
[Fleet] added missing package field mappings #128391

Merged: 1 commit merged into elastic:main from the integration-field-mappings branch on Mar 24, 2022

Conversation

juliaElastic
Contributor

Summary

Added field mappings for:

  • doc_values: false value
  • multi_fields: match_only_text type

Original issue: elastic/elastic-package#678

Related discussion: elastic/elastic-package#752 (comment)

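The two settings listed in the summary are package field options that Fleet turns into Elasticsearch mapping properties when it installs a package. The block below is an added example, not Fleet's or Kibana's own code: a minimal, self-contained translation of package field definitions (following the package field YAML conventions) into mapping `properties`, carrying through `doc_values: false` and a `match_only_text` multi-field, plus a path lookup that performs the "is the multi-field actually in the mapping?" check the reviewers do by hand later in this thread. The function names and the sample field definitions are constructed for this illustration and do not come from any real package.

```typescript
// Added example, not Fleet's or Kibana's own code: a minimal translation of
// package field definitions into Elasticsearch mapping properties that
// carries through the two settings this PR adds, `doc_values: false` and a
// `match_only_text` multi-field. Field/type names follow package field YAML;
// the functions and the sample definitions below are constructed for this
// illustration.

interface MultiField {
  name: string;
  type: 'keyword' | 'text' | 'match_only_text';
  ignore_above?: number; // only meaningful for keyword multi-fields
}

interface PackageField {
  name: string;
  type: string;            // e.g. 'keyword', 'wildcard', 'group'
  description?: string;
  doc_values?: boolean;
  multi_fields?: MultiField[];
  fields?: PackageField[]; // children when type === 'group'
}

type Mapping = Record<string, unknown>;

// Build the `fields` sub-object of a mapping from multi_fields definitions.
function mapMultiFields(multiFields: MultiField[]): Record<string, Mapping> {
  const out: Record<string, Mapping> = {};
  for (const mf of multiFields) {
    const m: Mapping = { type: mf.type };
    // ignore_above is a keyword-family parameter; match_only_text does not
    // accept it, so this example only carries it through for keyword multi-fields.
    if (mf.type === 'keyword' && mf.ignore_above !== undefined) {
      m.ignore_above = mf.ignore_above;
    }
    out[mf.name] = m;
  }
  return out;
}

// Recursively turn package fields into mapping `properties`.
function toProperties(fields: PackageField[]): Record<string, Mapping> {
  const props: Record<string, Mapping> = {};
  for (const f of fields) {
    if (f.type === 'group') {
      props[f.name] = { properties: toProperties(f.fields ?? []) };
      continue;
    }
    const m: Mapping = { type: f.type };
    if (f.doc_values === false) m.doc_values = false;  // doc_values: false support
    if (f.multi_fields && f.multi_fields.length > 0) {
      m.fields = mapMultiFields(f.multi_fields);       // match_only_text multi-field
    }
    props[f.name] = m;
  }
  return props;
}

// Walk a dotted path such as "process.command_line" through nested
// `properties`; returns the leaf mapping or undefined if the path is absent.
function lookupField(props: Record<string, Mapping>, path: string): Mapping | undefined {
  const parts = path.split('.');
  let current: Record<string, Mapping> = props;
  for (let i = 0; i < parts.length; i++) {
    const node: Mapping | undefined = current[parts[i]];
    if (node === undefined) return undefined;
    if (i === parts.length - 1) return node;
    current = (node.properties as Record<string, Mapping> | undefined) ?? {};
  }
  return undefined;
}

// Constructed sample (not from any real package): a `process` group whose
// command_line gets a match_only_text multi-field, and an event.original-style
// keyword with doc_values disabled.
const SAMPLE_FIELDS: PackageField[] = [
  {
    name: 'process',
    type: 'group',
    fields: [
      {
        name: 'command_line',
        type: 'wildcard',
        multi_fields: [{ name: 'text', type: 'match_only_text' }],
      },
    ],
  },
  {
    name: 'event',
    type: 'group',
    fields: [{ name: 'original', type: 'keyword', doc_values: false }],
  },
];

const SAMPLE_PROPERTIES = toProperties(SAMPLE_FIELDS);

console.log(JSON.stringify(SAMPLE_PROPERTIES, null, 2));
```

Running the block prints the composed `properties`, in which `process.command_line` carries `fields.text.type = "match_only_text"` and `event.original` carries `doc_values: false`; `lookupField` returns `undefined` for any path a package does not define, which is the situation described later in the thread for the Windows package.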

@juliaElastic juliaElastic added release_note:skip Skip the PR/issue when compiling release notes backport:skip This commit does not require backporting v8.2.0 labels Mar 23, 2022
@juliaElastic juliaElastic requested a review from a team as a code owner March 23, 2022 15:47
@juliaElastic juliaElastic self-assigned this Mar 23, 2022
@botelastic botelastic bot added the Team:Fleet Team label for Observability Data Collection Fleet team label Mar 23, 2022
@elasticmachine
Contributor

Pinging @elastic/fleet (Team:Fleet)

Member

@nchaulet nchaulet left a comment


Looks good to me 🚀

@kibana-ci
Collaborator

💚 Build Succeeded

Metrics [docs]

✅ unchanged

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @juliaElastic

Member

@jsoriano jsoriano left a comment


LGTM, only wondering if we should also set ignore_above for match_only_text.

@juliaElastic juliaElastic merged commit 0695df6 into elastic:main Mar 24, 2022
@juliaElastic juliaElastic deleted the integration-field-mappings branch March 24, 2022 09:08
@joshdover joshdover added QA:Needs Validation Issue needs to be validated by QA QA:Ready for Testing Code is merged and ready for QA to validate labels Mar 24, 2022
@joshdover
Contributor

@juliaElastic is there a way to test this yet with an existing package? If not, maybe we should remove the QA validation labels.

@juliaElastic
Contributor Author

@joshdover I saw here that Windows integration uses a multi_field, but I'm getting an error when trying to install it on latest master:

Error installing windows 1.10.0: mapper_parsing_exception: [mapper_parsing_exception] Reason: Failed to parse mapping: analyzer [powershell_script_analyzer] has not been configured in mappings

@joshdover
Contributor

@juliaElastic That error should have been fixed by #128498, have you pulled latest main?

@juliaElastic
Contributor Author

@joshdover you're right, I forgot to pull locally. Now I can successfully install the Windows integration.
However, I'm not seeing match_only_text under the command_line mapping here: http://localhost:5620/app/management/data/index_management/templates/logs-windows.sysmon_operational

@joshdover
Contributor

joshdover commented Mar 30, 2022

however, I'm not seeing match_only_text under command_line mapping here:

I believe the "Mappings" tab on that flyout only shows the mappings defined in the base index template. Since we've moved the mappings to the @package component template, you'll need to look there instead. Should be something like http://localhost:5601/app/management/data/index_management/component_templates/logs-windows.sysmon_operational%40package

@juliaElastic
Contributor Author

juliaElastic commented Mar 30, 2022

I'm checking in the Preview tab where all mappings are there.

EDIT: I checked what is actually coming from the package fields, and there is no multi_field specified, so that is why it is not there in mappings either.

```json
{
  "name": "process",
  "type": "group",
  "fields": [
    {
      "description": "Full command line that started the process, including the absolute path to the executable, and all arguments.\nSome arguments may be filtered to protect sensitive information.",
      "name": "command_line",
      "type": "wildcard"
    },
```

@jsoriano do you know a package to test the new type of multi_fields with? I tried with Windows package, but it doesn't seem to have that field.

@jsoriano
Member

@jsoriano do you know a package to test the new type of multi_fields with? I tried with Windows package, but it doesn't seem to have that field.

elastic-package didn't support importing multi_fields from ECS until elastic/elastic-package#678, which is still not used in the integrations repo (coming in elastic/integrations#2916). So packages don't have multi-fields on ECS fields yet; this is probably the case for the Windows package.

There are, though, some packages that have multi_fields on their own fields, for example aws, mimecast, osquery_manager or synthetics. Some others have them in their "agent" fields too, but these fields may not be used, as they were added in bulk.

@juliaElastic
Contributor Author

@joshdover I think we can remove the QA labels, as there is no package with these specific fields (multi_fields/match_only_text type or doc_values)

@amolnater-qasource

Hi @juliaElastic
As per your comment shared at #128391 (comment), could you please confirm if any testing is required on this from our end?

cc: @joshdover
Thanks

@juliaElastic
Contributor Author

@amolnater-qasource I think no testing is needed, thanks.

@amolnater-qasource

Thanks @juliaElastic
We will be removing QA: Ready for testing label from this issue.

@amolnater-qasource amolnater-qasource removed the QA:Ready for Testing Code is merged and ready for QA to validate label Apr 20, 2022
@amolnater-qasource amolnater-qasource removed the QA:Needs Validation Issue needs to be validated by QA label Feb 28, 2023