google_workspace: Discard events that are missing the items[] field during the split operation and returned as the root object

The Google Workspace Reports API sometimes does not return the `items[]` array, resulting
in the absence of the target field in the `response.split` operation. This leads to the
root level object being returned, which causes failures in the ingest pipeline.

An issue[1] has been created to resolve the problem with the split[].ignore_empty_value operation.

To address this issue as of now, a `drop` processor has been added at the start of the pipeline to ensure
that we discard events that are not required.

Here is the list of affected data streams:

- access_transparency
- admin
- context_aware_access
- device
- drive
- gcp
- group_enterprise
- groups
- login
- rules
- saml
- token
- user_accounts

[1] elastic/beats#47699

Author: brijesh-elastic

packages/google_workspace/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.47.2"
+  changes:
+    - description: Discard events that are missing the `items[]` field during the split operation and are returned as the root object.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15948
 - version: "2.47.1"
   changes:
     - description: Fix handling of `google_workspace.gmail.message_info.post_delivery_info.interaction.attachment` records.

packages/google_workspace/data_stream/access_transparency/_dev/test/pipeline/test-access-transparency.log-expected.json

@@ -111,4 +111,4 @@
             }
         }
     ]
-}
+}

packages/google_workspace/data_stream/access_transparency/elasticsearch/ingest_pipeline/default.yml

@@ -32,6 +32,10 @@ processors:
         - append:
             field: error.message
             value: '{{{_ingest.on_failure_message}}}'
+  - drop:
+      if: ctx.json?.events == null
+      description: Discard events that are missing the target during the split operation and are subsequently returned as the root object.
+      tag: drop_empty_events
   - set:
       field: event.kind
       value: [event]

packages/google_workspace/data_stream/access_transparency/sample_event.json

@@ -1,32 +1,32 @@
 {
     "@timestamp": "2020-10-02T15:00:00.000Z",
     "agent": {
-        "ephemeral_id": "e3f2296a-a4a2-4d03-9105-cee5b37c1408",
-        "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
-        "name": "docker-fleet-agent",
+        "ephemeral_id": "e71ef9cb-072e-48d2-9130-96f1d4bce4d3",
+        "id": "2da80338-c8c6-4300-9470-025fe55de0c1",
+        "name": "elastic-agent-58418",
         "type": "filebeat",
-        "version": "8.13.0"
+        "version": "8.18.0"
     },
     "data_stream": {
         "dataset": "google_workspace.access_transparency",
-        "namespace": "83912",
+        "namespace": "21501",
         "type": "logs"
     },
     "ecs": {
-        "version": "8.11.0"
+        "version": "8.16.0"
     },
     "elastic_agent": {
-        "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+        "id": "2da80338-c8c6-4300-9470-025fe55de0c1",
         "snapshot": false,
-        "version": "8.13.0"
+        "version": "8.18.0"
     },
     "event": {
         "action": "APPLICATION_EVENT",
         "agent_id_status": "verified",
-        "created": "2024-08-01T21:50:19.274Z",
+        "created": "2025-11-12T09:20:36.555Z",
         "dataset": "google_workspace.access_transparency",
         "id": "1",
-        "ingested": "2024-08-01T21:50:31Z",
+        "ingested": "2025-11-12T09:20:39Z",
         "kind": [
             "event"
         ],
@@ -130,4 +130,4 @@
         "id": "1",
         "name": "foo"
     }
-}
+}

packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml

@@ -31,6 +31,10 @@ processors:
   - json:
       field: event.original
       target_field: json
+  - drop:
+      if: ctx.json?.events == null
+      description: Discard events that are missing the target during the split operation and are subsequently returned as the root object.
+      tag: drop_empty_events
   - set:
       field: event.kind
       value: event

