[Dev] Add High Cardinality Indexer to Kibana as kbn-data-forge (#174559)

## Summary This PR adds the [High Cardinality Indexer](https://github.com/elastic/high-cardinality-cluster) to Kibana as a new package called `kbn-data-forge`. It also replaces `kbn-infra-forge` usage in the test and is the preferred way to generate data for Observability use cases, specifically for SLO testing. ### Todo - [x] Replace `kbn-infra-forge` usage - [x] Create convenience functions for testing (`generate` and `cleanup`) - [x] Make the logger (`LoggingTool`) configurable as an injected dependency - [x] Make the Elasticsearch client (`Client`) configurable as an injected dependency - [x] Fix the ECS Generate commands - [x] Add CLI options via Commander ### CLI Help Screen ``` Usage: data_forge.js [options] A data generation tool that will create realistic data with different scenarios. Options: --config <filepath> The YAML config file --lookback <datemath> When to start the indexing (default: "now-15m") --events-per-cycle <number> The number of events per cycle (default: 1) --payload-size <number> The size of the ES bulk payload (default: 10000) --concurrency <number> The number of concurrent connections to Elasticsearch (default: 5) --index-interval <milliseconds> The interval of the data in milliseconds (default: 60000) --dataset <dataset> The name of the dataset to use. Valid options: "fake_logs", "fake_hosts", "fake_stack" (default: "fake_logs") --scenario <scenerio> The scenario to label the events with (default: "good") --elasticsearch-host <address> The address to the Elasticsearch cluster (default: "http://localhost:9200") --elasticsearch-username <username> The username to for the Elasticsearch cluster (default: "elastic") --elasticsearch-password <password> The password for the Elasticsearch cluster (default: "changeme") --elasticsearch-api-key <key> The API key to connect to the Elasticsearch cluster --kibana-url <address> The address to the Kibana server (default: "http://localhost:5601") --kibana-username <username> The username for the Kibana server (default: "elastic") --kibana-password <password> The password for the Kibana server (default: "changeme") --install-kibana-assets This will install index patterns, visualizations, and dashboards for the dataset --event-template <template> The name of the event template (default: "good") --reduce-weekend-traffic-by <ratio> This will reduce the traffic on the weekends by the specified amount. Example: 0.5 will reduce the traffic by half (default: 0) --ephemeral-project-ids <number> The number of ephemeral projects to create. This is only enabled for the "fake_stack" dataset. It will create project IDs that will last 5 to 12 hours. (default: 0) -h, --help output usage information ``` ### Testing an Example Run the following command against a clean Kibana development enviroment: ``` node x-pack/scripts/data_forge.js --events-per-cycle 200 --lookback now-1h --install-kibana-assets --ephemeral-project-ids 10 --dataset fake_stack ``` This should install a handful of DataViews (Admin Console, Message Processor, Nginx Logs, Mongodb Logs) along with a few dashboards and visualizations. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2025-04-23 17:28:26 -04:00 · 2024-01-23 16:32:09 -07:00 · 2024-01-23 16:32:09 -07:00 · 5f72e78f82
commit 5f72e78f82
parent 67db684deb
221 changed files with 17752 additions and 107 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -315,6 +315,7 @@ src/plugins/custom_integrations @elastic/fleet
 packages/kbn-cypress-config @elastic/kibana-operations
 x-pack/plugins/dashboard_enhanced @elastic/kibana-presentation
 src/plugins/dashboard @elastic/kibana-presentation
+x-pack/packages/kbn-data-forge @elastic/obs-ux-management-team
 src/plugins/data @elastic/kibana-visualizations @elastic/kibana-data-discovery
 test/plugin_functional/plugins/data_search @elastic/kibana-data-discovery
 packages/kbn-data-service @elastic/kibana-visualizations @elastic/kibana-data-discovery
--- a/package.json
+++ b/package.json
@ -118,6 +118,7 @@
    "@emotion/serialize": "^1.1.2",
    "@emotion/server": "^11.11.0",
    "@emotion/styled": "^11.11.0",
+    "@faker-js/faker": "^8.3.1",
    "@grpc/grpc-js": "^1.6.8",
    "@hapi/accept": "^5.0.2",
    "@hapi/boom": "^9.1.4",
@ -364,6 +365,7 @@
    "@kbn/custom-integrations-plugin": "link:src/plugins/custom_integrations",
    "@kbn/dashboard-enhanced-plugin": "link:x-pack/plugins/dashboard_enhanced",
    "@kbn/dashboard-plugin": "link:src/plugins/dashboard",
+    "@kbn/data-forge": "link:x-pack/packages/kbn-data-forge",
    "@kbn/data-plugin": "link:src/plugins/data",
    "@kbn/data-search-plugin": "link:test/plugin_functional/plugins/data_search",
    "@kbn/data-service": "link:packages/kbn-data-service",
--- a/src/dev/precommit_hook/casing_check_config.js
+++ b/src/dev/precommit_hook/casing_check_config.js
@ -80,6 +80,9 @@ export const IGNORE_FILE_GLOBS = [

  // generator templates use weird filenames based on the requirements for the files they're generating
  'packages/kbn-generate/templates/**/*',
+
+  // ecs templates
+  '**/ecs/fields/**/*',
 ];

 /**
--- a/tsconfig.base.json
+++ b/tsconfig.base.json
@ -624,6 +624,8 @@
      "@kbn/dashboard-enhanced-plugin/*": ["x-pack/plugins/dashboard_enhanced/*"],
      "@kbn/dashboard-plugin": ["src/plugins/dashboard"],
      "@kbn/dashboard-plugin/*": ["src/plugins/dashboard/*"],
+      "@kbn/data-forge": ["x-pack/packages/kbn-data-forge"],
+      "@kbn/data-forge/*": ["x-pack/packages/kbn-data-forge/*"],
      "@kbn/data-plugin": ["src/plugins/data"],
      "@kbn/data-plugin/*": ["src/plugins/data/*"],
      "@kbn/data-search-plugin": ["test/plugin_functional/plugins/data_search"],
--- a/x-pack/packages/kbn-data-forge/README.md
+++ b/x-pack/packages/kbn-data-forge/README.md
@ -0,0 +1,3 @@
+# @kbn/data-forge
+
+Empty package generated by @kbn/generate
--- a/x-pack/packages/kbn-data-forge/index.ts
+++ b/x-pack/packages/kbn-data-forge/index.ts
@ -0,0 +1,21 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export type {
+  Config,
+  Dataset,
+  PartialConfig,
+  Schedule,
+  EventsPerCycle,
+  MetricEventDef,
+  TransitionMethod,
+} from './src/types';
+export { run } from './src/run';
+export { cli } from './src/cli';
+export { generate } from './src/generate';
+export { cleanup } from './src/cleanup';
+export { createConfig, readConfig } from './src/lib/create_config';
--- a/x-pack/packages/kbn-data-forge/jest.config.js
+++ b/x-pack/packages/kbn-data-forge/jest.config.js
@ -0,0 +1,12 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+module.exports = {
+  preset: '@kbn/test',
+  rootDir: '../../..',
+  roots: ['<rootDir>/x-pack/packages/kbn-data-forge'],
+};
--- a/x-pack/packages/kbn-data-forge/kibana.jsonc
+++ b/x-pack/packages/kbn-data-forge/kibana.jsonc
@ -0,0 +1,5 @@
+{
+  "type": "shared-common",
+  "id": "@kbn/data-forge",
+  "owner": "@elastic/obs-ux-management-team"
+}
--- a/x-pack/packages/kbn-data-forge/package.json
+++ b/x-pack/packages/kbn-data-forge/package.json
@ -0,0 +1,6 @@
+{
+  "name": "@kbn/data-forge",
+  "private": true,
+  "version": "1.0.0",
+  "license": "Elastic License 2.0"
+}
--- a/x-pack/packages/kbn-data-forge/src/cleanup.ts
+++ b/x-pack/packages/kbn-data-forge/src/cleanup.ts
@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { Client } from '@elastic/elasticsearch';
+import { ToolingLog } from '@kbn/tooling-log';
+import { createConfig } from './lib/create_config';
+import { deleteIndexTemplate } from './lib/delete_index_template';
+import { PartialConfig } from './types';
+
+export async function cleanup({
+  client,
+  config: partialConfig,
+  logger,
+}: {
+  client: Client;
+  config: PartialConfig;
+  logger: ToolingLog;
+}) {
+  const config = createConfig(partialConfig);
+  return deleteIndexTemplate(config, client, logger);
+}
--- a/x-pack/packages/kbn-data-forge/src/cli.ts
+++ b/x-pack/packages/kbn-data-forge/src/cli.ts
@ -0,0 +1,27 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { ToolingLog } from '@kbn/tooling-log';
+import { cliOptionsToPartialConfig } from './lib/cli_to_partial_config';
+import { createConfig, readConfig } from './lib/create_config';
+import { getEsClient } from './lib/get_es_client';
+import { parseCliOptions } from './lib/parse_cli_options';
+import { run } from './run';
+
+export async function cli() {
+  const options = parseCliOptions();
+  const partialConfig = options.config
+    ? await readConfig(options.config)
+    : cliOptionsToPartialConfig(options);
+  const logger = new ToolingLog({ level: 'info', writeTo: process.stdout });
+  const config = createConfig(partialConfig);
+  const client = getEsClient(config);
+  logger.info(
+    `Starting index to ${config.elasticsearch.host} with a payload size of ${config.indexing.payloadSize} using ${config.indexing.concurrency} workers to index ${config.indexing.eventsPerCycle} events per cycle`
+  );
+  return run(config, client, logger);
+}
--- a/x-pack/packages/kbn-data-forge/src/constants.ts
+++ b/x-pack/packages/kbn-data-forge/src/constants.ts
@ -0,0 +1,37 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export const FAKE_HOSTS = 'fake_hosts';
+export const FAKE_LOGS = 'fake_logs';
+export const FAKE_STACK = 'fake_stack';
+
+export const INDEX_PREFIX = 'kbn-data-forge';
+
+export const DEFAULTS = {
+  EVENTS_PER_CYCLE: 1,
+  PAYLOAD_SIZE: 10_000,
+  CONCURRENCY: 5,
+  SERVERLESS: false,
+  INDEX_INTERVAL: 60_000,
+  DATASET: FAKE_LOGS,
+  SCENARIO: 'good',
+  ELASTICSEARCH_HOST: 'http://localhost:9200',
+  ELASTICSEARCH_USERNAME: 'elastic',
+  ELASTICSEARCH_PASSWORD: 'changeme',
+  ELASTICSEARCH_API_KEY: '',
+  SKIP_KIBANA_USER: false,
+  INSTALL_KIBANA_ASSETS: false,
+  DELAY_IN_MINUTES: 0,
+  DELAY_EVERY_MINUTES: 5,
+  LOOKBACK: 'now-15m',
+  KIBANA_URL: 'http://localhost:5601',
+  KIBANA_USERNAME: 'elastic',
+  KIBANA_PASSWORD: 'changeme',
+  EVENT_TEMPLATE: 'good',
+  REDUCE_WEEKEND_TRAFFIC_BY: 0,
+  EPHEMERAL_PROJECT_IDS: 0,
+};
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/fields/custom/metricset.yaml
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/fields/custom/metricset.yaml
@ -0,0 +1,11 @@
+- name: metricset
+  title: Metricset
+  description: >
+    Metricset data
+  type: group
+  fields:
+    - name: interval
+      type: long
+      level: custom
+      description: >
+        The interval of the data
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/fields/custom/system.yml
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/fields/custom/system.yml
@ -0,0 +1,34 @@
+- name: system
+  title: System
+  type: group
+  level: custom
+  description: "System-related information"
+  fields:
+    - name: cpu.cores
+      type: integer
+      level: custom
+      description: "Number of CPU cores"
+    - name: cpu.total.norm.pct
+      level: custom
+      type: float
+      description: "Percentage of CPU usage"
+    - name: cpu.user.pct
+      level: custom
+      type: float
+      description: "Percentage of CPU usage by user processes"
+    - name: cpu.system.pct
+      level: custom
+      type: float
+      description: "Percentage of CPU usage by system processes"
+    - name: network.name
+      type: keyword
+      level: custom
+      description: "Name of the network interface"
+    - name: network.in.bytes
+      level: custom
+      type: long
+      description: "Number of incoming bytes"
+    - name: network.out.bytes
+      level: custom
+      type: long
+      description: "Number of outgoing bytes"
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/fields/mapping-settings.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/fields/mapping-settings.json
@ -0,0 +1,20 @@
+{
+  "_meta": {
+    "version": "1.6.0"
+  },
+  "date_detection": false,
+  "dynamic_templates": [
+    {
+      "strings_as_keyword": {
+        "mapping": {
+          "type": "keyword",
+          "ignore_above": 1024,
+          "fields": {
+            "text": { "type": "text", "norms" : false }
+          }
+        },
+        "match_mapping_type": "string"
+      }
+    }
+  ]
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/fields/subset.yml
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/fields/subset.yml
@ -0,0 +1,16 @@
+---
+name: fake_hosts
+fields:
+  base:
+    fields: '*'
+  event:
+    fields:
+      module: {}
+      dataset: {}
+  host:
+    fields: '*'
+  metricset:
+    fields: '*'
+  system:
+    fields: '*'
+
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/fields/template-settings-legacy.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/fields/template-settings-legacy.json
@ -0,0 +1,17 @@
+{
+  "index_patterns": ["kbn-data-forge-fake_hosts.fake_hosts-*"],
+  "order": 1,
+  "settings": {
+    "index": {
+      "codec" : "best_compression",
+      "mapping": {
+        "total_fields": {
+          "limit": 2000
+        }
+      },
+      "refresh_interval": "2s"
+    }
+  }
+}
+
+
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/fields/template-settings.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/fields/template-settings.json
@ -0,0 +1,16 @@
+{
+  "index_patterns": ["kbn-data-forge-fake_hosts.fake_hosts-*"],
+  "priority": 1,
+  "template": {
+    "settings": {
+      "index": {
+        "codec" : "best_compression",
+        "mapping": {
+          "total_fields": {
+            "limit": 2000
+          }
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generate.sh
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generate.sh
@ -0,0 +1,14 @@
+#!/bin/sh
+
+cd ../../../../../../../../ecs
+
+BASE=../kibana/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts
+ECS=$BASE/ecs
+
+python3 ./scripts/generator.py --ref v8.0.0 \
+  --subset                   $ECS/fields/subset.yml \
+  --include                  $ECS/fields/custom \
+  --out                      $ECS/ \
+  --template-settings-legacy $ECS/fields/template-settings-legacy.json \
+  --template-settings        $ECS/fields/template-settings.json \
+  --mapping-settings         $ECS/fields/mapping-settings.json
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/beats/fields.ecs.yml
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/beats/fields.ecs.yml
@ -0,0 +1,416 @@
+# WARNING! Do not edit this file directly, it was generated by the ECS project,
+# based on ECS version 8.0.0.
+# Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.
+
+- key: ecs
+  title: ECS
+  description: ECS Fields.
+  fields:
+  - name: '@timestamp'
+    level: core
+    required: true
+    type: date
+    description: 'Date/time when the event originated.
+
+      This is the date/time extracted from the event, typically representing when
+      the event was generated by the source.
+
+      If the event source has no original timestamp, this value is typically populated
+      by the first time the event was received by the pipeline.
+
+      Required field for all events.'
+    example: '2016-05-23T08:05:34.853Z'
+    default_field: true
+  - name: labels
+    level: core
+    type: object
+    object_type: keyword
+    description: 'Custom key/value pairs.
+
+      Can be used to add meta information to events. Should not contain nested objects.
+      All values are stored as keyword.
+
+      Example: `docker` and `k8s` labels.'
+    example: '{"application": "foo-bar", "env": "production"}'
+    default_field: true
+  - name: message
+    level: core
+    type: match_only_text
+    description: 'For log events the message field contains the log message, optimized
+      for viewing in a log viewer.
+
+      For structured logs without an original message field, other fields can be concatenated
+      to form a human-readable summary of the event.
+
+      If multiple messages exist, they can be combined into one message.'
+    example: Hello World
+    default_field: true
+  - name: tags
+    level: core
+    type: keyword
+    ignore_above: 1024
+    description: List of keywords used to tag each event.
+    example: '["production", "env2"]'
+    default_field: true
+  - name: event
+    title: Event
+    group: 2
+    description: 'The event fields are used for context information about the log
+      or metric event itself.
+
+      A log is defined as an event containing details of something that happened.
+      Log events must include the time at which the thing happened. Examples of log
+      events include a process starting on a host, a network packet being sent from
+      a source to a destination, or a network connection between a client and a server
+      being initiated or closed. A metric is defined as an event containing one or
+      more numerical measurements and the time at which the measurement was taken.
