[elastic_agent] field mappings trips up the ECS data quality checks - Githubissues

elastic / integrations

Elastic Integrations

https://www.elastic.co/integrations

Other

194 stars 421 forks source link

[elastic_agent] field mappings trips up the ECS data quality checks #7846

Closed frconil closed 12 months ago

frconil commented 1 year ago

We define text in https://github.com/elastic/integrations/blob/6e0b6ff1cb51e7b2b6b6b5021492da421d20c293/packages/elastic_agent/data_stream/endpoint_sercurity_logs/fields/fields.yml#L2 but ECS expects match_only_text .

Similarly event.dataset (https://github.com/elastic/integrations/blob/6e0b6ff1cb51e7b2b6b6b5021492da421d20c293/packages/elastic_agent/data_stream/endpoint_sercurity_logs/fields/base-fields.yml#L13) is set as constant_keyword when the data quality dashboard expect keyword.

.ds-logs-elastic_agent.endpoint_security`

Result	Index	Incompatible fields
❌	.ds-logs-elastic_agent.endpoint_security	2

Field	ECS mapping type (expected)	Index mapping type (actual)
event.dataset	`keyword`	`constant_keyword` `same family`
message	`match_only_text`	`text` `same family`

elasticmachine commented 1 year ago

Pinging @elastic/elastic-agent (Team:Elastic-Agent)