From 52e2b6010911cb6d2fb2f241e9362050238f40f0 Mon Sep 17 00:00:00 2001
From: Michael Wolf
Date: Thu, 28 Mar 2024 16:53:56 -0700
Subject: [PATCH] Fix up more code
* Move event to after some conditions are checked
* Use sync.OnceValues in time utils
* Add issue reference in comment
---
 .../sessionmd/add_session_metadata.go | 10 +++---
 .../processors/sessionmd/timeutils/time.go | 34 +++++--------------
 2 files changed, 14 insertions(+), 30 deletions(-)
diff --git a/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go b/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go
index 2143818ae830..50636f9d476c 100644
--- a/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go
+++ b/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go
@@ -117,22 +117,22 @@ func (p *addSessionMetadata) enrich(ev *beat.Event) (*beat.Event, error) {
 return nil, fmt.Errorf("pid %v not found in db: %w", pid, err)
 }
- result := ev.Clone()
-
 processMap := fullProcess.ToMap()
- if b, err := result.Fields.HasKey("process"); !b || err != nil {
+ if b, err := ev.Fields.HasKey("process"); !b || err != nil {
 return nil, fmt.Errorf("no process field in event")
 }
- m, ok := tryToMapStr(result.Fields["process"])
+ m, ok := tryToMapStr(ev.Fields["process"])
 if !ok {
 return nil, fmt.Errorf("process field type not supported")
 }
+ result := ev.Clone()
 err = mapstr.MergeFieldsDeep(m, processMap, true)
 if err != nil {
 return nil, fmt.Errorf("merging enriched fields with event: %w", err)
 }
+ result.Fields["process"] = m
 if p.config.ReplaceFields {
 if err := p.replaceFields(result); err != nil {
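Review bot: In enrich, the merge target `m` is read from `ev.Fields["process"]` rather than from the clone, so `mapstr.MergeFieldsDeep(m, processMap, true)` appears to write into the caller's event, and `result.Fields["process"] = m` then leaves the clone sharing that map. tryToMapStr is not visible in this hunk, so this assumes it returns the underlying map and not a copy; if that holds, the original event is altered even when a later step such as `p.replaceFields(result)` fails and the enriched copy is dropped. The early checks can stay ahead of the clone while the merge runs on the copy: after `result := ev.Clone()` add `m, _ = tryToMapStr(result.Fields["process"])`. enrich begins and ends outside the hunk.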
@@ -173,7 +173,7 @@ func pidToUInt32(value interface{}) (pid uint32, err error) {
 // The current version of session view in Kibana expects different values than what are used by auditbeat
 // for some fields. This function converts these field to have values that will work with session view.
 //
-// This function is temporary, and can be removed when Kibana is updated to work with the auditbeat field values.
+// This function is temporary, and can be removed when this Kibana issue is completed: https://github.com/elastic/kibana/issues/179396.
 func (p *addSessionMetadata) replaceFields(ev *beat.Event) error {
 kind, err := ev.Fields.GetValue("event.kind")
 if err != nil {
diff --git a/x-pack/auditbeat/processors/sessionmd/timeutils/time.go b/x-pack/auditbeat/processors/sessionmd/timeutils/time.go
index 15c62be90084..232074b4b028 100644
--- a/x-pack/auditbeat/processors/sessionmd/timeutils/time.go
+++ b/x-pack/auditbeat/processors/sessionmd/timeutils/time.go
@@ -16,26 +16,10 @@ import (
 )
 var (
- bootTime time.Time
- ticksPerSecond uint64
- initError error
- once sync.Once
+ getBootTimeOnce = sync.OnceValues(getBootTime)
+ getTicksPerSecondOnce = sync.OnceValues(getTicksPerSecond)
 )
-func initialize() {
- var err error
- bootTime, err = getBootTime()
- if err != nil {
- initError = err
- return
- }
-
- ticksPerSecond, err = getTicksPerSecond()
- if err != nil {
- initError = err
- }
-}
-
 func getBootTime() (time.Time, error) {
 fs, err := procfs.NewDefaultFS()
 if err != nil {
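Review bot: The new package variables `getBootTimeOnce` and `getTicksPerSecondOnce` carry no comment, and `sync.OnceValues` keeps whatever the first call returned, including a non-nil error, so a failed first read is never retried for the life of the process. A comment on the var block would make that explicit, for example `// Cached on first use; an error from the first call is cached too and is not retried.` The removed `sync.Once` code cached its `initError` in the same way, so this is a documentation point only.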
@@ -58,17 +42,17 @@ func getTicksPerSecond() (uint64, error) {
 }
 func TicksToNs(ticks uint64) uint64 {
- once.Do(initialize)
- if initError != nil {
+ ticksPerSecond, err := getTicksPerSecondOnce()
+ if err != nil {
 return 0
 }
 return ticks * uint64(time.Second.Nanoseconds()) / ticksPerSecond
 }
 func TimeFromNsSinceBoot(t time.Duration) *time.Time {
- once.Do(initialize)
- if initError != nil {
- return &time.Time{}
+ bootTime, err := getBootTime()
+ if err != nil {
+ return nil
 }
 timestamp := bootTime.Add(t)
 return ×tamp
@@ -85,8 +69,8 @@ func TimeFromNsSinceBoot(t time.Duration) *time.Time {
 // - We store timestamps as nanoseconds, but reduce the precision to 1/100th
 // second
 func ReduceTimestampPrecision(timeNs uint64) time.Duration {
- once.Do(initialize)
- if initError != nil {
+ ticksPerSecond, err := getTicksPerSecondOnce()
+ if err != nil {
 return 0
 }
 return time.Duration(timeNs).Truncate(time.Second / time.Duration(ticksPerSecond))
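Review bot: TimeFromNsSinceBoot calls `getBootTime()` directly, so the `getBootTimeOnce` wrapper declared in the var block is never used anywhere in this patch and the boot time is read through procfs again on every call; the line should read `bootTime, err := getBootTimeOnce()`. The failure return also changes from `&time.Time{}` to `nil`, so any caller outside this diff that dereferences the result without a nil check would now panic when the boot time cannot be read. A doc comment on the function stating that it returns nil on failure would make that contract explicit.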
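Review bot: ReduceTimestampPrecision discards the error from `getTicksPerSecondOnce()` and returns 0, which callers cannot tell apart from a genuine zero timestamp; TicksToNs in the previous hunk does the same. Both functions also divide by `ticksPerSecond`, and the body of getTicksPerSecond is not visible here, so if it can return 0 with a nil error the division would panic. A guard such as `if err != nil || ticksPerSecond == 0 { return 0 }` in both places, plus a doc-comment line saying that 0 means the tick rate was unavailable, would cover this.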