Add community_id, fingerprint, and network_direction processors

[andrewkroh]

Add ingest processor definitions for community_id, fingerprint, network_direction, and registered_domain processors. All parameters and descriptions were scraped from the 8.16 docs.

Add ip to the list of types supported by the convert processor.

Add ecs_compatibility to grok processor.

Add output_format to date processor.

Related issues

• Fixes ConvertType enum is missing 'ip' #2309
• Fixes Community ID Ingest Processor is missing #2553
• Fixes Fingerprint Ingest Processor is missing #2593
• Fixes Network Direction Ingest Processor is missing #2617

[github-actions]

Following you can find the validation results for the APIs you have changed.

API	Status	Request	Response
ingest.delete_geoip_database	🟢	1/1	1/1
ingest.delete_pipeline	🟢	15/15	15/15
ingest.geo_ip_stats	🟢	1/1	1/1
ingest.get_geoip_database	🟢	6/6	6/6
ingest.get_pipeline	🟢	22/22	22/22
ingest.processor_grok	🟢	1/1	1/1
ingest.put_geoip_database	🟢	3/3	3/3
ingest.put_pipeline	🟢	59/59	59/59
ingest.simulate	🟢	10/10	10/10

You can validate these APIs yourself by using the make validate target.

[flobernd]

Thank you for contributing to the spec 🙂

I left some comments.

[flobernd]

I just noticed that we have a Ip (_types.Ip) alias defined which we should probably as well use instead of just string for all fields that represent an IP address.

[andrewkroh]

@flobernd, What should I do here? The docs say the default is an empty string. Should I remove this entirely, change it to "", something else?

[flobernd]

I think we don't have a way to represent an empty string at the moment. This is something that we should probably improve in the future. cc @swallez @pquentin @l-trotta

We can remove the @server_default annotation for now.

[andrewkroh]

This is the one field that is almost an IP address where would could use the Ip[] type. But that would be inaccurate because the values can be a IP or a CIDR. Should I create a type alias for CIDR somewhere such that the type can be (Ip | CIDR)[]?

[flobernd]

Please refresh my memory. Is xxx.xxx.xxx.xxx without a slash a valid CIDR notation that defaults to /32?

In any way, I think it's fine keeping just string[] in this case.

[andrewkroh]

Please refresh my memory. Is xxx.xxx.xxx.xxx without a slash a valid CIDR notation that defaults to /32?

Yes, that's how the processor is behaving for ipv4. I didn't check it, but for ipv6 I would expect similar behavior just using /128 to indicate that it's matching one address.

[github-actions]

Following you can find the validation results for the APIs you have changed.

API	Status	Request	Response
ingest.delete_geoip_database	🟢	1/1	1/1
ingest.delete_pipeline	🟢	15/15	15/15
ingest.geo_ip_stats	🟢	1/1	1/1
ingest.get_geoip_database	🟢	6/6	6/6
ingest.get_pipeline	🟢	22/22	22/22
ingest.processor_grok	🟢	1/1	1/1
ingest.put_geoip_database	🟢	3/3	3/3
ingest.put_pipeline	🟢	59/59	59/59
ingest.simulate	🟢	10/10	10/10

You can validate these APIs yourself by using the make validate target.

[andrewkroh]

With this change, all of the processors and parameters used across elastic/integrations ingest pipelines are accounted for in the spec.

[flobernd]

Hi @andrewkroh, thanks for updating the PR. Looks good now 🙂

Let's just remove the @server_default <empty string> tag and we should be good to go. cc @pquentin @l-trotta if you want to have a second look.

[github-actions]

Following you can find the validation results for the APIs you have changed.

API	Status	Request	Response
ingest.delete_geoip_database	🟢	1/1	1/1
ingest.delete_pipeline	🟢	15/15	15/15
ingest.geo_ip_stats	🟢	1/1	1/1
ingest.get_geoip_database	🟢	6/6	6/6
ingest.get_pipeline	🟢	22/22	22/22
ingest.processor_grok	🟢	1/1	1/1
ingest.put_geoip_database	🟢	3/3	3/3
ingest.put_pipeline	🟢	59/59	59/59
ingest.simulate	🟢	10/10	10/10

You can validate these APIs yourself by using the make validate target.

[l-trotta]

LGTM! thank you