[Fleet] Transform mappings lost in shallow merge #175331

Closed
chrisberkhout opened this issue Jan 23, 2024 · 4 comments · Fixed by #177608
Labels
bug Fixes for quality problems that affect the customer experience Team:Fleet Team label for Observability Data Collection Fleet team

Comments

@chrisberkhout

Kibana version: v8.11.0+

Describe the bug:

A transform definition in an integration may have multiple files of field mappings, for example:

elasticsearch/transform/latest_ioc/fields/ecs.yml
elasticsearch/transform/latest_ioc/fields/ecs-extra.yml

Each file is processed and mappings are accumulated to produce the full set. However, mappings from files processed earlier will be overwritten if a later file defines a mapping for a field with the same prefix (e.g. threat.*). This is due to the shallow merge done here.

This differs from the behavior of mappings files for a data stream.

This merge logic may have the additional issue that it only processes data under the properties key, and not sibling keys such as dynamic_templates. I haven't verified this and it may be that it is correctly handled elsewhere.

Expected behavior:

A mapping for one field shouldn't overwrite the mapping for another field, even if they are defined in separate files and share a field prefix.

Any additional context:

The current merge logic was introduced in #168499.

This issue came up in elastic/integrations#8920, where I initially had one file for overriding/extending ECS fields and another file for plain references to external ECS field definitions. To work around this issue I combined them into one file.

@chrisberkhout chrisberkhout added bug Fixes for quality problems that affect the customer experience Team:Fleet Team label for Observability Data Collection Fleet team labels Jan 23, 2024
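
The overwrite described in the report above, as an added example that is not part of the original issue and is not Kibana's code: a simplified model of shallow versus recursive merging. The mappings are constructed, and the helper names (`shallowMerge`, `deepMergeAll`, `fieldPaths`, `lostFields`) are hypothetical.

```typescript
// Added example: a simplified model of the merge behaviour, not Kibana's code.
type Mapping = { [key: string]: any };

// Constructed stand-ins for what fields/ecs.yml and fields/ecs-extra.yml could
// produce once converted to Elasticsearch mappings (field names are illustrative).
const ecs: Mapping = { properties: { threat: { properties: { indicator: { properties: {
  ip: { type: 'ip' },
  type: { type: 'keyword' },
} } } } } };
const ecsExtra: Mapping = { properties: { threat: { properties: {
  feed: { properties: { name: { type: 'keyword' } } },
  indicator: { properties: { first_seen: { type: 'date' } } },
} } } };

const isObject = (v: any): boolean =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Shallow accumulation: a later file's top-level key (here `threat`) replaces
// the whole subtree contributed by earlier files.
function shallowMerge(files: Mapping[]): Mapping {
  let properties: Mapping = {};
  for (const f of files) properties = { ...properties, ...f.properties };
  return { properties };
}

// Recursive merge: objects are merged key by key, scalars and arrays are replaced.
function deepMerge(target: Mapping, source: Mapping): Mapping {
  const out: Mapping = { ...target };
  for (const k of Object.keys(source)) {
    out[k] = isObject(out[k]) && isObject(source[k]) ? deepMerge(out[k], source[k]) : source[k];
  }
  return out;
}
const deepMergeAll = (files: Mapping[]): Mapping =>
  files.reduce((acc: Mapping, f: Mapping) => deepMerge(acc, f), {} as Mapping);

// Flatten a mapping into sorted leaf field paths such as "threat.indicator.ip".
function fieldPaths(mapping: Mapping, prefix = ''): string[] {
  const props: Mapping = mapping.properties || {};
  const paths: string[] = [];
  for (const name of Object.keys(props)) {
    if (isObject(props[name].properties)) paths.push(...fieldPaths(props[name], prefix + name + '.'));
    else paths.push(prefix + name);
  }
  return paths.sort();
}

// Check: fields defined in some file but missing from the shallow result.
function lostFields(files: Mapping[]): string[] {
  const kept = fieldPaths(shallowMerge(files));
  return fieldPaths(deepMergeAll(files)).filter((p) => kept.indexOf(p) === -1);
}
console.log(lostFields([ecs, ecsExtra]));
```

A check like `lostFields` can run against a package's fields files before installation to flag any field that would be dropped by file ordering.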
@elasticmachine
Contributor

Pinging @elastic/fleet (Team:Fleet)

@nchaulet
Member

Looking at the code, it looks like we have two different approaches to build mappings for template and datastreams:

For datastream, we process all fields field and then put the index template https://github.com/elastic/kibana/blob/main/x-pack/plugins/fleet/server/services/epm/elasticsearch/template/install.ts#L512-L519

For transform we process the fields file one by one and put the new mappings.

I think we should fix this, and process the mappings for the transform the same way we do for datastream. I am trying to come up with a PR for that.

@chrisberkhout
Author

Related? elastic/elastic-package#1641

@nchaulet
Member

> Related? elastic/elastic-package#1641

@chrisberkhout I think this is a different issue, that will need to be solved in elastic-package
