Handle K8s events with invalid count or invalid Timestamps · elastic/beats#31126

2022-04-04T11:46:22.000Z

**Describe the enhancement:** - Handle use cases when k8s event timestamps (FirstTimestamp and LastTimestamp) are null - Handle use cases when the k8s event count is zero **Describe a specific use case for the enhancement or feature:** - We want to fall back to a valid timestamp if the event timestamps are null - We want to provide a valid count if the API reports a zero count **Notes** - discussion on proposed changes at https://github.com/elastic/beats/pull/29591 - we should create a new PR from main as suggested in this [comment](https://github.com/elastic/beats/pull/29591#pullrequestreview-839162129) - if event.Count == 0 and event.Series != null => default to event.Series.Count or 1 otherwise - I suggest to keep the original value for event.Count (either 0 or null as it comes) - add new fields for event.Series.Count. This increase the dimensionality of our metrics but it removes the unpredictability of what event.Count is filled with - the fact that event.Count is 0 or null might be a signal by itself. something else is wrong in the k8s setup - if event.FirstTimestamp = (null or 0) => default to event.LastTimestamp - a better suggestion I found is to default FirstTimestamp to event.EventTime like suggested at [comment](https://github.com/elastic/beats/pull/29591/files#r828976086) - if event.LastTimestamp = (null or 0) => default to event.Series.LastObservedTime or event.EventTime (if not null) or event.CreationTimestamp - about default to event.Series.LastObservedTime, I have the same opinion as for event.Series.Count. If new fields from event.Series.LastObservedTime is necessary, we should expose it as a new field instead of using its value as default value when some other field is null - as suggested at [comment](https://github.com/elastic/beats/pull/29591/files#r828967600) event.CreationTimestamp is not part of the kubernetes supported release. Not sure where it is coming from

(7 comments) (0 reactions) (1 assignee)Go (9,173 stars) (3,451 forks)batch import

Team:Cloudnative-Monitoringenhancementgood first issue

Description

Describe the enhancement:

Handle use cases when k8s event timestamps (FirstTimestamp and LastTimestamp) are null
Handle use cases when the k8s event count is zero

Describe a specific use case for the enhancement or feature:

We want to fall back to a valid timestamp if the event timestamps are null
We want to provide a valid count if the API reports a zero count

Notes

discussion on proposed changes at https://github.com/elastic/beats/pull/29591
- we should create a new PR from main as suggested in this comment
- if event.Count == 0 and event.Series != null => default to event.Series.Count or 1 otherwise
  - I suggest to keep the original value for event.Count (either 0 or null as it comes)
  - add new fields for event.Series.Count. This increase the dimensionality of our metrics but it removes the unpredictability of what event.Count is filled with
  - the fact that event.Count is 0 or null might be a signal by itself. something else is wrong in the k8s setup
- if event.FirstTimestamp = (null or 0) => default to event.LastTimestamp
  - a better suggestion I found is to default FirstTimestamp to event.EventTime like suggested at comment
- if event.LastTimestamp = (null or 0) => default to event.Series.LastObservedTime or event.EventTime (if not null) or event.CreationTimestamp
  - about default to event.Series.LastObservedTime, I have the same opinion as for event.Series.Count. If new fields from event.Series.LastObservedTime is necessary, we should expose it as a new field instead of using its value as default value when some other field is null
  - as suggested at comment event.CreationTimestamp is not part of the kubernetes supported release. Not sure where it is coming from

Contributor guide

Tech stack: go
Domain: backendobservability
Issue type: feature
Difficulty: 3
Estimated time: 1-2 days
Activity status: active
Clarity: mostly clear
Prerequisites: GoKubernetes eventsBeats codebase
Newbie friendliness: 35
Research direction: Review the discussion in PR #29591 for proposed changes. Examine the Kubernetes event handling code in the beats project (likely in libbeat/autodiscover/kubernetes or similar). Focus on the Event struct fields: Count, Series, FirstTimestamp, LastTimestamp, EventTime, CreationTimestamp. Implement fallback logic as described in the issue, ensuring new fields are added for Series.Count and Series.LastObservedTime if necessary. Verify with tests.