
[Azure Logs] Expand date formats for parsing time fields #16328

Merged
zmoog merged 6 commits into main from zmoog/fix/azure/azure-logs/review-time-formats
Dec 15, 2025

Conversation

@zmoog (Contributor) commented Dec 5, 2025

Proposed commit message

We are revising the date processor format list to improve robustness. We've prioritized the formats based on usage frequency: the first format is the most common, followed by necessary fallbacks.

This addresses the fact that Azure Logs don't adhere to a single format. This approach maximizes efficiency while maintaining parsing resilience.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

cd packages/azure
elastic-package build && elastic-package stack up -d -v --version 9.2.1
elastic-package test pipeline -v

Related issues

@zmoog zmoog self-assigned this Dec 5, 2025
@zmoog zmoog added the labels Integration:azure (Azure Logs), bugfix (Pull request that fixes a bug issue) and Team:obs-ds-hosted-services (Observability Hosted Services team [elastic/obs-ds-hosted-services]) Dec 5, 2025
@zmoog zmoog marked this pull request as ready for review December 5, 2025 11:11
@zmoog zmoog requested review from a team as code owners December 5, 2025 11:12
@zmoog zmoog changed the title [Azure Logs] Add fallback date formats based on frequency [Azure Logs] Expand date formats for parsing time fields Dec 5, 2025
@zmoog zmoog added the labels Team:Service-Integrations (Label for the Observability Service Integrations team) and Team:Security-Service Integrations (Security Service Integrations team [elastic/security-service-integrations]) Dec 5, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@MichaelKatsoulis (Contributor) left a comment

LGTM

@andrewkroh andrewkroh added the label Team:Obs-InfraObs (Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations]) Dec 5, 2025
@zmoog zmoog force-pushed the zmoog/fix/azure/azure-logs/review-time-formats branch from 0518b40 to f64bbff December 5, 2025 14:37
@zmoog zmoog requested a review from muthu-mps December 5, 2025 14:37
@StacieClark-Elastic (Member) commented

For a bug fix, I would expect to see some tests that verify that the bug has been fixed. There are no changes to the tests so running the test suite only validates that the old tests did not get broken.

@kaiyan-sheng (Contributor) left a comment

Maybe we can add a sample log for each additional format as @StacieClark-Elastic mentioned about test?

@zmoog (Contributor, Author) commented Dec 9, 2025

> For a bug fix, I would expect to see some tests that verify that the bug has been fixed. There are no changes to the tests so running the test suite only validates that the old tests did not get broken.

I agree, it makes sense to add more tests to prove the change is effective.

To add more context, this is not addressing a user-reported actual occurrence of this problem. This is mostly a defense against future off-spec changes, so we don't know which data stream will receive off-spec dates yet. Azure often emits off-spec values in dates and all sorts of other fields.

I classified this PR as a bugfix because Azure-focused integrations have to work in this environment.

@zmoog (Contributor, Author) commented Dec 9, 2025

> Maybe we can add a sample log for each additional format as @StacieClark-Elastic mentioned about test?

Yeah, and I guess we need to do it for every data stream in the Azure Logs package.

zmoog added 4 commits December 9, 2025 08:38
  • Expands the fallback formats based on the observed frequency of the format for each given log category.
  • "M/d/yyyy h:mm:ss a XXX"
@zmoog zmoog force-pushed the zmoog/fix/azure/azure-logs/review-time-formats branch from f64bbff to 2b76017 December 9, 2025 07:38
@muthu-mps (Contributor) left a comment

LGTM!

@giorgi-imerlishvili-elastic (Contributor) commented

Tests related to the changes would be nice. Otherwise, LGTM!

@zmoog (Contributor, Author) commented Dec 9, 2025

Thanks for all the comments and suggestions: collecting time format samples to add a "corner cases time formats" test file for each data stream.

@zmoog (Contributor, Author) commented Dec 10, 2025

@StacieClark-Elastic, added the following test case with the known time formats:

{"time": "01/09/2007 09:41:00", "category": "Administrative"}
{"time": "1/9/2007 09:41:00", "category": "Administrative"}
{"time": "01/09/2007 09:41:00 AM", "category": "Administrative"}
{"time": "1/9/2007 9:41:00 AM", "category": "Administrative"}
{"time": "1/9/2007 10:41:00 AM +01:00", "category": "Administrative"}
{"time": "2007-01-09T09:41:00", "category": "Administrative"}
{"time": "2007-01-09T09:41:00.22Z", "category": "Administrative"}
{"time": "2007-01-09T09:41:00.6816663Z", "category": "Administrative"}
{"time": "2007-01-09T09:41:00.535404056Z", "category": "Administrative"}
{"time": "2007-01-09T09:41:00.992099+00:00", "category": "Administrative"}
{"time": "2007-01-09T11:41:00+02:00", "category": "Administrative"}

Then I added the test case to all data streams that attempt to parse the @timestamp field.

This should ensure all data streams support the known data format variations we spotted in the wild. Please let me know what you think of this approach.
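
The ordered-fallback parsing that the commit message describes and that the sample list in this comment exercises, as an added example that is not code from the PR or from the azure package. It uses Python strptime patterns rather than the Elasticsearch date processor's Java-time patterns; the ordering of the formats (ISO 8601 variants first, the US-style M/d/yyyy fallbacks after) is an assumption for the example, values with no offset are taken as UTC, and fractions longer than six digits are truncated to microseconds because strptime's %f stops there. The sample values are the ones posted above, labelled as constructed in the code, plus one constructed off-spec value that shows an unsupported format being rejected rather than producing a silently wrong @timestamp.

```python
import re
from datetime import datetime, timezone

# Ordered by assumed frequency (an assumption for this example, not the exact
# list merged in the PR): ISO 8601 variants first, then the US-style
# "M/d/yyyy" fallbacks that the PR's test samples exercise.
FORMATS = [
    "%Y-%m-%dT%H:%M:%S.%f%z",   # 2007-01-09T09:41:00.22Z / .992099+00:00
    "%Y-%m-%dT%H:%M:%S%z",      # 2007-01-09T11:41:00+02:00
    "%Y-%m-%dT%H:%M:%S.%f",     # fraction, no offset
    "%Y-%m-%dT%H:%M:%S",        # 2007-01-09T09:41:00
    "%m/%d/%Y %I:%M:%S %p %z",  # 1/9/2007 10:41:00 AM +01:00
    "%m/%d/%Y %I:%M:%S %p",     # 1/9/2007 9:41:00 AM
    "%m/%d/%Y %H:%M:%S",        # 01/09/2007 09:41:00
]

# strptime's %f accepts at most six digits; the samples include 7 (.NET ticks)
# and 9 (nanoseconds). Keep the first six digits of the fraction, drop the rest.
_LONG_FRACTION = re.compile(r"(:\d{2}\.\d{6})\d+")

# Constructed from the values posted in this thread; every one of them denotes
# 2007-01-09 09:41:00 UTC, differing only in the fractional seconds.
SAMPLES = [
    "01/09/2007 09:41:00",
    "1/9/2007 09:41:00",
    "01/09/2007 09:41:00 AM",
    "1/9/2007 9:41:00 AM",
    "1/9/2007 10:41:00 AM +01:00",
    "2007-01-09T09:41:00",
    "2007-01-09T09:41:00.22Z",
    "2007-01-09T09:41:00.6816663Z",
    "2007-01-09T09:41:00.535404056Z",
    "2007-01-09T09:41:00.992099+00:00",
    "2007-01-09T11:41:00+02:00",
]


def parse_azure_time(value: str) -> datetime:
    """Try FORMATS in order and return an aware UTC datetime.

    A value with no offset is treated as UTC (the Elasticsearch date processor
    does the same when no timezone is configured). Raises ValueError when no
    format matches, so an off-spec value is visible instead of silently wrong.
    """
    text = _LONG_FRACTION.sub(r"\1", value.strip())
    for fmt in FORMATS:
        try:
            parsed = datetime.strptime(text, fmt)
        except ValueError:
            continue
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc)
    raise ValueError(f"no known Azure time format matches {value!r}")


def unparsed(samples) -> list:
    """Return the values that none of FORMATS accepts (empty list == full coverage)."""
    failed = []
    for sample in samples:
        try:
            parse_azure_time(sample)
        except ValueError:
            failed.append(sample)
    return failed


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:38} -> {parse_azure_time(sample).isoformat()}")
    # A constructed day-first value: there is no month 13, so it is rejected
    # rather than parsed as the wrong date.
    print("unparsed:", unparsed(SAMPLES + ["13/01/2007 09:41:00"]))
```

Two caveats the corpus approach does not remove. The M/d/yyyy formats are the US ordering the samples imply; a day-first value whose day is 12 or less would parse without error to the wrong date, and no format list can detect that, so pinning the expected instant for every sample (all of the above resolve to 09:41:00 UTC) is what guards the ordering. And a value that no format accepts fails the ingest pipeline, or lands with whatever @timestamp an on_failure handler assigns, which takes the event out of the time window a detection rule queries; surfacing that as an error, as unparsed() does, is preferable to a guessed timestamp.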

@zmoog (Contributor, Author) commented Dec 11, 2025

> For a bug fix, I would expect to see some tests that verify that the bug has been fixed. There are no changes to the tests so running the test suite only validates that the old tests did not get broken.

@StacieClark-Elastic, please let me know if you think the change requires more/different tests coverage.

@elasticmachine

💚 Build Succeeded


cc @zmoog

@zmoog (Contributor, Author) commented Dec 15, 2025

@StacieClark-Elastic, I'd appreciate your review when you get a moment! 🙇

@StacieClark-Elastic (Member) left a comment

LGTM

@zmoog zmoog merged commit 3678696 into main Dec 15, 2025
8 checks passed
@zmoog zmoog deleted the zmoog/fix/azure/azure-logs/review-time-formats branch December 15, 2025 18:18
@elastic-vault-github-plugin-prod

Package azure - 1.31.1 containing this change is available at https://epr.elastic.co/package/azure/1.31.1/


Labels

  • bugfix: Pull request that fixes a bug issue
  • Integration:azure: Azure Logs
  • Team:obs-ds-hosted-services: Observability Hosted Services team [elastic/obs-ds-hosted-services]
  • Team:Obs-InfraObs: Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations]
  • Team:Security-Service Integrations: Security Service Integrations team [elastic/security-service-integrations]
  • Team:Service-Integrations: Label for the Observability Service Integrations team

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Update time format across all Azure Logs integrations

8 participants