Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[8.x] [Auto Import] Improve the ECS mapping extraction logic (#195167) #195586

Merged
merged 1 commit into from
Oct 9, 2024

Conversation

kibanamachine
Copy link
Contributor

Backport

This will backport the following commits from main to 8.x:

Questions ?

Please refer to the Backport tool documentation

## Release Notes

Automatic Import is more forgiving if an LLM returns an ECS mapping in a
slightly unexpected format.

## Summary

When implementing elastic#194386 an issue
has been encountered where Claude returns the field name `date_format`
instead of expected `date_formats` and the ECS chain breaks down.

We add this case as a test to
`x-pack/plugins/integration_assistant/server/graphs/ecs/validate.test`.

Without the changes in this PR the list returned by
`findInvalidEcsFields` is

```
      [
        'Reserved ECS field mapping identified for event.created : ai_postgres_202410050058.logs.column1.target',
        'Invalid ECS field mapping identified for 0.9 : ai_postgres_202410050058.logs.column1.confidence, ai_postgres_202410050058.logs.column5.confidence',
        'Invalid ECS field mapping identified for date : ai_postgres_202410050058.logs.column1.type, ai_postgres_202410050058.logs.column9.type',
        'Invalid ECS field mapping identified for 0.95 : ai_postgres_202410050058.logs.column12.confidence',
        'Invalid ECS field mapping identified for string : ai_postgres_202410050058.logs.column12.type, ai_postgres_202410050058.logs.column14.type, ai_postgres_202410050058.logs.column24.type, ai_postgres_202410050058.logs.column5.type, ai_postgres_202410050058.logs.column3.type, ai_postgres_202410050058.logs.column2.type',
        'Invalid ECS field mapping identified for 0.8 : ai_postgres_202410050058.logs.column9.confidence, ai_postgres_202410050058.logs.column3.confidence',
        'Invalid ECS field mapping identified for 0.7 : ai_postgres_202410050058.logs.column14.confidence, ai_postgres_202410050058.logs.column2.confidence',
        'Invalid ECS field mapping identified for 0.85 : ai_postgres_202410050058.logs.column24.confidence'
      ]
```

while with these changes the result does not contain any `Invalid ECS field` messages.

The key changes are in the `processMapping` function:

1. We made function more forgiving in regards to the input, accepting
`date_format` in lieu of `date_formats`.
2. We have removed the collection of "other paths", that is, the reverse
index for simple values like `0.8`.

The latter change generally limits the impact of any other format issues
in the ECS mapping in the future.

Additionally, the function has been renamed to `extractECSMapping`, its
output type validated, and documentation has been added.

---------

Co-authored-by: Elastic Machine <[email protected]>
(cherry picked from commit 637d796)
@kibanamachine kibanamachine merged commit 9edfe2e into elastic:8.x Oct 9, 2024
24 checks passed
@elasticmachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

✅ unchanged

cc @ilyannn

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants