From 071873c3738888585ca003ab8cfc2056b02b70cd Mon Sep 17 00:00:00 2001 From: Njal Karevoll Date: Wed, 22 Oct 2025 23:25:24 +0200 Subject: [PATCH 01/11] feat: add Agentless Hello World integration --- .github/CODEOWNERS | 1 + .../_dev/build/build.yml | 3 + packages/agentless_hello_world/changelog.yml | 5 ++ .../generic/agent/stream/cel.yml.hbs | 36 ++++++++++ .../elasticsearch/ingest_pipeline/default.yml | 72 +++++++++++++++++++ .../generic/fields/base-fields.yml | 20 ++++++ .../data_stream/generic/fields/fields.yml | 10 +++ .../data_stream/generic/manifest.yml | 7 ++ .../data_stream/generic/sample_event.json | 4 ++ packages/agentless_hello_world/docs/README.md | 55 ++++++++++++++ packages/agentless_hello_world/img/icon.svg | 4 ++ packages/agentless_hello_world/manifest.yml | 39 ++++++++++ 12 files changed, 256 insertions(+) create mode 100644 packages/agentless_hello_world/_dev/build/build.yml create mode 100644 packages/agentless_hello_world/changelog.yml create mode 100644 packages/agentless_hello_world/data_stream/generic/agent/stream/cel.yml.hbs create mode 100644 packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml create mode 100644 packages/agentless_hello_world/data_stream/generic/fields/base-fields.yml create mode 100644 packages/agentless_hello_world/data_stream/generic/fields/fields.yml create mode 100644 packages/agentless_hello_world/data_stream/generic/manifest.yml create mode 100644 packages/agentless_hello_world/data_stream/generic/sample_event.json create mode 100644 packages/agentless_hello_world/docs/README.md create mode 100644 packages/agentless_hello_world/img/icon.svg create mode 100644 packages/agentless_hello_world/manifest.yml diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 64162c95c46..48a7c5626e5 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS 
@@ -13,6 +13,7 @@ /packages/abnormal_security @elastic/security-service-integrations /packages/activemq @elastic/obs-infraobs-integrations /packages/admin_by_request_epm @elastic/security-service-integrations +/packages/agentless_hello_world @elastic/agentless-team /packages/airflow @elastic/obs-infraobs-integrations /packages/airlock_digital @elastic/security-service-integrations /packages/akamai @elastic/security-service-integrations diff --git a/packages/agentless_hello_world/_dev/build/build.yml b/packages/agentless_hello_world/_dev/build/build.yml new file mode 100644 index 00000000000..ccab51f7b80 --- /dev/null +++ b/packages/agentless_hello_world/_dev/build/build.yml @@ -0,0 +1,3 @@ +dependencies: + ecs: + reference: git@8.11.0 diff --git a/packages/agentless_hello_world/changelog.yml b/packages/agentless_hello_world/changelog.yml new file mode 100644 index 00000000000..8315f3761c1 --- /dev/null +++ b/packages/agentless_hello_world/changelog.yml @@ -0,0 +1,5 @@ +- version: "0.1.0" + changes: + - description: Initial release. + type: enhancement + link: https://github.com/elastic/integrations/pull/xxxxx diff --git a/packages/agentless_hello_world/data_stream/generic/agent/stream/cel.yml.hbs b/packages/agentless_hello_world/data_stream/generic/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..594344b6cdb --- /dev/null +++ b/packages/agentless_hello_world/data_stream/generic/agent/stream/cel.yml.hbs 
@@ -0,0 +1,36 @@ +config_version: 2 +interval: 1m +resource.url: https://epr.elastic.co +program: | + request("GET", "https://epr.elastic.co") + .do_request() + .as(resp, resp.StatusCode == 200 ? + { + "events": [{ + "message": { + "state": "ok", + "result": bytes(resp.Body).decode_json() + }.encode_json() + }] + } + : + { + "events": [{ + "message": { + "state": "error", + "error": { + "code": string(resp.StatusCode), + "message": "GET: https://epr.elastic.co - " + ( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + " (" + string(resp.StatusCode) + ")" + ) + } + }.encode_json() + }] + } + ) +tags: + - agentless-hello-world +publisher_pipeline.disable_host: true diff --git a/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml b/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..0090bd6ac75 --- /dev/null +++ b/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,72 @@ +--- +description: Pipeline for processing Agentless Hello World generic logs. +processors: + - set: + field: ecs.version + value: '8.11.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + if: ctx.event?.original == null + - json: + field: event.original + target_field: json + ignore_failure: true + - rename: + field: json.state + target_field: agentless_hello_world.generic.state + ignore_missing: true + - rename: + field: json.result + target_field: agentless_hello_world.generic.result + ignore_missing: true + - set: + field: event.kind + value: event + - set: + field: event.type + value: [info] + - set: + field: event.category + value: [web] + - remove: + field: json + ignore_missing: true + - remove: + field: message + if: ctx.event?.original != null + ignore_missing: true + - remove: + field: event.original + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + ignore_failure: true + ignore_missing: true + - script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/agentless_hello_world/data_stream/generic/fields/base-fields.yml b/packages/agentless_hello_world/data_stream/generic/fields/base-fields.yml new file mode 100644 index 00000000000..beadce477ee --- /dev/null +++ b/packages/agentless_hello_world/data_stream/generic/fields/base-fields.yml 
@@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: agentless_hello_world +- name: event.dataset + type: constant_keyword + description: Event dataset + value: agentless_hello_world.generic +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/agentless_hello_world/data_stream/generic/fields/fields.yml b/packages/agentless_hello_world/data_stream/generic/fields/fields.yml new file mode 100644 index 00000000000..e7f944a5030 --- /dev/null +++ b/packages/agentless_hello_world/data_stream/generic/fields/fields.yml @@ -0,0 +1,10 @@ +- name: agentless_hello_world.generic + type: group + fields: + - name: state + type: keyword + description: State of the request (always "ok"). + - name: result + type: object + object_type: keyword + description: The JSON response from the EPR endpoint. diff --git a/packages/agentless_hello_world/data_stream/generic/manifest.yml b/packages/agentless_hello_world/data_stream/generic/manifest.yml new file mode 100644 index 00000000000..0f46f62a93e --- /dev/null +++ b/packages/agentless_hello_world/data_stream/generic/manifest.yml @@ -0,0 +1,7 @@ +title: Generic logs +type: logs +streams: + - input: cel + title: Generic logs + description: Collect generic logs from EPR endpoint. + template_path: cel.yml.hbs diff --git a/packages/agentless_hello_world/data_stream/generic/sample_event.json b/packages/agentless_hello_world/data_stream/generic/sample_event.json new file mode 100644 index 00000000000..e2fd0e3cd85 --- /dev/null +++ b/packages/agentless_hello_world/data_stream/generic/sample_event.json 
@@ -0,0 +1,4 @@ +{ + "message": "{\"state\":\"ok\",\"result\":{\"service\":\"package-registry\",\"version\":\"1.0.0\"}}", + "@timestamp": "2025-10-22T12:00:00.000Z" +} diff --git a/packages/agentless_hello_world/docs/README.md b/packages/agentless_hello_world/docs/README.md new file mode 100644 index 00000000000..739073fa7f1 --- /dev/null +++ b/packages/agentless_hello_world/docs/README.md 
@@ -0,0 +1,55 @@ +# Agentless Hello World + +This is a sample integration designed to exercise the Agentless infrastructure. It periodically fetches data from `https://epr.elastic.co` every minute to demonstrate basic agentless functionality. + +## Overview + +The Agentless Hello World integration is a minimal example that: +- Fetches data from the Elastic Package Registry (EPR) endpoint +- Runs every 1 minute +- Requires no user configuration + +## Configuration + +This integration requires no configuration from the user. All settings are pre-configured: +- **Endpoint**: `https://epr.elastic.co` +- **Interval**: 1 minute +- **Deployment mode**: Agentless by default + +## Data Collection + +The integration makes HTTP GET requests to `https://epr.elastic.co` and stores: +- **state**: Always set to "ok" for successful requests +- **result**: The JSON response body from the EPR endpoint + +## Requirements + +### Agentless-enabled integration + +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. + +## Logs + +### Generic + +The generic data stream collects responses from the EPR endpoint. 
+ +**ECS Field Reference** + +Please refer to the following document for detailed information on ECS fields: +- [Elastic Common Schema](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html) + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| agentless_hello_world.generic.result | The JSON response from the EPR endpoint. | object | +| agentless_hello_world.generic.state | State of the request (always "ok"). | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | diff --git a/packages/agentless_hello_world/img/icon.svg b/packages/agentless_hello_world/img/icon.svg new file mode 100644 index 00000000000..e8ba72b6c85 --- /dev/null +++ b/packages/agentless_hello_world/img/icon.svg @@ -0,0 +1,4 @@ + + + AH + diff --git a/packages/agentless_hello_world/manifest.yml b/packages/agentless_hello_world/manifest.yml new file mode 100644 index 00000000000..c2dfd9a8a88 --- /dev/null +++ b/packages/agentless_hello_world/manifest.yml 
@@ -0,0 +1,39 @@ +format_version: 3.3.2 +name: agentless_hello_world +title: Agentless Hello World +version: "0.1.0" +description: A sample integration to exercise the Agentless infrastructure by fetching https://epr.elastic.co every minute. +type: integration +categories: + - observability +conditions: + kibana: + version: "^8.18.0 || ^9.0.0" + elastic: + subscription: "basic" +icons: + - src: /img/icon.svg + title: Agentless Hello World + size: 32x32 + type: image/svg+xml +policy_templates: + - name: agentless_hello_world + title: Agentless Hello World + description: Collect data from EPR endpoint every minute. + deployment_modes: + default: + enabled: true + agentless: + enabled: true + is_default: true + organization: observability + division: engineering + team: agentless-team + inputs: + - type: cel + title: Collect data from EPR endpoint + description: Fetches https://epr.elastic.co every minute. + vars: [] +owner: + github: elastic/agentless-team + type: elastic From 062af80afe3f9469c5ded12af30b6b184c6f4251 Mon Sep 17 00:00:00 2001 From: Njal Karevoll Date: Wed, 22 Oct 2025 23:26:34 +0200 Subject: [PATCH 02/11] fix: update pull request link in changelog for initial release --- packages/agentless_hello_world/changelog.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/agentless_hello_world/changelog.yml b/packages/agentless_hello_world/changelog.yml index 8315f3761c1..b6fa3dcc418 100644 --- a/packages/agentless_hello_world/changelog.yml +++ b/packages/agentless_hello_world/changelog.yml @@ -2,4 +2,4 @@ changes: - description: Initial release. type: enhancement - link: https://github.com/elastic/integrations/pull/xxxxx + link: https://github.com/elastic/integrations/pull/15729 From 48a3802c7560ac5d7d72d8f4a060bd9caea52ac7 Mon Sep 17 00:00:00 2001 
From: Njal Karevoll Date: Wed, 22 Oct 2025 23:48:16 +0200 Subject: [PATCH 03/11] fix ecs reference --- packages/agentless_hello_world/_dev/build/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/agentless_hello_world/_dev/build/build.yml b/packages/agentless_hello_world/_dev/build/build.yml index ccab51f7b80..e2b012548e0 100644 --- a/packages/agentless_hello_world/_dev/build/build.yml +++ b/packages/agentless_hello_world/_dev/build/build.yml @@ -1,3 +1,3 @@ dependencies: ecs: - reference: git@8.11.0 + reference: git@v8.11.0 From c8daacfb1a066a9fff2abcba94915b6f55cb140f Mon Sep 17 00:00:00 2001 From: Njal Karevoll Date: Thu, 23 Oct 2025 00:36:14 +0200 Subject: [PATCH 04/11] add pipeline test --- .../_dev/test/pipeline/test-hello-world.json | 13 +++++++++ .../test-hello-world.json-expected.json | 27 +++++++++++++++++++ .../elasticsearch/ingest_pipeline/default.yml | 8 ++---- 3 files changed, 42 insertions(+), 6 deletions(-) create mode 100644 packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json create mode 100644 packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json-expected.json diff --git a/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json b/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json new file mode 100644 index 00000000000..7d133572696 --- /dev/null +++ b/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json @@ -0,0 +1,13 @@ +{ + "events": [ + { + "message": { + "state": "ok", + "result": { + "service": "package-registry", + "version": "1.0.0" + } + } + } + ] +} 
diff --git a/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json-expected.json b/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json-expected.json new file mode 100644 index 00000000000..6effd85fe0f --- /dev/null +++ b/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json-expected.json @@ -0,0 +1,27 @@ +{ + "expected": [ + { + "agentless_hello_world": { + "generic": { + "result": { + "service": "package-registry", + "version": "1.0.0" + }, + "state": "ok" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web" + ], + "kind": "event", + "type": [ + "info" + ] + } + } + ] +} diff --git a/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml b/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml index 0090bd6ac75..bdf4bbedf23 100644 --- a/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml +++ b/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml @@ -9,16 +9,12 @@ processors: target_field: event.original ignore_missing: true if: ctx.event?.original == null - - json: - field: event.original - target_field: json - ignore_failure: true - rename: - field: json.state + field: event.original.state target_field: agentless_hello_world.generic.state ignore_missing: true - rename: - field: json.result + field: event.original.result target_field: agentless_hello_world.generic.result ignore_missing: true - set: From 0d69977114a0e3f6b46d02431ae1f47ce10d970e Mon Sep 17 00:00:00 2001 
From: Njal Karevoll Date: Thu, 23 Oct 2025 03:11:51 +0200 Subject: [PATCH 05/11] add pipeline and system tests --- .../_dev/deploy/docker/config.yml | 10 +++ .../_dev/deploy/docker/docker-compose.yml | 14 ++++ .../_dev/test/pipeline/test-hello-world.json | 8 +- .../pipeline/test-hello-world.json-config.yml | 1 + .../test-hello-world.json-expected.json | 4 +- .../_dev/test/system/test-default-config.yml | 7 ++ .../generic/agent/stream/cel.yml.hbs | 10 ++- .../elasticsearch/ingest_pipeline/default.yml | 30 +++++--- .../generic/fields/base-fields.yml | 3 + .../data_stream/generic/fields/fields.yml | 8 +- .../data_stream/generic/manifest.yml | 8 ++ .../data_stream/generic/sample_event.json | 77 ++++++++++++++++++- 12 files changed, 150 insertions(+), 30 deletions(-) create mode 100644 packages/agentless_hello_world/_dev/deploy/docker/config.yml create mode 100644 packages/agentless_hello_world/_dev/deploy/docker/docker-compose.yml create mode 100644 packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json-config.yml create mode 100644 packages/agentless_hello_world/data_stream/generic/_dev/test/system/test-default-config.yml diff --git a/packages/agentless_hello_world/_dev/deploy/docker/config.yml b/packages/agentless_hello_world/_dev/deploy/docker/config.yml new file mode 100644 index 00000000000..f002bb7da7f --- /dev/null +++ b/packages/agentless_hello_world/_dev/deploy/docker/config.yml @@ -0,0 +1,10 @@ +rules: + - path: / + methods: ["GET"] + responses: + - status_code: 200 + headers: + Content-Type: + - "application/json" + body: |- + {"service.name":"package-registry","service.version":"1.0.0"} diff --git a/packages/agentless_hello_world/_dev/deploy/docker/docker-compose.yml b/packages/agentless_hello_world/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..c8e15dfedfa --- /dev/null +++ b/packages/agentless_hello_world/_dev/deploy/docker/docker-compose.yml 
@@ -0,0 +1,14 @@ +services: + epr_mock: + image: docker.elastic.co/observability/stream:v0.18.0 + hostname: epr_mock + ports: + - 8080 + volumes: + - ./config.yml:/config.yml + environment: + PORT: "8080" + command: + - http-server + - --addr=:8080 + - --config=/config.yml diff --git a/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json b/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json index 7d133572696..1a4514d5794 100644 --- a/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json +++ b/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json @@ -1,13 +1,7 @@ { "events": [ { - "message": { - "state": "ok", - "result": { - "service": "package-registry", - "version": "1.0.0" - } - } + "message": "{\"state\":\"ok\",\"result\":{\"service.name\":\"package-registry\",\"service.version\":\"1.0.0\"}}" } ] } diff --git a/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json-config.yml b/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json-config.yml new file mode 100644 index 00000000000..1a2c171ee45 --- /dev/null +++ b/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json-config.yml @@ -0,0 +1 @@ +fields: {} diff --git a/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json-expected.json b/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json-expected.json index 6effd85fe0f..d43d07c8a98 100644 --- a/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json-expected.json +++ b/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json-expected.json 
@@ -4,8 +4,8 @@ "agentless_hello_world": { "generic": { "result": { - "service": "package-registry", - "version": "1.0.0" + "service.name": "package-registry", + "service.version": "1.0.0" }, "state": "ok" } diff --git a/packages/agentless_hello_world/data_stream/generic/_dev/test/system/test-default-config.yml b/packages/agentless_hello_world/data_stream/generic/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..4fe2e5d14a0 --- /dev/null +++ b/packages/agentless_hello_world/data_stream/generic/_dev/test/system/test-default-config.yml @@ -0,0 +1,7 @@ +input: cel +service: epr_mock +data_stream: + vars: + url: http://{{Hostname}}:{{Port}} +assert: + hit_count: 1 diff --git a/packages/agentless_hello_world/data_stream/generic/agent/stream/cel.yml.hbs b/packages/agentless_hello_world/data_stream/generic/agent/stream/cel.yml.hbs index 594344b6cdb..c61dd5ef857 100644 --- a/packages/agentless_hello_world/data_stream/generic/agent/stream/cel.yml.hbs +++ b/packages/agentless_hello_world/data_stream/generic/agent/stream/cel.yml.hbs @@ -1,8 +1,11 @@ config_version: 2 interval: 1m -resource.url: https://epr.elastic.co +resource.timeout: 15 +resource.url: "{{url}}" +state: + url: "{{url}}" program: | - request("GET", "https://epr.elastic.co") + request("GET", state.url) .do_request() .as(resp, resp.StatusCode == 200 ? { @@ -20,7 +23,7 @@ program: | "state": "error", "error": { "code": string(resp.StatusCode), - "message": "GET: https://epr.elastic.co - " + ( + "message": "GET: " + state.url + " - " + ( size(resp.Body) != 0 ? string(resp.Body) : @@ -32,5 +35,6 @@ program: | } ) tags: + - preserve_original_event - agentless-hello-world publisher_pipeline.disable_host: true diff --git a/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml b/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml index bdf4bbedf23..1b5fb3e1bfa 100644 
--- a/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml +++ b/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml @@ -9,14 +9,16 @@ processors: target_field: event.original ignore_missing: true if: ctx.event?.original == null - - rename: - field: event.original.state - target_field: agentless_hello_world.generic.state - ignore_missing: true - - rename: - field: event.original.result - target_field: agentless_hello_world.generic.result - ignore_missing: true + - json: + field: event.original + target_field: agentless_hello_world.generic + on_failure: + - set: + field: error.type + value: "json_parse_error" + - set: + field: error.message + value: "{{{ _ingest.on_failure_message }}}" - set: field: event.kind value: event @@ -26,9 +28,6 @@ processors: - set: field: event.category value: [web] - - remove: - field: json - ignore_missing: true - remove: field: message if: ctx.event?.original != null @@ -64,5 +63,12 @@ processors: handleMap(ctx); on_failure: - set: + field: event.kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + - append: field: error.message - value: '{{ _ingest.on_failure_message }}' + value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/agentless_hello_world/data_stream/generic/fields/base-fields.yml b/packages/agentless_hello_world/data_stream/generic/fields/base-fields.yml index beadce477ee..d40ecbe868b 100644 --- a/packages/agentless_hello_world/data_stream/generic/fields/base-fields.yml +++ b/packages/agentless_hello_world/data_stream/generic/fields/base-fields.yml @@ -1,3 +1,6 @@ +- name: input.type + type: keyword + description: Input type - name: data_stream.type type: constant_keyword description: Data stream type. 
diff --git a/packages/agentless_hello_world/data_stream/generic/fields/fields.yml b/packages/agentless_hello_world/data_stream/generic/fields/fields.yml index e7f944a5030..43a3381bbd2 100644 --- a/packages/agentless_hello_world/data_stream/generic/fields/fields.yml +++ b/packages/agentless_hello_world/data_stream/generic/fields/fields.yml @@ -4,7 +4,7 @@ - name: state type: keyword description: State of the request (always "ok"). - - name: result - type: object - object_type: keyword - description: The JSON response from the EPR endpoint. + - name: result.service.name + type: keyword + - name: result.service.version + type: keyword \ No newline at end of file diff --git a/packages/agentless_hello_world/data_stream/generic/manifest.yml b/packages/agentless_hello_world/data_stream/generic/manifest.yml index 0f46f62a93e..81b14f4e916 100644 --- a/packages/agentless_hello_world/data_stream/generic/manifest.yml +++ b/packages/agentless_hello_world/data_stream/generic/manifest.yml @@ -5,3 +5,11 @@ streams: title: Generic logs description: Collect generic logs from EPR endpoint. template_path: cel.yml.hbs + vars: + - name: url + type: text + title: EPR URL + description: URL of the EPR endpoint (internal use only, for testing) + default: https://epr.elastic.co + required: false + show_user: false diff --git a/packages/agentless_hello_world/data_stream/generic/sample_event.json b/packages/agentless_hello_world/data_stream/generic/sample_event.json index e2fd0e3cd85..b6117b5c6dc 100644 --- a/packages/agentless_hello_world/data_stream/generic/sample_event.json +++ b/packages/agentless_hello_world/data_stream/generic/sample_event.json 
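Review bot: The `url` variable added under the stream's `vars` is hidden (`show_user: false`) and described as internal, but nothing in the hunk constrains its value, and a hidden variable can still be set through the policy API; since it is interpolated straight into `resource.url` and `state.url` in cel.yml.hbs, the agentless collector will fetch whatever endpoint the policy names. If the package-spec version in use supports it, declare it as `type: url` with `url_allowed_schemes: [https]` (I have not verified which spec version introduced that type); otherwise state the trust assumption in the `description`, e.g. `description: URL the collector fetches each interval; not validated, intended for test harnesses only`. The stream entry these vars belong to starts outside this hunk.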
@@ -1,4 +1,77 @@ { - "message": "{\"state\":\"ok\",\"result\":{\"service\":\"package-registry\",\"version\":\"1.0.0\"}}", - "@timestamp": "2025-10-22T12:00:00.000Z" + "@timestamp": "2025-10-23T01:10:29.025Z", + "agent": { + "ephemeral_id": "c5f24e17-6df9-4064-a794-a0f44b8fa5f0", + "id": "32683580-4724-4c15-beac-63a6da97cbc1", + "name": "elastic-agent-57960", + "type": "filebeat", + "version": "9.1.3" + }, + "agentless_hello_world": { + "generic": { + "result": { + "service": { + "name": "package-registry", + "version": "1.0.0" + } + }, + "state": "ok" + } + }, + "data_stream": { + "dataset": "agentless_hello_world.generic", + "namespace": "55019", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "32683580-4724-4c15-beac-63a6da97cbc1", + "snapshot": false, + "version": "9.1.3" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "web" + ], + "dataset": "agentless_hello_world.generic", + "ingested": "2025-10-23T01:10:32Z", + "kind": "event", + "module": "agentless_hello_world", + "original": "{\"result\":{\"service.name\":\"package-registry\",\"service.version\":\"1.0.0\"},\"state\":\"ok\"}", + "type": [ + "info" + ] + }, + "host": { + "architecture": "aarch64", + "containerized": false, + "hostname": "elastic-agent-57960", + "ip": [ + "172.30.0.2", + "172.18.0.4" + ], + "mac": [ + "36-86-7D-0B-56-14", + "36-89-96-33-5A-DF" + ], + "name": "elastic-agent-57960", + "os": { + "family": "", + "kernel": "6.10.14-linuxkit", + "name": "Wolfi", + "platform": "wolfi", + "type": "linux", + "version": "20230201" + } + }, + "input": { + "type": "cel" + }, + "tags": [ + "preserve_original_event", + "agentless-hello-world" + ] } From 4a8bdf2c7d7e2c8b8bb7b8d48fc1c6abc8e43680 Mon Sep 17 00:00:00 2001 
From: Njal Karevoll Date: Thu, 23 Oct 2025 09:44:44 +0200 Subject: [PATCH 06/11] Update packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml Co-authored-by: Andrew Kroh --- .../generic/elasticsearch/ingest_pipeline/default.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml b/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml index 1b5fb3e1bfa..601510a1dff 100644 --- a/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml +++ b/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml @@ -3,7 +3,7 @@ description: Pipeline for processing Agentless Hello World generic logs. processors: - set: field: ecs.version - value: '8.11.0' + value: '9.1.0' - rename: field: message target_field: event.original From 8b39cac7cfd506753488e8766c189da19020e527 Mon Sep 17 00:00:00 2001 From: Njal Karevoll Date: Thu, 23 Oct 2025 09:44:55 +0200 Subject: [PATCH 07/11] Update packages/agentless_hello_world/_dev/build/build.yml Co-authored-by: Andrew Kroh --- packages/agentless_hello_world/_dev/build/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/agentless_hello_world/_dev/build/build.yml b/packages/agentless_hello_world/_dev/build/build.yml index e2b012548e0..d9a27e2caef 100644 --- a/packages/agentless_hello_world/_dev/build/build.yml +++ b/packages/agentless_hello_world/_dev/build/build.yml @@ -1,3 +1,3 @@ dependencies: ecs: - reference: git@v8.11.0 + reference: git@v9.1.0 From ac4b894027e42e9b083c1b3f987c96b9659b90a3 Mon Sep 17 00:00:00 2001 
From: Njal Karevoll Date: Thu, 23 Oct 2025 13:28:53 +0200 Subject: [PATCH 08/11] only store the status code --- .../_dev/deploy/docker/config.yml | 4 +-- .../_dev/test/pipeline/test-hello-world.json | 2 +- .../test-hello-world.json-expected.json | 8 ++--- .../generic/agent/stream/cel.yml.hbs | 36 ++++--------------- .../elasticsearch/ingest_pipeline/default.yml | 26 +++++++++----- .../data_stream/generic/fields/fields.yml | 10 ++---- .../data_stream/generic/sample_event.json | 34 +++++++----------- packages/agentless_hello_world/docs/README.md | 6 ++-- 8 files changed, 47 insertions(+), 79 deletions(-) diff --git a/packages/agentless_hello_world/_dev/deploy/docker/config.yml b/packages/agentless_hello_world/_dev/deploy/docker/config.yml index f002bb7da7f..c42828457ff 100644 --- a/packages/agentless_hello_world/_dev/deploy/docker/config.yml +++ b/packages/agentless_hello_world/_dev/deploy/docker/config.yml @@ -2,9 +2,9 @@ rules: - path: / methods: ["GET"] responses: - - status_code: 200 + - status_code: 418 headers: Content-Type: - "application/json" body: |- - {"service.name":"package-registry","service.version":"1.0.0"} + {"this_is": "ignored"} diff --git a/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json b/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json index 1a4514d5794..8c7ded3486a 100644 --- a/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json +++ b/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json @@ -1,7 +1,7 @@ { "events": [ { - "message": "{\"state\":\"ok\",\"result\":{\"service.name\":\"package-registry\",\"service.version\":\"1.0.0\"}}" + "message": "{\"status_code\":200}" } ] } 
diff --git a/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json-expected.json b/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json-expected.json index d43d07c8a98..2eba7de4248 100644 --- a/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json-expected.json +++ b/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json-expected.json @@ -3,15 +3,11 @@ { "agentless_hello_world": { "generic": { - "result": { - "service.name": "package-registry", - "service.version": "1.0.0" - }, - "state": "ok" + "status_code": 200 } }, "ecs": { - "version": "8.11.0" + "version": "9.1.0" }, "event": { "category": [ diff --git a/packages/agentless_hello_world/data_stream/generic/agent/stream/cel.yml.hbs b/packages/agentless_hello_world/data_stream/generic/agent/stream/cel.yml.hbs index c61dd5ef857..c7f7a6a7b8b 100644 --- a/packages/agentless_hello_world/data_stream/generic/agent/stream/cel.yml.hbs +++ b/packages/agentless_hello_world/data_stream/generic/agent/stream/cel.yml.hbs @@ -1,40 +1,18 @@ config_version: 2 -interval: 1m -resource.timeout: 15 +interval: 20s +resource.timeout: 15s resource.url: "{{url}}" state: url: "{{url}}" program: | request("GET", state.url) .do_request() - .as(resp, resp.StatusCode == 200 ? - { + .as(resp, { "events": [{ - "message": { - "state": "ok", - "result": bytes(resp.Body).decode_json() - }.encode_json() + "message": { + "status_code": resp.StatusCode + }.encode_json() }] - } - : - { - "events": [{ - "message": { - "state": "error", - "error": { - "code": string(resp.StatusCode), - "message": "GET: " + state.url + " - " + ( - size(resp.Body) != 0 ? - string(resp.Body) - : - string(resp.Status) + " (" + string(resp.StatusCode) + ")" - ) - } - }.encode_json() - }] - } - ) + }) tags: - - preserve_original_event - agentless-hello-world -publisher_pipeline.disable_host: true 
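Review bot: The removal of `publisher_pipeline.disable_host: true` at the end of the cel.yml.hbs hunk is not explained by the commit message (`only store the status code`), and it changes what metadata the collector attaches to each document. The sample_event.json regenerated in patch 05 already carried `host.ip`/`host.mac` of the agentless container with the setting in place, so I can't tell from this series what the setting actually suppressed here; if the intent is to let host metadata through, say so in the message, otherwise keep the line. A one-line comment above the setting (or its absence) naming the decision would spare the next reader the same question.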
diff --git a/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml b/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml
index 601510a1dff..01d5c3d29cd 100644
--- a/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml
@@ -4,6 +4,19 @@ processors: - set: field: ecs.version value: '9.1.0' + - remove: + field: + - organization + - division + - team + ignore_missing: true + if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String + tag: remove_agentless_tags + description: >- + Removes the fields added by Agentless as metadata, as they can collide with ECS fields. + - terminate: + tag: data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null - rename: field: message target_field: event.original
@@ -28,10 +41,6 @@ processors: - set: field: event.category value: [web] - - remove: - field: message - if: ctx.event?.original != null - ignore_missing: true - remove: field: event.original if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
@@ -65,10 +74,9 @@ on_failure: - set: field: event.kind value: pipeline_error - - append: - field: tags - value: preserve_original_event - allow_duplicates: false - append: field: error.message - value: '{{{ _ingest.on_failure_message }}}' + value: >- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{/_ingest.on_failure_processor_tag}}failed with message '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/agentless_hello_world/data_stream/generic/fields/fields.yml b/packages/agentless_hello_world/data_stream/generic/fields/fields.yml
index 43a3381bbd2..a21c3526dbe 100644
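Review bot: The `remove` added in the first hunk for `organization`, `division` and `team` only fires when all three are strings at the same time, so if Agentless sets only a subset, or one of them with a non-string value, none of them is removed and a string-valued `organization` still collides with the ECS `organization` object that the description warns about. If these three are always set together this is harmless, but evaluating each field on its own is easier to reason about and avoids a document being rejected over a mapping conflict; the rewrite below does that. The `terminate` that follows it runs before `event.kind` is set, so documents carrying `error.message` from the input are indexed without `event.kind` or `event.category`; if that is intended, saying so in its `description` would help the next reader. The `processors` list continues past both ends of the hunk.
```yaml
  - remove:
      field: organization
      ignore_missing: true
      if: ctx.organization instanceof String
      tag: remove_agentless_organization
      description: Removes the Agentless metadata field when it is a plain string that would collide with the ECS organization object.
  - remove:
      field: division
      ignore_missing: true
      if: ctx.division instanceof String
      tag: remove_agentless_division
  - remove:
      field: team
      ignore_missing: true
      if: ctx.team instanceof String
      tag: remove_agentless_team
  # … unchanged: terminate processor and the rest of the chain …
```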
--- a/packages/agentless_hello_world/data_stream/generic/fields/fields.yml
+++ b/packages/agentless_hello_world/data_stream/generic/fields/fields.yml
@@ -1,10 +1,6 @@ - name: agentless_hello_world.generic type: group fields: - - name: state - type: keyword - description: State of the request (always "ok"). - - name: result.service.name - type: keyword - - name: result.service.version - type: keyword \ No newline at end of file + - name: status_code + type: long + description: HTTP Status Code
diff --git a/packages/agentless_hello_world/data_stream/generic/sample_event.json b/packages/agentless_hello_world/data_stream/generic/sample_event.json
index b6117b5c6dc..a7f4fa78a4b 100644
--- a/packages/agentless_hello_world/data_stream/generic/sample_event.json
+++ b/packages/agentless_hello_world/data_stream/generic/sample_event.json
@@ -1,33 +1,27 @@ { - "@timestamp": "2025-10-23T01:10:29.025Z", + "@timestamp": "2025-10-23T11:25:00.349Z", "agent": { - "ephemeral_id": "c5f24e17-6df9-4064-a794-a0f44b8fa5f0", - "id": "32683580-4724-4c15-beac-63a6da97cbc1", - "name": "elastic-agent-57960", + "ephemeral_id": "2f0402ea-00e1-47fa-944c-1e34d91fdc2f", + "id": "0909c464-2093-4f85-8bf7-b11593587146", + "name": "elastic-agent-93305", "type": "filebeat", "version": "9.1.3" }, "agentless_hello_world": { "generic": { - "result": { - "service": { - "name": "package-registry", - "version": "1.0.0" - } - }, - "state": "ok" + "status_code": 418 } }, "data_stream": { "dataset": "agentless_hello_world.generic", - "namespace": "55019", + "namespace": "88559", "type": "logs" }, "ecs": { - "version": "8.11.0" + "version": "9.1.0" }, "elastic_agent": { - "id": "32683580-4724-4c15-beac-63a6da97cbc1", + "id": "0909c464-2093-4f85-8bf7-b11593587146", "snapshot": false, "version": "9.1.3" },
@@ -37,10 +31,9 @@ "web" ], "dataset": "agentless_hello_world.generic", - "ingested": "2025-10-23T01:10:32Z", + "ingested": "2025-10-23T11:25:03Z", "kind": "event", "module": "agentless_hello_world", - "original": "{\"result\":{\"service.name\":\"package-registry\",\"service.version\":\"1.0.0\"},\"state\":\"ok\"}", "type": [ "info" ]
@@ -48,16 +41,16 @@ "host": { "architecture": "aarch64", "containerized": false, - "hostname": "elastic-agent-57960", + "hostname": "elastic-agent-93305", "ip": [ "172.30.0.2", "172.18.0.4" ], "mac": [ - "36-86-7D-0B-56-14", - "36-89-96-33-5A-DF" + "36-F7-E4-8A-31-61", + "B2-C0-07-A9-21-9B" ], - "name": "elastic-agent-57960", + "name": "elastic-agent-93305", "os": { "family": "", "kernel": "6.10.14-linuxkit",
@@ -71,7 +64,6 @@ "type": "cel" }, "tags": [ - "preserve_original_event", "agentless-hello-world" ] }
diff --git a/packages/agentless_hello_world/docs/README.md b/packages/agentless_hello_world/docs/README.md
index 739073fa7f1..e400b080988 100644
--- a/packages/agentless_hello_world/docs/README.md
+++ b/packages/agentless_hello_world/docs/README.md
@@ -19,8 +19,7 @@ This integration requires no configuration from the user. All settings are pre-c ## Data Collection The integration makes HTTP GET requests to `https://epr.elastic.co` and stores: -- **state**: Always set to "ok" for successful requests -- **result**: The JSON response body from the EPR endpoint +- **status_code**: HTTP Status Code for the response. ## Requirements
@@ -46,8 +45,7 @@ Please refer to the following document for detailed information on ECS fields: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| agentless_hello_world.generic.result | The JSON response from the EPR endpoint. | object | -| agentless_hello_world.generic.state | State of the request (always "ok"). | keyword | +| agentless_hello_world.generic.status_code | The HTTP Status Code of the response. | long | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword |
From 0c4599ea70761d750d5ea4a65b2fcacc39185941 Mon Sep 17 00:00:00 2001
From: Njal Karevoll
Date: Thu, 23 Oct 2025 16:49:04 +0200
Subject: [PATCH 09/11] remove message field
---
.../generic/elasticsearch/ingest_pipeline/default.yml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml b/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml
index 01d5c3d29cd..4b97edf83de 100644
--- a/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml
@@ -22,6 +22,12 @@ processors: target_field: event.original ignore_missing: true if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null - json: field: event.original target_field: agentless_hello_world.generic
From 62fdfe8cdc9f73800c34a435bff19101bd8d9b3e Mon Sep 17 00:00:00 2001
From: Njal Karevoll
Date: Mon, 10 Nov 2025 11:34:44 +0100
Subject: [PATCH 10/11] Use external:ecs in packages/agentless_hello_world/data_stream/generic/fields/base-fields.yml
Co-authored-by: Andrew Kroh
---
.../data_stream/generic/fields/base-fields.yml | 18 +++++++-----------
1 file changed, 7 insertions(+), 11 deletions(-)
diff --git a/packages/agentless_hello_world/data_stream/generic/fields/base-fields.yml b/packages/agentless_hello_world/data_stream/generic/fields/base-fields.yml
index d40ecbe868b..d8d9ff14699 100644
--- a/packages/agentless_hello_world/data_stream/generic/fields/base-fields.yml
+++ b/packages/agentless_hello_world/data_stream/generic/fields/base-fields.yml
@@ -2,22 +2,18 @@ type: keyword description: Input type - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: event.module type: constant_keyword - description: Event module + external: ecs value: agentless_hello_world - name: event.dataset type: constant_keyword - description: Event dataset + external: ecs value: agentless_hello_world.generic -- name: '@timestamp' - type: date - description: Event timestamp. +- name: "@timestamp" + external: ecs
From 4067de0a34547bba493c7214d9985384ca5a0e19 Mon Sep 17 00:00:00 2001
From: Njal Karevoll
Date: Mon, 10 Nov 2025 11:49:07 +0100
Subject: [PATCH 11/11] use http.response.status_code directly
---
.../_dev/test/pipeline/test-hello-world.json | 6 +++++-
.../test-hello-world.json-expected.json | 4 ++--
.../generic/agent/stream/cel.yml.hbs | 6 ++++--
.../elasticsearch/ingest_pipeline/default.yml | 21 -------------------
.../data_stream/generic/fields/fields.yml | 8 ++-----
.../data_stream/generic/sample_event.json | 10 ++++-----
6 files changed, 18 insertions(+), 37 deletions(-)
diff --git a/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json b/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json
index 8c7ded3486a..08a5836cebc 100644
--- a/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json
+++ b/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json
@@ -1,7 +1,11 @@ { "events": [ { - "message": "{\"status_code\":200}" + "http": { + "response": { + "status_code": 200 + } + } } ] }
diff --git a/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json-expected.json b/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json-expected.json
index 2eba7de4248..13ff7dea097 100644
--- a/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json-expected.json
+++ b/packages/agentless_hello_world/data_stream/generic/_dev/test/pipeline/test-hello-world.json-expected.json
@@ -1,8 +1,8 @@ { "expected": [ { - "agentless_hello_world": { - "generic": { + "http": { + "response": { "status_code": 200 } },
diff --git a/packages/agentless_hello_world/data_stream/generic/agent/stream/cel.yml.hbs b/packages/agentless_hello_world/data_stream/generic/agent/stream/cel.yml.hbs
index c7f7a6a7b8b..82d5627c258 100644
--- a/packages/agentless_hello_world/data_stream/generic/agent/stream/cel.yml.hbs
+++ b/packages/agentless_hello_world/data_stream/generic/agent/stream/cel.yml.hbs
@@ -9,9 +9,11 @@ program: | .do_request() .as(resp, { "events": [{ - "message": { + "http": { + "response": { "status_code": resp.StatusCode - }.encode_json() + } + } }] }) tags:
diff --git a/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml b/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml
index 4b97edf83de..ec67d9cd3b3 100644
--- a/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml
@@ -17,27 +17,6 @@ processors: - terminate: tag: data_collection_error if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null - - rename: - field: message - target_field: event.original - ignore_missing: true - if: ctx.event?.original == null - - remove: - field: message - tag: remove_message - ignore_missing: true - description: The `message` field is no longer required if the document has an `event.original` field. - if: ctx.event?.original != null - - json: - field: event.original - target_field: agentless_hello_world.generic - on_failure: - - set: - field: error.type - value: "json_parse_error" - - set: - field: error.message - value: "{{{ _ingest.on_failure_message }}}" - set: field: event.kind value: event
diff --git a/packages/agentless_hello_world/data_stream/generic/fields/fields.yml b/packages/agentless_hello_world/data_stream/generic/fields/fields.yml
index a21c3526dbe..1b48603eab3 100644
--- a/packages/agentless_hello_world/data_stream/generic/fields/fields.yml
+++ b/packages/agentless_hello_world/data_stream/generic/fields/fields.yml
@@ -1,6 +1,2 @@ -- name: agentless_hello_world.generic - type: group - fields: - - name: status_code - type: long - description: HTTP Status Code +- name: http.response.status_code + external: ecs
diff --git a/packages/agentless_hello_world/data_stream/generic/sample_event.json b/packages/agentless_hello_world/data_stream/generic/sample_event.json
index a7f4fa78a4b..3d12656541a 100644
--- a/packages/agentless_hello_world/data_stream/generic/sample_event.json
+++ b/packages/agentless_hello_world/data_stream/generic/sample_event.json
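Review bot: With the `rename`, `remove` and `json` processors gone from the ingest pipeline hunk, nothing in the template shown in this series sets `message` or `event.original` any more, so the `terminate` condition kept in the leading context, `ctx.error?.message != null && ctx.message == null && ctx.event?.original == null`, effectively reduces to its first clause; shortening it to `if: ctx.error?.message != null` states the intent directly and avoids the reader hunting for a producer of those fields. The `remove` of `event.original` that earlier patches placed later in the same list is presumably dead for the same reason and could go with it, together with the `preserve_original_event` handling; confirm before dropping it, as that part of the list lies outside the hunk. The `processors` list starts and ends outside the hunk.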
@@ -7,11 +7,6 @@ "type": "filebeat", "version": "9.1.3" }, - "agentless_hello_world": { - "generic": { - "status_code": 418 - } - }, "data_stream": { "dataset": "agentless_hello_world.generic", "namespace": "88559",
@@ -60,6 +55,11 @@ "version": "20230201" } }, + "http": { + "response": { + "status_code": 418 + } + }, "input": { "type": "cel" },