+      Examples of metric events include memory pressure measured on a host and device
+      temperature. See the `event.kind` definition in this section for additional
+      details about metric and state events.'
+    type: group
+    default_field: true
+    fields:
+    - name: dataset
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the dataset.
+
+        If an event source publishes more than one type of log or events (e.g. access
+        log, error log), the dataset is used to specify which one the event comes
+        from.
+
+        It''s recommended but not required to start the dataset name with the module
+        name, followed by a dot, then the dataset name.'
+      example: apache.access
+    - name: module
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the module this data is coming from.
+
+        If your monitoring agent supports the concept of modules or plugins to process
+        events of a given source (e.g. Apache logs), `event.module` should contain
+        the name of this module.'
+      example: apache
+  - name: host
+    title: Host
+    group: 2
+    description: 'A host is defined as a general computing instance.
+
+      ECS host.* fields should be populated with details about the host on which the
+      event happened, or from which the measurement was taken. Host types include
+      hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+    type: group
+    default_field: true
+    fields:
+    - name: architecture
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Operating system architecture.
+      example: x86_64
+    - name: cpu.usage
+      level: extended
+      type: scaled_float
+      description: 'Percent CPU used which is normalized by the number of CPU cores
+        and it ranges from 0 to 1.
+
+        Scaling factor: 1000.
+
+        For example: For a two core host, this value should be the average of the
+        two cores, between 0 and 1.'
+      scaling_factor: 1000
+      default_field: false
+    - name: disk.read.bytes
+      level: extended
+      type: long
+      description: The total number of bytes (gauge) read successfully (aggregated
+        from all disks) since the last metric collection.
+      default_field: false
+    - name: disk.write.bytes
+      level: extended
+      type: long
+      description: The total number of bytes (gauge) written successfully (aggregated
+        from all disks) since the last metric collection.
+      default_field: false
+    - name: domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the domain of which the host is a member.
+
+        For example, on Windows this could be the host''s Active Directory domain
+        or NetBIOS domain name. For Linux this could be the domain of the host''s
+        LDAP provider.'
+      example: CONTOSO
+      default_field: false
+    - name: geo.city_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: City name.
+      example: Montreal
+    - name: geo.continent_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Two-letter code representing continent's name.
+      example: NA
+      default_field: false
+    - name: geo.continent_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Name of the continent.
+      example: North America
+    - name: geo.country_iso_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Country ISO code.
+      example: CA
+    - name: geo.country_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Country name.
+      example: Canada
+    - name: geo.location
+      level: core
+      type: geo_point
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+    - name: geo.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
+
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
+
+        Not typically used in automated geolocation.'
+      example: boston-dc
+    - name: geo.postal_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      default_field: false
+    - name: geo.region_iso_code
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Region ISO code.
+      example: CA-QC
+    - name: geo.region_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Region name.
+      example: Quebec
+    - name: geo.timezone
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      default_field: false
+    - name: hostname
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Hostname of the host.
+
+        It normally contains what the `hostname` command returns on the host machine.'
+    - name: id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique host id.
+
+        As hostname is not always unique, use values that are meaningful in your environment.
+
+        Example: The current usage of `beat.name`.'
+    - name: ip
+      level: core
+      type: ip
+      description: Host ip addresses.
+    - name: mac
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Host MAC addresses.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
+    - name: name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the host.
+
+        It can contain what `hostname` returns on Unix systems, the fully qualified
+        domain name, or a name specified by the user. The sender decides which value
+        to use.'
+    - name: network.egress.bytes
+      level: extended
+      type: long
+      description: The number of bytes (gauge) sent out on all network interfaces
+        by the host since the last metric collection.
+      default_field: false
+    - name: network.egress.packets
+      level: extended
+      type: long
+      description: The number of packets (gauge) sent out on all network interfaces
+        by the host since the last metric collection.
+      default_field: false
+    - name: network.ingress.bytes
+      level: extended
+      type: long
+      description: The number of bytes received (gauge) on all network interfaces
+        by the host since the last metric collection.
+      default_field: false
+    - name: network.ingress.packets
+      level: extended
+      type: long
+      description: The number of packets (gauge) received on all network interfaces
+        by the host since the last metric collection.
+      default_field: false
+    - name: os.family
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: OS family (such as redhat, debian, freebsd, windows).
+      example: debian
+    - name: os.full
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: match_only_text
+        default_field: false
+      description: Operating system name, including the version or code name.
+      example: Mac OS Mojave
+    - name: os.kernel
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Operating system kernel version as a raw string.
+      example: 4.4.0-112-generic
+    - name: os.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: match_only_text
+        default_field: false
+      description: Operating system name, without the version.
+      example: Mac OS X
+    - name: os.platform
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Operating system platform (such centos, ubuntu, windows).
+      example: darwin
+    - name: os.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Use the `os.type` field to categorize the operating system into
+        one of the broad commercial families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS you''re dealing with is not in the list, the field should not be
+        populated. Please let us know by opening an issue with ECS, to propose its
+        addition.'
+      example: macos
+      default_field: false
+    - name: os.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Operating system version as a raw string.
+      example: 10.14.1
+    - name: type
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Type of host.
+
+        For Cloud providers this can be the machine type like `t2.medium`. If vm,
+        this could be the container, for example, or other information meaningful
+        in your environment.'
+    - name: uptime
+      level: extended
+      type: long
+      description: Seconds the host has been up.
+      example: 1325
+  - name: metricset
+    title: Metricset
+    group: 2
+    description: Metricset data
+    type: group
+    default_field: true
+    fields:
+    - name: interval
+      level: custom
+      type: long
+      description: The interval of the data
+      default_field: false
+  - name: system
+    title: System
+    group: 2
+    description: System-related information
+    type: group
+    default_field: true
+    fields:
+    - name: cpu.cores
+      level: custom
+      type: integer
+      description: Number of CPU cores
+      default_field: false
+    - name: cpu.system.pct
+      level: custom
+      type: float
+      description: Percentage of CPU usage by system processes
+      default_field: false
+    - name: cpu.total.norm.pct
+      level: custom
+      type: float
+      description: Percentage of CPU usage
+      default_field: false
+    - name: cpu.user.pct
+      level: custom
+      type: float
+      description: Percentage of CPU usage by user processes
+      default_field: false
+    - name: network.in.bytes
+      level: custom
+      type: long
+      description: Number of incoming bytes
+      default_field: false
+    - name: network.name
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: Name of the network interface
+      default_field: false
+    - name: network.out.bytes
+      level: custom
+      type: long
+      description: Number of outgoing bytes
+      default_field: false
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/csv/fields.csv
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/csv/fields.csv
@ -0,0 +1,51 @@
+ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
+8.0.0,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
+8.0.0,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
+8.0.0,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer.
+8.0.0,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
+8.0.0,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
+8.0.0,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
+8.0.0,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
+8.0.0,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1."
+8.0.0,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks.
+8.0.0,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks.
+8.0.0,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
+8.0.0,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
+8.0.0,true,host,host.geo.continent_code,keyword,core,,NA,Continent code.
+8.0.0,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
+8.0.0,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+8.0.0,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
+8.0.0,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+8.0.0,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+8.0.0,true,host,host.geo.postal_code,keyword,core,,94040,Postal code.
+8.0.0,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+8.0.0,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
+8.0.0,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.0.0,true,host,host.hostname,keyword,core,,,Hostname of the host.
+8.0.0,true,host,host.id,keyword,core,,,Unique host id.
+8.0.0,true,host,host.ip,ip,core,array,,Host ip addresses.
+8.0.0,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses.
+8.0.0,true,host,host.name,keyword,core,,,Name of the host.
+8.0.0,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
+8.0.0,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces.
+8.0.0,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces.
+8.0.0,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces.
+8.0.0,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+8.0.0,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+8.0.0,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+8.0.0,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+8.0.0,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+8.0.0,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version."
+8.0.0,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+8.0.0,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
+8.0.0,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+8.0.0,true,host,host.type,keyword,core,,,Type of host.
+8.0.0,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
+8.0.0,true,metricset,metricset.interval,long,custom,,,The interval of the data
+8.0.0,true,system,system.cpu.cores,integer,custom,,,Number of CPU cores
+8.0.0,true,system,system.cpu.system.pct,float,custom,,,Percentage of CPU usage by system processes
+8.0.0,true,system,system.cpu.total.norm.pct,float,custom,,,Percentage of CPU usage
+8.0.0,true,system,system.cpu.user.pct,float,custom,,,Percentage of CPU usage by user processes
+8.0.0,true,system,system.network.in.bytes,long,custom,,,Number of incoming bytes
+8.0.0,true,system,system.network.name,keyword,custom,,,Name of the network interface
+8.0.0,true,system,system.network.out.bytes,long,custom,,,Number of outgoing bytes
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/ecs/ecs_flat.yml
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/ecs/ecs_flat.yml
@ -0,0 +1,596 @@
+'@timestamp':
+  dashed_name: timestamp
+  description: 'Date/time when the event originated.
+
+    This is the date/time extracted from the event, typically representing when the
+    event was generated by the source.
+
+    If the event source has no original timestamp, this value is typically populated
+    by the first time the event was received by the pipeline.
+
+    Required field for all events.'
+  example: '2016-05-23T08:05:34.853Z'
+  flat_name: '@timestamp'
+  level: core
+  name: '@timestamp'
+  normalize: []
+  required: true
+  short: Date/time when the event originated.
+  type: date
+event.dataset:
+  dashed_name: event-dataset
+  description: 'Name of the dataset.
+
+    If an event source publishes more than one type of log or events (e.g. access
+    log, error log), the dataset is used to specify which one the event comes from.
+
+    It''s recommended but not required to start the dataset name with the module name,
+    followed by a dot, then the dataset name.'
+  example: apache.access
+  flat_name: event.dataset
+  ignore_above: 1024
+  level: core
+  name: dataset
+  normalize: []
+  short: Name of the dataset.
+  type: keyword
+event.module:
+  dashed_name: event-module
+  description: 'Name of the module this data is coming from.
+
+    If your monitoring agent supports the concept of modules or plugins to process
+    events of a given source (e.g. Apache logs), `event.module` should contain the
+    name of this module.'
+  example: apache
+  flat_name: event.module
+  ignore_above: 1024
+  level: core
+  name: module
+  normalize: []
+  short: Name of the module this data is coming from.
+  type: keyword
+host.architecture:
+  dashed_name: host-architecture
+  description: Operating system architecture.
+  example: x86_64
+  flat_name: host.architecture
+  ignore_above: 1024
+  level: core
+  name: architecture
+  normalize: []
+  short: Operating system architecture.
+  type: keyword
+host.cpu.usage:
+  dashed_name: host-cpu-usage
+  description: 'Percent CPU used which is normalized by the number of CPU cores and
+    it ranges from 0 to 1.
+
+    Scaling factor: 1000.
+
+    For example: For a two core host, this value should be the average of the two
+    cores, between 0 and 1.'
+  flat_name: host.cpu.usage
+  level: extended
+  name: cpu.usage
+  normalize: []
+  scaling_factor: 1000
+  short: Percent CPU used, between 0 and 1.
+  type: scaled_float
+host.disk.read.bytes:
+  dashed_name: host-disk-read-bytes
+  description: The total number of bytes (gauge) read successfully (aggregated from
+    all disks) since the last metric collection.
+  flat_name: host.disk.read.bytes
+  level: extended
+  name: disk.read.bytes
+  normalize: []
+  short: The number of bytes read by all disks.
+  type: long
+host.disk.write.bytes:
+  dashed_name: host-disk-write-bytes
+  description: The total number of bytes (gauge) written successfully (aggregated
+    from all disks) since the last metric collection.
+  flat_name: host.disk.write.bytes
+  level: extended
+  name: disk.write.bytes
+  normalize: []
+  short: The number of bytes written on all disks.
+  type: long
+host.domain:
+  dashed_name: host-domain
+  description: 'Name of the domain of which the host is a member.
+
+    For example, on Windows this could be the host''s Active Directory domain or NetBIOS
+    domain name. For Linux this could be the domain of the host''s LDAP provider.'
+  example: CONTOSO
+  flat_name: host.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  short: Name of the directory the group is a member of.
+  type: keyword
+host.geo.city_name:
+  dashed_name: host-geo-city-name
+  description: City name.
+  example: Montreal
+  flat_name: host.geo.city_name
+  ignore_above: 1024
+  level: core
+  name: city_name
+  normalize: []
+  original_fieldset: geo
+  short: City name.
+  type: keyword
+host.geo.continent_code:
+  dashed_name: host-geo-continent-code
+  description: Two-letter code representing continent's name.
+  example: NA
+  flat_name: host.geo.continent_code
+  ignore_above: 1024
+  level: core
+  name: continent_code
+  normalize: []
+  original_fieldset: geo
+  short: Continent code.
+  type: keyword
+host.geo.continent_name:
+  dashed_name: host-geo-continent-name
+  description: Name of the continent.
+  example: North America
+  flat_name: host.geo.continent_name
+  ignore_above: 1024
+  level: core
+  name: continent_name
+  normalize: []
+  original_fieldset: geo
+  short: Name of the continent.
+  type: keyword
+host.geo.country_iso_code:
+  dashed_name: host-geo-country-iso-code
+  description: Country ISO code.
+  example: CA
+  flat_name: host.geo.country_iso_code
+  ignore_above: 1024
+  level: core
+  name: country_iso_code
+  normalize: []
+  original_fieldset: geo
+  short: Country ISO code.
+  type: keyword
+host.geo.country_name:
+  dashed_name: host-geo-country-name
+  description: Country name.
+  example: Canada
+  flat_name: host.geo.country_name
+  ignore_above: 1024
+  level: core
+  name: country_name
+  normalize: []
+  original_fieldset: geo
+  short: Country name.
+  type: keyword
+host.geo.location:
+  dashed_name: host-geo-location
+  description: Longitude and latitude.
+  example: '{ "lon": -73.614830, "lat": 45.505918 }'
+  flat_name: host.geo.location
+  level: core
+  name: location
+  normalize: []
+  original_fieldset: geo
+  short: Longitude and latitude.
+  type: geo_point
+host.geo.name:
+  dashed_name: host-geo-name
+  description: 'User-defined description of a location, at the level of granularity
+    they care about.
+
+    Could be the name of their data centers, the floor number, if this describes a
+    local physical entity, city names.
+
+    Not typically used in automated geolocation.'
+  example: boston-dc
+  flat_name: host.geo.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: geo
+  short: User-defined description of a location.
+  type: keyword
+host.geo.postal_code:
+  dashed_name: host-geo-postal-code
+  description: 'Postal code associated with the location.
+
+    Values appropriate for this field may also be known as a postcode or ZIP code
+    and will vary widely from country to country.'
+  example: 94040
+  flat_name: host.geo.postal_code
+  ignore_above: 1024
+  level: core
+  name: postal_code
+  normalize: []
+  original_fieldset: geo
+  short: Postal code.
+  type: keyword
+host.geo.region_iso_code:
+  dashed_name: host-geo-region-iso-code
+  description: Region ISO code.
+  example: CA-QC
+  flat_name: host.geo.region_iso_code
+  ignore_above: 1024
+  level: core
+  name: region_iso_code
+  normalize: []
+  original_fieldset: geo
+  short: Region ISO code.
+  type: keyword
+host.geo.region_name:
+  dashed_name: host-geo-region-name
+  description: Region name.
+  example: Quebec
+  flat_name: host.geo.region_name
+  ignore_above: 1024
+  level: core
+  name: region_name
+  normalize: []
+  original_fieldset: geo
+  short: Region name.
+  type: keyword
+host.geo.timezone:
+  dashed_name: host-geo-timezone
+  description: The time zone of the location, such as IANA time zone name.
+  example: America/Argentina/Buenos_Aires
+  flat_name: host.geo.timezone
+  ignore_above: 1024
+  level: core
+  name: timezone
+  normalize: []
+  original_fieldset: geo
+  short: Time zone.
+  type: keyword
+host.hostname:
+  dashed_name: host-hostname
+  description: 'Hostname of the host.
+
+    It normally contains what the `hostname` command returns on the host machine.'
+  flat_name: host.hostname
+  ignore_above: 1024
+  level: core
+  name: hostname
+  normalize: []
+  short: Hostname of the host.
+  type: keyword
+host.id:
+  dashed_name: host-id
+  description: 'Unique host id.
+
+    As hostname is not always unique, use values that are meaningful in your environment.
+
+    Example: The current usage of `beat.name`.'
+  flat_name: host.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  short: Unique host id.
+  type: keyword
+host.ip:
+  dashed_name: host-ip
+  description: Host ip addresses.
+  flat_name: host.ip
+  level: core
+  name: ip
+  normalize:
+  - array
+  short: Host ip addresses.
+  type: ip
+host.mac:
+  dashed_name: host-mac
+  description: 'Host MAC addresses.
