x-pack/filebeat/input/cel: integrate emit macro and stream producers

[efd6]

Proposed commit message

x-pack/filebeat/input/cel: integrate emit macro and stream producers

Wire the mito emit macro and stream producer libraries into the CEL
input. The sessionEmitter adapts inputcursor.Publisher to the
lib.Emitter interface so that emit calls during CEL evaluation
publish events directly, bypassing state.events.

When emit publishes with cursors, the program should return a
single-element state.events entry for cursor bookkeeping (typically
dropped by a filebeat processor). A warning fires if state.events
is not exactly one element in this case.

Document the emit macro, stream producers, and lazy JSON and CSV
decode, and line streaming functions in the CEL input reference.

Assisted-By: Cursor

Note

This is the partner to elastic/mito#130. That change has the implementation for emit and the streaming calls.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
• I have added an entry in ./changelog/fragments using the changelog tool.

Disruptive User Impact

How to test this PR locally

Related issues

• ref lib: add streaming decode, stream producers, and emit macro mito#130

Use cases

Screenshots

Logs

[github-actions]

🤖 GitHub comments

Just comment with:

• run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)
• /test : Run the Buildkite pipeline.

[github-actions]

🔍 Preview links for changed docs

• docs/reference/filebeat/filebeat-input-cel.md

[github-actions]

Elastic Docs Style Checker (Vale)

Summary: 1 warning, 2 suggestions found

⚠️ Warnings (1): Fix when the suggestion improves clarity or correctness.

File	Line	Rule	Message
docs/reference/filebeat/filebeat-input-cel.md	125	Elastic.QuotesPunctuation	Place punctuation inside closing quotation marks.

💡 Suggestions (2): Optional style improvements. Apply when helpful.

File	Line	Rule	Message
docs/reference/filebeat/filebeat-input-cel.md	125	Elastic.WordChoice	Consider using 'can, might' instead of 'may', unless the term is in the UI.
docs/reference/filebeat/filebeat-input-cel.md	165	Elastic.WordChoice	Consider using 'can, might' instead of 'may', unless the term is in the UI.

---

The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.

[infra-vault-gh-plugin-prod]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[coderabbitai]

Caution

Review failed

An error occurred during the review process. Please try again later.

📝 Walkthrough

Walkthrough

The PR bumps github.com/elastic/mito from v1.25.1 to v1.27.0 and uses the new version to add three capabilities to the Filebeat CEL input: an emit macro for publishing events during evaluation, streaming decompression (stream_gzip/stream_zip), and lazy CSV/line decoding. A new sessionEmitter type implements lib.Emitter, publishing events directly via inputcursor.Publisher while tracking per-evaluation event count and cursor presence. newProgram gains an emitOpt parameter and registers lib.Stream, lib.CSV, and lib.Lines in the CEL environment. Config validation is fixed to pass a no-op emitter to suppress emission during syntax checking. Tests cover emit with/without cursors and all streaming decoder combinations. Documentation describes the emit macro's calling conventions, cursor bookkeeping rules, and new library functions.

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

• 🛠️ Update Documentation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/reference/filebeat/filebeat-input-cel.md`:
- Line 125: Fix three linting issues in the events field description: First,
remove the duplicate "will" in the phrase "this will will be wrapped" so it
reads "this will be wrapped". Second, review the punctuation placement around
the quoted text to ensure punctuation marks are placed inside the quotation
marks where appropriate. Third, verify the markdown link fragment for the emit
macro reference uses correct syntax and formatting to resolve the MD051 link
validation error. These fixes will ensure the documentation passes Vale,
Markdownlint, and CI validation checks.
- Line 149: The fenced code block containing the emit method examples lacks a
language identifier specification. Locate the code block that contains the
comments about two-arg and three-arg publish patterns with the emit method
calls, and add the language identifier "cel" to the opening fence by changing
the opening triple backticks from ``` to ```cel to comply with markdownlint-cli2
validation requirements.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: a5f2d64d-740f-4215-a397-48297ab079a1

📥 Commits

Reviewing files that changed from the base of the PR and between c762428 and dcf2c4d.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (7)

• NOTICE.txt
• changelog/fragments/1781587054-cel-emit-stream.yaml
• docs/reference/filebeat/filebeat-input-cel.md
• go.mod
• x-pack/filebeat/input/cel/config.go
• x-pack/filebeat/input/cel/input.go
• x-pack/filebeat/input/cel/input_test.go