Elasticsearch: user_agent plugin failed parsing fields in Filebeat CI tests

Pinging @elastic/es-core-features (:Core/Features/Ingest)

I'm currently working on disabling the specific checks in Beats https://github.com/elastic/beats/pull/14179.

Find here the differences in expectations in Beats test files: https://github.com/elastic/beats/pull/14190/files

Most cases can be summarized in these ones, I think that the first two may worth investigating.

• Dots added after the version:

-        "user_agent.version": "50.0"
+        "user_agent.version": "50.0."

• Some versions changed number:

         "user_agent.original": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR[ 2.0.50727](tel: 2050727); .NET CLR 3.0.30729)",
-        "user_agent.os.name": "Windows 8.1",
-        "user_agent.version": "7.0"
+        "user_agent.os.full": "Windows 8.1",
+        "user_agent.os.name": "Windows",
+        "user_agent.os.version": "8.1",
+        "user_agent.version": "11.0"

• More details in some user agent (they look good):

-        "user_agent.os.name": "Windows 7",
+        "user_agent.os.full": "Windows 7",
+        "user_agent.os.name": "Windows",
+        "user_agent.os.version": "7",

• More detailed versions (they look good too):

-        "user_agent.version": "54.0.2840"
+        "user_agent.version": "54.0.2840.98"

@jsoriano @kaiyan-sheng - It looks like https://github.com/elastic/elasticsearch/pull/47807 is the catalyst here. We use reg-exes from https://github.com/ua-parser/uap-core which were recently updated. I hesitant to roll back the changes introduced there since UA strings are a moving target and we should move with them. If you find errors in the parsing we should contribute that back upstream and update our parser config.

Maybe the Beats tests need to be updated with more modern UA strings ?

cc @spinscale

The one with the extra dot at the end of the version number is Firefox:

        "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0",
-       "user_agent.version": "50.0"
+       "user_agent.version": "50.0."

I hesitant to roll back the changes introduced there since UA strings are a moving target and we should move with them. If you find errors in the parsing we should contribute that back upstream and update our parser config.

Agree, I wouldn't roll back the changes. But I wonder if the new values for these Windows/IE versions (from 7.0 to 11.0) are expected.

Maybe the Beats tests need to be updated with more modern UA strings ?

Yep, we have done that by now (https://github.com/elastic/beats/pull/14190).

The one with the extra dot at the end of the version number is Firefox:

But is the dot at the end expected?

But is the dot at the end expected?

I guess not, it doesn't make much sense. I was just adding an example for what looks like another error