x-pack/filebeat/input/streaming: fix crowdstrike cursor handling#44548
Merged
efd6 merged 3 commits intoelastic:mainfrom Jun 12, 2025
Merged
x-pack/filebeat/input/streaming: fix crowdstrike cursor handling#44548efd6 merged 3 commits intoelastic:mainfrom
efd6 merged 3 commits intoelastic:mainfrom
Conversation
efd6
added
Filebeat
botelastic
bot
added
needs_team
Contributor
🤖 GitHub commentsExpand to view the GitHub comments
Just comment with:
|
efd6
force-pushed
the
44364-streaming_crowdstrike
branch
from
c717bfa to
1f5b338
Compare
Contributor
|
This pull request is now in conflicts. Could you fix it? 🙏 |
efd6
force-pushed
the
44364-streaming_crowdstrike
branch
from
1f5b338 to
32eaf5c
Compare
Contributor
|
This pull request is now in conflicts. Could you fix it? 🙏 |
efd6
force-pushed
the
44364-streaming_crowdstrike
branch
2 times, most recently
from
3888c60 to
0d534c1
Compare
Contributor
|
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
Contributor
|
This pull request is now in conflicts. Could you fix it? 🙏 |
bmorelli25
approved these changes
Jun 10, 2025
efd6
force-pushed
the
44364-streaming_crowdstrike
branch
from
8554d3b to
4674bdc
Compare
Contributor
|
This pull request is now in conflicts. Could you fix it? 🙏 |
efd6
force-pushed
the
44364-streaming_crowdstrike
branch
from
4674bdc to
e05f7de
Compare
Contributor
|
This pull request is now in conflicts. Could you fix it? 🙏 |
When the follower is given a non-singular set of resource descriptions, it incorrectly uses the offset obtained from the registry across all of the resources, and each of those resources' work loops writes their cursor updates to the same (incorrectly) shared offset. This results in cursor offset confusion. The fix here is to retain cursors for each of the resources, keyed on the dataFeedURL for each resource.
Previously we were mutating the name to include the query; keep the URL and use the retained version for the feed name. Otherwise we have unbounded dead feed cursors stored.
efd6
force-pushed
the
44364-streaming_crowdstrike
branch
from
e05f7de to
fcdc64a
Compare
andrewkroh
approved these changes
Jun 12, 2025
mergify bot
pushed a commit
that referenced
this pull request
Jun 12, 2025
) When the follower is given a non-singular set of resource descriptions, it incorrectly uses the offset obtained from the registry across all of the resources, and each of those resources' work loops writes their cursor updates to the same (incorrectly) shared offset. This results in cursor offset confusion. The fix here is to retain cursors for each of the resources, keyed on the dataFeedURL for each resource. (cherry picked from commit cdf2355) # Conflicts: # x-pack/filebeat/docs/inputs/input-streaming.asciidoc
Merged
6 tasks
mergify bot
pushed a commit
that referenced
this pull request
Jun 12, 2025
) When the follower is given a non-singular set of resource descriptions, it incorrectly uses the offset obtained from the registry across all of the resources, and each of those resources' work loops writes their cursor updates to the same (incorrectly) shared offset. This results in cursor offset confusion. The fix here is to retain cursors for each of the resources, keyed on the dataFeedURL for each resource. (cherry picked from commit cdf2355) # Conflicts: # x-pack/filebeat/docs/inputs/input-streaming.asciidoc
mergify bot
pushed a commit
that referenced
this pull request
Jun 12, 2025
) When the follower is given a non-singular set of resource descriptions, it incorrectly uses the offset obtained from the registry across all of the resources, and each of those resources' work loops writes their cursor updates to the same (incorrectly) shared offset. This results in cursor offset confusion. The fix here is to retain cursors for each of the resources, keyed on the dataFeedURL for each resource. (cherry picked from commit cdf2355)
This was referenced Jun 12, 2025
Merged
efd6
added a commit
to efd6/integrations
that referenced
this pull request
Jun 12, 2025
elastic/beats#44548 added support for multi-resource stream. This updates the CEL program that processes the events provided by the stream so that it is able to handle the new cursor structure. It is able to distinguish old agents from the new multi-resource aware agents by the presence of the feed field in state. When the agent is upgrade from the old state form to the new form, it is expected that the integration will recollect the existing data since the cursors are not compatible with each other.
efd6
added a commit
to efd6/integrations
that referenced
this pull request
Jun 12, 2025
elastic/beats#44548 added support for multi-resource stream. This updates the CEL program that processes the events provided by the stream so that it is able to handle the new cursor structure. It is able to distinguish old agents from the new multi-resource aware agents by the presence of the feed field in state. When the agent is upgrade from the old state form to the new form, it is expected that the integration will recollect the existing data since the cursors are not compatible with each other.
efd6
added a commit
that referenced
this pull request
Jun 12, 2025
) (#44768) When the follower is given a non-singular set of resource descriptions, it incorrectly uses the offset obtained from the registry across all of the resources, and each of those resources' work loops writes their cursor updates to the same (incorrectly) shared offset. This results in cursor offset confusion. The fix here is to retain cursors for each of the resources, keyed on the dataFeedURL for each resource. (cherry picked from commit cdf2355) Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
efd6
added a commit
that referenced
this pull request
Jun 12, 2025
…ike cursor handling (#44767) * x-pack/filebeat/input/streaming: fix crowdstrike cursor handling (#44548) When the follower is given a non-singular set of resource descriptions, it incorrectly uses the offset obtained from the registry across all of the resources, and each of those resources' work loops writes their cursor updates to the same (incorrectly) shared offset. This results in cursor offset confusion. The fix here is to retain cursors for each of the resources, keyed on the dataFeedURL for each resource. (cherry picked from commit cdf2355) # Conflicts: # x-pack/filebeat/docs/inputs/input-streaming.asciidoc * revert doc change for conflict resolution * reapply doc change to resolve conflict --------- Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
efd6
added a commit
that referenced
this pull request
Jun 12, 2025
…ike cursor handling (#44766) * x-pack/filebeat/input/streaming: fix crowdstrike cursor handling (#44548) When the follower is given a non-singular set of resource descriptions, it incorrectly uses the offset obtained from the registry across all of the resources, and each of those resources' work loops writes their cursor updates to the same (incorrectly) shared offset. This results in cursor offset confusion. The fix here is to retain cursors for each of the resources, keyed on the dataFeedURL for each resource. (cherry picked from commit cdf2355) # Conflicts: # x-pack/filebeat/docs/inputs/input-streaming.asciidoc * revert doc change for conflict resolution * reapply doc change to resolve conflict --------- Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
5 tasks
efd6
added a commit
to elastic/integrations
that referenced
this pull request
Jun 15, 2025
elastic/beats#44548 added support for multi-resource stream. This updates the CEL program that processes the events provided by the stream so that it is able to handle the new cursor structure. It is able to distinguish old agents from the new multi-resource aware agents by the presence of the feed field in state. When the agent is upgrade from the old state form to the new form, it is expected that the integration will recollect the existing data since the cursors are not compatible with each other.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Proposed commit message
Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Disruptive User Impact
Author's Checklist
How to test this PR locally
Related issues
Use cases
Screenshots
Logs