+
+    The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte)
+    is represented by two [uppercase] hexadecimal digits giving the value of the octet
+    as an unsigned integer. Successive octets are separated by a hyphen.'
+  example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
+  flat_name: host.mac
+  ignore_above: 1024
+  level: core
+  name: mac
+  normalize:
+  - array
+  short: Host MAC addresses.
+  type: keyword
+host.name:
+  dashed_name: host-name
+  description: 'Name of the host.
+
+    It can contain what `hostname` returns on Unix systems, the fully qualified domain
+    name, or a name specified by the user. The sender decides which value to use.'
+  flat_name: host.name
+  ignore_above: 1024
+  level: core
+  name: name
+  normalize: []
+  short: Name of the host.
+  type: keyword
+host.network.egress.bytes:
+  dashed_name: host-network-egress-bytes
+  description: The number of bytes (gauge) sent out on all network interfaces by the
+    host since the last metric collection.
+  flat_name: host.network.egress.bytes
+  level: extended
+  name: network.egress.bytes
+  normalize: []
+  short: The number of bytes sent on all network interfaces.
+  type: long
+host.network.egress.packets:
+  dashed_name: host-network-egress-packets
+  description: The number of packets (gauge) sent out on all network interfaces by
+    the host since the last metric collection.
+  flat_name: host.network.egress.packets
+  level: extended
+  name: network.egress.packets
+  normalize: []
+  short: The number of packets sent on all network interfaces.
+  type: long
+host.network.ingress.bytes:
+  dashed_name: host-network-ingress-bytes
+  description: The number of bytes received (gauge) on all network interfaces by the
+    host since the last metric collection.
+  flat_name: host.network.ingress.bytes
+  level: extended
+  name: network.ingress.bytes
+  normalize: []
+  short: The number of bytes received on all network interfaces.
+  type: long
+host.network.ingress.packets:
+  dashed_name: host-network-ingress-packets
+  description: The number of packets (gauge) received on all network interfaces by
+    the host since the last metric collection.
+  flat_name: host.network.ingress.packets
+  level: extended
+  name: network.ingress.packets
+  normalize: []
+  short: The number of packets received on all network interfaces.
+  type: long
+host.os.family:
+  dashed_name: host-os-family
+  description: OS family (such as redhat, debian, freebsd, windows).
+  example: debian
+  flat_name: host.os.family
+  ignore_above: 1024
+  level: extended
+  name: family
+  normalize: []
+  original_fieldset: os
+  short: OS family (such as redhat, debian, freebsd, windows).
+  type: keyword
+host.os.full:
+  dashed_name: host-os-full
+  description: Operating system name, including the version or code name.
+  example: Mac OS Mojave
+  flat_name: host.os.full
+  ignore_above: 1024
+  level: extended
+  multi_fields:
+  - flat_name: host.os.full.text
+    name: text
+    type: match_only_text
+  name: full
+  normalize: []
+  original_fieldset: os
+  short: Operating system name, including the version or code name.
+  type: keyword
+host.os.kernel:
+  dashed_name: host-os-kernel
+  description: Operating system kernel version as a raw string.
+  example: 4.4.0-112-generic
+  flat_name: host.os.kernel
+  ignore_above: 1024
+  level: extended
+  name: kernel
+  normalize: []
+  original_fieldset: os
+  short: Operating system kernel version as a raw string.
+  type: keyword
+host.os.name:
+  dashed_name: host-os-name
+  description: Operating system name, without the version.
+  example: Mac OS X
+  flat_name: host.os.name
+  ignore_above: 1024
+  level: extended
+  multi_fields:
+  - flat_name: host.os.name.text
+    name: text
+    type: match_only_text
+  name: name
+  normalize: []
+  original_fieldset: os
+  short: Operating system name, without the version.
+  type: keyword
+host.os.platform:
+  dashed_name: host-os-platform
+  description: Operating system platform (such centos, ubuntu, windows).
+  example: darwin
+  flat_name: host.os.platform
+  ignore_above: 1024
+  level: extended
+  name: platform
+  normalize: []
+  original_fieldset: os
+  short: Operating system platform (such centos, ubuntu, windows).
+  type: keyword
+host.os.type:
+  dashed_name: host-os-type
+  description: 'Use the `os.type` field to categorize the operating system into one
+    of the broad commercial families.
+
+    One of these following values should be used (lowercase): linux, macos, unix,
+    windows.
+
+    If the OS you''re dealing with is not in the list, the field should not be populated.
+    Please let us know by opening an issue with ECS, to propose its addition.'
+  example: macos
+  flat_name: host.os.type
+  ignore_above: 1024
+  level: extended
+  name: type
+  normalize: []
+  original_fieldset: os
+  short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+  type: keyword
+host.os.version:
+  dashed_name: host-os-version
+  description: Operating system version as a raw string.
+  example: 10.14.1
+  flat_name: host.os.version
+  ignore_above: 1024
+  level: extended
+  name: version
+  normalize: []
+  original_fieldset: os
+  short: Operating system version as a raw string.
+  type: keyword
+host.type:
+  dashed_name: host-type
+  description: 'Type of host.
+
+    For Cloud providers this can be the machine type like `t2.medium`. If vm, this
+    could be the container, for example, or other information meaningful in your environment.'
+  flat_name: host.type
+  ignore_above: 1024
+  level: core
+  name: type
+  normalize: []
+  short: Type of host.
+  type: keyword
+host.uptime:
+  dashed_name: host-uptime
+  description: Seconds the host has been up.
+  example: 1325
+  flat_name: host.uptime
+  level: extended
+  name: uptime
+  normalize: []
+  short: Seconds the host has been up.
+  type: long
+labels:
+  dashed_name: labels
+  description: 'Custom key/value pairs.
+
+    Can be used to add meta information to events. Should not contain nested objects.
+    All values are stored as keyword.
+
+    Example: `docker` and `k8s` labels.'
+  example: '{"application": "foo-bar", "env": "production"}'
+  flat_name: labels
+  level: core
+  name: labels
+  normalize: []
+  object_type: keyword
+  short: Custom key/value pairs.
+  type: object
+message:
+  dashed_name: message
+  description: 'For log events the message field contains the log message, optimized
+    for viewing in a log viewer.
+
+    For structured logs without an original message field, other fields can be concatenated
+    to form a human-readable summary of the event.
+
+    If multiple messages exist, they can be combined into one message.'
+  example: Hello World
+  flat_name: message
+  level: core
+  name: message
+  normalize: []
+  short: Log message optimized for viewing in a log viewer.
+  type: match_only_text
+metricset.interval:
+  dashed_name: metricset-interval
+  description: The interval of the data
+  flat_name: metricset.interval
+  level: custom
+  name: interval
+  normalize: []
+  short: The interval of the data
+  type: long
+system.cpu.cores:
+  dashed_name: system-cpu-cores
+  description: Number of CPU cores
+  flat_name: system.cpu.cores
+  level: custom
+  name: cpu.cores
+  normalize: []
+  short: Number of CPU cores
+  type: integer
+system.cpu.system.pct:
+  dashed_name: system-cpu-system-pct
+  description: Percentage of CPU usage by system processes
+  flat_name: system.cpu.system.pct
+  level: custom
+  name: cpu.system.pct
+  normalize: []
+  short: Percentage of CPU usage by system processes
+  type: float
+system.cpu.total.norm.pct:
+  dashed_name: system-cpu-total-norm-pct
+  description: Percentage of CPU usage
+  flat_name: system.cpu.total.norm.pct
+  level: custom
+  name: cpu.total.norm.pct
+  normalize: []
+  short: Percentage of CPU usage
+  type: float
+system.cpu.user.pct:
+  dashed_name: system-cpu-user-pct
+  description: Percentage of CPU usage by user processes
+  flat_name: system.cpu.user.pct
+  level: custom
+  name: cpu.user.pct
+  normalize: []
+  short: Percentage of CPU usage by user processes
+  type: float
+system.network.in.bytes:
+  dashed_name: system-network-in-bytes
+  description: Number of incoming bytes
+  flat_name: system.network.in.bytes
+  level: custom
+  name: network.in.bytes
+  normalize: []
+  short: Number of incoming bytes
+  type: long
+system.network.name:
+  dashed_name: system-network-name
+  description: Name of the network interface
+  flat_name: system.network.name
+  ignore_above: 1024
+  level: custom
+  name: network.name
+  normalize: []
+  short: Name of the network interface
+  type: keyword
+system.network.out.bytes:
+  dashed_name: system-network-out-bytes
+  description: Number of outgoing bytes
+  flat_name: system.network.out.bytes
+  level: custom
+  name: network.out.bytes
+  normalize: []
+  short: Number of outgoing bytes
+  type: long
+tags:
+  dashed_name: tags
+  description: List of keywords used to tag each event.
+  example: '["production", "env2"]'
+  flat_name: tags
+  ignore_above: 1024
+  level: core
+  name: tags
+  normalize:
+  - array
+  short: List of keywords used to tag each event.
+  type: keyword
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/ecs/ecs_nested.yml
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/ecs/ecs_nested.yml
@ -0,0 +1,675 @@
+base:
+  description: The `base` field set contains all fields which are at the root of the
+    events. These fields are common across all types of events.
+  fields:
+    '@timestamp':
+      dashed_name: timestamp
+      description: 'Date/time when the event originated.
+
+        This is the date/time extracted from the event, typically representing when
+        the event was generated by the source.
+
+        If the event source has no original timestamp, this value is typically populated
+        by the first time the event was received by the pipeline.
+
+        Required field for all events.'
+      example: '2016-05-23T08:05:34.853Z'
+      flat_name: '@timestamp'
+      level: core
+      name: '@timestamp'
+      normalize: []
+      required: true
+      short: Date/time when the event originated.
+      type: date
+    labels:
+      dashed_name: labels
+      description: 'Custom key/value pairs.
+
+        Can be used to add meta information to events. Should not contain nested objects.
+        All values are stored as keyword.
+
+        Example: `docker` and `k8s` labels.'
+      example: '{"application": "foo-bar", "env": "production"}'
+      flat_name: labels
+      level: core
+      name: labels
+      normalize: []
+      object_type: keyword
+      short: Custom key/value pairs.
+      type: object
+    message:
+      dashed_name: message
+      description: 'For log events the message field contains the log message, optimized
+        for viewing in a log viewer.
+
+        For structured logs without an original message field, other fields can be
+        concatenated to form a human-readable summary of the event.
+
+        If multiple messages exist, they can be combined into one message.'
+      example: Hello World
+      flat_name: message
+      level: core
+      name: message
+      normalize: []
+      short: Log message optimized for viewing in a log viewer.
+      type: match_only_text
+    tags:
+      dashed_name: tags
+      description: List of keywords used to tag each event.
+      example: '["production", "env2"]'
+      flat_name: tags
+      ignore_above: 1024
+      level: core
+      name: tags
+      normalize:
+      - array
+      short: List of keywords used to tag each event.
+      type: keyword
+  group: 1
+  name: base
+  prefix: ''
+  root: true
+  short: All fields defined directly at the root of the events.
+  title: Base
+  type: group
+event:
+  description: 'The event fields are used for context information about the log or
+    metric event itself.
+
+    A log is defined as an event containing details of something that happened. Log
+    events must include the time at which the thing happened. Examples of log events
+    include a process starting on a host, a network packet being sent from a source
+    to a destination, or a network connection between a client and a server being
+    initiated or closed. A metric is defined as an event containing one or more numerical
+    measurements and the time at which the measurement was taken. Examples of metric
+    events include memory pressure measured on a host and device temperature. See
+    the `event.kind` definition in this section for additional details about metric
+    and state events.'
+  fields:
+    event.dataset:
+      dashed_name: event-dataset
+      description: 'Name of the dataset.
+
+        If an event source publishes more than one type of log or events (e.g. access
+        log, error log), the dataset is used to specify which one the event comes
+        from.
+
+        It''s recommended but not required to start the dataset name with the module
+        name, followed by a dot, then the dataset name.'
+      example: apache.access
+      flat_name: event.dataset
+      ignore_above: 1024
+      level: core
+      name: dataset
+      normalize: []
+      short: Name of the dataset.
+      type: keyword
+    event.module:
+      dashed_name: event-module
+      description: 'Name of the module this data is coming from.
+
+        If your monitoring agent supports the concept of modules or plugins to process
+        events of a given source (e.g. Apache logs), `event.module` should contain
+        the name of this module.'
+      example: apache
+      flat_name: event.module
+      ignore_above: 1024
+      level: core
+      name: module
+      normalize: []
+      short: Name of the module this data is coming from.
+      type: keyword
+  group: 2
+  name: event
+  prefix: event.
+  short: Fields breaking down the event details.
+  title: Event
+  type: group
+host:
+  description: 'A host is defined as a general computing instance.
+
+    ECS host.* fields should be populated with details about the host on which the
+    event happened, or from which the measurement was taken. Host types include hardware,
+    virtual machines, Docker containers, and Kubernetes nodes.'
+  fields:
+    host.architecture:
+      dashed_name: host-architecture
+      description: Operating system architecture.
+      example: x86_64
+      flat_name: host.architecture
+      ignore_above: 1024
+      level: core
+      name: architecture
+      normalize: []
+      short: Operating system architecture.
+      type: keyword
+    host.cpu.usage:
+      dashed_name: host-cpu-usage
+      description: 'Percent CPU used which is normalized by the number of CPU cores
+        and it ranges from 0 to 1.
+
+        Scaling factor: 1000.
+
+        For example: For a two core host, this value should be the average of the
+        two cores, between 0 and 1.'
+      flat_name: host.cpu.usage
+      level: extended
+      name: cpu.usage
+      normalize: []
+      scaling_factor: 1000
+      short: Percent CPU used, between 0 and 1.
+      type: scaled_float
+    host.disk.read.bytes:
+      dashed_name: host-disk-read-bytes
+      description: The total number of bytes (gauge) read successfully (aggregated
+        from all disks) since the last metric collection.
+      flat_name: host.disk.read.bytes
+      level: extended
+      name: disk.read.bytes
+      normalize: []
+      short: The number of bytes read by all disks.
+      type: long
+    host.disk.write.bytes:
+      dashed_name: host-disk-write-bytes
+      description: The total number of bytes (gauge) written successfully (aggregated
+        from all disks) since the last metric collection.
+      flat_name: host.disk.write.bytes
+      level: extended
+      name: disk.write.bytes
+      normalize: []
+      short: The number of bytes written on all disks.
+      type: long
+    host.domain:
+      dashed_name: host-domain
+      description: 'Name of the domain of which the host is a member.
+
+        For example, on Windows this could be the host''s Active Directory domain
+        or NetBIOS domain name. For Linux this could be the domain of the host''s
+        LDAP provider.'
+      example: CONTOSO
+      flat_name: host.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      short: Name of the directory the group is a member of.
+      type: keyword
+    host.geo.city_name:
+      dashed_name: host-geo-city-name
+      description: City name.
+      example: Montreal
+      flat_name: host.geo.city_name
+      ignore_above: 1024
+      level: core
+      name: city_name
+      normalize: []
+      original_fieldset: geo
+      short: City name.
+      type: keyword
+    host.geo.continent_code:
+      dashed_name: host-geo-continent-code
+      description: Two-letter code representing continent's name.
+      example: NA
+      flat_name: host.geo.continent_code
+      ignore_above: 1024
+      level: core
+      name: continent_code
+      normalize: []
+      original_fieldset: geo
+      short: Continent code.
+      type: keyword
+    host.geo.continent_name:
+      dashed_name: host-geo-continent-name
+      description: Name of the continent.
+      example: North America
+      flat_name: host.geo.continent_name
+      ignore_above: 1024
+      level: core
+      name: continent_name
+      normalize: []
+      original_fieldset: geo
+      short: Name of the continent.
+      type: keyword
+    host.geo.country_iso_code:
+      dashed_name: host-geo-country-iso-code
+      description: Country ISO code.
+      example: CA
+      flat_name: host.geo.country_iso_code
+      ignore_above: 1024
+      level: core
+      name: country_iso_code
+      normalize: []
+      original_fieldset: geo
+      short: Country ISO code.
+      type: keyword
+    host.geo.country_name:
+      dashed_name: host-geo-country-name
+      description: Country name.
+      example: Canada
+      flat_name: host.geo.country_name
+      ignore_above: 1024
+      level: core
+      name: country_name
+      normalize: []
+      original_fieldset: geo
+      short: Country name.
+      type: keyword
+    host.geo.location:
+      dashed_name: host-geo-location
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+      flat_name: host.geo.location
+      level: core
+      name: location
+      normalize: []
+      original_fieldset: geo
+      short: Longitude and latitude.
+      type: geo_point
+    host.geo.name:
+      dashed_name: host-geo-name
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
+
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
+
+        Not typically used in automated geolocation.'
+      example: boston-dc
+      flat_name: host.geo.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: geo
+      short: User-defined description of a location.
