Fix httpjson split issue on empty root array

[kcreddy]

What does this PR do?

Fix httpjson split issue on empty root array. This fix publishes the event with key in case of empty root array

Why is it important?

This is a bug fix on filebeat httpjson input where no event is being published when splitting empty root array. The desired outcome is to publish event with array.

Checklist

• My code follows the style guidelines of this project
• [ ] I have commented my code, particularly in hard-to-understand areas
• [ ] I have made corresponding change to the default configuration files
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

cd x-pack/filebeat/input/httpjson; go test -v -run TestSplit

=== RUN   TestSplit
=== RUN   TestSplit/Two_nested_Split_Arrays_with_keep_parent
=== RUN   TestSplit/A_nested_array_with_a_nested_map
=== RUN   TestSplit/A_nested_array_with_a_nested_map_with_transforms
=== RUN   TestSplit/A_nested_array_with_a_nested_array_in_an_object
=== RUN   TestSplit/A_nested_array_with_an_empty_nested_array_in_an_object_publishes_without_the_key
=== RUN   TestSplit/First_level_split_publishes_with_key_if_no_events
=== RUN   TestSplit/Changes_must_be_local_to_parent_when_nested_splits
=== RUN   TestSplit/Split_string
=== RUN   TestSplit/An_empty_array_in_an_object
=== RUN   TestSplit/A_missing_array_in_an_object
=== RUN   TestSplit/An_empty_map_in_an_object
=== RUN   TestSplit/A_missing_map_in_an_object
=== RUN   TestSplit/An_empty_string
=== RUN   TestSplit/A_missing_string
--- PASS: TestSplit (0.00s)
    --- PASS: TestSplit/Two_nested_Split_Arrays_with_keep_parent (0.00s)
    --- PASS: TestSplit/A_nested_array_with_a_nested_map (0.00s)
    --- PASS: TestSplit/A_nested_array_with_a_nested_map_with_transforms (0.00s)
    --- PASS: TestSplit/A_nested_array_with_a_nested_array_in_an_object (0.00s)
    --- PASS: TestSplit/A_nested_array_with_an_empty_nested_array_in_an_object_publishes_without_the_key (0.00s)
    --- PASS: TestSplit/First_level_split_publishes_with_key_if_no_events (0.00s)
    --- PASS: TestSplit/Changes_must_be_local_to_parent_when_nested_splits (0.00s)
    --- PASS: TestSplit/Split_string (0.00s)
    --- PASS: TestSplit/An_empty_array_in_an_object (0.00s)
    --- PASS: TestSplit/A_missing_array_in_an_object (0.00s)
    --- PASS: TestSplit/An_empty_map_in_an_object (0.00s)
    --- PASS: TestSplit/A_missing_map_in_an_object (0.00s)
    --- PASS: TestSplit/An_empty_string (0.00s)
    --- PASS: TestSplit/A_missing_string (0.00s)
PASS
ok      github.com/elastic/beats/v7/x-pack/filebeat/input/httpjson      0.289s

Related issues

• Closes Filebeat httpjson cursor not saved when splitting on empty array. #28221

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-09-15T08:57:39.478+0000

• Duration: 72 min 37 sec

Test stats 🧪

Test	Results
Failed	0
Passed	2237
Skipped	166
Total	2403

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[efd6]

This should have a line in CHANGELOG.next.asciidoc and probably wants a backport to the relevant versions.

[P1llus]

@marc-gr does this only need to be applied for split on Array, or also on map/string?

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b httpjson_split_empty_root_arr upstream/httpjson_split_empty_root_arr
git merge upstream/main
git push upstream httpjson_split_empty_root_arr

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b httpjson_split_empty_root_arr upstream/httpjson_split_empty_root_arr
git merge upstream/main
git push upstream httpjson_split_empty_root_arr

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b httpjson_split_empty_root_arr upstream/httpjson_split_empty_root_arr
git merge upstream/main
git push upstream httpjson_split_empty_root_arr

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b httpjson_split_empty_root_arr upstream/httpjson_split_empty_root_arr
git merge upstream/main
git push upstream httpjson_split_empty_root_arr

[ShourieG]

@kcreddy , please resolve the conflict , otherwise LGTM

[efd6]

Suggested change

	- Do not emit error log when filestream reader reaches EOF and `close.reader.on_eof` is enabled. {pull}31109[31109]
	- sophos.xg: Update module to handle new log fields. {issue}31038[31038] {pull}31388[31388]
	- Fix MISP documentation for `var.filters` config option. {pull}31434[31434]
	- Fix type mapping of client.as.number in okta module. {pull}31676[31676]
	- Fix handling of empty array in httpjson input. {pull}32001[32001]
	- Fix last write pagination commit checkpoint on `aws-s3` input for s3 direct polling when using the same bucket and different list prefixes. {pull}31776[31776]
	- If a file is ignored by `filestream` because of ignore_older settings, when it is updated, only the new lines are shipped to the output. {issue}31924[31924] {pull}31972[31972]
	- Adding a fix for threatintel module where MISP was paginating forever. {pull}31784[31784]xs
	- Fix deduplication in Google workspace module by changing fingerprint processor target field from `@metadata.id` to `@metadata._id`. {pull}31898[31898]
	- Fix handling and mapping of syslog priority, facility and severity values in Cisco module. {pull}32025[32025]
	- Fix http_endpoint input TLS handshake failures. {pull}32105[32105]
	- Fix handling of empty array in httpjson input. {pull}32001[32001]

[kcreddy]

Added the line at the end

[andrewkroh]

Other than the changelog conflicts, does this need anything else before merging? @kcreddy

[kcreddy]

@andrewkroh Sorry my bad, I thought this was merged long back. Resolved merge conflicts. This can be merged once approved

[ShourieG]

LGTM

[efd6]

LGTM after changelog is fixed.