fix(azure.eventhub): handles properties as string and drops empty fields (#14959)

### WHAT

- Drops empty/null fields
- Renames `azure.eventhub.properties` as `azure.eventhub.properties.raw` when `azure.eventhub.properties` is a string instead of an object.

### WHY

**Drops empty/null fields**

Sometimes Azure services emit log event like the following:

```json
{
  "category": "NetworkSecurityGroupEvent",
  "operationName": "NetworkSecurityGroupEvents",
  "properties": {
    "conditions": {
      "": "",
      "destinationPortRange": "0-65535",
      "sourcePortRange": "0-65535"
    },
    "direction": "Out",
    "macAddress": "00-11-22-33-4444",
    "primaryIPv4Address": "10.0.4.6",
    "primaryIPv6Address": "ace:ace:dead:beef::9",
    "priority": 65000,
    "ruleName": "DefaultRule_AllowVnetOutBound",
    "subnetPrefix": "10.0.4.0/25",
    "type": "allow",
    "vnetResourceGuid": "{a08d316f-3c0a-428d-84ec-2977078852a5}"
  }
}
```

Elasticsearch cannot index `"": ""` field inside `properties.condition`, so we need to clean it up.

**Renames `azure.eventhub.properties` as `azure.eventhub.properties.raw` when `azure.eventhub.properties` is a string instead of an object**

Sometimes Azure sends `azure.eventhub.properties` as a string, this field should really be a an `object` instead, causing mapping errors like:

```text
object mapping for [azure.eventhub.properties] tried to parse field [properties] as object, but found a concrete value
```

By renaming `azure.eventhub.properties` as `azure.eventhub.properties.raw`, we avoid the mapping error and give users the opportunity to handle the original value using a custom pipeline.

Author: zmoog

packages/azure/changelog.yml

@@ -1,3 +1,8 @@
+- version: "1.28.3"
+  changes:
+    - description: Handle invalid log events (empty fields and properties as string) from Azure services.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/14959
 - version: "1.28.2"
   changes:
     - description: Fix Azure platformlogs ingest pipeline for function app logs

packages/azure/data_stream/eventhub/_dev/test/pipeline/test-eventhub-dropemptyfields-raw.log

@@ -0,0 +1 @@
+{"time":"2025-08-18T22:29:56+02:00", "properties":{"":""}}

packages/azure/data_stream/eventhub/_dev/test/pipeline/test-eventhub-dropemptyfields-raw.log-config.yml

@@ -0,0 +1,4 @@
+fields:
+  tags:
+    - preserve_original_event
+    - parse_message

packages/azure/data_stream/eventhub/_dev/test/pipeline/test-eventhub-dropemptyfields-raw.log-expected.json

@@ -0,0 +1,21 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2025-08-18T20:29:56.000Z",
+            "cloud": {
+                "provider": "azure"
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "kind": "event",
+                "original": "{\"time\":\"2025-08-18T22:29:56+02:00\", \"properties\":{\"\":\"\"}}"
+            },
+            "tags": [
+                "preserve_original_event",
+                "parse_message"
+            ]
+        }
+    ]
+}

packages/azure/data_stream/eventhub/_dev/test/pipeline/test-eventhub-properties-raw.log

@@ -0,0 +1 @@
+{"time":"2025-08-18T22:29:56+02:00", "properties": "Usually I'm not a string"}

packages/azure/data_stream/eventhub/_dev/test/pipeline/test-eventhub-properties-raw.log-config.yml

@@ -0,0 +1,4 @@
+fields:
+  tags:
+    - preserve_original_event
+    - parse_message

packages/azure/data_stream/eventhub/_dev/test/pipeline/test-eventhub-properties-raw.log-expected.json

@@ -0,0 +1,28 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2025-08-18T20:29:56.000Z",
+            "azure": {
+                "eventhub": {
+                    "properties": {
+                        "raw": "Usually I'm not a string"
+                    }
+                }
+            },
+            "cloud": {
+                "provider": "azure"
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "kind": "event",
+                "original": "{\"time\":\"2025-08-18T22:29:56+02:00\", \"properties\": \"Usually I'm not a string\"}"
+            },
+            "tags": [
+                "preserve_original_event",
+                "parse_message"
+            ]
+        }
+    ]
+}

packages/azure/data_stream/eventhub/_dev/test/pipeline/test-eventhub-raw.log-expected.json

@@ -13,4 +13,4 @@
             ]
         }
     ]
-}
+}

packages/azure/data_stream/eventhub/elasticsearch/ingest_pipeline/parsed-message.yml

@@ -15,6 +15,12 @@ processors:
   - json:
       field: event.original
       target_field: azure.eventhub
+  - rename:
+      field: azure.eventhub.properties
+      if: "ctx.azure?.eventhub?.properties instanceof String"
+      target_field: azure.eventhub.properties.raw
+      ignore_missing: true
+      description: Rename the field to `properties.raw` to avoid parse errors when `properties` is a string.       
   - date:
       field: azure.eventhub.time
       target_field: '@timestamp'
@@ -39,6 +45,23 @@ processors:
       params:
         param_nano: 1000000
       ignore_failure: true
+  - script:
+      description: Drops null/empty values recursively.
+      lang: painless
+      source: |
+        boolean dropEmptyFields(Object object) {
+          if (object == null || object == "") {
+            return true;
+          } else if (object instanceof Map) {
+            ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+            return (((Map) object).size() == 0);
+          } else if (object instanceof List) {
+            ((List) object).removeIf(value -> dropEmptyFields(value));
+            return (((List) object).size() == 0);
+          }
+          return false;
+        }
+        dropEmptyFields(ctx);
   - pipeline:
       name: '{{ IngestPipeline "azure-shared-pipeline" }}'
       ignore_failure: true

packages/azure/data_stream/eventhub/fields/package-fields.yml

@@ -1,6 +1,16 @@
 - name: azure
   type: group
   fields:
+    - name: eventhub
+      type: group
+      fields:
+        - name: properties
+          type: group
+          fields:
+            - name: raw
+              type: keyword
+              description: |
+                Raw properties as a string, if the `properties` field is a string.
     - name: subscription_id
       type: keyword
       description: |