+      type: keyword
+    host.geo.postal_code:
+      dashed_name: host-geo-postal-code
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      flat_name: host.geo.postal_code
+      ignore_above: 1024
+      level: core
+      name: postal_code
+      normalize: []
+      original_fieldset: geo
+      short: Postal code.
+      type: keyword
+    host.geo.region_iso_code:
+      dashed_name: host-geo-region-iso-code
+      description: Region ISO code.
+      example: CA-QC
+      flat_name: host.geo.region_iso_code
+      ignore_above: 1024
+      level: core
+      name: region_iso_code
+      normalize: []
+      original_fieldset: geo
+      short: Region ISO code.
+      type: keyword
+    host.geo.region_name:
+      dashed_name: host-geo-region-name
+      description: Region name.
+      example: Quebec
+      flat_name: host.geo.region_name
+      ignore_above: 1024
+      level: core
+      name: region_name
+      normalize: []
+      original_fieldset: geo
+      short: Region name.
+      type: keyword
+    host.geo.timezone:
+      dashed_name: host-geo-timezone
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      flat_name: host.geo.timezone
+      ignore_above: 1024
+      level: core
+      name: timezone
+      normalize: []
+      original_fieldset: geo
+      short: Time zone.
+      type: keyword
+    host.hostname:
+      dashed_name: host-hostname
+      description: 'Hostname of the host.
+
+        It normally contains what the `hostname` command returns on the host machine.'
+      flat_name: host.hostname
+      ignore_above: 1024
+      level: core
+      name: hostname
+      normalize: []
+      short: Hostname of the host.
+      type: keyword
+    host.id:
+      dashed_name: host-id
+      description: 'Unique host id.
+
+        As hostname is not always unique, use values that are meaningful in your environment.
+
+        Example: The current usage of `beat.name`.'
+      flat_name: host.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      short: Unique host id.
+      type: keyword
+    host.ip:
+      dashed_name: host-ip
+      description: Host ip addresses.
+      flat_name: host.ip
+      level: core
+      name: ip
+      normalize:
+      - array
+      short: Host ip addresses.
+      type: ip
+    host.mac:
+      dashed_name: host-mac
+      description: 'Host MAC addresses.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
+      flat_name: host.mac
+      ignore_above: 1024
+      level: core
+      name: mac
+      normalize:
+      - array
+      short: Host MAC addresses.
+      type: keyword
+    host.name:
+      dashed_name: host-name
+      description: 'Name of the host.
+
+        It can contain what `hostname` returns on Unix systems, the fully qualified
+        domain name, or a name specified by the user. The sender decides which value
+        to use.'
+      flat_name: host.name
+      ignore_above: 1024
+      level: core
+      name: name
+      normalize: []
+      short: Name of the host.
+      type: keyword
+    host.network.egress.bytes:
+      dashed_name: host-network-egress-bytes
+      description: The number of bytes (gauge) sent out on all network interfaces
+        by the host since the last metric collection.
+      flat_name: host.network.egress.bytes
+      level: extended
+      name: network.egress.bytes
+      normalize: []
+      short: The number of bytes sent on all network interfaces.
+      type: long
+    host.network.egress.packets:
+      dashed_name: host-network-egress-packets
+      description: The number of packets (gauge) sent out on all network interfaces
+        by the host since the last metric collection.
+      flat_name: host.network.egress.packets
+      level: extended
+      name: network.egress.packets
+      normalize: []
+      short: The number of packets sent on all network interfaces.
+      type: long
+    host.network.ingress.bytes:
+      dashed_name: host-network-ingress-bytes
+      description: The number of bytes received (gauge) on all network interfaces
+        by the host since the last metric collection.
+      flat_name: host.network.ingress.bytes
+      level: extended
+      name: network.ingress.bytes
+      normalize: []
+      short: The number of bytes received on all network interfaces.
+      type: long
+    host.network.ingress.packets:
+      dashed_name: host-network-ingress-packets
+      description: The number of packets (gauge) received on all network interfaces
+        by the host since the last metric collection.
+      flat_name: host.network.ingress.packets
+      level: extended
+      name: network.ingress.packets
+      normalize: []
+      short: The number of packets received on all network interfaces.
+      type: long
+    host.os.family:
+      dashed_name: host-os-family
+      description: OS family (such as redhat, debian, freebsd, windows).
+      example: debian
+      flat_name: host.os.family
+      ignore_above: 1024
+      level: extended
+      name: family
+      normalize: []
+      original_fieldset: os
+      short: OS family (such as redhat, debian, freebsd, windows).
+      type: keyword
+    host.os.full:
+      dashed_name: host-os-full
+      description: Operating system name, including the version or code name.
+      example: Mac OS Mojave
+      flat_name: host.os.full
+      ignore_above: 1024
+      level: extended
+      multi_fields:
+      - flat_name: host.os.full.text
+        name: text
+        type: match_only_text
+      name: full
+      normalize: []
+      original_fieldset: os
+      short: Operating system name, including the version or code name.
+      type: keyword
+    host.os.kernel:
+      dashed_name: host-os-kernel
+      description: Operating system kernel version as a raw string.
+      example: 4.4.0-112-generic
+      flat_name: host.os.kernel
+      ignore_above: 1024
+      level: extended
+      name: kernel
+      normalize: []
+      original_fieldset: os
+      short: Operating system kernel version as a raw string.
+      type: keyword
+    host.os.name:
+      dashed_name: host-os-name
+      description: Operating system name, without the version.
+      example: Mac OS X
+      flat_name: host.os.name
+      ignore_above: 1024
+      level: extended
+      multi_fields:
+      - flat_name: host.os.name.text
+        name: text
+        type: match_only_text
+      name: name
+      normalize: []
+      original_fieldset: os
+      short: Operating system name, without the version.
+      type: keyword
+    host.os.platform:
+      dashed_name: host-os-platform
+      description: Operating system platform (such centos, ubuntu, windows).
+      example: darwin
+      flat_name: host.os.platform
+      ignore_above: 1024
+      level: extended
+      name: platform
+      normalize: []
+      original_fieldset: os
+      short: Operating system platform (such centos, ubuntu, windows).
+      type: keyword
+    host.os.type:
+      dashed_name: host-os-type
+      description: 'Use the `os.type` field to categorize the operating system into
+        one of the broad commercial families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS you''re dealing with is not in the list, the field should not be
+        populated. Please let us know by opening an issue with ECS, to propose its
+        addition.'
+      example: macos
+      flat_name: host.os.type
+      ignore_above: 1024
+      level: extended
+      name: type
+      normalize: []
+      original_fieldset: os
+      short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+      type: keyword
+    host.os.version:
+      dashed_name: host-os-version
+      description: Operating system version as a raw string.
+      example: 10.14.1
+      flat_name: host.os.version
+      ignore_above: 1024
+      level: extended
+      name: version
+      normalize: []
+      original_fieldset: os
+      short: Operating system version as a raw string.
+      type: keyword
+    host.type:
+      dashed_name: host-type
+      description: 'Type of host.
+
+        For Cloud providers this can be the machine type like `t2.medium`. If vm,
+        this could be the container, for example, or other information meaningful
+        in your environment.'
+      flat_name: host.type
+      ignore_above: 1024
+      level: core
+      name: type
+      normalize: []
+      short: Type of host.
+      type: keyword
+    host.uptime:
+      dashed_name: host-uptime
+      description: Seconds the host has been up.
+      example: 1325
+      flat_name: host.uptime
+      level: extended
+      name: uptime
+      normalize: []
+      short: Seconds the host has been up.
+      type: long
+  group: 2
+  name: host
+  nestings:
+  - host.geo
+  - host.os
+  prefix: host.
+  reused_here:
+  - full: host.geo
+    schema_name: geo
+    short: Fields describing a location.
+  - full: host.os
+    schema_name: os
+    short: OS fields contain information about the operating system.
+  short: Fields describing the relevant computing instance.
+  title: Host
+  type: group
+metricset:
+  description: Metricset data
+  fields:
+    metricset.interval:
+      dashed_name: metricset-interval
+      description: The interval of the data
+      flat_name: metricset.interval
+      level: custom
+      name: interval
+      normalize: []
+      short: The interval of the data
+      type: long
+  group: 2
+  name: metricset
+  prefix: metricset.
+  short: Metricset data
+  title: Metricset
+  type: group
+system:
+  description: System-related information
+  fields:
+    system.cpu.cores:
+      dashed_name: system-cpu-cores
+      description: Number of CPU cores
+      flat_name: system.cpu.cores
+      level: custom
+      name: cpu.cores
+      normalize: []
+      short: Number of CPU cores
+      type: integer
+    system.cpu.system.pct:
+      dashed_name: system-cpu-system-pct
+      description: Percentage of CPU usage by system processes
+      flat_name: system.cpu.system.pct
+      level: custom
+      name: cpu.system.pct
+      normalize: []
+      short: Percentage of CPU usage by system processes
+      type: float
+    system.cpu.total.norm.pct:
+      dashed_name: system-cpu-total-norm-pct
+      description: Percentage of CPU usage
+      flat_name: system.cpu.total.norm.pct
+      level: custom
+      name: cpu.total.norm.pct
+      normalize: []
+      short: Percentage of CPU usage
+      type: float
+    system.cpu.user.pct:
+      dashed_name: system-cpu-user-pct
+      description: Percentage of CPU usage by user processes
+      flat_name: system.cpu.user.pct
+      level: custom
+      name: cpu.user.pct
+      normalize: []
+      short: Percentage of CPU usage by user processes
+      type: float
+    system.network.in.bytes:
+      dashed_name: system-network-in-bytes
+      description: Number of incoming bytes
+      flat_name: system.network.in.bytes
+      level: custom
+      name: network.in.bytes
+      normalize: []
+      short: Number of incoming bytes
+      type: long
+    system.network.name:
+      dashed_name: system-network-name
+      description: Name of the network interface
+      flat_name: system.network.name
+      ignore_above: 1024
+      level: custom
+      name: network.name
+      normalize: []
+      short: Name of the network interface
+      type: keyword
+    system.network.out.bytes:
+      dashed_name: system-network-out-bytes
+      description: Number of outgoing bytes
+      flat_name: system.network.out.bytes
+      level: custom
+      name: network.out.bytes
+      normalize: []
+      short: Number of outgoing bytes
+      type: long
+  group: 2
+  level: custom
+  name: system
+  prefix: system.
+  short: System-related information
+  title: System
+  type: group
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/ecs/subset/fake_hosts/ecs_flat.yml
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/ecs/subset/fake_hosts/ecs_flat.yml
@ -0,0 +1,596 @@
+'@timestamp':
+  dashed_name: timestamp
+  description: 'Date/time when the event originated.
+
+    This is the date/time extracted from the event, typically representing when the
+    event was generated by the source.
+
+    If the event source has no original timestamp, this value is typically populated
+    by the first time the event was received by the pipeline.
+
+    Required field for all events.'
+  example: '2016-05-23T08:05:34.853Z'
+  flat_name: '@timestamp'
+  level: core
+  name: '@timestamp'
+  normalize: []
+  required: true
+  short: Date/time when the event originated.
+  type: date
+event.dataset:
+  dashed_name: event-dataset
+  description: 'Name of the dataset.
+
+    If an event source publishes more than one type of log or events (e.g. access
+    log, error log), the dataset is used to specify which one the event comes from.
+
+    It''s recommended but not required to start the dataset name with the module name,
+    followed by a dot, then the dataset name.'
+  example: apache.access
+  flat_name: event.dataset
+  ignore_above: 1024
+  level: core
+  name: dataset
+  normalize: []
+  short: Name of the dataset.
+  type: keyword
+event.module:
+  dashed_name: event-module
+  description: 'Name of the module this data is coming from.
+
+    If your monitoring agent supports the concept of modules or plugins to process
+    events of a given source (e.g. Apache logs), `event.module` should contain the
+    name of this module.'
+  example: apache
+  flat_name: event.module
+  ignore_above: 1024
+  level: core
+  name: module
+  normalize: []
+  short: Name of the module this data is coming from.
+  type: keyword
+host.architecture:
+  dashed_name: host-architecture
+  description: Operating system architecture.
+  example: x86_64
+  flat_name: host.architecture
+  ignore_above: 1024
+  level: core
+  name: architecture
+  normalize: []
+  short: Operating system architecture.
+  type: keyword
+host.cpu.usage:
+  dashed_name: host-cpu-usage
+  description: 'Percent CPU used which is normalized by the number of CPU cores and
+    it ranges from 0 to 1.
+
+    Scaling factor: 1000.
+
+    For example: For a two core host, this value should be the average of the two
+    cores, between 0 and 1.'
+  flat_name: host.cpu.usage
+  level: extended
+  name: cpu.usage
+  normalize: []
+  scaling_factor: 1000
+  short: Percent CPU used, between 0 and 1.
+  type: scaled_float
+host.disk.read.bytes:
+  dashed_name: host-disk-read-bytes
+  description: The total number of bytes (gauge) read successfully (aggregated from
+    all disks) since the last metric collection.
+  flat_name: host.disk.read.bytes
+  level: extended
+  name: disk.read.bytes
+  normalize: []
+  short: The number of bytes read by all disks.
+  type: long
+host.disk.write.bytes:
+  dashed_name: host-disk-write-bytes
+  description: The total number of bytes (gauge) written successfully (aggregated
+    from all disks) since the last metric collection.
+  flat_name: host.disk.write.bytes
+  level: extended
+  name: disk.write.bytes
+  normalize: []
+  short: The number of bytes written on all disks.
+  type: long
+host.domain:
+  dashed_name: host-domain
+  description: 'Name of the domain of which the host is a member.
+
+    For example, on Windows this could be the host''s Active Directory domain or NetBIOS
+    domain name. For Linux this could be the domain of the host''s LDAP provider.'
+  example: CONTOSO
+  flat_name: host.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  short: Name of the directory the group is a member of.
+  type: keyword
+host.geo.city_name:
+  dashed_name: host-geo-city-name
+  description: City name.
+  example: Montreal
+  flat_name: host.geo.city_name
+  ignore_above: 1024
+  level: core
+  name: city_name
+  normalize: []
+  original_fieldset: geo
+  short: City name.
+  type: keyword
+host.geo.continent_code:
+  dashed_name: host-geo-continent-code
+  description: Two-letter code representing continent's name.
+  example: NA
+  flat_name: host.geo.continent_code
+  ignore_above: 1024
+  level: core
+  name: continent_code
+  normalize: []
+  original_fieldset: geo
+  short: Continent code.
+  type: keyword
+host.geo.continent_name:
+  dashed_name: host-geo-continent-name
+  description: Name of the continent.
+  example: North America
+  flat_name: host.geo.continent_name
+  ignore_above: 1024
+  level: core
+  name: continent_name
+  normalize: []
+  original_fieldset: geo
+  short: Name of the continent.
+  type: keyword
+host.geo.country_iso_code:
+  dashed_name: host-geo-country-iso-code
+  description: Country ISO code.
+  example: CA
+  flat_name: host.geo.country_iso_code
+  ignore_above: 1024
+  level: core
+  name: country_iso_code
+  normalize: []
+  original_fieldset: geo
+  short: Country ISO code.
+  type: keyword
+host.geo.country_name:
+  dashed_name: host-geo-country-name
+  description: Country name.
+  example: Canada
+  flat_name: host.geo.country_name
+  ignore_above: 1024
+  level: core
+  name: country_name
+  normalize: []
+  original_fieldset: geo
+  short: Country name.
+  type: keyword
+host.geo.location:
+  dashed_name: host-geo-location
+  description: Longitude and latitude.
+  example: '{ "lon": -73.614830, "lat": 45.505918 }'
+  flat_name: host.geo.location
+  level: core
+  name: location
+  normalize: []
+  original_fieldset: geo
+  short: Longitude and latitude.
+  type: geo_point
+host.geo.name:
+  dashed_name: host-geo-name
+  description: 'User-defined description of a location, at the level of granularity
+    they care about.
+
+    Could be the name of their data centers, the floor number, if this describes a
+    local physical entity, city names.
+
+    Not typically used in automated geolocation.'
+  example: boston-dc
+  flat_name: host.geo.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: geo
+  short: User-defined description of a location.
+  type: keyword
+host.geo.postal_code:
+  dashed_name: host-geo-postal-code
+  description: 'Postal code associated with the location.
+
+    Values appropriate for this field may also be known as a postcode or ZIP code
+    and will vary widely from country to country.'
+  example: 94040
+  flat_name: host.geo.postal_code
+  ignore_above: 1024
+  level: core
+  name: postal_code
+  normalize: []
+  original_fieldset: geo
+  short: Postal code.
+  type: keyword
+host.geo.region_iso_code:
+  dashed_name: host-geo-region-iso-code
+  description: Region ISO code.
