x-pack/filebeat/input/cel: add data stream identification to status updates

[efd6]

Proposed commit message

See title.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in ./changelog/fragments using the changelog tool.

Disruptive User Impact

Author's Checklist

• [ ]

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

[github-actions]

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

• run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[chemamartinez]

It looks good to me but I am missing something, is this data stream name expected to come from user config? I don't see it as an available option when configuring the input.

[efd6]

The config fields are populated by fleet. You can see this in this test diagnostic bundle pre-config snippet.

inputs:
    - data_stream:
        namespace: "91406"
      id: tcp-symantec-e5d6b11c-d85b-4344-83d5-3d981d2e1ebb
      meta:
        package:
            name: symantec_endpoint
            version: 2.20.0
      name: symantec_endpoint-log-91406
      package_policy_id: e5d6b11c-d85b-4344-83d5-3d981d2e1ebb
      revision: 1
      streams:
        - data_stream:
            dataset: symantec_endpoint.log
            type: logs
          fields:
            _conf:
                remove_mapped_fields: false
                tz_offset: UTC
          fields_under_root: true
          host: 0.0.0.0:9514
          id: tcp-symantec_endpoint.log-e5d6b11c-d85b-4344-83d5-3d981d2e1ebb
          max_message_size: 1 MiB
          publisher_pipeline:
            disable_host: true
          tags:
            - preserve_original_event
            - symantec-endpoint-log
            - forwarded
      type: tcp
      use_output: default

We are getting the value from inputs[0].streams[0].data_stream.dataset.

[github-actions]

@Mergifyio backport 8.19 9.1 9.2

[mergify]

backport 8.19 9.1 9.2

✅ Backports have been created

Details

• #47406 [8.19](backport #47229) x-pack/filebeat/input/cel: add data stream identification to status updates has been created for branch 8.19 but encountered conflicts
• #47407 [9.1](backport #47229) x-pack/filebeat/input/cel: add data stream identification to status updates has been created for branch 9.1 but encountered conflicts
• #47408 [9.2](backport #47229) x-pack/filebeat/input/cel: add data stream identification to status updates has been created for branch 9.2