Add breaking change about host namespace causing mapping issues

[dedemorton]

Fixes #7368

I found the original document hard to follow (had to read it through multiple times), so I tried to rewrite it my own words based on what I understood after reading the document. We need to connect more of the dots for users who aren't familiar with this problem.

We don't have enough section levels in asciidoc to properly format this, so I've fudged some sections (don't tell the other writers).

Not sure it's 100% there, but here you go.

UPDATE: Please make sure you respond to the questions I've raised for reviewers.

[dedemorton]

Hmmm...the formatting here looks OK in the built docs, but not so good in GitHub, so I might change it.

[karenzone]

I see what you mean about formatting being weird in GitHub. That threw me off at first. Interesting that it builds correctly in the book.

[dedemorton]

Well the docs use our CSS to control the size of things. GitHub shouldn't make bolded text into a big section header, but it does.

[dedemorton]

I hope it's OK to call this the host object because saying host field doesn't convey the idea that the type is different.

[dedemorton]

@karenzone If you have the time, can you take a look at this and offer suggestions for places where the language is confusing? Once you understand the problem, the details are easy to follow...but otherwise it is a confusing situation.

[ruflin]

Left a few minor comments.

In general LGTM.

[ruflin]

I like mapping conflict as it is a mapping conflict :-)

[ph]

It's a mapping conflict.

[ruflin]

beat.hostname is going to disappear in 7.0. So I would prefer to stear people in the direction of host.name if possible so they have to change it only once.

[dedemorton]

OK, then I'll remove mention of this field.

[ruflin]

The above should work but if someone has only 1 search based on the host field I would rather recommend to directly edit it in Kibana instead of exporting / importing it. The above might be better if there are lots of queries dependening on it but I think it requires more knowledge as the files have to be edited manually.

I would propose both options.

@ppf2 WDYT?

[ruflin]

Long term I think the host field will disappear for the beats-input-plugin in Logstash. I wonder if we should make a recommendation here to start thinking about how to migrate long term to host.name.

[ruflin]

++

@ph Could you provide one?

There is a bit a difference if host.* is dropped by Beats or LS. If it is dropped by Beats, LS will add host field. If it's dropped by LS, there will be no host field at all in the final event. I wonder if we should mention that difference.

[ph]

@ruflin @dedemorton Yes, the following example will bring it to pre 6.3.0.

mutate {
  remove_field => [ "[host]" ]
}
# or
mutate {
  add_field => {
    "host" => "%{[beat][hostname]}"
   }
}

[ph]

@ruflin but taking the content of [beat][hostname] for host will result in the same behavior as the input had. WDYT?

[ph]

I will do a check, but the add_field should replace the original value.

[dedemorton]

@ruflin mentioned earlier that beat.hostname will disappear in 7.0, so I think maybe we shouldn't show this in the example. Maybe it's worth mentioning that you can use a mutate filter rather than removing the field...and leave it up to the user to decide where to take the value from. I wonder if they can use the value in host.name instead. Would that work? Not sure if mutate allows you to take a value from a field that you are mutating.

[dedemorton]

@ph See my comment ^^

[ph]

@dedemorton this is perfectly valid, thanks for that :)

mutate {
  add_field => {
    "host" => "%{[host][name]}"
   }
}```

[dedemorton]

I think this config might be valid, but I don't think it fixes the mapping conflict. If you have multiple versions of Beats writing to the index (Beats 6.2 and 6.3), I think you need to drop the field in LS, or you will still end up with mapping conflicts because the index template defines host as an object.

[ph]

It's a mapping conflict.

[ph]

And users using their own template.

[dedemorton]

@ph You're saying that this issue applies to Beats users who use a custom template and aren't using Logstash, correct? If they have host field defined in their custom template, they'll run into mapping errors, no?

[ph]

@dedemorton
It applies to the following use cases:

• FB -> LS, using the default logstash-output-elasticsearch template.
• FB -> LS, using their own template templates with the host defined.

[dedemorton]

@ph The change might not be breaking for all Beats -> LS users, but they should probably read this topic anyhow so they know that they might need to update any searches/visualizations they've created. I'm concerned that if I make the statement too generic, they might skip reading it.

[ph]

@dedemorton Yes this is true, so let's keep it more specific we can adjust if people are posting on discuss.

[karenzone]

Makes sense to me! I left a few comments.

[karenzone]

The first sentence in the parentheses doesn't say anything new, so consider deleting it, and adding host to remaining sentence.

+(We don't want the plugin to add the host field because it causes a mapping
+conflict with the host object defined in the index template.)