+  example: CA-QC
+  flat_name: host.geo.region_iso_code
+  ignore_above: 1024
+  level: core
+  name: region_iso_code
+  normalize: []
+  original_fieldset: geo
+  short: Region ISO code.
+  type: keyword
+host.geo.region_name:
+  dashed_name: host-geo-region-name
+  description: Region name.
+  example: Quebec
+  flat_name: host.geo.region_name
+  ignore_above: 1024
+  level: core
+  name: region_name
+  normalize: []
+  original_fieldset: geo
+  short: Region name.
+  type: keyword
+host.geo.timezone:
+  dashed_name: host-geo-timezone
+  description: The time zone of the location, such as IANA time zone name.
+  example: America/Argentina/Buenos_Aires
+  flat_name: host.geo.timezone
+  ignore_above: 1024
+  level: core
+  name: timezone
+  normalize: []
+  original_fieldset: geo
+  short: Time zone.
+  type: keyword
+host.hostname:
+  dashed_name: host-hostname
+  description: 'Hostname of the host.
+
+    It normally contains what the `hostname` command returns on the host machine.'
+  flat_name: host.hostname
+  ignore_above: 1024
+  level: core
+  name: hostname
+  normalize: []
+  short: Hostname of the host.
+  type: keyword
+host.id:
+  dashed_name: host-id
+  description: 'Unique host id.
+
+    As hostname is not always unique, use values that are meaningful in your environment.
+
+    Example: The current usage of `beat.name`.'
+  flat_name: host.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  short: Unique host id.
+  type: keyword
+host.ip:
+  dashed_name: host-ip
+  description: Host ip addresses.
+  flat_name: host.ip
+  level: core
+  name: ip
+  normalize:
+  - array
+  short: Host ip addresses.
+  type: ip
+host.mac:
+  dashed_name: host-mac
+  description: 'Host MAC addresses.
+
+    The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte)
+    is represented by two [uppercase] hexadecimal digits giving the value of the octet
+    as an unsigned integer. Successive octets are separated by a hyphen.'
+  example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
+  flat_name: host.mac
+  ignore_above: 1024
+  level: core
+  name: mac
+  normalize:
+  - array
+  short: Host MAC addresses.
+  type: keyword
+host.name:
+  dashed_name: host-name
+  description: 'Name of the host.
+
+    It can contain what `hostname` returns on Unix systems, the fully qualified domain
+    name, or a name specified by the user. The sender decides which value to use.'
+  flat_name: host.name
+  ignore_above: 1024
+  level: core
+  name: name
+  normalize: []
+  short: Name of the host.
+  type: keyword
+host.network.egress.bytes:
+  dashed_name: host-network-egress-bytes
+  description: The number of bytes (gauge) sent out on all network interfaces by the
+    host since the last metric collection.
+  flat_name: host.network.egress.bytes
+  level: extended
+  name: network.egress.bytes
+  normalize: []
+  short: The number of bytes sent on all network interfaces.
+  type: long
+host.network.egress.packets:
+  dashed_name: host-network-egress-packets
+  description: The number of packets (gauge) sent out on all network interfaces by
+    the host since the last metric collection.
+  flat_name: host.network.egress.packets
+  level: extended
+  name: network.egress.packets
+  normalize: []
+  short: The number of packets sent on all network interfaces.
+  type: long
+host.network.ingress.bytes:
+  dashed_name: host-network-ingress-bytes
+  description: The number of bytes received (gauge) on all network interfaces by the
+    host since the last metric collection.
+  flat_name: host.network.ingress.bytes
+  level: extended
+  name: network.ingress.bytes
+  normalize: []
+  short: The number of bytes received on all network interfaces.
+  type: long
+host.network.ingress.packets:
+  dashed_name: host-network-ingress-packets
+  description: The number of packets (gauge) received on all network interfaces by
+    the host since the last metric collection.
+  flat_name: host.network.ingress.packets
+  level: extended
+  name: network.ingress.packets
+  normalize: []
+  short: The number of packets received on all network interfaces.
+  type: long
+host.os.family:
+  dashed_name: host-os-family
+  description: OS family (such as redhat, debian, freebsd, windows).
+  example: debian
+  flat_name: host.os.family
+  ignore_above: 1024
+  level: extended
+  name: family
+  normalize: []
+  original_fieldset: os
+  short: OS family (such as redhat, debian, freebsd, windows).
+  type: keyword
+host.os.full:
+  dashed_name: host-os-full
+  description: Operating system name, including the version or code name.
+  example: Mac OS Mojave
+  flat_name: host.os.full
+  ignore_above: 1024
+  level: extended
+  multi_fields:
+  - flat_name: host.os.full.text
+    name: text
+    type: match_only_text
+  name: full
+  normalize: []
+  original_fieldset: os
+  short: Operating system name, including the version or code name.
+  type: keyword
+host.os.kernel:
+  dashed_name: host-os-kernel
+  description: Operating system kernel version as a raw string.
+  example: 4.4.0-112-generic
+  flat_name: host.os.kernel
+  ignore_above: 1024
+  level: extended
+  name: kernel
+  normalize: []
+  original_fieldset: os
+  short: Operating system kernel version as a raw string.
+  type: keyword
+host.os.name:
+  dashed_name: host-os-name
+  description: Operating system name, without the version.
+  example: Mac OS X
+  flat_name: host.os.name
+  ignore_above: 1024
+  level: extended
+  multi_fields:
+  - flat_name: host.os.name.text
+    name: text
+    type: match_only_text
+  name: name
+  normalize: []
+  original_fieldset: os
+  short: Operating system name, without the version.
+  type: keyword
+host.os.platform:
+  dashed_name: host-os-platform
+  description: Operating system platform (such centos, ubuntu, windows).
+  example: darwin
+  flat_name: host.os.platform
+  ignore_above: 1024
+  level: extended
+  name: platform
+  normalize: []
+  original_fieldset: os
+  short: Operating system platform (such centos, ubuntu, windows).
+  type: keyword
+host.os.type:
+  dashed_name: host-os-type
+  description: 'Use the `os.type` field to categorize the operating system into one
+    of the broad commercial families.
+
+    One of these following values should be used (lowercase): linux, macos, unix,
+    windows.
+
+    If the OS you''re dealing with is not in the list, the field should not be populated.
+    Please let us know by opening an issue with ECS, to propose its addition.'
+  example: macos
+  flat_name: host.os.type
+  ignore_above: 1024
+  level: extended
+  name: type
+  normalize: []
+  original_fieldset: os
+  short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+  type: keyword
+host.os.version:
+  dashed_name: host-os-version
+  description: Operating system version as a raw string.
+  example: 10.14.1
+  flat_name: host.os.version
+  ignore_above: 1024
+  level: extended
+  name: version
+  normalize: []
+  original_fieldset: os
+  short: Operating system version as a raw string.
+  type: keyword
+host.type:
+  dashed_name: host-type
+  description: 'Type of host.
+
+    For Cloud providers this can be the machine type like `t2.medium`. If vm, this
+    could be the container, for example, or other information meaningful in your environment.'
+  flat_name: host.type
+  ignore_above: 1024
+  level: core
+  name: type
+  normalize: []
+  short: Type of host.
+  type: keyword
+host.uptime:
+  dashed_name: host-uptime
+  description: Seconds the host has been up.
+  example: 1325
+  flat_name: host.uptime
+  level: extended
+  name: uptime
+  normalize: []
+  short: Seconds the host has been up.
+  type: long
+labels:
+  dashed_name: labels
+  description: 'Custom key/value pairs.
+
+    Can be used to add meta information to events. Should not contain nested objects.
+    All values are stored as keyword.
+
+    Example: `docker` and `k8s` labels.'
+  example: '{"application": "foo-bar", "env": "production"}'
+  flat_name: labels
+  level: core
+  name: labels
+  normalize: []
+  object_type: keyword
+  short: Custom key/value pairs.
+  type: object
+message:
+  dashed_name: message
+  description: 'For log events the message field contains the log message, optimized
+    for viewing in a log viewer.
+
+    For structured logs without an original message field, other fields can be concatenated
+    to form a human-readable summary of the event.
+
+    If multiple messages exist, they can be combined into one message.'
+  example: Hello World
+  flat_name: message
+  level: core
+  name: message
+  normalize: []
+  short: Log message optimized for viewing in a log viewer.
+  type: match_only_text
+metricset.interval:
+  dashed_name: metricset-interval
+  description: The interval of the data
+  flat_name: metricset.interval
+  level: custom
+  name: interval
+  normalize: []
+  short: The interval of the data
+  type: long
+system.cpu.cores:
+  dashed_name: system-cpu-cores
+  description: Number of CPU cores
+  flat_name: system.cpu.cores
+  level: custom
+  name: cpu.cores
+  normalize: []
+  short: Number of CPU cores
+  type: integer
+system.cpu.system.pct:
+  dashed_name: system-cpu-system-pct
+  description: Percentage of CPU usage by system processes
+  flat_name: system.cpu.system.pct
+  level: custom
+  name: cpu.system.pct
+  normalize: []
+  short: Percentage of CPU usage by system processes
+  type: float
+system.cpu.total.norm.pct:
+  dashed_name: system-cpu-total-norm-pct
+  description: Percentage of CPU usage
+  flat_name: system.cpu.total.norm.pct
+  level: custom
+  name: cpu.total.norm.pct
+  normalize: []
+  short: Percentage of CPU usage
+  type: float
+system.cpu.user.pct:
+  dashed_name: system-cpu-user-pct
+  description: Percentage of CPU usage by user processes
+  flat_name: system.cpu.user.pct
+  level: custom
+  name: cpu.user.pct
+  normalize: []
+  short: Percentage of CPU usage by user processes
+  type: float
+system.network.in.bytes:
+  dashed_name: system-network-in-bytes
+  description: Number of incoming bytes
+  flat_name: system.network.in.bytes
+  level: custom
+  name: network.in.bytes
+  normalize: []
+  short: Number of incoming bytes
+  type: long
+system.network.name:
+  dashed_name: system-network-name
+  description: Name of the network interface
+  flat_name: system.network.name
+  ignore_above: 1024
+  level: custom
+  name: network.name
+  normalize: []
+  short: Name of the network interface
+  type: keyword
+system.network.out.bytes:
+  dashed_name: system-network-out-bytes
+  description: Number of outgoing bytes
+  flat_name: system.network.out.bytes
+  level: custom
+  name: network.out.bytes
+  normalize: []
+  short: Number of outgoing bytes
+  type: long
+tags:
+  dashed_name: tags
+  description: List of keywords used to tag each event.
+  example: '["production", "env2"]'
+  flat_name: tags
+  ignore_above: 1024
+  level: core
+  name: tags
+  normalize:
+  - array
+  short: List of keywords used to tag each event.
+  type: keyword
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/ecs/subset/fake_hosts/ecs_nested.yml
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/ecs/subset/fake_hosts/ecs_nested.yml
@ -0,0 +1,675 @@
+base:
+  description: The `base` field set contains all fields which are at the root of the
+    events. These fields are common across all types of events.
+  fields:
+    '@timestamp':
+      dashed_name: timestamp
+      description: 'Date/time when the event originated.
+
+        This is the date/time extracted from the event, typically representing when
+        the event was generated by the source.
+
+        If the event source has no original timestamp, this value is typically populated
+        by the first time the event was received by the pipeline.
+
+        Required field for all events.'
+      example: '2016-05-23T08:05:34.853Z'
+      flat_name: '@timestamp'
+      level: core
+      name: '@timestamp'
+      normalize: []
+      required: true
+      short: Date/time when the event originated.
+      type: date
+    labels:
+      dashed_name: labels
+      description: 'Custom key/value pairs.
+
+        Can be used to add meta information to events. Should not contain nested objects.
+        All values are stored as keyword.
+
+        Example: `docker` and `k8s` labels.'
+      example: '{"application": "foo-bar", "env": "production"}'
+      flat_name: labels
+      level: core
+      name: labels
+      normalize: []
+      object_type: keyword
+      short: Custom key/value pairs.
+      type: object
+    message:
+      dashed_name: message
+      description: 'For log events the message field contains the log message, optimized
+        for viewing in a log viewer.
+
+        For structured logs without an original message field, other fields can be
+        concatenated to form a human-readable summary of the event.
+
+        If multiple messages exist, they can be combined into one message.'
+      example: Hello World
+      flat_name: message
+      level: core
+      name: message
+      normalize: []
+      short: Log message optimized for viewing in a log viewer.
+      type: match_only_text
+    tags:
+      dashed_name: tags
+      description: List of keywords used to tag each event.
+      example: '["production", "env2"]'
+      flat_name: tags
+      ignore_above: 1024
+      level: core
+      name: tags
+      normalize:
+      - array
+      short: List of keywords used to tag each event.
+      type: keyword
+  group: 1
+  name: base
+  prefix: ''
+  root: true
+  short: All fields defined directly at the root of the events.
+  title: Base
+  type: group
+event:
+  description: 'The event fields are used for context information about the log or
+    metric event itself.
+
+    A log is defined as an event containing details of something that happened. Log
+    events must include the time at which the thing happened. Examples of log events
+    include a process starting on a host, a network packet being sent from a source
+    to a destination, or a network connection between a client and a server being
+    initiated or closed. A metric is defined as an event containing one or more numerical
+    measurements and the time at which the measurement was taken. Examples of metric
+    events include memory pressure measured on a host and device temperature. See
+    the `event.kind` definition in this section for additional details about metric
+    and state events.'
+  fields:
+    event.dataset:
+      dashed_name: event-dataset
+      description: 'Name of the dataset.
+
+        If an event source publishes more than one type of log or events (e.g. access
+        log, error log), the dataset is used to specify which one the event comes
+        from.
+
+        It''s recommended but not required to start the dataset name with the module
+        name, followed by a dot, then the dataset name.'
+      example: apache.access
+      flat_name: event.dataset
+      ignore_above: 1024
+      level: core
+      name: dataset
+      normalize: []
+      short: Name of the dataset.
+      type: keyword
+    event.module:
+      dashed_name: event-module
+      description: 'Name of the module this data is coming from.
+
+        If your monitoring agent supports the concept of modules or plugins to process
+        events of a given source (e.g. Apache logs), `event.module` should contain
+        the name of this module.'
+      example: apache
+      flat_name: event.module
+      ignore_above: 1024
+      level: core
+      name: module
+      normalize: []
+      short: Name of the module this data is coming from.
+      type: keyword
+  group: 2
+  name: event
+  prefix: event.
+  short: Fields breaking down the event details.
+  title: Event
+  type: group
+host:
+  description: 'A host is defined as a general computing instance.
+
+    ECS host.* fields should be populated with details about the host on which the
+    event happened, or from which the measurement was taken. Host types include hardware,
+    virtual machines, Docker containers, and Kubernetes nodes.'
+  fields:
+    host.architecture:
+      dashed_name: host-architecture
+      description: Operating system architecture.
+      example: x86_64
+      flat_name: host.architecture
+      ignore_above: 1024
+      level: core
+      name: architecture
+      normalize: []
+      short: Operating system architecture.
+      type: keyword
+    host.cpu.usage:
+      dashed_name: host-cpu-usage
+      description: 'Percent CPU used which is normalized by the number of CPU cores
+        and it ranges from 0 to 1.
+
+        Scaling factor: 1000.
+
+        For example: For a two core host, this value should be the average of the
+        two cores, between 0 and 1.'
+      flat_name: host.cpu.usage
+      level: extended
+      name: cpu.usage
+      normalize: []
+      scaling_factor: 1000
+      short: Percent CPU used, between 0 and 1.
+      type: scaled_float
+    host.disk.read.bytes:
+      dashed_name: host-disk-read-bytes
+      description: The total number of bytes (gauge) read successfully (aggregated
+        from all disks) since the last metric collection.
+      flat_name: host.disk.read.bytes
+      level: extended
+      name: disk.read.bytes
+      normalize: []
+      short: The number of bytes read by all disks.
+      type: long
+    host.disk.write.bytes:
+      dashed_name: host-disk-write-bytes
+      description: The total number of bytes (gauge) written successfully (aggregated
+        from all disks) since the last metric collection.
+      flat_name: host.disk.write.bytes
+      level: extended
+      name: disk.write.bytes
+      normalize: []
+      short: The number of bytes written on all disks.
+      type: long
+    host.domain:
+      dashed_name: host-domain
+      description: 'Name of the domain of which the host is a member.
+
+        For example, on Windows this could be the host''s Active Directory domain
+        or NetBIOS domain name. For Linux this could be the domain of the host''s
+        LDAP provider.'
+      example: CONTOSO
+      flat_name: host.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      short: Name of the directory the group is a member of.
+      type: keyword
+    host.geo.city_name:
+      dashed_name: host-geo-city-name
+      description: City name.
+      example: Montreal
+      flat_name: host.geo.city_name
+      ignore_above: 1024
+      level: core
+      name: city_name
+      normalize: []
+      original_fieldset: geo
+      short: City name.
