o365: fix mappings for dynamically mapped fields #7988
* o365.audit.ExchangeMetaData.*
* o365.audit.ExceptionInfo.*
* o365.audit.ExtendedProperties.*
* o365.audit.Item.*
* o365.audit.Item.*.*
* o365.audit.ModifiedProperties.*.*
* o365.audit.Parameters.*
* o365.audit.SharePointMetaData.*

Remove o365.audit.Members.*; o365.audit.Members is already defined as a flattened field.
- name: Item.* | ||
type: object | ||
object_type: keyword | ||
object_type_mapping_type: '*' |
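Review bot: `object_type_mapping_type: '*'` on the `Item.*` entry has no comment explaining why a catch-all match type is paired with `object_type: keyword`. A one-line YAML comment above the entry stating the intent would save the next reader from having to work it out.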
From the dynamic templates, it looks like this is not necessary.
Why didn't it show up in the dynamic_templates?
Yeah, that's why I'm confused.
Maybe a bug in package-spec?
I would suspect Fleet. Like perhaps the dedupFields function (https://github.com/elastic/kibana/blob/ed8225f7bcb9f8d16b2241c8de26cd8103fcb942/x-pack/plugins/fleet/server/services/epm/fields/field.ts#L124). Given that this would appear to be a parent of the Item.*.*, I wonder if it is being ignored.
Logged an issue at elastic/kibana#167553.
We can move forward without this being in the template because its only purpose was to satisfy the field validation (all fields found in test cases must be defined) within elastic-package, and it still does. The default dynamic mappings will work fine.
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
@@ -34,6 +34,9 @@ | |||
type: keyword | |||
- name: ExchangeMetaData.* | |||
type: object | |||
# This object can also contain date fields, but we cannot express multiple dynamic mapping types here. |
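Review bot: the new comment on `ExchangeMetaData.*` says date fields can appear in this object but not which type those values end up mapped as. Naming the resulting type in the comment would make the limitation concrete for anyone querying these fields.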
> This object can also contain date fields

For these cases I assume the data has always been mapped as keyword because Fleet is using "date_detection": false in templates. So this isn't a regression.
Yep, this is just a note for why it is.
What does this PR do?
* o365.audit.ExchangeMetaData.*
* o365.audit.ExceptionInfo.*
* o365.audit.ExtendedProperties.*
* o365.audit.Item.*
* o365.audit.Item.*.*
* o365.audit.ModifiedProperties.*.*
* o365.audit.Parameters.*
* o365.audit.SharePointMetaData.*

Remove o365.audit.Members.*; o365.audit.Members is already defined as a flattened field.

After this change the dynamic mappings are: