Merge branch 'main' into 2529-assistant-knowledge-base-usecase-walkthrough

Author: benironside

deploy-manage/security/fips-ingest.md

@@ -85,14 +85,23 @@ When you use {{agent}} and {{fleet-server}}, these limitations apply:
 * Running {{agent}} in [OpenTelemetry mode](https://github.com/elastic/elastic-agent/blob/main/internal/pkg/otel/README.md) is not yet supported. This includes all receivers, such as Filebeat Receiver, Metricbeat Receiver, [Prometheus Receiver](https://www.elastic.co/docs/reference/integrations/prometheus).
 * Some Elastic Integrations are not FIPS compatible, as they depend on functionality that is not yet supported for FIPS configuration. In general, when using {{agent}} and {{fleet-server}}, the same restrictions listed previously for {{metricbeat}} and {{filebeat}} modules, inputs, and processors apply.
 
-  These Elastic Integrations have components that are **not** FIPS compatible, and **cannot** be used in FIPS environments, even if combined with other ingest tools that offer FIPS mode. 
-
-  - [Azure Logs Integration (v2 preview)](integration-docs://reference/azure/events.md)
-  - [Azure Event Hub Input](integration-docs://reference/azure/eventhub.md)
-  - [SQL Input](integration-docs://reference/sql.md) 
-  - [PostgreSQL Integration](integration-docs://reference/postgresql.md)
-  - [MongoDB Integration](integration-docs://reference/mongodb.md)
-  - [MySQL Integration](integration-docs://reference/mysql.md)
-  - [Microsoft SQL Server Integration](integration-docs://reference/microsoft_sqlserver.md)
-  - [Oracle Integration](integration-docs://reference/oracle.md)
-
+### Elastic Integrations that are not FIPS compatible [ingest-limitations-integrations]
+
+These Elastic Integrations have components that are **not** FIPS compatible, and **cannot** be used in FIPS environments, even if combined with other ingest tools that offer FIPS mode. 
+
+- [Azure Logs Integration (v2 preview)](integration-docs://reference/azure/events.md)
+- [Azure Event Hub Input](integration-docs://reference/azure/eventhub.md)
+- [Azure AI Foundry Integration](integration-docs://reference/azure_ai_foundry.md)
+- [Azure App Service Integration](integration-docs://reference/azure_app_service.md)
+- [Azure Application Insights Integration](integration-docs://reference/azure_application_insights.md)
+- [Azure Billing Metrics Integration](integration-docs://reference/azure_billing.md)
+- [Azure Functions Integration](integration-docs://reference/azure_functions.md)
+- [Custom Azure Logs Integration](integration-docs://reference/azure_logs.md)
+- [Azure Resource Metrics Integration](integration-docs://reference/azure_metrics.md)
+- [Azure OpenAI Integration](integration-docs://reference/azure_openai.md)
+- [SQL Input](integration-docs://reference/sql.md) 
+- [PostgreSQL Integration](integration-docs://reference/postgresql.md)
+- [MongoDB Integration](integration-docs://reference/mongodb.md)
+- [MySQL Integration](integration-docs://reference/mysql.md)
+- [Microsoft SQL Server Integration](integration-docs://reference/microsoft_sqlserver.md)
+- [Oracle Integration](integration-docs://reference/oracle.md)

deploy-manage/upgrade/orchestrator/upgrade-cloud-on-k8s.md

@@ -101,8 +101,11 @@ This will update the ECK installation to the latest binary and update the CRDs a
 Upgrading the operator results in a one-time update to existing managed resources in the cluster. This potentially triggers a rolling restart of pods by Kubernetes to apply those changes. The following list contains the ECK operator versions that would cause a rolling restart after they have been installed.
 
 ```
-1.6, 1.9, 2.0, 2.1, 2.2, 2.4, 2.5, 2.6, 2.7, 2.8, 2.14
+1.6, 1.9, 2.0, 2.1, 2.2, 2.4, 2.5, 2.6, 2.7, 2.8, 2.14, 3.1 <1>
 ```
+
+1. The restart when upgrading to version 3.1 happens only for applications using [stack monitoring](/deploy-manage/monitor/stack-monitoring/eck-stack-monitoring.md).
+
 ::::{note}
 Stepping over one of these versions, for example, upgrading ECK from 2.6 to 2.9, still triggers a rolling restart.
 ::::

