution: evaluated template |{input_source: https://www.googleapis.com/admin/reports/v1/activity/users/USER_AT_DOMAIN/applications/admin, input_url: https://www.googleapis.com/admin/reports/v1/activity/users/USER_AT_DOMAIN/applications/admin}|

mkorayem · March 28, 2021, 5:23pm

I tried the http-json input separately and it does not save the cursor last_execution_datetime

danmcq · March 31, 2021, 9:40pm

I'm seeing the same behavior with a clean install of Filebeat 7.12 and the google_workspace module.

theherodied · April 1, 2021, 1:22pm

Seeing the same behaviour. Ingesting the same events thousands of times.
Had one event 16,000 times before I checked and killed the input.

charlatan · April 13, 2021, 8:19pm

We're aye seeing the same thing. If you have 100,000 accounts in your domain with hundreds of millions of events over the six-month period, it can take days for a single pass to finish. We use fingerprint against the Google event ID to drop duplicates so we don't have huge indexes but the run-time is massively problematic since it doesn't respect the interval value.

Marius_Iversen · April 13, 2021, 11:33pm

Hey all! Thanks for the report on the issue, I will check this tomorrow and come back with a possible workaround while we work on a fix if we are able to reproduce the issue, seeing as many people have reported it, that should be quite likely.

The debug messages reported by @mkorayem is mostly just debug however, I do wonder if you are only getting this error once or not?:

|2021-03-24T20:32:54.452+0200|DEBUG|[input.httpjson-cursor]|v2/value_tpl.go:57|template execution failed: template: :1:9: executing at <.cursor.last_execution_datetime>: map has no entry for key last_execution_datetime|

The first time the beat runs, last_execution_datetime does not exist, because it retrieves this from the first response, and will then default back to the value you specify on initial_interval, however it seems that it either does not pick up the correct timestamp on the first response, or that it is stuck paginating the same page(s), which would explain the duplicate entries.

Marius_Iversen · April 14, 2021, 11:06am

Hey all, just to confirm, the fixes for this has been merged for 7.12.1 and 7.13, if anyone would want I can also provide a snapshot build of 7.12.1 if needed to test.

The relevant PRs:

github.com/elastic/beats

[filebeat] Use fail_on_template_error on google_workspace and okta pagination (bp #24967)

This is an automatic backport of pull request #24967 done by [Mergify](https://mergify.io). --- <details> <summary>Mergify commands and options</summary> <br /> More conditions and actions can be found in the [documentation](https://docs.mergify.io/). You can also trigger Mergify actions by commenting on this pull request: - `@Mergifyio refresh` will re-evaluate the rules - `@Mergifyio rebase` will rebase this PR on its base branch - `@Mergifyio update` will merge the base branch into this PR - `@Mergifyio backport <destination>` will backport this PR on `<destination>` branch Additionally, on Mergify [dashboard](https://dashboard.mergify.io/) you can: - look at your merge queues - generate the Mergify configuration with the config editor. Finally, you can contact us on https://mergify.io/ </details>

elastic:7.x ← elastic:mergify/bp/7.x/pr-24967

opened 08:46AM - 12 Apr 21 UTC

mergify[bot]

+8 -0

github.com/elastic/beats

[filebeat] Use fail_on_template_error on google_workspace and okta pagination (bp #24967)

This is an automatic backport of pull request #24967 done by [Mergify](https://mergify.io). --- <details> <summary>Mergify commands and options</summary> <br /> More conditions and actions can be found in the [documentation](https://docs.mergify.io/). You can also trigger Mergify actions by commenting on this pull request: - `@Mergifyio refresh` will re-evaluate the rules - `@Mergifyio rebase` will rebase this PR on its base branch - `@Mergifyio update` will merge the base branch into this PR - `@Mergifyio backport <destination>` will backport this PR on `<destination>` branch Additionally, on Mergify [dashboard](https://dashboard.mergify.io/) you can: - look at your merge queues - generate the Mergify configuration with the config editor. Finally, you can contact us on https://mergify.io/ </details>

elastic:7.12 ← elastic:mergify/bp/7.12/pr-24967

opened 08:48AM - 12 Apr 21 UTC

mergify[bot]

+8 -0

LiamSennitt · April 21, 2021, 8:07am

Yes, a snapshot build of 7.12.1 would be great.

Unless there is an earlier version of filebeat which has both the google_workspace and okta modules without this issue?

Marius_Iversen · April 24, 2021, 8:29am

Hi @LiamSennitt, I think the official one shouldn't be too far away now, if that is okay

charlatan · April 30, 2021, 8:00pm

Just a follow-up to this: the official build is available as of the 27th.

It's still not quite working correctly for us, I'll open a report in a new thread.

theherodied · May 1, 2021, 7:41pm

Please let us know the link to the new thread so I can follow it. Haven't had a chance to try the new version yet.

system · May 29, 2021, 9:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.