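--- a/packages/o365/changelog.yml
+++ b/packages/o365/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.29.2"
+changes:
+- description: Fix handling of error propagation within agent CEL program.
+type: bugfix
+link: https://github.com/elastic/integrations/pull/15445
 - version: "2.29.1"
 changes:
 - description: Fix handling of error conditions when requesting work continuation.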
59 changes: 32 additions & 27 deletions packages/o365/data_stream/audit/agent/stream/cel.yml.hbs
Expand Up @@ -234,15 +234,17 @@ program: |-
)
:
{
"error": {
"code": string(list_resp.StatusCode),
"id": string(list_resp.Status),
"message": "GET " + state.work.next_list + ": " + (
(size(list_resp.Body) != 0) ?
string(list_resp.Body)
:
string(list_resp.Status) + " (" + string(list_resp.StatusCode) + ")"
),
"events": {
"error": {
"code": string(list_resp.StatusCode),
"id": string(list_resp.Status),
"message": "GET " + state.work.next_list + ": " + (
(size(list_resp.Body) != 0) ?
string(list_resp.Body)
:
string(list_resp.Status) + " (" + string(list_resp.StatusCode) + ")"
),
},
},
}
)
Expand Down Expand Up @@ -314,9 +316,9 @@ program: |-
).as(state, !has(state.base) ?
// No current work item above, so finish.
{}
: has(state.error) ?
: has(state.?work.sub.error) ?
// Getting subscription detail failed.
state
state.work.sub.as(err, state.drop("work.sub").with({"events": err}))
:
(
// This exists purely to rewrite the cursor from the original
Expand Down Expand Up @@ -440,15 +442,17 @@ program: |-
)
:
{
"error": {
"code": string(list_resp.StatusCode),
"id": string(list_resp.Status),
"message": "GET /activity/feed/subscriptions/content?contentType=" + state.work.curr_type + ": " + (
(size(list_resp.Body) != 0) ?
string(list_resp.Body)
:
string(list_resp.Status) + " (" + string(list_resp.StatusCode) + ")"
),
"events": {
"error": {
"code": string(list_resp.StatusCode),
"id": string(list_resp.Status),
"message": "GET /activity/feed/subscriptions/content?contentType=" + state.work.curr_type + ": " + (
(size(list_resp.Body) != 0) ?
string(list_resp.Body)
:
string(list_resp.Status) + " (" + string(list_resp.StatusCode) + ")"
),
},
},
}
)
Expand All @@ -461,8 +465,12 @@ program: |-
(
// Ensure that we bring the current type up to the current time,
// even if we did not get any content for the query period.
has(state.?work.curr_type) && state.?cursor.last_for.optMap(l,
timestamp(l[state.work.curr_type.to_lower()]) < now - duration("1h")
has(state.?work.curr_type) && state.?cursor.last_for.optMap(last_for,
state.work.curr_type.to_lower().as(curr_type, curr_type in last_for ?
timestamp(last_for[curr_type]) < now - duration("1h")
:
false
)
Comment on lines +469 to +473
Contributor


Suggested change
state.work.curr_type.to_lower().as(curr_type, curr_type in last_for ?
timestamp(last_for[curr_type]) < now - duration("1h")
:
false
)
state.work.curr_type.to_lower().as(curr_type, curr_type in last_for && timestamp(last_for[curr_type]) < now - duration("1h"))

Can we do this?

Contributor Author


I prefer the clarity that is in the current version (not really significant here, but the current version is also more efficient, since if !curr_type in last_for then the timestamp parsing is not done, while it is in the proposed version).

).orValue(false) && !state.work.todo_type.exists(t, t == state.work.curr_type)
) ?
state.with(
Expand All @@ -476,17 +484,14 @@ program: |-
state.with(
{
"want_more": state.work.as(w,
size(w.todo_type) != 0 || size(w.todo_content) != 0 || w.?next_list.orValue("") != ""
size(w.?todo_type.orValue([])) != 0 || size(w.?todo_content.orValue([])) != 0 || w.?next_list.orValue("") != ""
),
}
)
).as(state,
// Make sure we complete the remaining work if we got
// no events but the work lists are not empty.
// We do not need to put a dummy event in in the
// case that we have errored, since the error will
// be raised to an event by the input.
(state.want_more && !has(state.error) && type(state.events) == list && size(state.events) == 0) ?
(state.want_more && type(state.events) == list && size(state.events) == 0) ?
state.with(
{
"events": [{"retry": true}],
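Review bot: The context line `).orValue(false) && !state.work.todo_type.exists(t, t == state.work.curr_type)` in the -461,8 +465,12 hunk still selects `todo_type` without an optional guard, while the -476,17 +484,14 hunk now reads the same field as `w.?todo_type.orValue([])`. If `todo_type` can be absent from `state.work`, as that second change implies, this branch may fail with a no-such-key evaluation error whenever the `last_for` comparison is true, rather than surfacing through the new `events` error object. Suggest `!state.work.?todo_type.orValue([]).exists(t, t == state.work.curr_type)`, and likewise confirm that `state.work` itself is always present where `state.work.as(w, ...)` is evaluated. The enclosing expression starts and ends outside the lines shown, so whether an error state can actually reach these branches cannot be confirmed from this page. Because this program collects audit logs, a failed evaluation could delay security telemetry, so a test fixture returning a non-200 response for each of the two GET paths would be worth adding; none is among the files shown.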
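--- a/packages/o365/manifest.yml
+++ b/packages/o365/manifest.yml
@@ -1,6 +1,6 @@
 name: o365
 title: Microsoft Office 365
-version: "2.29.1"
+version: "2.29.2"
 description: Collect logs from Microsoft Office 365 with Elastic Agent.
 type: integration
 format_version: "3.2.3"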