packages/google_workspace/data_stream/admin/sample_event.json

@@ -1,24 +1,24 @@
 {
     "@timestamp": "2022-04-04T15:04:05.000Z",
     "agent": {
-        "ephemeral_id": "e64e710c-e02b-4997-bb7e-83b936dd6aa5",
-        "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
-        "name": "docker-fleet-agent",
+        "ephemeral_id": "14b6ad66-8af9-429d-b327-3fee869369e5",
+        "id": "752f45e8-5f63-4dca-ab63-ec8e8f790d4a",
+        "name": "elastic-agent-14522",
         "type": "filebeat",
-        "version": "8.13.0"
+        "version": "8.18.0"
     },
     "data_stream": {
         "dataset": "google_workspace.admin",
-        "namespace": "62273",
+        "namespace": "51420",
         "type": "logs"
     },
     "ecs": {
-        "version": "8.11.0"
+        "version": "8.16.0"
     },
     "elastic_agent": {
-        "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+        "id": "752f45e8-5f63-4dca-ab63-ec8e8f790d4a",
         "snapshot": false,
-        "version": "8.13.0"
+        "version": "8.18.0"
     },
     "event": {
         "action": "CHANGE_APPLICATION_SETTING",
@@ -27,10 +27,10 @@
             "iam",
             "configuration"
         ],
-        "created": "2024-08-01T21:51:15.529Z",
+        "created": "2025-11-12T09:21:44.692Z",
         "dataset": "google_workspace.admin",
         "id": "1",
-        "ingested": "2024-08-01T21:51:27Z",
+        "ingested": "2025-11-12T09:21:47Z",
         "kind": "event",
         "original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"[email protected]\",\"profileId\":1},\"events\":{\"name\":\"CHANGE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"[email protected]\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}],\"type\":\"APPLICATION_SETTINGS\"},\"id\":{\"applicationName\":\"admin\",\"customerId\":\"1\",\"time\":\"2022-04-04T15:04:05Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
         "provider": "admin",
@@ -117,4 +117,4 @@
             }
         }
     }
-}
+}

packages/google_workspace/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json

@@ -1333,4 +1333,4 @@
             ]
         }
     ]
-}
+}

packages/google_workspace/data_stream/context_aware_access/_dev/test/pipeline/test-context-aware-access.log-expected.json

@@ -105,4 +105,4 @@
             }
         }
     ]
-}
+}

packages/google_workspace/data_stream/context_aware_access/elasticsearch/ingest_pipeline/default.yml

@@ -32,6 +32,10 @@ processors:
         - append:
             field: error.message
             value: '{{{_ingest.on_failure_message}}}'
+  - drop:
+      if: ctx.json?.events == null
+      description: Discard events that are missing the target during the split operation and are subsequently returned as the root object.
+      tag: drop_empty_events
   - set:
       field: event.kind
       value: [event]

packages/google_workspace/data_stream/context_aware_access/sample_event.json

@@ -1,32 +1,32 @@
 {
     "@timestamp": "2020-10-02T15:00:00.000Z",
     "agent": {
-        "ephemeral_id": "6fde0a21-1448-4531-a5c9-42751772e3a7",
-        "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
-        "name": "docker-fleet-agent",
+        "ephemeral_id": "01101cd7-b942-4061-8dcf-8488f5b64461",
+        "id": "10bdbb6c-0cff-4af9-866d-64a6bb61e845",
+        "name": "elastic-agent-67948",
         "type": "filebeat",
-        "version": "8.13.0"
+        "version": "8.18.0"
     },
     "data_stream": {
         "dataset": "google_workspace.context_aware_access",
-        "namespace": "14973",
+        "namespace": "38010",
         "type": "logs"
     },
     "ecs": {
-        "version": "8.11.0"
+        "version": "8.16.0"
     },
     "elastic_agent": {
-        "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
+        "id": "10bdbb6c-0cff-4af9-866d-64a6bb61e845",
         "snapshot": false,
-        "version": "8.13.0"
+        "version": "8.18.0"
     },
     "event": {
         "action": "APPLICATION_EVENT",
         "agent_id_status": "verified",
-        "created": "2024-08-01T21:53:36.823Z",
+        "created": "2025-11-12T09:23:14.570Z",
         "dataset": "google_workspace.context_aware_access",
         "id": "1",
-        "ingested": "2024-08-01T21:53:48Z",
+        "ingested": "2025-11-12T09:23:17Z",
         "kind": [
             "event"
         ],
@@ -124,4 +124,4 @@
         "id": "1",
         "name": "foo"
     }
-}
+}