-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Response Ops][Alerting] Possible "experimental" ECS fields are not backwards compatible for alerts as data #168959
Comments
Pinging @elastic/response-ops (Team:ResponseOps) |
After discussing with @ymao1 @pmuellr @kobelb @doakalexi we will go with the following option:
While we omit this field, we should also omit all other ECS experimental fields to prevent this situation for now. |
According to the ECS RFC stages doc, any RFC in stage 3 is considered GA. Here are the fields from RFCs in https://github.com/elastic/ecs/blob/main/rfcs/text/0002-rfc-environment.md - marked as Seems like fields make it into the normal (not experimental) generated ECS file when they reach stage 2, where iterative but not breaking changes might be expected but they're still only recommended for experimental usage. There is a |
Opened an issue in the ECS repo: elastic/ecs#2294 |
…mponent template (elastic#170571) Resolves elastic#168959 ## Summary Hard-coding a list of experimental (RFC stage 2) ECS fields to exclude from the ECS component template. These are only the fields that are not currently defined in `ecs_flat.yml`. The only existing field that is excluded is `faas.trigger` which, if included, will cause a mapping conflict exception because of an ECS mapping change from `nested` to `object`. ## To Verify Compare the mappings for the `.alerts-ecs-mappings` component template between `main` and this branch and notice that the `faas.trigger` field is excluded from the component template on this branch. --------- Co-authored-by: Kibana Machine <[email protected]>
There was a recent PR to update the ECS field mappings from 8.6 to the latest that we noticed caused an error when updating existing alerts as data indices due to this error:
It looks like there was an intentional change to the ECS
faas.trigger
field to change it from nested to object. Reading the issue, it seems that this change was approved because at the time thefaas.trigger
field was experimental. We've left a question to the ECS team to ask if there's a way to differentiate experimental ECS fields from non-experimental fields, but in the meantime, we are left with a lot of alerts as data indices in the wild with the experimentalnested
mapping type.In order to move foward with the ECS update, which we've seen some customer requests for have been asking for, we should figure out how to handle this
Options
The text was updated successfully, but these errors were encountered: