
[filebeat] azure module: guard event.original rename to prevent duplicate field error#51271

Merged
zmoog merged 2 commits into main from worktree-fix+azure-module-event-original-guard on Jun 16, 2026

Conversation

@zmoog (Contributor) commented Jun 15, 2026

Summary

  • All four Azure module ingest pipelines (activitylogs, auditlogs, platformlogs, signinlogs) had an unconditional rename: message → event.original processor.
  • Elasticsearch's rename processor throws "field [event.original] already exists" when the field is already populated — e.g. when running under Elastic Agent (whose base pipeline pre-sets event.original), when a custom @custom pipeline runs first, or during re-indexing.
  • Fix: add if: 'ctx.event?.original == null' guard to each rename, plus a follow-up remove: message, ignore_missing: true to ensure message is always cleaned up regardless of which path was taken (three of the four pipelines have subsequent processors that rename other fields into message, which would fail if the original message field remained).

Mirrors the fix applied to the Elastic Agent azure integration in elastic/integrations#5361.

Test plan

  • Run existing pipeline unit tests: mage -d x-pack/filebeat filebeatIntegTest (or the equivalent module test target for the azure module)
  • Verify pipeline tests for all four sub-modules still pass (.log-expected.json fixtures should remain unchanged since the normal path — event.original not pre-set — is unaffected)
  • Manually verify with an Elasticsearch ingest pipeline simulate API call that sets event.original before running the pipeline, confirming no error is thrown
  • Verify the re-indexing scenario: run the pipeline on a document that already has event.original set

🤖 Generated with Claude Code

…te field error

All four Azure module ingest pipelines (activitylogs, auditlogs,
platformlogs, signinlogs) used an unconditional rename processor to move
`message` to `event.original`. Elasticsearch's rename processor throws
"field [event.original] already exists" when the target field is already
populated.

This happens when a global or base pipeline (e.g. Elastic Agent's managed
pipeline, a custom @Custom pipeline, or a user-configured copy_fields
processor) has already set event.original before the module pipeline runs,
and also during re-indexing of already-processed documents.

Fix: add `if: 'ctx.event?.original == null'` to each rename, and follow it
with `remove: message, ignore_missing: true` so the message field is always
cleaned up — whether it was renamed (no-op remove) or skipped (explicit
remove). The latter is needed because activitylogs, platformlogs, and
signinlogs all have subsequent processors that rename other fields into
`message`, which would fail if the original message field were still present.

Mirrors the fix applied to the Elastic Agent azure integration in
elastic/integrations#5361.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
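The guard-plus-remove logic from the description and commit message above, as an added example that is not code from the beats repository or from this PR: a small Python model of the three ingest processor behaviours the fix relies on (rename fails when its target is populated, an `if` condition skips a processor, remove with ignore_missing is a no-op on an absent field), run over two constructed documents, one normal and one whose event.original was pre-set. The `azure.summary` field standing in for the per-module field later renamed into `message`, the sample documents and the helper names are assumptions made for the example; `simulate_request_body` only builds the `_simulate` request body and does not call Elasticsearch.

```python
"""Offline model of the Azure module event.original fix (added example).

Painless `if` scripts are modelled as Python callables. Only the rename and
remove behaviours the PR depends on are implemented.
"""
import copy


class IngestError(Exception):
    """Stands in for the exception an Elasticsearch processor raises."""


def _walk(doc, path, create=False):
    """Return (parent dict, leaf key) for a dotted path, or (None, leaf)."""
    *parents, leaf = path.split(".")
    cur = doc
    for part in parents:
        cur = cur.setdefault(part, {}) if create else cur.get(part)
        if not isinstance(cur, dict):
            return None, leaf
    return cur, leaf


def _get(doc, path):
    parent, leaf = _walk(doc, path)
    return parent.get(leaf) if parent is not None else None


def _set(doc, path, value):
    parent, leaf = _walk(doc, path, create=True)
    parent[leaf] = value


def _pop(doc, path):
    parent, leaf = _walk(doc, path)
    return parent.pop(leaf, None) if parent is not None else None


def event_original_is_null(ctx):
    """Python form of the Painless guard `ctx.event?.original == null`."""
    return _get(ctx, "event.original") is None


def run_pipeline(processors, doc):
    """Apply processors in order to a copy of doc; raise IngestError on failure."""
    ctx = copy.deepcopy(doc)
    for proc in processors:
        (kind, opts), = proc.items()
        if opts.get("if") is not None and not opts["if"](ctx):
            continue  # `if` evaluated false: processor skipped, as in ES
        present = _get(ctx, opts["field"]) is not None
        if not present and opts.get("ignore_missing"):
            continue
        if not present:
            raise IngestError(f"field [{opts['field']}] doesn't exist")
        if kind == "remove":
            _pop(ctx, opts["field"])
        elif kind == "rename":
            if _get(ctx, opts["target_field"]) is not None:
                raise IngestError(f"field [{opts['target_field']}] already exists")
            _set(ctx, opts["target_field"], _pop(ctx, opts["field"]))
        else:
            raise IngestError(f"unsupported processor [{kind}]")
    return ctx


# Hypothetical later step: each module pipeline renames some field into
# `message`; the real source field differs per module and is not on the PR page.
DOWNSTREAM = {"rename": {"field": "azure.summary", "target_field": "message",
                         "ignore_missing": True}}
RENAME = {"rename": {"field": "message", "target_field": "event.original"}}
GUARDED_RENAME = {"rename": {**RENAME["rename"], "if": event_original_is_null}}
REMOVE_MESSAGE = {"remove": {"field": "message", "ignore_missing": True}}
BEFORE = [RENAME, DOWNSTREAM]                        # pre-fix pipeline
GUARD_ONLY = [GUARDED_RENAME, DOWNSTREAM]            # guard without the remove
AFTER = [GUARDED_RENAME, REMOVE_MESSAGE, DOWNSTREAM]  # the PR's shape

# Constructed sample documents: a normal event and one whose event.original
# was already set by an earlier pipeline (Agent base pipeline, @custom, reindex).
RAW = '{"operationName":"Microsoft.Compute/virtualMachines/start/action"}'
NORMAL_DOC = {"message": RAW, "azure": {"summary": "VM started"}}
PRESET_DOC = {"message": RAW, "event": {"original": RAW},
              "azure": {"summary": "VM started"}}


def failure_message(processors, doc):
    """Return the error text a pipeline raises on doc, or None if it succeeds."""
    try:
        run_pipeline(processors, doc)
    except IngestError as exc:
        return str(exc)
    return None


def simulate_request_body(processors, docs):
    """Body for `POST _ingest/pipeline/_simulate`, with the Python guard
    rendered back to the Painless source the PR adds."""
    rendered = []
    for proc in processors:
        (kind, opts), = proc.items()
        opts = dict(opts)
        if opts.get("if") is event_original_is_null:
            opts["if"] = "ctx.event?.original == null"
        rendered.append({kind: opts})
    return {"pipeline": {"processors": rendered},
            "docs": [{"_source": d} for d in docs]}
```

Running `failure_message` over the three pipelines shows the unguarded rename failing with `field [event.original] already exists` on the pre-set document, the guard alone only moving the failure to the later rename into `message` (`field [message] already exists`), and guard plus remove succeeding on both documents with `message` always cleaned up. The dict returned by `simulate_request_body(AFTER, [NORMAL_DOC, PRESET_DOC])` can be sent to `_ingest/pipeline/_simulate` to confirm the same outcome against a real cluster, as the test plan describes.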
botelastic (bot) added the needs_team label (Indicates that the issue/PR needs a Team:* label) Jun 15, 2026
coderabbitai (bot) commented Jun 15, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 3bc60cc and 11f7f82.

📒 Files selected for processing (5)
  • changelog/fragments/1781544098-filebeat-azure-event-original-guard.yaml
  • x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml
  • x-pack/filebeat/module/azure/auditlogs/ingest/pipeline.yml
  • x-pack/filebeat/module/azure/platformlogs/ingest/pipeline.yml
  • x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml

Walkthrough

Four Azure Filebeat ingest pipelines (activitylogs, auditlogs, platformlogs, signinlogs) are updated to guard the message → event.original rename. In the first three pipelines, a conditional remove processor deletes message (with ignore_missing: true) when ctx.event?.original is null. In signinlogs, the existing rename processor gains an if guard for the same null check, plus a new remove processor cleans up message when event.original is already populated. A changelog fragment documenting this bug fix is also added.


@mergify mergify Bot assigned zmoog Jun 15, 2026
mergify (bot) commented Jun 15, 2026

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @zmoog? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.
zmoog added the Team:obs-ds-hosted-services (Observability Hosted Services team), bugfix and input:azure-eventhub labels Jun 15, 2026
botelastic (bot) removed the needs_team label Jun 15, 2026
zmoog added the backport-active-all label (automated backport with mergify to all the active branches) Jun 15, 2026
@zmoog zmoog marked this pull request as ready for review June 15, 2026 17:35
@zmoog zmoog requested a review from a team as a code owner June 15, 2026 17:35
infra-vault-gh-plugin-prod (bot) commented:

Pinging @elastic/obs-ds-hosted-services (Team:obs-ds-hosted-services)

@MichaelKatsoulis (Contributor) left a comment:

LGTM

@zmoog zmoog merged commit 80129e8 into main Jun 16, 2026
39 checks passed
@zmoog zmoog deleted the worktree-fix+azure-module-event-original-guard branch June 16, 2026 10:37
github-actions (bot) commented:

@Mergifyio backport 9.4 9.3 8.19

mergify (bot) commented Jun 16, 2026
zmoog added a commit that referenced this pull request Jun 16, 2026
…cate field error (#51271) (#51284)

* [filebeat] azure module: guard event.original rename to avoid duplicate field error

All four Azure module ingest pipelines (activitylogs, auditlogs,
platformlogs, signinlogs) used an unconditional rename processor to move
`message` to `event.original`. Elasticsearch's rename processor throws
"field [event.original] already exists" when the target field is already
populated.

This happens when a global or base pipeline (e.g. Elastic Agent's managed
pipeline, a custom @Custom pipeline, or a user-configured copy_fields
processor) has already set event.original before the module pipeline runs,
and also during re-indexing of already-processed documents.

Fix: add `if: 'ctx.event?.original == null'` to each rename, and follow it
with `remove: message, ignore_missing: true` so the message field is always
cleaned up — whether it was renamed (no-op remove) or skipped (explicit
remove). The latter is needed because activitylogs, platformlogs, and
signinlogs all have subsequent processors that rename other fields into
`message`, which would fail if the original message field were still present.

Mirrors the fix applied to the Elastic Agent azure integration in
elastic/integrations#5361.

* Add changelog fragment for azure module event.original guard fix

---------

(cherry picked from commit 80129e8)

Co-authored-by: Maurizio Branca <maurizio.branca@elastic.co>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
zmoog added a commit that referenced this pull request Jun 16, 2026
…cate field error (#51271) (#51283)

* [filebeat] azure module: guard event.original rename to avoid duplicate field error

All four Azure module ingest pipelines (activitylogs, auditlogs,
platformlogs, signinlogs) used an unconditional rename processor to move
`message` to `event.original`. Elasticsearch's rename processor throws
"field [event.original] already exists" when the target field is already
populated.

This happens when a global or base pipeline (e.g. Elastic Agent's managed
pipeline, a custom @Custom pipeline, or a user-configured copy_fields
processor) has already set event.original before the module pipeline runs,
and also during re-indexing of already-processed documents.

Fix: add `if: 'ctx.event?.original == null'` to each rename, and follow it
with `remove: message, ignore_missing: true` so the message field is always
cleaned up — whether it was renamed (no-op remove) or skipped (explicit
remove). The latter is needed because activitylogs, platformlogs, and
signinlogs all have subsequent processors that rename other fields into
`message`, which would fail if the original message field were still present.

Mirrors the fix applied to the Elastic Agent azure integration in
elastic/integrations#5361.



* Add changelog fragment for azure module event.original guard fix



---------


(cherry picked from commit 80129e8)

Co-authored-by: Maurizio Branca <maurizio.branca@elastic.co>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
zmoog added a commit that referenced this pull request Jun 16, 2026
…cate field error (#51271) (#51285)

* [filebeat] azure module: guard event.original rename to avoid duplicate field error

All four Azure module ingest pipelines (activitylogs, auditlogs,
platformlogs, signinlogs) used an unconditional rename processor to move
`message` to `event.original`. Elasticsearch's rename processor throws
"field [event.original] already exists" when the target field is already
populated.

This happens when a global or base pipeline (e.g. Elastic Agent's managed
pipeline, a custom @Custom pipeline, or a user-configured copy_fields
processor) has already set event.original before the module pipeline runs,
and also during re-indexing of already-processed documents.

Fix: add `if: 'ctx.event?.original == null'` to each rename, and follow it
with `remove: message, ignore_missing: true` so the message field is always
cleaned up — whether it was renamed (no-op remove) or skipped (explicit
remove). The latter is needed because activitylogs, platformlogs, and
signinlogs all have subsequent processors that rename other fields into
`message`, which would fail if the original message field were still present.

Mirrors the fix applied to the Elastic Agent azure integration in
elastic/integrations#5361.



* Add changelog fragment for azure module event.original guard fix



---------


(cherry picked from commit 80129e8)

Co-authored-by: Maurizio Branca <maurizio.branca@elastic.co>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Labels: backport-active-all, bugfix, input:azure-eventhub, Team:obs-ds-hosted-services