-
Notifications
You must be signed in to change notification settings - Fork 118
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Validate fields skipped in type assertion #147
Comments
|
Looking at this issue, it seems to be a good candidate to implement while we will introduce support for processors' fields in elastic/package-spec#63 . |
Related: elastic/package-spec#199 |
This issue is relatively old now, so I assume it isn't really important. I will close it for now. |
I think we need to revisit the check for elastic-package/internal/fields/validate.go Line 266 in a4a0b19
|
Several event field mappings were missing (tests do not validate event.* as per elastic/elastic-package#147). After adding those mappings some of the data types didn't match so I added a few convert processors. I modified the pipeline tests to use simulated data from the Beats decode_cef processor. Fixes: elastic#2805
Several event field mappings were missing (tests do not validate event.* as per elastic/elastic-package#147). After adding those mappings some of the data types didn't match so I added a few convert processors. I modified the pipeline tests to use simulated data from the Beats decode_cef processor. Fixes: #2805
I remember that we disabled them because it means that we have to add more exactly the same fields to every data stream. We tried to figure out an option to introduce common fields and the topic was deprioritized. I agree that's a high time to refresh the discussion :) |
This enables field validation for `event.*`. There are exemptions for fields contained in the Fleet managed .fleet_component_template that is added to all data streams. This template contains event.ingested and event.agent_id_status. Relates elastic#147
Several event field mappings were missing (tests do not validate event.* as per elastic/elastic-package#147). After adding those mappings some of the data types didn't match so I added a few convert processors. I modified the pipeline tests to use simulated data from the Beats decode_cef processor. Fixes: elastic#2805
Reopening as the skip is still in the code, and there seems to be related issues that could be detected by the skipped validation. |
This enables field validation for `event.*`. There are exemptions for fields contained in the Fleet managed .fleet_component_template that is added to all data streams. This template contains event.ingested and event.agent_id_status. Relates elastic#147
This enables field validation for `event.*`. There are exemptions for fields contained in the Fleet managed .fleet_component_template that is added to all data streams. This template contains event.ingested and event.agent_id_status. Relates elastic#147
I wanted to mention that there are two fields under Perhaps something like this: diff --git a/internal/fields/validate.go b/internal/fields/validate.go
index afed354..f149e57 100644
--- a/internal/fields/validate.go
+++ b/internal/fields/validate.go
@@ -263,16 +263,29 @@ func skipValidationForField(key string) bool {
return isFieldFamilyMatching("agent", key) ||
isFieldFamilyMatching("elastic_agent", key) ||
isFieldFamilyMatching("cloud", key) || // too many common fields
- isFieldFamilyMatching("event", key) || // too many common fields
isFieldFamilyMatching("host", key) || // too many common fields
isFieldFamilyMatching("metricset", key) || // field is deprecated
- isFieldFamilyMatching("event.module", key) // field is deprecated
+ isFleetManagedMapping(key)
}
func isFieldFamilyMatching(family, key string) bool {
return key == family || strings.HasPrefix(key, family+".")
}
+// isFleetManagedMapping return true if the field is contained in a Fleet
+// managed component template that is added to all data streams.
+//
+// The template is controlled in elastic/kibana at:
+// https://github.com/elastic/kibana/blob/v8.1.0/x-pack/plugins/fleet/server/constants/fleet_es_assets.ts#L24-L39
+func isFleetManagedMapping(key string) bool {
+ switch key {
+ case "event.agent_id_status",
+ "event.ingested":
+ return true
+ }
+ return false
+}
+
func isFieldTypeFlattened(key string, fieldDefinitions []FieldDefinition) bool {
definition := FindElementDefinition(key, fieldDefinitions)
return definition != nil && definition.Type == "flattened" |
Gave a try to this in the context of elastic/package-spec#399, but I think that we need some kind of centralized schema for data providers (elastic/package-spec#199). |
Follow-up on:
#143 (comment)
#143 (comment)
Currently we skip validation for generic fields present in every (most?) document collected by Elastic Agents but undefined in
fields.yml
files (not part of integrations). Sample fields:agent.*
,elastic_agent.*
.The goal is to introduce validation for the special fields as well.
The text was updated successfully, but these errors were encountered: