Add support for runtime fields in packages #39
Comments
|
@ycombinator for the spec |
* Fix: create missing build directory * Fix
|
Adding to this, Elasticsearch supports to set the |
|
@elastic/apm-server feel free to pick this up for |
|
We would really like to see this prioritised. The way I would propose this to be implemented is as following: This is slightly different from the way it looks in Elasticsearch where a separate block for runtime fields has to be specified. Having it directly as a boolean in the fields definition allows a very simple way to enable / disable it for devs. Fleet still has to create the additional block. |
|
@jlind23 putting this on your radar. |
|
A couple things to consider here. Runtime fields is mostly optimized for extracting new fields out of other indexed fields that are available in the "doc values" and the runtime field's script has to be written differently depend on whether or not the field that we're extracting from is being indexed. So there's really 2 use cases here:
When Fleet creates the index templates for runtime fields, the We can probably support a design like this for both use cases: I think the implementation could work something like this:
|
|
The approach mentioned by @joshdover in #39 (comment) LGTM For adding this new field, according to the docs it should be checked that
I'll try to create a proposal PR in package-spec to include that field. Fleet should also add support to create those runtime fields, @kpollich do you foresee any issue having that field being In elastic-package there could be some improvements to be added:
|
|
Plan sounds good to me too.
This seems to be already the behaviour of Elasticsearch when no script is set (see here). In principle it seems enough to add the field as runtime field, without any script, and it does the equivalent to
@mrodm could you please check if there is already an open issue for that, and create one otherwise?
It seems possible to have variables with multiple types in typescript, I think this will need more special handling in Go if we need to do something with this field 🙂
Maybe we can try to remove a field in a package, and add it as a runtime field in the |
I don't foresee this being an issue on Fleet's end. Just a small piece of logic for how the field is used when generating mappings. |
I've tested this approach, and what I observed is that runtime fields are just present in the
In that case, Created issue to support runtime fields in elastic-package elastic/elastic-package#1229 Also tested that if nowadays a field with the |
|
Thanks @mrodm for the work here so far. I'm going to move this issue to Sprint 12 but of course it could get closed out by #505 if that merges soon. Follow up issues elastic/elastic-package#1229, elastic/kibana#155255) will be moved to Sprint 12 as well. |
The support for package-spec has been added through that PR, but runtime fields need to be supported also in Kibana/Fleet. There is another issue for that elastic/kibana#155255. According to the comments in the PR, it should be for 8.9.0 https://github.com/elastic/package-spec/pull/505/files#r1173839069 Should we close this one and just let the other issue in kibana open ? @jlind23 |
|
We should not close this issue. This is about adding support fo runtime fields in packages. As long as Fleet does not support it, it is from my perspective not supported in packages even though users could add it. |
|
@mrodm moving this issue out of our current sprint as they are is nothing to do here from a package-spec perspective. We will close this one later as ruflin stated as soon as elastic/kibana#155255 is fixed. |
## Summary Closes #155255 Closes elastic/package-spec#39 Add support in Fleet for Runtime fields, based on these docs: - Defining runtime fields: - https://www.elastic.co/guide/en/elasticsearch/reference/8.8/runtime-mapping-fields.html - https://www.elastic.co/guide/en/elasticsearch/reference/8.8/runtime-retrieving-fields.html - Mapping runtime fields in dynamic templates: - https://www.elastic.co/guide/en/elasticsearch/reference/current/dynamic-templates.html#dynamic-mapping-runtime-fields - Adding runtime fields under groups Given these field definitions in packages: ```yaml - name: bar type: boolean - name: uptime type: keyword - name: runtime_boolean type: boolean runtime: true - name: runtime.day type: keyword runtime: >- emit(doc['@timestamp'].value.dayOfWeekEnum.getDisplayName(TextStyle.FULL, Locale.ROOT)) - name: to_be_long type: long runtime: true - name: runtime.date type: date date_format: 'yyyy-MM-dd' runtime: >- emit(doc['@timestamp'].value.toEpochMilli()) - name: runtime.epoch_milli type: long runtime: >- emit(doc['@timestamp'].value.toEpochMilli()) - name: lowercase type: keyword runtime: >- emit(doc['uppercase'].value.toLowerCase()) - name: labels.