fix(azure.eventhub): handles properties as string and drops empty fields #14959

@zmoog zmoog commented Aug 18, 2025

Proposed commit message

WHAT

  • Drops empty/null fields
  • Renames azure.eventhub.properties as azure.eventhub.properties.raw when azure.eventhub.properties is a string instead of an object.

WHY

Drops empty/null fields

Sometimes Azure services emit log events like the following:

{
  "category": "NetworkSecurityGroupEvent",
  "operationName": "NetworkSecurityGroupEvents",
  "properties": {
    "conditions": {
      "": "",
      "destinationPortRange": "0-65535",
      "sourcePortRange": "0-65535"
    },
    "direction": "Out",
    "macAddress": "00-11-22-33-4444",
    "primaryIPv4Address": "10.0.4.6",
    "primaryIPv6Address": "ace:ace:dead:beef::9",
    "priority": 65000,
    "ruleName": "DefaultRule_AllowVnetOutBound",
    "subnetPrefix": "10.0.4.0/25",
    "type": "allow",
    "vnetResourceGuid": "{a08d316f-3c0a-428d-84ec-2977078852a5}"
  }
}

Elasticsearch cannot index the "": "" field inside properties.conditions, so we need to clean it up.

Renames azure.eventhub.properties as azure.eventhub.properties.raw when azure.eventhub.properties is a string instead of an object

Sometimes Azure sends azure.eventhub.properties as a string; this field should really be an object instead, causing mapping errors like:

object mapping for [azure.eventhub.properties] tried to parse field [properties] as object, but found a concrete value

By renaming azure.eventhub.properties as azure.eventhub.properties.raw, we avoid the mapping error and give users the opportunity to handle the original value using a custom pipeline.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices
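
The two behaviours described in the commit message above, modelled in Python as an added example (this is not the integration's Painless pipeline script). The document layout under `azure.eventhub`, the function names and the definition of "empty" (null, empty string, empty object, empty list) are assumptions; the sample is constructed from the event quoted above.

```python
import copy

# Constructed sample, modelled on the NSG event quoted in the PR description.
SAMPLE = {"azure": {"eventhub": {
    "category": "NetworkSecurityGroupEvent",
    "properties": {
        "conditions": {"": "", "destinationPortRange": "0-65535",
                       "sourcePortRange": "0-65535"},
        "direction": "Out",
        "priority": 65000,
        "tags": [None, "", {}],  # constructed: a list that ends up empty
    },
}}}


def is_empty_after_prune(value):
    """Prune empty members in place; return True if value itself is empty.

    Assumption: "empty" means None, "", {} or [] once children are pruned.
    """
    if value is None or value == "":
        return True
    if isinstance(value, dict):
        for key in [k for k, v in value.items() if is_empty_after_prune(v)]:
            del value[key]
        return len(value) == 0
    if isinstance(value, list):
        value[:] = [v for v in value if not is_empty_after_prune(v)]
        return len(value) == 0
    return False  # 0 and False are real values and are kept


def normalize(event):
    """Return a cleaned copy of an event shaped like azure.eventhub.*."""
    doc = copy.deepcopy(event)
    hub = doc.get("azure", {}).get("eventhub", {})
    # A string where the mapping expects an object triggers the mapping
    # error; moving it to properties.raw keeps the parent an object.
    if isinstance(hub.get("properties"), str):
        hub["properties"] = {"raw": hub["properties"]}
    is_empty_after_prune(doc)
    return doc
```

Running sample events through `normalize` before shipping them shows which keys the cleanup would drop, which matters when a detection rule depends on a field that can arrive empty.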

@zmoog zmoog self-assigned this Aug 18, 2025
@zmoog zmoog added Integration:azure Azure Logs bugfix Pull request that fixes a bug issue Team:obs-ds-hosted-services Observability Hosted Services team [elastic/obs-ds-hosted-services] labels Aug 18, 2025
@zmoog zmoog marked this pull request as ready for review August 18, 2025 20:55
@zmoog zmoog requested a review from a team as a code owner August 18, 2025 20:55
@zmoog zmoog requested review from a team as code owners August 18, 2025 21:00
return (((Map) object).size() == 0);
} else if (object instanceof List) {
((List) object).removeIf(value -> dropEmptyFields(value));
return (((List) object).length == 0);
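
Review bot: the List branch tests emptiness with `((List) object).length` while the Map branch just above it uses `.size()`; use `((List) object).size() == 0` (or `isEmpty()`) in both branches so the two cases read the same and rely only on the collection API. Since `removeIf` mutates the list in place before that check, a short comment saying so would help the next reader.
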
Contributor

It should be (((List) object).size() == 0), isn't it?

Contributor Author

I see it works both ways:

CleanShot 2025-08-18 at 23 38 01@2x

However size() seems like the right approach since both List and Map extend Collection.

Contributor

Interesting, I thought painless is Java, but I think .length is an addon by painless.

elastic-vault-github-plugin-prod bot commented Aug 18, 2025

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

Contributor

@Kavindu-Dodan Kavindu-Dodan left a comment

LGTM

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Aug 19, 2025
@muthu-mps
Contributor

The sample event here has the properties with fields and the conditions property has empty string and also fields with values. Can we include this format as well to the pipeline tests?

@elasticmachine

💚 Build Succeeded

cc @zmoog

Contributor

@muthu-mps muthu-mps left a comment

Left a comment on adding additional events to the pipeline tests. Change looks good to me otherwise!


Quality Gate failed

Failed conditions
67.6% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube

Contributor

@chemamartinez chemamartinez left a comment

LGTM! In case it’s useful to know you can also apply subobjects: false to solve the conflict. Done for example at #13925.

@zmoog
Contributor Author

zmoog commented Aug 19, 2025

> The sample event here has the properties with fields and the conditions property has empty string and also fields with values. Can we include this format as well to the pipeline tests?

Yeah, but this would require adding mappings for these fields so as not to make the tests fail, which is something I am trying to avoid in a generic integration like azure.eventhub.

@zmoog
Contributor Author

zmoog commented Aug 19, 2025

> LGTM! In case it’s useful to know you can also apply subobjects: false to solve the conflict. Done for example at #13925.

Great point, I didn't think about using subobjects: false.

Since this is a generic integration, where users are supposed to customize pipeline and mapping, I'm trying to leave all the options on the table.

@zmoog zmoog merged commit 771a844 into elastic:main Aug 19, 2025
8 of 9 checks passed
@zmoog zmoog deleted the zmoog/fix/azure/eventhub/properties-as-string-and-empty-fields branch August 19, 2025 18:21
@elastic-vault-github-plugin-prod

Package azure - 1.28.3 containing this change is available at https://epr.elastic.co/package/azure/1.28.3/
