[filebeat][websocket] - Add support for passing cursor value as query parameter in Websocket URL #39858

Closed
brijesh-elastic opened this issue Jun 11, 2024 · 3 comments · Fixed by #39997
Labels: Filebeat, Team:Security-Service Integrations

brijesh-elastic commented Jun 11, 2024

Enhancement: The enhancement should enable the use of a cursor value as a query parameter, along with the support of time library functions, to allow for dynamic updates to the URL.

Use case: This feature will be beneficial for integrations like Proofpoint On Demand, where it will facilitate the retrieval of historical data by leveraging the 'sinceTime' query parameter.

Example:

```yaml
filebeat.inputs:
- type: websocket
  url: wss://logstream.proofpoint.com/v1/stream?cid=abc&type=message&sinceTime={sinceTime}
  program: |
    bytes(state.response).decode_json().as(body,{
      "events": {
        "message":  body.encode_json(),
      },
      "cursor": {
        "last_timestamp": body.map(e, e.ts).max()
      }
    })
```

In the above, when data collection first runs, the `sinceTime` should be set to `(now-duration(initial_interval))` to collect historical data. Whenever the WebSocket connection is interrupted or closes unexpectedly, the next time it restarts, the `sinceTime` should be taken from `state.cursor.last_timestamp` to continue collecting data from where it left off.

The ideal condition for the `{sinceTime}` is: `has(state.cursor) && has(state.cursor.last_timestamp) ? state.cursor.last_timestamp : (now-duration(initial_interval))`.
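
The resume rule requested above, sketched in Go as an added example; it is not part of the original post and not Filebeat's implementation. The function names, the RFC 3339 timestamp format and the `wss`-only check are assumptions of this example, and the clock and cursor values in `main` are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"time"
)

// sinceTime picks the resume point: the stored cursor timestamp when it is
// present and well formed, otherwise now minus the initial interval.
// Assumption: timestamps are RFC 3339 strings.
func sinceTime(cursor map[string]any, now time.Time, initialInterval time.Duration) string {
	if ts, ok := cursor["last_timestamp"].(string); ok {
		// The cursor is derived from remote event data, so parse it before reuse.
		if t, err := time.Parse(time.RFC3339, ts); err == nil {
			return t.UTC().Format(time.RFC3339Nano)
		}
	}
	return now.Add(-initialInterval).UTC().Format(time.RFC3339Nano)
}

// streamURL sets sinceTime on the base URL as an encoded query parameter,
// so a cursor value cannot add or override other parameters.
func streamURL(base string, cursor map[string]any, now time.Time, initialInterval time.Duration) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	// Check added by this example: the stream URL must use TLS.
	if u.Scheme != "wss" {
		return "", fmt.Errorf("refusing non-TLS websocket scheme %q", u.Scheme)
	}
	q := u.Query()
	q.Set("sinceTime", sinceTime(cursor, now, initialInterval))
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	now := time.Date(2024, 6, 11, 12, 0, 0, 0, time.UTC) // constructed clock
	base := "wss://logstream.proofpoint.com/v1/stream?cid=abc&type=message"
	cursor := map[string]any{"last_timestamp": "2024-06-11T11:30:00Z"} // constructed cursor
	first, _ := streamURL(base, nil, now, 24*time.Hour)
	resumed, _ := streamURL(base, cursor, now, 24*time.Hour)
	fmt.Println(first)   // first run: now minus the initial interval
	fmt.Println(resumed) // after a reconnect: the stored cursor value
}
```

A cursor value that does not parse as a timestamp falls back to the initial interval instead of being placed in the URL.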

@elasticmachine (Collaborator)

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

botelastic bot commented Jun 11, 2024

This issue doesn't have a Team:<team> label.

@brijesh-elastic changed the title from "[filebeat][websocket] - Add support for passing query parameter in Websocket URL" to "[filebeat][websocket] - Add support for passing cursor value as query parameter in Websocket URL" on Jun 12, 2024
@ShourieG (Contributor)

Hi @brijesh-elastic, can you please expand upon the description of this enhancement request with the help of an example? It would make this feature request more descriptive for keeping track of.