+      type: keyword
+    host.geo.continent_code:
+      dashed_name: host-geo-continent-code
+      description: Two-letter code representing continent's name.
+      example: NA
+      flat_name: host.geo.continent_code
+      ignore_above: 1024
+      level: core
+      name: continent_code
+      normalize: []
+      original_fieldset: geo
+      short: Continent code.
+      type: keyword
+    host.geo.continent_name:
+      dashed_name: host-geo-continent-name
+      description: Name of the continent.
+      example: North America
+      flat_name: host.geo.continent_name
+      ignore_above: 1024
+      level: core
+      name: continent_name
+      normalize: []
+      original_fieldset: geo
+      short: Name of the continent.
+      type: keyword
+    host.geo.country_iso_code:
+      dashed_name: host-geo-country-iso-code
+      description: Country ISO code.
+      example: CA
+      flat_name: host.geo.country_iso_code
+      ignore_above: 1024
+      level: core
+      name: country_iso_code
+      normalize: []
+      original_fieldset: geo
+      short: Country ISO code.
+      type: keyword
+    host.geo.country_name:
+      dashed_name: host-geo-country-name
+      description: Country name.
+      example: Canada
+      flat_name: host.geo.country_name
+      ignore_above: 1024
+      level: core
+      name: country_name
+      normalize: []
+      original_fieldset: geo
+      short: Country name.
+      type: keyword
+    host.geo.location:
+      dashed_name: host-geo-location
+      description: Longitude and latitude.
+      example: '{ "lon": -73.614830, "lat": 45.505918 }'
+      flat_name: host.geo.location
+      level: core
+      name: location
+      normalize: []
+      original_fieldset: geo
+      short: Longitude and latitude.
+      type: geo_point
+    host.geo.name:
+      dashed_name: host-geo-name
+      description: 'User-defined description of a location, at the level of granularity
+        they care about.
+
+        Could be the name of their data centers, the floor number, if this describes
+        a local physical entity, city names.
+
+        Not typically used in automated geolocation.'
+      example: boston-dc
+      flat_name: host.geo.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: geo
+      short: User-defined description of a location.
+      type: keyword
+    host.geo.postal_code:
+      dashed_name: host-geo-postal-code
+      description: 'Postal code associated with the location.
+
+        Values appropriate for this field may also be known as a postcode or ZIP code
+        and will vary widely from country to country.'
+      example: 94040
+      flat_name: host.geo.postal_code
+      ignore_above: 1024
+      level: core
+      name: postal_code
+      normalize: []
+      original_fieldset: geo
+      short: Postal code.
+      type: keyword
+    host.geo.region_iso_code:
+      dashed_name: host-geo-region-iso-code
+      description: Region ISO code.
+      example: CA-QC
+      flat_name: host.geo.region_iso_code
+      ignore_above: 1024
+      level: core
+      name: region_iso_code
+      normalize: []
+      original_fieldset: geo
+      short: Region ISO code.
+      type: keyword
+    host.geo.region_name:
+      dashed_name: host-geo-region-name
+      description: Region name.
+      example: Quebec
+      flat_name: host.geo.region_name
+      ignore_above: 1024
+      level: core
+      name: region_name
+      normalize: []
+      original_fieldset: geo
+      short: Region name.
+      type: keyword
+    host.geo.timezone:
+      dashed_name: host-geo-timezone
+      description: The time zone of the location, such as IANA time zone name.
+      example: America/Argentina/Buenos_Aires
+      flat_name: host.geo.timezone
+      ignore_above: 1024
+      level: core
+      name: timezone
+      normalize: []
+      original_fieldset: geo
+      short: Time zone.
+      type: keyword
+    host.hostname:
+      dashed_name: host-hostname
+      description: 'Hostname of the host.
+
+        It normally contains what the `hostname` command returns on the host machine.'
+      flat_name: host.hostname
+      ignore_above: 1024
+      level: core
+      name: hostname
+      normalize: []
+      short: Hostname of the host.
+      type: keyword
+    host.id:
+      dashed_name: host-id
+      description: 'Unique host id.
+
+        As hostname is not always unique, use values that are meaningful in your environment.
+
+        Example: The current usage of `beat.name`.'
+      flat_name: host.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      short: Unique host id.
+      type: keyword
+    host.ip:
+      dashed_name: host-ip
+      description: Host ip addresses.
+      flat_name: host.ip
+      level: core
+      name: ip
+      normalize:
+      - array
+      short: Host ip addresses.
+      type: ip
+    host.mac:
+      dashed_name: host-mac
+      description: 'Host MAC addresses.
+
+        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+        byte) is represented by two [uppercase] hexadecimal digits giving the value
+        of the octet as an unsigned integer. Successive octets are separated by a
+        hyphen.'
+      example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
+      flat_name: host.mac
+      ignore_above: 1024
+      level: core
+      name: mac
+      normalize:
+      - array
+      short: Host MAC addresses.
+      type: keyword
+    host.name:
+      dashed_name: host-name
+      description: 'Name of the host.
+
+        It can contain what `hostname` returns on Unix systems, the fully qualified
+        domain name, or a name specified by the user. The sender decides which value
+        to use.'
+      flat_name: host.name
+      ignore_above: 1024
+      level: core
+      name: name
+      normalize: []
+      short: Name of the host.
+      type: keyword
+    host.network.egress.bytes:
+      dashed_name: host-network-egress-bytes
+      description: The number of bytes (gauge) sent out on all network interfaces
+        by the host since the last metric collection.
+      flat_name: host.network.egress.bytes
+      level: extended
+      name: network.egress.bytes
+      normalize: []
+      short: The number of bytes sent on all network interfaces.
+      type: long
+    host.network.egress.packets:
+      dashed_name: host-network-egress-packets
+      description: The number of packets (gauge) sent out on all network interfaces
+        by the host since the last metric collection.
+      flat_name: host.network.egress.packets
+      level: extended
+      name: network.egress.packets
+      normalize: []
+      short: The number of packets sent on all network interfaces.
+      type: long
+    host.network.ingress.bytes:
+      dashed_name: host-network-ingress-bytes
+      description: The number of bytes received (gauge) on all network interfaces
+        by the host since the last metric collection.
+      flat_name: host.network.ingress.bytes
+      level: extended
+      name: network.ingress.bytes
+      normalize: []
+      short: The number of bytes received on all network interfaces.
+      type: long
+    host.network.ingress.packets:
+      dashed_name: host-network-ingress-packets
+      description: The number of packets (gauge) received on all network interfaces
+        by the host since the last metric collection.
+      flat_name: host.network.ingress.packets
+      level: extended
+      name: network.ingress.packets
+      normalize: []
+      short: The number of packets received on all network interfaces.
+      type: long
+    host.os.family:
+      dashed_name: host-os-family
+      description: OS family (such as redhat, debian, freebsd, windows).
+      example: debian
+      flat_name: host.os.family
+      ignore_above: 1024
+      level: extended
+      name: family
+      normalize: []
+      original_fieldset: os
+      short: OS family (such as redhat, debian, freebsd, windows).
+      type: keyword
+    host.os.full:
+      dashed_name: host-os-full
+      description: Operating system name, including the version or code name.
+      example: Mac OS Mojave
+      flat_name: host.os.full
+      ignore_above: 1024
+      level: extended
+      multi_fields:
+      - flat_name: host.os.full.text
+        name: text
+        type: match_only_text
+      name: full
+      normalize: []
+      original_fieldset: os
+      short: Operating system name, including the version or code name.
+      type: keyword
+    host.os.kernel:
+      dashed_name: host-os-kernel
+      description: Operating system kernel version as a raw string.
+      example: 4.4.0-112-generic
+      flat_name: host.os.kernel
+      ignore_above: 1024
+      level: extended
+      name: kernel
+      normalize: []
+      original_fieldset: os
+      short: Operating system kernel version as a raw string.
+      type: keyword
+    host.os.name:
+      dashed_name: host-os-name
+      description: Operating system name, without the version.
+      example: Mac OS X
+      flat_name: host.os.name
+      ignore_above: 1024
+      level: extended
+      multi_fields:
+      - flat_name: host.os.name.text
+        name: text
+        type: match_only_text
+      name: name
+      normalize: []
+      original_fieldset: os
+      short: Operating system name, without the version.
+      type: keyword
+    host.os.platform:
+      dashed_name: host-os-platform
+      description: Operating system platform (such centos, ubuntu, windows).
+      example: darwin
+      flat_name: host.os.platform
+      ignore_above: 1024
+      level: extended
+      name: platform
+      normalize: []
+      original_fieldset: os
+      short: Operating system platform (such centos, ubuntu, windows).
+      type: keyword
+    host.os.type:
+      dashed_name: host-os-type
+      description: 'Use the `os.type` field to categorize the operating system into
+        one of the broad commercial families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS you''re dealing with is not in the list, the field should not be
+        populated. Please let us know by opening an issue with ECS, to propose its
+        addition.'
+      example: macos
+      flat_name: host.os.type
+      ignore_above: 1024
+      level: extended
+      name: type
+      normalize: []
+      original_fieldset: os
+      short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+      type: keyword
+    host.os.version:
+      dashed_name: host-os-version
+      description: Operating system version as a raw string.
+      example: 10.14.1
+      flat_name: host.os.version
+      ignore_above: 1024
+      level: extended
+      name: version
+      normalize: []
+      original_fieldset: os
+      short: Operating system version as a raw string.
+      type: keyword
+    host.type:
+      dashed_name: host-type
+      description: 'Type of host.
+
+        For Cloud providers this can be the machine type like `t2.medium`. If vm,
+        this could be the container, for example, or other information meaningful
+        in your environment.'
+      flat_name: host.type
+      ignore_above: 1024
+      level: core
+      name: type
+      normalize: []
+      short: Type of host.
+      type: keyword
+    host.uptime:
+      dashed_name: host-uptime
+      description: Seconds the host has been up.
+      example: 1325
+      flat_name: host.uptime
+      level: extended
+      name: uptime
+      normalize: []
+      short: Seconds the host has been up.
+      type: long
+  group: 2
+  name: host
+  nestings:
+  - host.geo
+  - host.os
+  prefix: host.
+  reused_here:
+  - full: host.geo
+    schema_name: geo
+    short: Fields describing a location.
+  - full: host.os
+    schema_name: os
+    short: OS fields contain information about the operating system.
+  short: Fields describing the relevant computing instance.
+  title: Host
+  type: group
+metricset:
+  description: Metricset data
+  fields:
+    metricset.interval:
+      dashed_name: metricset-interval
+      description: The interval of the data
+      flat_name: metricset.interval
+      level: custom
+      name: interval
+      normalize: []
+      short: The interval of the data
+      type: long
+  group: 2
+  name: metricset
+  prefix: metricset.
+  short: Metricset data
+  title: Metricset
+  type: group
+system:
+  description: System-related information
+  fields:
+    system.cpu.cores:
+      dashed_name: system-cpu-cores
+      description: Number of CPU cores
+      flat_name: system.cpu.cores
+      level: custom
+      name: cpu.cores
+      normalize: []
+      short: Number of CPU cores
+      type: integer
+    system.cpu.system.pct:
+      dashed_name: system-cpu-system-pct
+      description: Percentage of CPU usage by system processes
+      flat_name: system.cpu.system.pct
+      level: custom
+      name: cpu.system.pct
+      normalize: []
+      short: Percentage of CPU usage by system processes
+      type: float
+    system.cpu.total.norm.pct:
+      dashed_name: system-cpu-total-norm-pct
+      description: Percentage of CPU usage
+      flat_name: system.cpu.total.norm.pct
+      level: custom
+      name: cpu.total.norm.pct
+      normalize: []
+      short: Percentage of CPU usage
+      type: float
+    system.cpu.user.pct:
+      dashed_name: system-cpu-user-pct
+      description: Percentage of CPU usage by user processes
+      flat_name: system.cpu.user.pct
+      level: custom
+      name: cpu.user.pct
+      normalize: []
+      short: Percentage of CPU usage by user processes
+      type: float
+    system.network.in.bytes:
+      dashed_name: system-network-in-bytes
+      description: Number of incoming bytes
+      flat_name: system.network.in.bytes
+      level: custom
+      name: network.in.bytes
+      normalize: []
+      short: Number of incoming bytes
+      type: long
+    system.network.name:
+      dashed_name: system-network-name
+      description: Name of the network interface
+      flat_name: system.network.name
+      ignore_above: 1024
+      level: custom
+      name: network.name
+      normalize: []
+      short: Name of the network interface
+      type: keyword
+    system.network.out.bytes:
+      dashed_name: system-network-out-bytes
+      description: Number of outgoing bytes
+      flat_name: system.network.out.bytes
+      level: custom
+      name: network.out.bytes
+      normalize: []
+      short: Number of outgoing bytes
+      type: long
+  group: 2
+  level: custom
+  name: system
+  prefix: system.