manage-data/images/icon-check.svg

@@ -0,0 +1,157 @@
+---
+mapped_pages:
+  - https://www.elastic.co/docs/manage-data/ingest/transform-enrich/error-handling.html
+applies_to:
+  stack: ga
+  serverless: ga
+---
+
+# Error handling
+
+Ingest pipelines in Elasticsearch are powerful tools for transforming and enriching data before indexing. However, errors can occur during processing. This guide outlines strategies for handling such errors effectively.
+
+:::{important}
+Ingest pipelines are executed before the document is indexed by Elasticsearch. You can handle the errors occurring while processing the document (i.e. transforming the json object) but not the errors triggered while indexing like mapping conflict. For this is the Elasticsearch Failure Store.
+:::
+
+Errors in ingest pipelines typically fall into the following categories:
+
+- Parsing Errors: Occur when a processor fails to parse a field, such as a date or number.
+- Missing Fields: Happen when a required field is absent in the document.
+
+:::{tip}
+Create an `error-handling-pipeline` that sets `event.kind` to `pipeline_error` and stores the error message, along with the tag from the failed processor, in the `error.message` field. Including a tag is especially helpful when using multiple `grok`, `dissect`, or `script` processors, as it helps identify which one caused the failure.
+:::
+
+The `on_failure` parameter can be defined either for individual processors or at the pipeline level to catch exceptions that may occur during document processing. The `ignore_failure` option allows a specific processor to silently skip errors without affecting the rest of the pipeline.
+
+## Global vs. processor-specific
+
+The following example demonstrates how to use the `on_failure` handler at the pipeline level rather than within individual processors. While this approach ensures the pipeline exits gracefully on failure, it also means that processing stops at the point of error.
+
+In this example, a typo was made in the configuration of the `dissect` processor intended to extract `user.name` from the message. A comma (`,`) was used instead of the correct colon (`:`).
+
+```json
+POST _ingest/pipeline/_simulate
+{
+  "docs": [
+    {
+      "_source": {
+        "@timestamp": "2025-04-03T10:00:00.000Z",
+        "message": "user: philipp has logged in"
+      }
+    }
+  ],
+  "pipeline": {
+    "processors": [
+      {
+        "dissect": {
+          "field": "message",
+          "pattern": "%{}, %{user.name} %{}",
+          "tag": "dissect for user.name"
+        }
+      },
+      {
+        "append": {
+          "field": "event.category",
+          "value": "authentication"
+        }
+      }
+    ],
+    "on_failure": [
+      {
+        "set": {
+          "field": "event.kind",
+          "value": "pipeline_error"
+        }
+      },
+      {
+        "append": {
+          "field": "error.message",
+          "value": "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}"
+        }
+      }
+    ]
+  }
+}
+```
+
+The second processor, which sets `event.category` to `authentication`, is no longer executed because the first `dissect` processor fails and triggers the global `on_failure` handler. The resulting document shows which processor caused the error, the pattern it attempted to apply, and the input it received.
+
+```json
+"@timestamp": "2025-04-03T10:00:00.000Z",
+"message": "user: philipp has logged in",
+"event": {
+    "kind": "pipeline_error"
+},
+"error": {
+  "message": "Processor dissect with tag dissect for user.name in pipeline _simulate_pipeline failed with message: Unable to find match for dissect pattern: %{}, %{user.name} %{} against source: user: philipp has logged in"
+}
+```
+
+We can restructure the pipeline by moving the `on_failure` handling directly into the processor itself. This allows the pipeline to continue execution. In this case, the `event.category` processor still runs. You can also retain the global `on_failure` to handle errors from other processors, while adding processor-specific error handling where needed.
+
+:::{note}
+While executing two `set` processors within the `dissect` error handler may not always be ideal, it serves as a demonstration.
+:::
+
+For the `dissect` processor, consider setting a temporary field like `_tmp.error: dissect_failure`. You can then use `if` conditions in later processors to execute them only if parsing failed, allowing for more controlled and flexible error handling.
+
+```json
+POST _ingest/pipeline/_simulate
+{
+  "docs": [
+    {
+      "_source": {
+        "@timestamp": "2025-04-03T10:00:00.000Z",
+        "message": "user: philipp has logged in"
+      }
+    }
+  ],
+  "pipeline": {
+    "processors": [
+      {
+        "dissect": {
+          "field": "message",
+          "pattern": "%{}, %{user.name} %{}",
+          "on_failure": [
+            {
+              "set": {
+                "field": "event.kind",
+                "value": "pipeline_error"
+              }
+            },
+            {
+              "append": {
+                "field": "error.message",
+                "value": "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}"
+              }
+            }
+          ],
+          "tag": "dissect for user.name"
+        }
+      },
+      {
+        "append": {
+          "field": "event.category",
+          "value": "authentication"
+        }
+      }
+    ],
+    "on_failure": [
+      {
+        "set": {
+          "field": "event.kind",
+          "value": "pipeline_error"
+        }
+      },
+      {
+        "set": {
+          "field": "error.message",
+          "value": "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}"
+        }
+      }
+    ]
+  }
+}
+```