[automation] update elastic stack version for testing 7.16.0-ef210289 #29278

Merged
merged 7 commits into from
Dec 8, 2021


apmmachine
Contributor

What

Bump stack version with the latest one.

Further details

[start_time:Sun, 5 Dec 2021 05:14:11 GMT, release_branch:7.16, prefix:, end_time:Sun, 5 Dec 2021 11:24:06 GMT, manifest_version:2.0.0, version:7.16.0-SNAPSHOT, branch:7.16, build_id:7.16.0-ef210289, build_duration_seconds:22195]

@apmmachine apmmachine added automation backport-skip Skip notification from the automated backport with mergify build-monitoring Issues created as part of Build Monitoring dependency Team:Beats-On-Call Label for the On Call team labels Dec 6, 2021
@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Dec 6, 2021
@elasticmachine
Collaborator

elasticmachine commented Dec 6, 2021

💚 Build Succeeded

Build stats

  • Start Time: 2021-12-08T09:25:39.079+0000

  • Duration: 44 min 47 sec

  • Commit: 8cd45af

Test stats 🧪

Test Results
Failed 0
Passed 345
Skipped 9
Total 354

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@jsoriano
Member

jsoriano commented Dec 6, 2021

There seem to be some changes in timestamp formats with timezones, but the generated timestamps are equivalent. This might be related to elastic/elasticsearch#80450.

I am pushing updated files to fix this.

@@ -1,6 +1,6 @@
[
{
"@timestamp": "2020-04-01T13:21:06.725Z",
"@timestamp": "2020-04-01T09:21:06.725Z",

This looks like an actual fix, the timestamp in the logs is:

2020-04-01T11:21:06,725+0200

That converted to UTC should be 2020-04-01T09:21:06.725Z.

cc @sayden in case you want to confirm that the pipeline of this fileset is right.

Contributor

@mergify mergify bot left a comment

Automatically approving mergify

@jsoriano jsoriano self-assigned this Dec 7, 2021
@jsoriano
Member

jsoriano commented Dec 7, 2021

/test

@jsoriano
Member

jsoriano commented Dec 8, 2021

/test

@mergify mergify bot merged commit d1ccdc9 into 7.16 Dec 8, 2021
@mergify mergify bot deleted the update-stack-version-20211206050944-7.16 branch December 8, 2021 10:09
@jsoriano
Member

jsoriano commented Dec 8, 2021

@nik9000 we have found in our test files that the format of some timestamps with timezones changed with a recent snapshot of ES, you can see the ones that changed in this PR. Do you think it could be related to elastic/elasticsearch#80450?

Most of the new timestamps are equivalent to the old ones, but there is one that seems to be fixed now: #29278 (comment)

@nik9000
Member

nik9000 commented Dec 8, 2021

> Do you think it could be related to elastic/elasticsearch#80450?

I don't think it's related but I'm happy to help figure out what changed. What are you testing? It looks like it's importing some logs from https://github.com/elastic/beats/blob/7.16/x-pack/filebeat/module/cisco/asa/test/sample.log and then fetching them with, like, a scroll? Are the things in https://github.com/elastic/beats/blob/7.16/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json a fetched _source? If so I'd look at pipelines or even logstash. I don't really know what's going on here.

@jsoriano
Member

jsoriano commented Dec 8, 2021

> I don't think it's related but I'm happy to help figure out what changed.

No worries, I was asking more out of curiosity in case something came to mind.

> What are you testing?

These tests install a pipeline, ingest some logs using filebeat and check that the indexed documents match what is in the expected files. They are used to test the pipelines included in filebeat modules.

The new timestamps seem to be ok because they represent the same time (for example the change from "2018-04-15T09:34:34.000-04:00" to "2018-04-15T11:34:34.000-02:00").

What intrigues me is this change from "2020-04-01T13:21:06.725Z" to "2020-04-01T09:21:06.725Z", these are not equivalent timestamps, but the new one seems to be correct. In the logs this one is represented as 2020-04-01T11:21:06,725+0200.

So I wonder if there has been some fix in Elasticsearch, or if we have something weird in this pipeline.

Looking at how this is parsed in the pipeline, it looks a bit tricky, first the timestamp is parsed with formats with and without the timestamp:

  - date:
      if: ctx.elasticsearch.audit['@timestamp'] != null && ctx.event.timezone != null
      field: elasticsearch.audit.@timestamp
      target_field: elasticsearch.audit.@timestamp
      formats:
        - yyyy-MM-dd'T'HH:mm:ss,SSS
        - yyyy-MM-dd'T'HH:mm:ss,SSSZ
      timezone: "{{ event.timezone }}"
      ignore_failure: true

And then it is parsed again as ISO8601:

  - date:
      field: elasticsearch.audit.@timestamp
      target_field: "@timestamp"
      formats:
        - ISO8601
      ignore_failure: true
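
Added example, not part of the comment above and not Elasticsearch or Beats code: a Python sketch of the check discussed in this thread, parsing the audit layouts so that an offset written in the string takes precedence over the configured timezone, and separating expected-file changes that only re-render an offset from changes that move the instant. The function names, the `FALLBACK` offset standing in for `event.timezone`, and the offset-less sample in the comment are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Same two layouts, in the same order, as the pipeline's first date processor.
AUDIT_FORMATS = ("%Y-%m-%dT%H:%M:%S,%f", "%Y-%m-%dT%H:%M:%S,%f%z")
# Constructed stand-in for event.timezone; not a value taken from the thread.
FALLBACK = timezone(timedelta(hours=-2))


def parse_audit_timestamp(raw, fallback_tz=FALLBACK):
    """UTC instant for a raw audit timestamp; fallback_tz is used only
    when the string carries no offset of its own."""
    for fmt in AUDIT_FORMATS:
        try:
            parsed = datetime.strptime(raw, fmt)
        except ValueError:
            continue  # layout does not fit, try the next one
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=fallback_tz)
        return parsed.astimezone(timezone.utc)
    raise ValueError(f"unsupported timestamp: {raw!r}")


def to_instant(iso):
    """Parse an ISO 8601 value from an expected file into a UTC instant."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).astimezone(timezone.utc)


def instant_shift(old, new):
    """Zero when only the rendering changed, otherwise the shift in time."""
    return to_instant(new) - to_instant(old)


def changed_instants(pairs):
    """Keep only the (old, new) pairs that no longer name the same instant."""
    return [(o, n, instant_shift(o, n)) for o, n in pairs if instant_shift(o, n)]


# The two changes quoted in the thread.
PAIRS = [
    ("2018-04-15T09:34:34.000-04:00", "2018-04-15T11:34:34.000-02:00"),
    ("2020-04-01T13:21:06.725Z", "2020-04-01T09:21:06.725Z"),
]

if __name__ == "__main__":
    # A constructed "2020-04-01T11:21:06,725" (no offset) would take FALLBACK.
    print(parse_audit_timestamp("2020-04-01T11:21:06,725+0200").isoformat())
    for old, new, shift in changed_instants(PAIRS):
        print(f"{old} -> {new}: {shift.total_seconds() / 3600:+.0f} h")
```

Running a comparison like this over a regenerated expected file leaves only the entries whose event time actually moved, which are the ones worth checking against the raw log.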

@nik9000
Member

nik9000 commented Dec 8, 2021

I'm guessing it's actually elastic/elasticsearch#63876.

@nik9000
Member

nik9000 commented Dec 8, 2021

For reference I got this by running git blame ./modules/ingest-common/src/main/java/org/elasticsearch/ingest/common/DateProcessor.java --ignore-revs-file .git-blame-ignore-revs and looking for recent changes. There weren't any but I saw that a lot happens in DateFormat so I ran git blame ./modules/ingest-common/src/main/java/org/elasticsearch/ingest/common/DateFormat.java --ignore-revs-file .git-blame-ignore-revs which pointed me to the commit from that PR.

@jsoriano
Member

jsoriano commented Dec 9, 2021

Thanks Nik! This change looks more likely, yes. It could be then that something has been actually fixed for this tricky pipeline.