+  short: System-related information
+  title: System
+  type: group
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/elasticsearch/composable/component/base.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/elasticsearch/composable/component/base.json
@ -0,0 +1,25 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+    "ecs_version": "8.0.0"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "@timestamp": {
+          "type": "date"
+        },
+        "labels": {
+          "type": "object"
+        },
+        "message": {
+          "type": "match_only_text"
+        },
+        "tags": {
+          "ignore_above": 1024,
+          "type": "keyword"
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/elasticsearch/composable/component/event.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/elasticsearch/composable/component/event.json
@ -0,0 +1,24 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html",
+    "ecs_version": "8.0.0"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "event": {
+          "properties": {
+            "dataset": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "module": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/elasticsearch/composable/component/host.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/elasticsearch/composable/component/host.json
@ -0,0 +1,189 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html",
+    "ecs_version": "8.0.0"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "host": {
+          "properties": {
+            "architecture": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "cpu": {
+              "properties": {
+                "usage": {
+                  "scaling_factor": 1000,
+                  "type": "scaled_float"
+                }
+              }
+            },
+            "disk": {
+              "properties": {
+                "read": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    }
+                  }
+                },
+                "write": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    }
+                  }
+                }
+              }
+            },
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "geo": {
+              "properties": {
+                "city_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "continent_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "country_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "location": {
+                  "type": "geo_point"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "postal_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_iso_code": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "timezone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "hostname": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "ip": {
+              "type": "ip"
+            },
+            "mac": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "network": {
+              "properties": {
+                "egress": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    },
+                    "packets": {
+                      "type": "long"
+                    }
+                  }
+                },
+                "ingress": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    },
+                    "packets": {
+                      "type": "long"
+                    }
+                  }
+                }
+              }
+            },
+            "os": {
+              "properties": {
+                "family": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full": {
+                  "fields": {
+                    "text": {
+                      "type": "match_only_text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "kernel": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "type": "match_only_text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "platform": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "uptime": {
+              "type": "long"
+            }
+          }
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/elasticsearch/composable/component/metricset.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/elasticsearch/composable/component/metricset.json
@ -0,0 +1,18 @@
+{
+  "_meta": {
+    "ecs_version": "8.0.0"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "metricset": {
+          "properties": {
+            "interval": {
+              "type": "long"
+            }
+          }
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/elasticsearch/composable/component/system.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/elasticsearch/composable/component/system.json
@ -0,0 +1,69 @@
+{
+  "_meta": {
+    "ecs_version": "8.0.0"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "system": {
+          "properties": {
+            "cpu": {
+              "properties": {
+                "cores": {
+                  "type": "integer"
+                },
+                "system": {
+                  "properties": {
+                    "pct": {
+                      "type": "float"
+                    }
+                  }
+                },
+                "total": {
+                  "properties": {
+                    "norm": {
+                      "properties": {
+                        "pct": {
+                          "type": "float"
+                        }
+                      }
+                    }
+                  }
+                },
+                "user": {
+                  "properties": {
+                    "pct": {
+                      "type": "float"
+                    }
+                  }
+                }
+              }
+            },
+            "network": {
+              "properties": {
+                "in": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    }
+                  }
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "out": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/elasticsearch/composable/template.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/elasticsearch/composable/template.json
@ -0,0 +1,52 @@
+{
+  "_meta": {
+    "description": "Sample composable template that includes all ECS fields",
+    "ecs_version": "8.0.0"
+  },
+  "composed_of": [
+    "ecs_8.0.0_base",
+    "ecs_8.0.0_event",
+    "ecs_8.0.0_host",
+    "ecs_8.0.0_metricset",
+    "ecs_8.0.0_system"
+  ],
+  "index_patterns": [
+    "kbn-data-forge-fake_hosts.fake_hosts-*"
+  ],
+  "priority": 1,
+  "template": {
+    "mappings": {
+      "_meta": {
+        "version": "1.6.0"
+      },
+      "date_detection": false,
+      "dynamic_templates": [
+        {
+          "strings_as_keyword": {
+            "mapping": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "match_mapping_type": "string"
+          }
+        }
+      ]
+    },
+    "settings": {
+      "index": {
+        "codec": "best_compression",
+        "mapping": {
+          "total_fields": {
+            "limit": 2000
+          }
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/elasticsearch/legacy/template.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/generated/elasticsearch/legacy/template.json
@ -0,0 +1,309 @@
+{
+  "index_patterns": [
+    "kbn-data-forge-fake_hosts.fake_hosts-*"
+  ],
+  "mappings": {
+    "_meta": {
+      "version": "1.6.0"
+    },
+    "date_detection": false,
+    "dynamic_templates": [
+      {
+        "strings_as_keyword": {
+          "mapping": {
+            "fields": {
+              "text": {
+                "norms": false,
+                "type": "text"
+              }
+            },
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "match_mapping_type": "string"
+        }
+      }
+    ],
+    "properties": {
+      "@timestamp": {
+        "type": "date"
+      },
+      "event": {
+        "properties": {
+          "dataset": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "module": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "host": {
+        "properties": {
+          "architecture": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "cpu": {
+            "properties": {
+              "usage": {
+                "scaling_factor": 1000,
+                "type": "scaled_float"
+              }
+            }
+          },
+          "disk": {
+            "properties": {
+              "read": {
+                "properties": {
+                  "bytes": {
+                    "type": "long"
+                  }
+                }
+              },
+              "write": {
+                "properties": {
+                  "bytes": {
+                    "type": "long"
+                  }
+                }
+              }
+            }
+          },
+          "domain": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "geo": {
+            "properties": {
+              "city_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "continent_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "continent_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "country_iso_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "country_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "location": {
+                "type": "geo_point"
+              },
+              "name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "postal_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "region_iso_code": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "region_name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "timezone": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "hostname": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "ip": {
+            "type": "ip"
+          },
+          "mac": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "name": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "network": {
+            "properties": {
+              "egress": {
+                "properties": {
+                  "bytes": {
+                    "type": "long"
+                  },
+                  "packets": {
+                    "type": "long"
+                  }
+                }
+              },
+              "ingress": {
+                "properties": {
+                  "bytes": {
+                    "type": "long"
+                  },
+                  "packets": {
+                    "type": "long"
+                  }
+                }
+              }
+            }
+          },
+          "os": {
+            "properties": {
+              "family": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "full": {
+                "fields": {
+                  "text": {
+                    "type": "match_only_text"
+                  }
+                },
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "kernel": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "fields": {
+                  "text": {
+                    "type": "match_only_text"
+                  }
+                },
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "platform": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "version": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "type": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "uptime": {
+            "type": "long"
+          }
+        }
+      },
+      "labels": {
+        "type": "object"
+      },
+      "message": {
+        "type": "match_only_text"
+      },
+      "metricset": {
+        "properties": {
+          "interval": {
+            "type": "long"
+          }
+        }
+      },
+      "system": {
+        "properties": {
+          "cpu": {
+            "properties": {
+              "cores": {
+                "type": "integer"
+              },
+              "system": {
+                "properties": {
+                  "pct": {
+                    "type": "float"
+                  }
+                }
+              },
+              "total": {
+                "properties": {
+                  "norm": {
+                    "properties": {
+                      "pct": {
+                        "type": "float"
+                      }
+                    }
+                  }
+                }
+              },
+              "user": {
+                "properties": {
+                  "pct": {
+                    "type": "float"
+                  }
+                }
+              }
+            }
+          },
+          "network": {
+            "properties": {
+              "in": {
+                "properties": {
+                  "bytes": {
+                    "type": "long"
+                  }
+                }
+              },
+              "name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "out": {
+                "properties": {
+                  "bytes": {
+                    "type": "long"
+                  }
+                }
+              }
+            }
+          }
+        }
+      },
+      "tags": {
+        "ignore_above": 1024,
+        "type": "keyword"
+      }
+    }
+  },
+  "order": 1,
+  "settings": {
+    "index": {
+      "codec": "best_compression",
+      "mapping": {
+        "total_fields": {
+          "limit": 2000
+        }
+      },
+      "refresh_interval": "2s"
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/index.ts
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/ecs/index.ts
@ -0,0 +1,31 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import base from './generated/elasticsearch/composable/component/base.json';
+import event from './generated/elasticsearch/composable/component/event.json';
+import host from './generated/elasticsearch/composable/component/host.json';
+import metricset from './generated/elasticsearch/composable/component/metricset.json';
+import system from './generated/elasticsearch/composable/component/system.json';
+
+import template from './generated/elasticsearch/composable/template.json';
+import { IndexTemplateDef } from '../../../types';
+
+const ECS_VERSION = template._meta.ecs_version;
+
+const components = [
+  { name: `fake_hosts_${ECS_VERSION}_base`, template: base },
+  { name: `fake_hosts_${ECS_VERSION}_event`, template: event },
+  { name: `fake_hosts_${ECS_VERSION}_host`, template: host },
+  { name: `fake_hosts_${ECS_VERSION}_metricset`, template: metricset },
+  { name: `fake_hosts_${ECS_VERSION}_system`, template: system },
+];
+
+export const indexTemplate: IndexTemplateDef = {
+  namespace: 'fake_hosts',
+  template: { ...template, composed_of: components.map(({ name }) => name) },
+  components,
+};
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/index.ts
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/index.ts
@ -0,0 +1,171 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { faker } from '@faker-js/faker';
+import { sample, range, memoize } from 'lodash';
+import { GeneratorFunction } from '../../types';
+import { replaceMetricsWithShapes } from '../../lib/replace_metrics_with_shapes';
+
+export { indexTemplate } from './ecs';
+
+const createGroupIndex = (index: number) => Math.floor(index / 1000) * 1000;
+
+const randomBetween = (start = 0, end = 1, step = 0.1) => sample(range(start, end, step));
+
+let networkDataCount = 0;
+const generateNetworkData = memoize((_timestamp: string) => {
+  networkDataCount += Math.floor(10000 * Math.random());
+  return networkDataCount;
+});
+
+export const generateEvent: GeneratorFunction = (config, schedule, index, timestamp) => {
+  const groupIndex = createGroupIndex(index);
+  const interval = schedule.interval ?? config.indexing.interval;
+  const scenario = config.indexing.scenario || 'fake_hosts';
+  const docs = [
+    {
+      namespace: 'fake_hosts',
+      '@timestamp': timestamp.toISOString(),
+      tags: [`group-${groupIndex}`, `event-${index}`],
+      host: {
+        name: `host-${index}`,
+        mac: ['00-00-5E-00-53-23', '00-00-5E-00-53-24'],
+        network: {
+          name: `network-${index}`,
+        },
+      },
+      event: {
+        module: 'system',
+        dataset: 'system.cpu',
+      },
+      labels: {
+        groupId: `group-${groupIndex}`,
+        eventId: `event-${index}`,
+        scenario,
+      },
+      system: {
+        cpu: {
+          cores: 4,
+          total: {
+            norm: {
+              pct: randomBetween(),
+            },
+          },
+          user: {
+            pct: randomBetween(1, 4),
+          },
+          system: {
+            pct: randomBetween(1, 4),
+          },
+        },
+        load: {
+          1: randomBetween(1, 4),
+        },
+        memory: {
+          actual: {
+            used: {
+              pct: randomBetween(1, 4),
+            },
+          },
+        },
+        filesystem: {
+          used: {
+            pct: randomBetween(1, 4),
+          },
+        },
+      },
+      metricset: {
+        period: interval,
+      },
+      container: {
+        id: `container-${index}`,
+        name: 'container-name',
+      },
+    },
+    {
+      namespace: 'fake_hosts',
+      '@timestamp': timestamp.toISOString(),
+      host: {
+        name: `host-${index}`,
+        network: {
+          name: `network-${index}`,
+          ingress: {
+            bytes: parseInt(faker.string.numeric(3), 10),
+          },
+          egress: {
+            bytes: parseInt(faker.string.numeric(3), 10),
+          },
+        },
+      },
+      event: {
+        module: 'system',
+        dataset: 'system.network',
+      },
+      labels: {
+        groupId: `group-${groupIndex}`,
+        eventId: `event-${index}`,
+        scenario,
+      },
+      system: {
+        network: {
+          name: 'eth0',
+          in: {
+            bytes: generateNetworkData(timestamp.toISOString()),
+          },
+          out: {
+            bytes: generateNetworkData(timestamp.toISOString()),
+          },
+        },
+      },
+      metricset: {
+        period: interval,
+      },
+      container: {
+        id: `container-${index}`,
+        name: 'container-name',
+      },
+    },
+    {
+      namespace: 'fake_hosts',
+      '@timestamp': timestamp.toISOString(),
+      host: {
+        name: `host-${index}`,
+        network: {
+          name: `network-${index}`,
+        },
+      },
+      event: {
+        module: 'system',
+        dataset: 'system.network',
+      },
+      labels: {
+        groupId: `group-${groupIndex}`,
+        eventId: `event-${index}`,
+        scenario,
+      },
+      system: {
+        network: {
+          name: 'eth1',
+          in: {
+            bytes: generateNetworkData(timestamp.toISOString()),
+          },
+          out: {
+            bytes: generateNetworkData(timestamp.toISOString()),
+          },
+        },
+      },
+      metricset: {
+        period: interval,
+      },
+      container: {
+        id: `container-${index}`,
+        name: 'container-name',
+      },
+    },
+  ];
+  return replaceMetricsWithShapes(timestamp, schedule, docs);
+};
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/template.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_hosts/template.json
@ -0,0 +1,224 @@
+{
+  "order": 1,
+  "index_patterns": [
+    "kbn-data-forge-fake_hosts.fake_hosts-*"
+  ],
+  "settings": {
+    "index": {
+      "mapping": {
+        "total_fields": {
+          "limit": "10000"
+        }
+      },
+      "number_of_shards": "1",
+      "number_of_replicas": "0",
+      "query": {
+        "default_field": [
+          "message",
+          "labels.*",
+          "event.*"
+        ]
+      }
+    }
+  },
+  "mappings": {
+    "dynamic_templates": [
+      {
+        "labels": {
+          "path_match": "labels.*",
+          "mapping": {
+            "type": "keyword"
+          },
+          "match_mapping_type": "string"
+        }
+      },
+      {
+        "strings_as_keyword": {
+          "mapping": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "match_mapping_type": "string"
+        }
+      }
+    ],
+    "date_detection": false,
+    "properties": {
+      "@timestamp": {
+        "type": "date"
+      },
+      "tags": {
+        "type": "keyword"
+      },
+      "metricset": {
+        "properties": {
+          "period": {
+            "type": "long"
+          }
+        }
+      },
+      "host": {
+        "properties": {
+          "name": {
+            "type": "keyword",
+            "ignore_above": 256
+          },
+          "network": {
+            "properties": {
+              "name": {
+                "type": "keyword",
+                "ignore_above": 256
+              },
+              "ingress": {
+                "properties": {
+                  "bytes": {
+                    "type": "long"
+                  }
+                }
+              },
+              "egress": {
+                "properties": {
+                  "bytes": {
+                    "type": "long"
+                  }
+                }
+              }
+            }
+          }
+        }
+      },
+      "event": {
+        "properties": {
+          "dataset": {
+            "type": "keyword",
+            "ignore_above": 256
+          },
+          "module": {
+            "type": "keyword",
+            "ignore_above": 256
+          }
+        }
+      },
+      "system": {
+        "properties": {
+          "cpu": {
+            "properties": {
+              "cores": {
+                "type": "long"
+              },
+              "total": {
+                "properties": {
+                  "norm": {
+                    "properties": {
+                      "pct": {
+                        "scaling_factor": 1000,
+                        "type": "scaled_float"
+                      }
+                    }
+                  }
+                }
+              },
+              "user": {
+                "properties": {
+                  "pct": {
+                    "scaling_factor": 1000,
+                    "type": "scaled_float"
+                  },
+                  "norm": {
+                    "properties": {
+                      "pct": {
+                        "scaling_factor": 1000,
+                        "type": "scaled_float"
+                      }
+                    }
+                  }
+                }
+              },
+              "system": {
+                "properties": {
+                  "pct": {
+                    "scaling_factor": 1000,
+                    "type": "scaled_float"
+                  }
+                }
+              }
+            }
+          },
+          "network": {
+            "properties": {
+              "name": {
+                "type": "keyword",
+                "ignore_above": 256
+              },
+              "in": {
+                "properties": {
+                  "bytes": {
+                    "type": "long"
+                  }
+                }
+              },
+              "out": {
+                "properties": {
+                  "bytes": {
+                    "type": "long"
+                  }
+                }
+              }
+            }
+          },
+          "load": {
+            "properties": {
+              "1": {
+                "scaling_factor": 1000,
+                "type": "scaled_float"
+              }
+            }
+          },
+          "memory": {
+            "properties": {
+              "actual": {
+                "properties": {
+                  "used": {
+                    "properties": {
+                      "pct": {
+                        "scaling_factor": 1000,
+                        "type": "scaled_float"
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "filesystem": {
+            "properties": {
+              "used": {
+                "properties": {
+                  "pct": {
+                    "scaling_factor": 1000,
+                    "type": "scaled_float"
+                  }
+                }
+              }
+            }
+          }
+        }
+      },
+      "container": {
+        "properties": {
+          "id": {
+            "type": "keyword",
+            "ignore_above": 256
+          },
+          "name": {
+            "type": "keyword",
+            "ignore_above": 256
+          }
+        }
+      }
+    }
+  },
+  "aliases": {
+    "metrics-fake_hosts": {}
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/fields/custom/metricset.yaml
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/fields/custom/metricset.yaml
@ -0,0 +1,11 @@
+- name: metricset
+  title: Metricset
+  description: >
+    Metricset data
+  type: group
+  fields:
+    - name: interval
+      type: long
+      level: custom
+      description: >
+        The interval of the data
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/fields/mapping-settings.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/fields/mapping-settings.json
@ -0,0 +1,20 @@
+{
+  "_meta": {
+    "version": "1.6.0"
+  },
+  "date_detection": false,
+  "dynamic_templates": [
+    {
+      "strings_as_keyword": {
+        "mapping": {
+          "type": "keyword",
+          "ignore_above": 1024,
+          "fields": {
+            "text": { "type": "text", "norms" : false }
+          }
+        },
+        "match_mapping_type": "string"
+      }
+    }
+  ]
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/fields/subset.yml
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/fields/subset.yml
@ -0,0 +1,21 @@
+---
+name: admin_console
+fields:
+  base:
+    fields: "*"
+  event:
+    fields:
+      module: {}
+      dataset: {}
+      duration: {}
+      code: {}
+  log:
+    fields:
+      level: {}
+      logger: {}
+  host:
+    fields:
+      name: {}
+  metricset:
+    fields: '*'
+
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/fields/template-settings-legacy.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/fields/template-settings-legacy.json
@ -0,0 +1,17 @@
+{
+  "index_patterns": ["kbn-data-forge-fake_logs.fake_logs-*"],
+  "order": 1,
+  "settings": {
+    "index": {
+      "codec" : "best_compression",
+      "mapping": {
+        "total_fields": {
+          "limit": 2000
+        }
+      },
+      "refresh_interval": "2s"
+    }
+  }
+}
+
+
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/fields/template-settings.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/fields/template-settings.json
@ -0,0 +1,16 @@
+{
+  "index_patterns": ["kbn-data-forge-fake_logs.fake_logs-*"],
+  "priority": 1,
+  "template": {
+    "settings": {
+      "index": {
+        "codec" : "best_compression",
+        "mapping": {
+          "total_fields": {
+            "limit": 2000
+          }
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generate.sh
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generate.sh
@ -0,0 +1,14 @@
+#!/bin/sh
+
+cd ../../../../../../../../ecs
+
+BASE=../kibana/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs
+ECS=$BASE/ecs
+
+python3 ./scripts/generator.py --ref v8.0.0 \
+  --subset                   $ECS/fields/subset.yml \
+  --include                  $ECS/fields/custom \
+  --out                      $ECS/ \
+  --template-settings-legacy $ECS/fields/template-settings-legacy.json \
+  --template-settings        $ECS/fields/template-settings.json \
+  --mapping-settings         $ECS/fields/mapping-settings.json
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/beats/fields.ecs.yml
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/beats/fields.ecs.yml
@ -0,0 +1,181 @@
+# WARNING! Do not edit this file directly, it was generated by the ECS project,
+# based on ECS version 8.0.0.
+# Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.
+
+- key: ecs
+  title: ECS
+  description: ECS Fields.
+  fields:
+  - name: '@timestamp'
+    level: core
+    required: true
+    type: date
+    description: 'Date/time when the event originated.
+
+      This is the date/time extracted from the event, typically representing when
+      the event was generated by the source.
+
+      If the event source has no original timestamp, this value is typically populated
+      by the first time the event was received by the pipeline.
+
+      Required field for all events.'
