[Crowdstrike] FDR - Fixes parsing errors in aip and ContextTimeStamp fields #5655
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
```yaml
- convert:
    field: crowdstrike.localipCount
    type: integer
    if: (ctx.crowdstrike?.localipCount != null && ctx.crowdstrike?.localipCount != "")
```
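Review bot: the `if` guard on this convert skips null and the empty string, but not the `"-"` placeholder that the cleanup script suggested further down in this review also strips; if `localipCount` can carry that placeholder, the convert to integer will still fail on it, so either extend the condition or give the processor an `on_failure` handler that tags the event instead of failing the pipeline.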
Just a thought, looking at a lot of repeated code...
Can we not run a Painless script before all the convert / set with copy_from processors to remove fields that are empty ("") / null?
Like:
```yaml
- script:
    lang: painless
    description: This script processor iterates over the whole document to remove fields with null / empty values.
    source: |
      void handleMap(Map map) {
        for (def x : map.values()) {
          if (x instanceof Map) {
            handleMap(x);
          } else if (x instanceof List) {
            handleList(x);
          }
        }
        map.values().removeIf(v -> v == null || v == "" || v == "-" || v == "\"-\"" || ((v instanceof List || v instanceof Map) && v.isEmpty()));
      }
      void handleList(List list) {
        for (def x : list) {
          if (x instanceof Map) {
            handleMap(x);
          } else if (x instanceof List) {
            handleList(x);
          }
        }
      }
      handleMap(ctx.crowdstrike);
```
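To make the suggestion above concrete, here is an added Python model of that cleanup pass and of the `convert` processor it is meant to protect. It is not code from the integration (whose pipeline is YAML plus Painless): `prune_empty` reproduces the `handleMap`/`handleList` semantics (maps are pruned after recursion, list elements are only recursed into, never removed), `convert_integer` mimics a `convert` with `type: integer` that fails the pipeline on a non-numeric value, and the event contents are constructed to exercise the empty-string, placeholder, nested-empty-map and multi-valued `aip` cases.

```python
"""Model of the ingest-pipeline cleanup pass suggested in the review.

Added example in Python (not the integration's own code, which is a Painless
script inside a YAML pipeline). Event contents below are constructed.
"""
from copy import deepcopy
from typing import Any, Union

# Same placeholder strings the Painless removeIf() treats as empty.
EMPTY_STRINGS = {"", "-", '"-"'}


def _is_empty(v: Any) -> bool:
    return (
        v is None
        or (isinstance(v, str) and v in EMPTY_STRINGS)
        or (isinstance(v, (dict, list)) and len(v) == 0)
    )


def prune_empty(value: Any) -> Any:
    """Recursively drop null/empty/placeholder entries, mirroring the Painless script.

    Maps: recurse into children first, then remove empty values, so a map that
    became empty only because its children were removed is dropped as well.
    Lists: recurse into elements only; the script never removes list elements.
    """
    if isinstance(value, dict):
        for k in list(value):
            value[k] = prune_empty(value[k])
        for k in [k for k, v in value.items() if _is_empty(v)]:
            del value[k]
    elif isinstance(value, list):
        for i, item in enumerate(value):
            value[i] = prune_empty(item)
    return value


def convert_integer(doc: dict, path: str, ignore_missing: bool = True) -> dict:
    """Model of `convert: {type: integer}`: a non-numeric value fails the pipeline.

    With ignore_missing=True a field that the cleanup removed is simply skipped,
    which is what the per-field `if` guards in the pipeline achieve by hand.
    """
    *parents, leaf = path.split(".")
    node: Any = doc
    for p in parents:
        node = node.get(p) if isinstance(node, dict) else None
        if node is None:
            break
    if not isinstance(node, dict) or leaf not in node:
        if ignore_missing:
            return doc
        raise KeyError(f"field [{path}] not present")
    try:
        node[leaf] = int(node[leaf])
    except (TypeError, ValueError) as exc:
        raise ValueError(f"unable to convert [{node[leaf]!r}] to integer") from exc
    return doc


# Constructed FDR-like event: an empty localipCount (the case the `if` guards
# exist for), a "-" placeholder, an empty nested map, and a multi-valued aip.
SAMPLE_EVENT = {
    "crowdstrike": {
        "localipCount": "",
        "ContextTimeStamp": "-",
        "aip": ["192.0.2.10", "198.51.100.7"],
        "nested": {"inner": None},
        "event_simpleName": "NetworkConnectIP4",
    }
}


def process(event: dict, cleanup_first: bool) -> Union[dict, str]:
    """Run the modelled pipeline; return the document, or the failure message."""
    doc = deepcopy(event)
    if cleanup_first:
        prune_empty(doc["crowdstrike"])  # the handleMap(ctx.crowdstrike) call
    try:
        return convert_integer(doc, "crowdstrike.localipCount")
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(process(SAMPLE_EVENT, cleanup_first=False))  # convert fails on ""
    print(process(SAMPLE_EVENT, cleanup_first=True))   # empty fields gone, convert skipped
```

Running it shows the two behaviours side by side: without the cleanup the unguarded convert fails on the empty `localipCount`; with it, `localipCount`, `ContextTimeStamp` and the emptied `nested` map are gone, the multi-valued `aip` list is left intact (so anything copied from it will still be an array), and the convert is skipped because the field is missing.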
It's a shame that observer.* ends up as an array, but there's not much we can do if aip can often be arrays, because it's impossible to know which to choose.
Since the field type is still keyword, it's still fine.
Package crowdstrike - 1.11.1 containing this change is available at https://epr.elastic.co/search?package=crowdstrike
What does this PR do?

For the FDR datastream: fixes parsing errors in the `aip` and `ContextTimeStamp` fields.

Checklist

- I have added an entry to my package's `changelog.yml` file.