From d15d3405a9863ae7866a751c58f27c825f0048f6 Mon Sep 17 00:00:00 2001
From: Maurizio Branca
Date: Tue, 7 Feb 2023 15:44:49 +0100
Subject: [PATCH] [Azure Logs] Replace foreach+set combo with a script processor (#34478)

* Replace foreach+set combo with a script processor

The `set` processor expands the dots contained in the field name into subfield. Sometimes attributes contained in `authentication_processing_details` have dots, for example:

# source
{"key": "a.b.c", "value": true}

In such cases, the `set` processor would turn it into:

# this is a side-effect
{ "a": { "b": { "c": true } } }

Instead of:

# this is the expected result
{"a.b.c": True}

* Update changelog
---
 CHANGELOG.next.asciidoc | 1 +
 .../azure/signinlogs/ingest/pipeline.yml | 24 ++++++++-----------
 2 files changed, 11 insertions(+), 14 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 3382cb2822fb..7b461c32d114 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -85,6 +85,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 - [google_workspace] Fix pagination and cursor value update. {pull}34274[34274]
 - Fix handling of quoted values in auditd module. {issue}22587[22587] {pull}34069[34069]
 - Fixing system tests not returning expected content encoding for azure blob storage input. {pull}34412[34412]
+- [Azure Logs] Fix authentication_processing_details parsing in sign-in logs. {issue}34330[34330] {pull}34478[34478]
 
 *Heartbeat*
 
diff --git a/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml b/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml
index 04d614ed132d..3a34337f35a6 100644
--- a/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml
@@ -174,20 +174,16 @@ processors:
       field:
         - azure.signinlogs.properties.location
       ignore_missing: true
-  - foreach:
-      field: azure.signinlogs.properties.authentication_processing_details
-      ignore_missing: true
-      processor:
-        set:
-          field: '_tmp.{{{_ingest._value.key}}}'
-          copy_from: _ingest._value.value
-  - set:
-      if: ctx?._tmp != null
-      field: azure.signinlogs.properties.authentication_processing_details
-      copy_from: _tmp
-  - remove:
-      field: _tmp
-      ignore_missing: true
+  - script:
+      description: "Turns the authentication_processing_details array elements into key/value pairs. For example, the array element ``{key: 'key1', value: 'value1'}`` becomes ``{key1: 'value1'}``."
+      lang: painless
+      source: |
+        def tmp = [:];
+        for (item in ctx.azure.signinlogs.properties.authentication_processing_details) {
+          tmp[item.key] = item.value;
+        }
+        ctx.azure.signinlogs.properties.authentication_processing_details = tmp;
+      if: ctx.azure?.signinlogs?.properties?.authentication_processing_details != null && ctx.azure.signinlogs.properties.authentication_processing_details instanceof List
   - set:
       field: event.kind
       value: event
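Review bot: The loop body `tmp[item.key] = item.value;` in the new script assumes every array element is a map carrying `key` and `value`; the `if` condition only checks that the field is a List, so an element that is a string, null, or a map without `key` throws a script exception and fails the whole document unless a pipeline-level `on_failure` handler (not visible in this hunk) catches it. A per-element guard keeps the processor tolerant of malformed log input: `if (item instanceof Map && item.key != null) { tmp[item.key] = item.value; }`. Duplicate keys silently overwrite earlier values (last element wins), which the removed foreach+set combination presumably also did, but it is worth stating in the `description` so readers know an attribute can be lost. The `processors:` list continues on both sides of this hunk.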