Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add process.parent by duplicating all fields explicitly #612

Merged
merged 3 commits into from
Nov 19, 2019
Merged

Add process.parent by duplicating all fields explicitly #612

merged 3 commits into from
Nov 19, 2019

Conversation

webmat
Copy link
Contributor

@webmat webmat commented Nov 15, 2019

Doing this via normal field reuse is pretty tricky at this time. This is the
first time a field set gets reused under a different name ("process" nested as "parent").

So for now I suggest simply duplicating all fields.

In order to avoid issues with this duplication:

  • I call this out and explain it at length in a comment at the top of the process.yml file.
  • Each duplicate entry is directly below the entry it copies in this file
    (e.g. process.pid is directly followed by process.parent.pid)
    • Note that the generated docs are sorted by the flattened key name. So all parent.*
      fields will actually be grouped in the generated files.

Closes #597.

@webmat webmat self-assigned this Nov 15, 2019
@webmat
Copy link
Contributor Author

webmat commented Nov 18, 2019

@ruflin @andrewkroh I'd like to get feedback on the approach I'm taking here. I think it's the pragmatic approach to get this done sooner than later, but it may be controversial.

Also cc @andrew-goldstein, as this solves your issue #597 :-)

@ruflin
Copy link
Contributor

ruflin commented Nov 19, 2019

I'm ok with getting this in as a hack. We must make sure to get a proper implementation long term as otherwise it is guaranteed that the two get out of sync.

@webmat
Copy link
Contributor Author

webmat commented Nov 19, 2019

Totally agreed. I will have to adjust this PR because we've recently been adding a few other fields to process.*. So I'm already feeling the pain ;-)

Work has started on adjusting the scripts in this branch, but still very much a WIP.

Merge branch 'master' into process-parent-simple
934ed5a 
Duplicated the process.command_line entry to also have
process.parent.command_line
@webmat webmat merged commit 9843f32 into elastic:master Nov 19, 2019
@webmat webmat mentioned this pull request Nov 29, 2019
Closed
dcode pushed a commit to dcode/ecs that referenced this pull request Apr 15, 2020
@dcode
Add process.parent (elastic#612)
b3c60cc 
... by duplicating all fields explicitly for now
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees

@webmat webmat

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Consider adding an equivalent field to endgame.parent_process_name in ECS
3 participants
@webmat @ruflin @andrewkroh