@ash-darin ash-darin commented Oct 24, 2025

Enhancement

Proposed commit message

This uses a more complex Regex to split the KV pairs in the Checkpoint message.

This is necessary if you use it to process email, as the headers might contain strings of the form:

X-IronPort-AV: E=Sophos;i=\\\"8.18,219,1756234400\\\"; d=\\\"png

"; Sophos

The original regex would regard both examples as a split, when in reality they are not. Use (negative) lookbehind to box the kv split parameter in.

(?<!\\")(?<="); (?=\w)

lookbehind: (?<=") react to ";
but
negative lookbehind: (?<!\\") do not react to \";

lookahead: (?=\w) expect a character after 1 (one) space: ; abcd

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.

How to test this PR locally

Check your logs/indices if any messages are rejected. Apply fix and check whether numbers go down.
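Added example, not part of the pull request or the integration's code: the proposed split pattern run over a constructed Check Point-style line whose header value contains `\"; `. The field names, the `key:"value"` layout and the contrast pattern (the proposed pattern with its negative lookbehind removed, not the integration's previous regex, which this page does not show) are assumptions.

```python
import re

# Pattern proposed in this PR: split at "; " only after an unescaped closing quote.
PROPOSED = re.compile(r'(?<!\\")(?<="); (?=\w)')
# Contrast only: the same pattern without the escaped-quote guard.
# Assumption: NOT the integration's previous pattern (not shown on the page).
NO_ESCAPE_GUARD = re.compile(r'(?<="); (?=\w)')

# Constructed sample line; field names are hypothetical.
SAMPLE = (
    'action:"Accept"; '
    r'email_headers:"X-IronPort-AV: E=Sophos;i=\"8.18,219,1756234400\"; d=\"png\""; '
    'subject:"report"'
)


def split_pairs(message, pattern=PROPOSED):
    """Return the raw key/value chunks produced by the field-split pattern."""
    return pattern.split(message)


def parse(message, pattern=PROPOSED):
    """Split into chunks, then into key and quoted value at the first colon.

    Returns (fields, rejected); a chunk that is not key:"value" is rejected,
    which is what a truncated header fragment turns into downstream.
    """
    fields, rejected = {}, []
    for chunk in split_pairs(message, pattern):
        key, sep, value = chunk.partition(":")
        quoted = len(value) >= 2 and value.startswith('"') and value.endswith('"')
        if not sep or not re.fullmatch(r"\w+", key) or not quoted:
            rejected.append(chunk)
            continue
        fields[key] = value[1:-1]  # strip the outer quotes only
    return fields, rejected


if __name__ == "__main__":
    for name, pattern in (("proposed", PROPOSED), ("no guard", NO_ESCAPE_GUARD)):
        fields, rejected = parse(SAMPLE, pattern)
        print(name, "->", len(split_pairs(SAMPLE, pattern)), "chunks")
        print("  email_headers:", fields.get("email_headers"))
        print("  rejected:", rejected)
```

Without the guard the header value is cut at `\"; ` and the remainder becomes a malformed chunk; with the guard the value stays whole, including its trailing escaped quote before the real closing quote.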

@ash-darin ash-darin requested a review from a team as a code owner October 24, 2025 09:21
@ash-darin ash-darin closed this Oct 24, 2025
@ash-darin ash-darin reopened this Oct 24, 2025
@ash-darin ash-darin changed the title Update kv split Update kv split for checkpoint Oct 24, 2025
@ash-darin ash-darin changed the title Update kv split for checkpoint [checkpoint] Update kv split for checkpoint Oct 24, 2025
@andrewkroh andrewkroh added Integration:checkpoint Check Point Team:Integration-Experience Security Integrations Integration Experience [elastic/integration-experience] labels Oct 24, 2025
@elasticmachine

Pinging @elastic/integration-experience (Team:Integration-Experience)


@taylor-swanson taylor-swanson left a comment

Could you add a pipeline test to verify the change behaves correctly?

Additionally, the version in manifest.yml needs to be updated to match the changelog (1.41.3)
