Fix up more code

* Move event to after some conditions are checked
* Use sync.OnceValues in time utils
* Add issue reference in comment

x-pack/auditbeat/processors/sessionmd/add_session_metadata.go

@@ -117,22 +117,22 @@ func (p *addSessionMetadata) enrich(ev *beat.Event) (*beat.Event, error) {
 		return nil, fmt.Errorf("pid %v not found in db: %w", pid, err)
 	}
 
-	result := ev.Clone()
-
 	processMap := fullProcess.ToMap()
 
-	if b, err := result.Fields.HasKey("process"); !b || err != nil {
+	if b, err := ev.Fields.HasKey("process"); !b || err != nil {
 		return nil, fmt.Errorf("no process field in event")
 	}
-	m, ok := tryToMapStr(result.Fields["process"])
+	m, ok := tryToMapStr(ev.Fields["process"])
 	if !ok {
 		return nil, fmt.Errorf("process field type not supported")
 	}
 
+	result := ev.Clone()
 	err = mapstr.MergeFieldsDeep(m, processMap, true)
 	if err != nil {
 		return nil, fmt.Errorf("merging enriched fields with event: %w", err)
 	}
+	result.Fields["process"] = m
 
 	if p.config.ReplaceFields {
 		if err := p.replaceFields(result); err != nil {
@@ -173,7 +173,7 @@ func pidToUInt32(value interface{}) (pid uint32, err error) {
 // The current version of session view in Kibana expects different values than what are used by auditbeat
 // for some fields. This function converts these field to have values that will work with session view.
 //
-// This function is temporary, and can be removed when Kibana is updated to work with the auditbeat field values.
+// This function is temporary, and can be removed when this Kibana issue is completed: https://github.com/elastic/kibana/issues/179396.
 func (p *addSessionMetadata) replaceFields(ev *beat.Event) error {
 	kind, err := ev.Fields.GetValue("event.kind")
 	if err != nil {

x-pack/auditbeat/processors/sessionmd/timeutils/time.go

@@ -16,26 +16,10 @@ import (
 )
 
 var (
-	bootTime       time.Time
-	ticksPerSecond uint64
-	initError      error
-	once           sync.Once
+	getBootTimeOnce       = sync.OnceValues(getBootTime)
+	getTicksPerSecondOnce = sync.OnceValues(getTicksPerSecond)
 )
 
-func initialize() {
-	var err error
-	bootTime, err = getBootTime()
-	if err != nil {
-		initError = err
-		return
-	}
-
-	ticksPerSecond, err = getTicksPerSecond()
-	if err != nil {
-		initError = err
-	}
-}
-
 func getBootTime() (time.Time, error) {
 	fs, err := procfs.NewDefaultFS()
 	if err != nil {
@@ -58,17 +42,17 @@ func getTicksPerSecond() (uint64, error) {
 }
 
 func TicksToNs(ticks uint64) uint64 {
-	once.Do(initialize)
-	if initError != nil {
+	ticksPerSecond, err := getTicksPerSecondOnce()
+	if err != nil {
 		return 0
 	}
 	return ticks * uint64(time.Second.Nanoseconds()) / ticksPerSecond
 }
 
 func TimeFromNsSinceBoot(t time.Duration) *time.Time {
-	once.Do(initialize)
-	if initError != nil {
-		return &time.Time{}
+	bootTime, err := getBootTime()
+	if err != nil {
+		return nil
 	}
 	timestamp := bootTime.Add(t)
 	return &timestamp
@@ -85,8 +69,8 @@ func TimeFromNsSinceBoot(t time.Duration) *time.Time {
 //   - We store timestamps as nanoseconds, but reduce the precision to 1/100th
 //     second
 func ReduceTimestampPrecision(timeNs uint64) time.Duration {
-	once.Do(initialize)
-	if initError != nil {
+	ticksPerSecond, err := getTicksPerSecondOnce()
+	if err != nil {
 		return 0
 	}
 	return time.Duration(timeNs).Truncate(time.Second / time.Duration(ticksPerSecond))