[akamai.siem] handle empty userRiskData strings

[andrewkroh]

Proposed commit message

Prevent the kv processor from executing on empty userRiskData.{risk,trust,general} values. This aims to address these observed errors:

field [json.userRiskData.trust] does not contain value_split[:] field [json.userRiskData.risk] does not contain value_split[:] 

This is also improving on the error.message to help track down additional bugs.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

[elasticmachine]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 62c4fae

History

• 💚 Build #9996 succeeded 001b95e

[elastic-sonarqube]

Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[efd6]

That is a surprising behaviour.

This is even more surprising.

POST /_ingest/pipeline/_simulate { "pipeline": { "description": "_description", "processors": [ { "kv": { "field": "foo", "field_split": " ", "value_split": "(=|$)" } } ] }, "docs": [ { "_index": "index", "_id": "id", "_source": { "foo": "bar=one" } }, { "_index": "index", "_id": "id", "_source": { "foo": "rab" } }, { "_index": "index", "_id": "id", "_source": { "foo": "" } } ] } 

[andrewkroh]

This is even more surprising.

Agree. The behavior does not seem consistent.

[elasticmachine]

Package akamai - 2.23.1 containing this change is available at https://epr.elastic.co/search?package=akamai