[cribl] reroute to metrics datastreams #10700

Open
kgeller opened this issue Aug 5, 2024 · 3 comments
Labels
bug Something isn't working, use only for issues Integration:cribl Cribl Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations]

Comments

@kgeller
Contributor

kgeller commented Aug 5, 2024

Cribl reroute processors do not currently work when targeting metrics datastreams. Due to how reroute processors are currently set up, we do not have any configuration to specify the datastream type.

Instead of the current use of dataset and namespace, we need to use the destination.


@kgeller kgeller added bug Something isn't working, use only for issues Integration:cribl Cribl labels Aug 5, 2024
@andrewkroh andrewkroh added the Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations] label Sep 18, 2024
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@andrewkroh
Member

@kgeller, is this because the reroute processor does not support specifying the type (e.g. logs vs metrics)? If so, then let's open a feature request to Elasticsearch. I'd like to move the Cribl integration to GA and I think we should address this first.

@kgeller
Contributor Author

kgeller commented Jan 27, 2025

@andrewkroh The issue for us is that the reroute processor does not support routing to a different type. While we could open a feature request with ES to be able to do that, we also have other options we could support today.

Option 1

When I spoke to Felix (original author of reroute), he suggested:

As a workaround, you could have something like a cribl-router index that does an initial routing to something like a logs-cribl-default and logs-metrics-default via destination. From there on, you can do a second routing phase.

Option 2

Another option would be to simply update the docs so that the user specifies metrics for any metrics data that they want to send through. When we build the reroute processor, we don't alter the type. So whatever it comes in as from the Cribl side is what it remains.


This method isn't super user friendly though as it would require duplicative setups on both the Elastic integration side as well as the Cribl side.


Assuming we move forward with the feature request approach or option 1, we'll also need minimal UI changes so that the user can indicate a data source is of type metrics. Maybe a checkbox?

I say this because as far as I can tell, we don't have a way to tell what the type of the selected datastream is.
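
An added example, not taken from this issue or from the integration's code: an ingest pipeline body that puts the two reroute forms discussed in this thread side by side. The field `example_source`, the tags and the dataset names are constructed for illustration; `dataset`, `namespace` and `destination` are the reroute processor's own options, and `logs-cribl-default` is the index name used in the thread.

```json
{
  "description": "Constructed example: reroute by dataset/namespace versus reroute by destination",
  "processors": [
    {
      "reroute": {
        "tag": "example-dataset-namespace-form",
        "description": "Sets only the dataset and namespace parts of the target name. The type part is not altered, so a document that arrived in logs-cribl-default is routed to logs-example.metrics-default, not to a metrics data stream.",
        "if": "ctx.example_source == 'source-a'",
        "dataset": "example.metrics",
        "namespace": "default"
      }
    },
    {
      "reroute": {
        "tag": "example-destination-form",
        "description": "Names the full target, type included, so the document is routed to the metrics data stream regardless of the type it arrived with.",
        "if": "ctx.example_source == 'source-b'",
        "destination": "metrics-example.metrics-default"
      }
    }
  ]
}
```

The two processors use different conditions because the first reroute that matches ends processing of the current pipeline; `destination` cannot be combined with `dataset` or `namespace` in the same processor.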
