[network_traffic] Set map_to_ecs to true by default #10785
Conversation
fearful-symmetry
added
the
Team:Security-Linux Platform
|
Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform) |
|
So, @efd6 I kind of want you to check my logic here. It looks like CI is failing on a handful of mappings: Looking at the packetbeat code, it looks like However, I'm not sure why this wasn't caught earlier, and I'm also not sure if I'm just...allowed to change the types of ECS fields? |
🚀 Benchmarks reportTo see the full report comment with |
andrewkroh
changed the title
| @@ -27,7 +27,7 @@ | |||
| The number of documents in the reply. | |||
|
|
|||
| - name: startingFrom | |||
| type: keyword | |||
| type: long | |||
There was a problem hiding this comment.
I don't think we should change any of these from keyword to long. I think they are all keywords in standalone Packetbeat mappings too, right? Unless we know that range queries1 need to be supported, then I would keep them as is. To make the tests pass there are two solutions:
- Convert numbers to strings via processors.
- Add
numeric_keyword_fieldsto the test configuration. (see https://github.com/elastic/elastic-package/blob/main/docs/howto/pipeline_testing.md)
Footnotes
There was a problem hiding this comment.
So, annoyingly, the packetbeat fields don't seem to have types set?
- name: startingFrom
description: >
Where in the cursor this reply is starting.
- name: cursorId
description: >
The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database.
But the other fields do have the correct type set:
- name: numberToReturn
type: long
description: >
The requested maximum number of documents to be returned.
We do read them in as ints though:
m.event["startingFrom"], err = d.readInt32()
if err != nil {
logp.Err("An error occurred while parsing OP_REPLY message: %s", err)
return false, false
}
I wonder if that's how these got set to the wrong type to begin with? Either way, it seems like we won't be conflicting with any existing mapping? Maybe? Unless they default to keywords?
There was a problem hiding this comment.
So, annoyingly, the packetbeat fields don't seem to have types set?
The default is keyword in Beats fields.yml framework. So these fields are keywords in Beats.
I wonder if that's how these got set to the wrong type to begin with?
I don't think cursorId is wrong. A keyword is generally the best choice for identifiers when numeric range queries are not needed.
There might be some use to having startingFrom be indexed as a long, but I wouldn't change from keyword to long without good reason like a feature request. These fields are associated with mongodb opcodes that were deprecated in mongodb 5.0 from July 2021 (and that is now two majors ago), so doubt they are getting used much anyways.
I think adding numeric_keyword_fields: [...] to the test configuration to remove the strict check that _source contains strings is the best course of action to resolve the test failure.
💚 Build Succeeded
History
|
|
|
Package network_traffic - 1.32.0 containing this change is available at https://epr.elastic.co/search?package=network_traffic |
|
It looks to me like the sample events were not updated here. |
Proposed commit message
See #8185
This sets
map_to_ecsfor all thenetwork_trafficdatastreams to true, in line with #8185.I don't have a huge amount of context for this, so apologies if I forgot something.
Checklist
changelog.ymlfile.