Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

External ECS field imports not containing their multi-fields #678

Closed
ebeahan opened this issue Feb 1, 2022 · 1 comment · Fixed by #752
Closed

External ECS field imports not containing their multi-fields #678

ebeahan opened this issue Feb 1, 2022 · 1 comment · Fixed by #752
Assignees
@jsoriano
Labels
Team:Ecosystem Label for the Packages Ecosystem team

Comments

@ebeahan
Copy link
Member

ebeahan commented Feb 1, 2022
edited
Loading

Summary

The expected multi-fields are not imported when external ECS fields are declared. I suspect this is the cause of some integrations not including the anticipated multi-fields in their index templates.

I first experienced on 7.16.3 using the Windows 1.5.0 integration. The logs-windows.sysmon_operational managed index template is missing process.command_line.text.

Example

Declaring an external field with process.command_line:

- name: process.command_line
  external: ecs

produces an index mapping of:

    "process": {
      "properties": {
            "command_line": {
              "type": "wildcard"
            }
          }
        }

In ECS, process.command_line contains the .text multi-field.

The expected field mapping:

    "process": {
      "properties": {
            "command_line": {
              "type": "wildcard",
              "fields": {
                "text": {
                  "type": "match_only_text"
                }
              }
            }
        }
@andrewkroh
Copy link
Member

There appears to be a similar problem in that the doc_values and index attributes are not carried through from the ECS definition. event.original is an example.

The integration mapping is:

   "event": {
      "properties": {
        "original": {
          "ignore_above": 1024,
          "type": "keyword"
        },

The expected mapping is:

        "event": {
          "properties": {
            "original": {
              "doc_values": false,
              "index": false,
              "type": "keyword"
            },

https://github.com/elastic/ecs/blob/v1.12.2/generated/ecs/ecs_flat.yml#L2354

@jlind23 jlind23 added the Team:Ecosystem Label for the Packages Ecosystem team label Feb 4, 2022
@mtojek mtojek mentioned this issue Feb 24, 2022
Closed
2 tasks
@jsoriano jsoriano self-assigned this Mar 23, 2022
@jsoriano jsoriano mentioned this issue Mar 23, 2022
Merged
@juliaElastic juliaElastic mentioned this issue Mar 23, 2022
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jsoriano jsoriano

Labels
Team:Ecosystem Label for the Packages Ecosystem team
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Import aditional indexing settings on external fields jsoriano/elastic-package
4 participants
@jsoriano @andrewkroh @ebeahan @jlind23