* type: long object_type_mapping_type: double runtime: true - name: responses type: group fields: - name: runtime_group_boolean type: boolean runtime: true - name: foo type: boolean ``` and this definition in the manifest ```yaml elasticsearch: index_template: mappings: runtime: day_of_week_two: type: keyword script: source: "emit(doc['@timestamp'].value.dayOfWeekEnum.getDisplayName(TextStyle.FULL, Locale.ROOT))" ``` This PR adds the required fields into the `mappings` key when installing the package. For this example, the resulting mappings are (just showing the relevant data for these changes): ```json { ".ds-logs-runtime_fields.foo-default-2023.07.10-000001": { "mappings": { "dynamic_templates": [ { "labels.*": { "path_match": "labels.*", "match_mapping_type": "double", "runtime": { "type": "long" } } } ], "runtime": { "day_of_week_two": { "type": "keyword", "script": { "source": "emit(doc['@timestamp'].value.dayOfWeekEnum.getDisplayName(TextStyle.FULL, Locale.ROOT))", "lang": "painless" } }, "labels.a": { "type": "long" }, "labels.b": { "type": "long" }, "lowercase": { "type": "keyword", "script": { "source": "emit(doc['uppercase'].value.toLowerCase())", "lang": "painless" } }, "responses.runtime_group_boolean": { "type": "boolean" }, "runtime.date": { "type": "date", "script": { "source": "emit(doc['@timestamp'].value.toEpochMilli())", "lang": "painless" }, "format": "yyyy-MM-dd" }, "runtime.day": { "type": "keyword", "script": { "source": "emit(doc['@timestamp'].value.dayOfWeekEnum.getDisplayName(TextStyle.FULL, Locale.ROOT))", "lang": "painless" } }, "runtime.epoch_milli": { "type": "long", "script": { "source": "emit(doc['@timestamp'].value.toEpochMilli())", "lang": "painless" } }, "runtime_boolean": { "type": "boolean" }, "to_be_long": { "type": "long" } }, "properties": { "@timestamp": { "type": "date", "ignore_malformed": false }, "bar": { "type": "boolean" }, "data_stream": { "properties": { "dataset": { "type": "constant_keyword" }, "namespace": { "type": "constant_keyword" }, "type": { "type": "constant_keyword" } } }, "labels": { "type": "object" }, "message": { "type": "keyword", "ignore_above": 1024 }, "responses": { "properties": { "foo": { "type": "boolean" } } }, "uppercase": { "type": "keyword", "ignore_above": 1024 }, "user": { "properties": { "id": { "type": "keyword", "ignore_above": 1024 } } } } } } } ``` Tested manually installing a package containing runtime field definitions as the example above. Tested also indexing some documents and retrieving the runtime fields: - Indexing documents: ```json POST /logs-runtime_fields.foo-default/_doc/ { "@timestamp": "2023-07-07T13:32:09.000Z", "datastream": { "dataset": "logs-runtime_fields.foo", "namespace": "default", "type": "logs" }, "user": { "id": "8a4f500d" }, "message": "Login successful", "labels": { "a": 1.6, "b": 2.5 }, "uppercase": "SOMETHING", "to_be_long": 1.6, "runtime_boolean": true, "responses.runtime_group_boolean": false } ``` - Retrieving runtime fields (`_source` disabled): ```json GET logs-runtime_fields.foo-default/_search { "fields": [ "@timestamp", "runtime_boolean", "responses.runtime_group_boolean", "runtime.day", "runtime.date", "runtime.epoch_milli", "labels.*", "uppercase", "lowercase", "to_be_long" ], "_source": false } ``` - Output: ```json ... "hits": [ { "_index": ".ds-logs-runtime_fields.foo-default-2023.07.10-000001", "_id": "_7p1P4kBtEvrlGnsxiFN", "_score": 1, "fields": { "uppercase": [ "SOMETHING" ], "runtime.date": [ "2023-07-10" ], "@timestamp": [ "2023-07-10T09:33:09.000Z" ], "lowercase": [ "something" ], "to_be_long": [ 1 ], "runtime_boolean": [ true ], "runtime.day": [ "Monday" ], "labels.a": [ 1 ], "labels.b": [ 2 ], "responses.runtime_group_boolean": [ false ], "runtime.epoch_milli": [ 1688981589000 ] } } ] ... ``` ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios (https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US)) --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Soon Elasticsearch is planned to support runtime fields: elastic/elasticsearch#59332 I assume these can not be specified currently in our fields.yml. We should add support for these fields in fields.yml and on the Kibana side be able to create the correct Elasticsearch templates and Kibana index patterns.
The text was updated successfully, but these errors were encountered: