[filebeat] azure module: guard event.original rename to prevent duplicate field error#51271
Conversation
…te field error

All four Azure module ingest pipelines (activitylogs, auditlogs, platformlogs, signinlogs) used an unconditional rename processor to move `message` to `event.original`. Elasticsearch's rename processor throws "field [event.original] already exists" when the target field is already populated. This happens when a global or base pipeline (e.g. Elastic Agent's managed pipeline, a custom @Custom pipeline, or a user-configured copy_fields processor) has already set event.original before the module pipeline runs, and also during re-indexing of already-processed documents.

Fix: add `if: 'ctx.event?.original == null'` to each rename, and follow it with `remove: message, ignore_missing: true` so the message field is always cleaned up — whether it was renamed (no-op remove) or skipped (explicit remove). The latter is needed because activitylogs, platformlogs, and signinlogs all have subsequent processors that rename other fields into `message`, which would fail if the original message field were still present.

Mirrors the fix applied to the Elastic Agent azure integration in elastic/integrations#5361.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This pull request does not have a backport label.
To fixup this pull request, you need to add the backport labels for the needed
Pinging @elastic/obs-ds-hosted-services (Team:obs-ds-hosted-services)
@Mergifyio backport 9.4 9.3 8.19

✅ Backports have been created
…cate field error (#51271) (#51284)

* [filebeat] azure module: guard event.original rename to avoid duplicate field error

All four Azure module ingest pipelines (activitylogs, auditlogs, platformlogs, signinlogs) used an unconditional rename processor to move `message` to `event.original`. Elasticsearch's rename processor throws "field [event.original] already exists" when the target field is already populated. This happens when a global or base pipeline (e.g. Elastic Agent's managed pipeline, a custom @Custom pipeline, or a user-configured copy_fields processor) has already set event.original before the module pipeline runs, and also during re-indexing of already-processed documents.

Fix: add `if: 'ctx.event?.original == null'` to each rename, and follow it with `remove: message, ignore_missing: true` so the message field is always cleaned up — whether it was renamed (no-op remove) or skipped (explicit remove). The latter is needed because activitylogs, platformlogs, and signinlogs all have subsequent processors that rename other fields into `message`, which would fail if the original message field were still present.

Mirrors the fix applied to the Elastic Agent azure integration in elastic/integrations#5361.

* Add changelog fragment for azure module event.original guard fix

---------

(cherry picked from commit 80129e8)

Co-authored-by: Maurizio Branca <maurizio.branca@elastic.co>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
…cate field error (#51271) (#51283)

(cherry picked from commit 80129e8)

Co-authored-by: Maurizio Branca <maurizio.branca@elastic.co>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
…cate field error (#51271) (#51285)

(cherry picked from commit 80129e8)

Co-authored-by: Maurizio Branca <maurizio.branca@elastic.co>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
- All four Azure module ingest pipelines (`activitylogs`, `auditlogs`, `platformlogs`, `signinlogs`) had an unconditional `rename: message → event.original` processor.
- The `rename` processor throws "field [event.original] already exists" when the field is already populated — e.g. when running under Elastic Agent (whose base pipeline pre-sets `event.original`), when a custom `@custom` pipeline runs first, or during re-indexing.
- Fix: add an `if: 'ctx.event?.original == null'` guard to each rename, plus a follow-up `remove: message, ignore_missing: true` to ensure `message` is always cleaned up regardless of which path was taken (three of the four pipelines have subsequent processors that rename other fields into `message`, which would fail if the original `message` field remained).
- Mirrors the fix applied to the Elastic Agent azure integration in elastic/integrations#5361.
Test plan
- `mage -d x-pack/filebeat filebeatIntegTest` (or the equivalent module test target for the azure module).
- … `.log-expected.json` fixtures should remain unchanged since the normal path — `event.original` not pre-set — is unaffected
- … `event.original` before running the pipeline, confirming no error is thrown
- … `event.original` set

🤖 Generated with Claude Code
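The three paths the Summary and Test plan describe (normal ingest, `event.original` pre-set by a base pipeline, and re-indexing an already-processed document) can be walked through with a small model of the ingest processors involved. The code below is an added illustration, not Beats or Elasticsearch code: it models `rename` (which fails when the target field already exists), `remove` with `ignore_missing`, and the Painless `ctx.event?.original == null` guard, then runs the old pipeline, a guard-only pipeline, and the fixed guard-plus-remove pipeline over constructed documents. The field `azure.summary` is a placeholder standing in for whichever field the real activitylogs/platformlogs/signinlogs pipelines later rename into `message`.

```python
"""Constructed model of the Elasticsearch ingest processors behind the Azure
module fix (added example; not Beats or Elasticsearch code)."""
import copy


class IngestError(Exception):
    """Stands in for the exception an ingest processor raises."""


def get_path(doc, path):
    """Dotted-path lookup; None when any segment is missing (mirrors `?.`)."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_path(doc, path, value):
    parts = path.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def del_path(doc, path):
    """Delete a dotted path; return True if something was removed."""
    parts = path.split(".")
    cur = doc
    for part in parts[:-1]:
        if not isinstance(cur, dict) or part not in cur:
            return False
        cur = cur[part]
    if isinstance(cur, dict) and parts[-1] in cur:
        del cur[parts[-1]]
        return True
    return False


def rename(doc, field, target, ignore_missing=False, cond=None):
    """Model of the `rename` processor: optional `if` condition, and the
    target must not already exist (this is the error the PR guards against)."""
    if cond is not None and not cond(doc):
        return
    if get_path(doc, field) is None:
        if ignore_missing:
            return
        raise IngestError(f"field [{field}] doesn't exist")
    if get_path(doc, target) is not None:
        raise IngestError(f"field [{target}] already exists")
    set_path(doc, target, get_path(doc, field))
    del_path(doc, field)


def remove(doc, field, ignore_missing=False):
    """Model of the `remove` processor with `ignore_missing`."""
    if not del_path(doc, field) and not ignore_missing:
        raise IngestError(f"field [{field}] doesn't exist")


def event_original_is_null(doc):
    """The `if: 'ctx.event?.original == null'` guard from the PR."""
    return get_path(doc, "event.original") is None


def try_pipeline(processors, doc):
    """Run processors over a copy of doc; return (ok, result_or_error_text)."""
    doc = copy.deepcopy(doc)
    try:
        for proc in processors:
            proc(doc)
    except IngestError as exc:
        return False, str(exc)
    return True, doc


# `azure.summary` is a constructed placeholder for the field that the real
# pipelines later rename into `message`.
LATER_RENAME = lambda d: rename(d, "azure.summary", "message", ignore_missing=True)

OLD_PIPELINE = [lambda d: rename(d, "message", "event.original"), LATER_RENAME]
GUARD_ONLY_PIPELINE = [
    lambda d: rename(d, "message", "event.original", cond=event_original_is_null),
    LATER_RENAME,
]
NEW_PIPELINE = [  # the fix: guarded rename followed by an explicit remove
    lambda d: rename(d, "message", "event.original", cond=event_original_is_null),
    lambda d: remove(d, "message", ignore_missing=True),
    LATER_RENAME,
]

# Constructed sample documents.
RAW = '{"operationName":"Microsoft.Compute/virtualMachines/write"}'
DOC_NORMAL = {"message": RAW, "azure": {"summary": "VM write"}}
# A base pipeline (e.g. Elastic Agent's) already copied message -> event.original.
DOC_PRESET = {"message": RAW, "event": {"original": RAW}, "azure": {"summary": "VM write"}}
# Re-indexing: a document the fixed pipeline already processed once.
DOC_REINDEXED = try_pipeline(NEW_PIPELINE, DOC_NORMAL)[1]

if __name__ == "__main__":
    for name, pipeline in [("old", OLD_PIPELINE), ("guard-only", GUARD_ONLY_PIPELINE), ("fixed", NEW_PIPELINE)]:
        for label, doc in [("normal", DOC_NORMAL), ("preset", DOC_PRESET), ("reindexed", DOC_REINDEXED)]:
            print(name, label, try_pipeline(pipeline, doc))
```

The guard-only run shows why the explicit `remove` is part of the fix: skipping the rename leaves `message` in place, so the later rename into `message` hits the same "already exists" error one processor further down. With the remove in place, `message` is gone on every path before the later rename runs.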