[dedemorton]

I had it that way originally, but thought being explicit might be useful for users who don't understand that LS adds the field if there's not one. This behavior isn't consistent across input plugins, so it might be worth calling out. But I agree...it's a bit redundant--that's why I made it parenthetical even though I know people hate parens. If no one disagrees, I will remove the statement.

[karenzone]

I see what you mean about formatting being weird in GitHub. That threw me off at first. Interesting that it builds correctly in the book.

[karenzone]

+What does this mean to you?
See the info for your particular use case:

• <<link use case 1>>
• <<link use case 2>>
• <<link use case 3>>

You did a good job capturing the use case scenario in each title. The use cases are easier to read and parse without the surrounding text.

[karenzone]

"earlier" might be problematic. Linking to different use cases doesn't promote linear reading, but "earlier" seems to imply that you've read everything. Here, I think we can delete the reference to earlier and just say, "You cannot resolve the problem by dropping the host.* fields, because Logstash will add a default host field..."
Especially since what we're referencing isn't going to work in this situation anyway. :-)

[karenzone]

WRT "earlier". Same concern applies (this document isn't designed to be read linearly).

If we're referencing this: "In the Beats config file, configure Beats to drop all host.* fields: ", just say that instead of referencing it.

[dedemorton]

I'll add a link to the section because I want users to know that the topic describes how to do this.

[brandonmensing]

LGTM - nothing to add on top of the comments and todos already going on there. Thanks!

[dedemorton]

I've pushed some changes based on review feedback. There are a couple of sections that still need work pending a response from reviewers:

• @ppf2 - https://github.com/elastic/beats/pull/7398/files#r197348926

• @ph @ruflin Add breaking change about host namespace causing mapping issues #7398 (comment)

@tsg FYI...

Edit:

• @ph I need to resolve this one, too: Add breaking change about host namespace causing mapping issues #7398 (comment)

[ruflin]

@dedemorton LGTM. Ready to be merged?

[ruflin]

Want to resolve it as part of this PR?

[dedemorton]

@ruflin If you think it's good enough to merge, maybe we should merge and then iterate over it after it's merged. I think @tsg wanted to review this.

[ppf2]

For completeness, I think we will want to include headings for 6.1 and 6.2 as well since there were also breaking changes in these releases that are currently only documented in the release notes today.

https://www.elastic.co/guide/en/beats/libbeat/6.2/release-notes-6.1.0.html#_breaking_changes_3
https://www.elastic.co/guide/en/beats/libbeat/6.2/release-notes-6.2.0.html#_breaking_changes_2
https://www.elastic.co/guide/en/beats/libbeat/6.2/release-notes-6.2.3.html#_breaking_changes

[ruflin]

@ppf2 I think the difference with the aboves is that these we features which still were in beta.

[dedemorton]

I'll either add sections or make it clear that this section only covers the main breaking changes. We say that in a couple of places plus provide links to the relnotes, but maybe it's not clear enough.

[ppf2]

+1, let's clarify. Are we saying that the breaking changes guide will only cover breaking changes against the GA product? Or do we mean that it only covers the "main" breaking changes of GA product? If "main" is the keyword here, let's also confirm that this is consistent with the rest of the Elastic stack. Afaik, Elasticsearch documents all breaking changes against the GA product, not just the main ones.

If we are only covering breaking changes of the GA product, we can state that for breaking changes against pre-GA product releases, these are documented only in the release notes, etc..

thanks!

[dedemorton]

That's a good question, and I'm not sure about the answer. I'd like @tsg or @ruflin to weigh in here.

[ruflin]

Moving forward we should document here all breaking changes which happen for any GA features. In general no breaking changes in minor should happen, but there are exceptions.

For beta or experimental features, the breaking changes should only be in the changelog.

[ppf2]

I will send a separate note on this shortly to discuss. Somewhere in here, we will want to provide additional details on tackling the outcome of having multiple indices with different schemas for the Kibana use case given Kibana's inconsistent handling of conflicting field types today. Stay tuned. Just adding a comment here as something to refine.

[dedemorton]

I've created an issue to track the remaining work for this PR (just in case things get busy...I do plan to get this resolved asap): #7408

[ppf2]

@dedemorton @ruflin Can we merge this change to both 6.3 and 6.x branches? I only see it in master right now :)

[dedemorton]

@ppf2 I'll cherry-pick the changes today. Yesterday I was waiting for the doc build on master to be reflected in the published docs, but there was a problem with the site updating.