+    example: '2016-05-23T08:05:34.853Z'
+    default_field: true
+  - name: labels
+    level: core
+    type: object
+    object_type: keyword
+    description: 'Custom key/value pairs.
+
+      Can be used to add meta information to events. Should not contain nested objects.
+      All values are stored as keyword.
+
+      Example: `docker` and `k8s` labels.'
+    example: '{"application": "foo-bar", "env": "production"}'
+    default_field: true
+  - name: message
+    level: core
+    type: match_only_text
+    description: 'For log events the message field contains the log message, optimized
+      for viewing in a log viewer.
+
+      For structured logs without an original message field, other fields can be concatenated
+      to form a human-readable summary of the event.
+
+      If multiple messages exist, they can be combined into one message.'
+    example: Hello World
+    default_field: true
+  - name: tags
+    level: core
+    type: keyword
+    ignore_above: 1024
+    description: List of keywords used to tag each event.
+    example: '["production", "env2"]'
+    default_field: true
+  - name: event
+    title: Event
+    group: 2
+    description: 'The event fields are used for context information about the log
+      or metric event itself.
+
+      A log is defined as an event containing details of something that happened.
+      Log events must include the time at which the thing happened. Examples of log
+      events include a process starting on a host, a network packet being sent from
+      a source to a destination, or a network connection between a client and a server
+      being initiated or closed. A metric is defined as an event containing one or
+      more numerical measurements and the time at which the measurement was taken.
+      Examples of metric events include memory pressure measured on a host and device
+      temperature. See the `event.kind` definition in this section for additional
+      details about metric and state events.'
+    type: group
+    default_field: true
+    fields:
+    - name: code
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Identification code for this event, if one exists.
+
+        Some event sources use event codes to identify messages unambiguously, regardless
+        of message language or wording adjustments over time. An example of this is
+        the Windows Event ID.'
+      example: 4648
+    - name: dataset
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the dataset.
+
+        If an event source publishes more than one type of log or events (e.g. access
+        log, error log), the dataset is used to specify which one the event comes
+        from.
+
+        It''s recommended but not required to start the dataset name with the module
+        name, followed by a dot, then the dataset name.'
+      example: apache.access
+    - name: duration
+      level: core
+      type: long
+      format: duration
+      input_format: nanoseconds
+      output_format: asMilliseconds
+      output_precision: 1
+      description: 'Duration of the event in nanoseconds.
+
+        If event.start and event.end are known this value should be the difference
+        between the end and start time.'
+    - name: module
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the module this data is coming from.
+
+        If your monitoring agent supports the concept of modules or plugins to process
+        events of a given source (e.g. Apache logs), `event.module` should contain
+        the name of this module.'
+      example: apache
+  - name: host
+    title: Host
+    group: 2
+    description: 'A host is defined as a general computing instance.
+
+      ECS host.* fields should be populated with details about the host on which the
+      event happened, or from which the measurement was taken. Host types include
+      hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+    type: group
+    default_field: true
+    fields:
+    - name: name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the host.
+
+        It can contain what `hostname` returns on Unix systems, the fully qualified
+        domain name, or a name specified by the user. The sender decides which value
+        to use.'
+  - name: log
+    title: Log
+    group: 2
+    description: 'Details about the event''s logging mechanism or logging transport.
+
+      The log.* fields are typically populated with details about the logging mechanism
+      used to create and/or transport the event. For example, syslog details belong
+      under `log.syslog.*`.
+
+      The details specific to your event source are typically not logged under `log.*`,
+      but rather in `event.*` or in other ECS fields.'
+    type: group
+    default_field: true
+    fields:
+    - name: level
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Original log level of the log event.
+
+        If the source of the event provides a log level or textual severity, this
+        is the one that goes in `log.level`. If your source doesn''t specify one,
+        you may put your event transport''s severity here (e.g. Syslog severity).
+
+        Some examples are `warn`, `err`, `i`, `informational`.'
+      example: error
+    - name: logger
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: The name of the logger inside an application. This is usually the
+        name of the class which initialized the logger, or can be a custom name.
+      example: org.elasticsearch.bootstrap.Bootstrap
+  - name: metricset
+    title: Metricset
+    group: 2
+    description: Metricset data
+    type: group
+    default_field: true
+    fields:
+    - name: interval
+      level: custom
+      type: long
+      description: The interval of the data
+      default_field: false
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/csv/fields.csv
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/csv/fields.csv
@ -0,0 +1,13 @@
+ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
+8.0.0,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
+8.0.0,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
+8.0.0,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer.
+8.0.0,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
+8.0.0,true,event,event.code,keyword,extended,,4648,Identification code for this event.
+8.0.0,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
+8.0.0,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
+8.0.0,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
+8.0.0,true,host,host.name,keyword,core,,,Name of the host.
+8.0.0,true,log,log.level,keyword,core,,error,Log level of the log event.
+8.0.0,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
+8.0.0,true,metricset,metricset.interval,long,custom,,,The interval of the data
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/ecs/ecs_flat.yml
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/ecs/ecs_flat.yml
@ -0,0 +1,177 @@
+'@timestamp':
+  dashed_name: timestamp
+  description: 'Date/time when the event originated.
+
+    This is the date/time extracted from the event, typically representing when the
+    event was generated by the source.
+
+    If the event source has no original timestamp, this value is typically populated
+    by the first time the event was received by the pipeline.
+
+    Required field for all events.'
+  example: '2016-05-23T08:05:34.853Z'
+  flat_name: '@timestamp'
+  level: core
+  name: '@timestamp'
+  normalize: []
+  required: true
+  short: Date/time when the event originated.
+  type: date
+event.code:
+  dashed_name: event-code
+  description: 'Identification code for this event, if one exists.
+
+    Some event sources use event codes to identify messages unambiguously, regardless
+    of message language or wording adjustments over time. An example of this is the
+    Windows Event ID.'
+  example: 4648
+  flat_name: event.code
+  ignore_above: 1024
+  level: extended
+  name: code
+  normalize: []
+  short: Identification code for this event.
+  type: keyword
+event.dataset:
+  dashed_name: event-dataset
+  description: 'Name of the dataset.
+
+    If an event source publishes more than one type of log or events (e.g. access
+    log, error log), the dataset is used to specify which one the event comes from.
+
+    It''s recommended but not required to start the dataset name with the module name,
+    followed by a dot, then the dataset name.'
+  example: apache.access
+  flat_name: event.dataset
+  ignore_above: 1024
+  level: core
+  name: dataset
+  normalize: []
+  short: Name of the dataset.
+  type: keyword
+event.duration:
+  dashed_name: event-duration
+  description: 'Duration of the event in nanoseconds.
+
+    If event.start and event.end are known this value should be the difference between
+    the end and start time.'
+  flat_name: event.duration
+  format: duration
+  input_format: nanoseconds
+  level: core
+  name: duration
+  normalize: []
+  output_format: asMilliseconds
+  output_precision: 1
+  short: Duration of the event in nanoseconds.
+  type: long
+event.module:
+  dashed_name: event-module
+  description: 'Name of the module this data is coming from.
+
+    If your monitoring agent supports the concept of modules or plugins to process
+    events of a given source (e.g. Apache logs), `event.module` should contain the
+    name of this module.'
+  example: apache
+  flat_name: event.module
+  ignore_above: 1024
+  level: core
+  name: module
+  normalize: []
+  short: Name of the module this data is coming from.
+  type: keyword
+host.name:
+  dashed_name: host-name
+  description: 'Name of the host.
+
+    It can contain what `hostname` returns on Unix systems, the fully qualified domain
+    name, or a name specified by the user. The sender decides which value to use.'
+  flat_name: host.name
+  ignore_above: 1024
+  level: core
+  name: name
+  normalize: []
+  short: Name of the host.
+  type: keyword
+labels:
+  dashed_name: labels
+  description: 'Custom key/value pairs.
+
+    Can be used to add meta information to events. Should not contain nested objects.
+    All values are stored as keyword.
+
+    Example: `docker` and `k8s` labels.'
+  example: '{"application": "foo-bar", "env": "production"}'
+  flat_name: labels
+  level: core
+  name: labels
+  normalize: []
+  object_type: keyword
+  short: Custom key/value pairs.
+  type: object
+log.level:
+  dashed_name: log-level
+  description: 'Original log level of the log event.
+
+    If the source of the event provides a log level or textual severity, this is the
+    one that goes in `log.level`. If your source doesn''t specify one, you may put
+    your event transport''s severity here (e.g. Syslog severity).
+
+    Some examples are `warn`, `err`, `i`, `informational`.'
+  example: error
+  flat_name: log.level
+  ignore_above: 1024
+  level: core
+  name: level
+  normalize: []
+  short: Log level of the log event.
+  type: keyword
+log.logger:
+  dashed_name: log-logger
+  description: The name of the logger inside an application. This is usually the name
+    of the class which initialized the logger, or can be a custom name.
+  example: org.elasticsearch.bootstrap.Bootstrap
+  flat_name: log.logger
+  ignore_above: 1024
+  level: core
+  name: logger
+  normalize: []
+  short: Name of the logger.
+  type: keyword
+message:
+  dashed_name: message
+  description: 'For log events the message field contains the log message, optimized
+    for viewing in a log viewer.
+
+    For structured logs without an original message field, other fields can be concatenated
+    to form a human-readable summary of the event.
+
+    If multiple messages exist, they can be combined into one message.'
+  example: Hello World
+  flat_name: message
+  level: core
+  name: message
+  normalize: []
+  short: Log message optimized for viewing in a log viewer.
+  type: match_only_text
+metricset.interval:
+  dashed_name: metricset-interval
+  description: The interval of the data
+  flat_name: metricset.interval
+  level: custom
+  name: interval
+  normalize: []
+  short: The interval of the data
+  type: long
+tags:
+  dashed_name: tags
+  description: List of keywords used to tag each event.
+  example: '["production", "env2"]'
+  flat_name: tags
+  ignore_above: 1024
+  level: core
+  name: tags
+  normalize:
+  - array
+  short: List of keywords used to tag each event.
+  type: keyword
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/ecs/ecs_nested.yml
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/ecs/ecs_nested.yml
@ -0,0 +1,258 @@
+base:
+  description: The `base` field set contains all fields which are at the root of the
+    events. These fields are common across all types of events.
+  fields:
+    '@timestamp':
+      dashed_name: timestamp
+      description: 'Date/time when the event originated.
+
+        This is the date/time extracted from the event, typically representing when
+        the event was generated by the source.
+
+        If the event source has no original timestamp, this value is typically populated
+        by the first time the event was received by the pipeline.
+
+        Required field for all events.'
+      example: '2016-05-23T08:05:34.853Z'
+      flat_name: '@timestamp'
+      level: core
+      name: '@timestamp'
+      normalize: []
+      required: true
+      short: Date/time when the event originated.
+      type: date
+    labels:
+      dashed_name: labels
+      description: 'Custom key/value pairs.
+
+        Can be used to add meta information to events. Should not contain nested objects.
+        All values are stored as keyword.
+
+        Example: `docker` and `k8s` labels.'
+      example: '{"application": "foo-bar", "env": "production"}'
+      flat_name: labels
+      level: core
+      name: labels
+      normalize: []
+      object_type: keyword
+      short: Custom key/value pairs.
+      type: object
+    message:
+      dashed_name: message
+      description: 'For log events the message field contains the log message, optimized
+        for viewing in a log viewer.
+
+        For structured logs without an original message field, other fields can be
+        concatenated to form a human-readable summary of the event.
+
+        If multiple messages exist, they can be combined into one message.'
+      example: Hello World
+      flat_name: message
+      level: core
+      name: message
+      normalize: []
+      short: Log message optimized for viewing in a log viewer.
+      type: match_only_text
+    tags:
+      dashed_name: tags
+      description: List of keywords used to tag each event.
+      example: '["production", "env2"]'
+      flat_name: tags
+      ignore_above: 1024
+      level: core
+      name: tags
+      normalize:
+      - array
+      short: List of keywords used to tag each event.
+      type: keyword
+  group: 1
+  name: base
+  prefix: ''
+  root: true
+  short: All fields defined directly at the root of the events.
+  title: Base
+  type: group
+event:
+  description: 'The event fields are used for context information about the log or
+    metric event itself.
+
+    A log is defined as an event containing details of something that happened. Log
+    events must include the time at which the thing happened. Examples of log events
+    include a process starting on a host, a network packet being sent from a source
+    to a destination, or a network connection between a client and a server being
+    initiated or closed. A metric is defined as an event containing one or more numerical
+    measurements and the time at which the measurement was taken. Examples of metric
+    events include memory pressure measured on a host and device temperature. See
+    the `event.kind` definition in this section for additional details about metric
+    and state events.'
+  fields:
+    event.code:
+      dashed_name: event-code
+      description: 'Identification code for this event, if one exists.
+
+        Some event sources use event codes to identify messages unambiguously, regardless
+        of message language or wording adjustments over time. An example of this is
+        the Windows Event ID.'
+      example: 4648
+      flat_name: event.code
+      ignore_above: 1024
+      level: extended
+      name: code
+      normalize: []
+      short: Identification code for this event.
+      type: keyword
+    event.dataset:
+      dashed_name: event-dataset
+      description: 'Name of the dataset.
+
+        If an event source publishes more than one type of log or events (e.g. access
+        log, error log), the dataset is used to specify which one the event comes
+        from.
+
+        It''s recommended but not required to start the dataset name with the module
+        name, followed by a dot, then the dataset name.'
+      example: apache.access
+      flat_name: event.dataset
+      ignore_above: 1024
+      level: core
+      name: dataset
+      normalize: []
+      short: Name of the dataset.
+      type: keyword
+    event.duration:
+      dashed_name: event-duration
+      description: 'Duration of the event in nanoseconds.
+
+        If event.start and event.end are known this value should be the difference
+        between the end and start time.'
+      flat_name: event.duration
+      format: duration
+      input_format: nanoseconds
+      level: core
+      name: duration
+      normalize: []
+      output_format: asMilliseconds
+      output_precision: 1
+      short: Duration of the event in nanoseconds.
+      type: long
+    event.module:
+      dashed_name: event-module
+      description: 'Name of the module this data is coming from.
+
+        If your monitoring agent supports the concept of modules or plugins to process
+        events of a given source (e.g. Apache logs), `event.module` should contain
+        the name of this module.'
+      example: apache
+      flat_name: event.module
+      ignore_above: 1024
+      level: core
+      name: module
+      normalize: []
+      short: Name of the module this data is coming from.
+      type: keyword
+  group: 2
+  name: event
+  prefix: event.
+  short: Fields breaking down the event details.
+  title: Event
+  type: group
+host:
+  description: 'A host is defined as a general computing instance.
+
+    ECS host.* fields should be populated with details about the host on which the
+    event happened, or from which the measurement was taken. Host types include hardware,
+    virtual machines, Docker containers, and Kubernetes nodes.'
+  fields:
+    host.name:
+      dashed_name: host-name
+      description: 'Name of the host.
+
+        It can contain what `hostname` returns on Unix systems, the fully qualified
+        domain name, or a name specified by the user. The sender decides which value
+        to use.'
+      flat_name: host.name
+      ignore_above: 1024
+      level: core
+      name: name
+      normalize: []
+      short: Name of the host.
+      type: keyword
+  group: 2
+  name: host
+  nestings:
+  - host.geo
+  - host.os
+  prefix: host.
+  reused_here:
+  - full: host.geo
+    schema_name: geo
+    short: Fields describing a location.
+  - full: host.os
+    schema_name: os
+    short: OS fields contain information about the operating system.
+  short: Fields describing the relevant computing instance.
+  title: Host
+  type: group
+log:
+  description: 'Details about the event''s logging mechanism or logging transport.
+
+    The log.* fields are typically populated with details about the logging mechanism
+    used to create and/or transport the event. For example, syslog details belong
+    under `log.syslog.*`.
+
+    The details specific to your event source are typically not logged under `log.*`,
+    but rather in `event.*` or in other ECS fields.'
+  fields:
+    log.level:
+      dashed_name: log-level
+      description: 'Original log level of the log event.
+
+        If the source of the event provides a log level or textual severity, this
+        is the one that goes in `log.level`. If your source doesn''t specify one,
+        you may put your event transport''s severity here (e.g. Syslog severity).
+
+        Some examples are `warn`, `err`, `i`, `informational`.'
+      example: error
+      flat_name: log.level
+      ignore_above: 1024
+      level: core
+      name: level
+      normalize: []
+      short: Log level of the log event.
+      type: keyword
+    log.logger:
+      dashed_name: log-logger
+      description: The name of the logger inside an application. This is usually the
+        name of the class which initialized the logger, or can be a custom name.
+      example: org.elasticsearch.bootstrap.Bootstrap
+      flat_name: log.logger
+      ignore_above: 1024
+      level: core
+      name: logger
+      normalize: []
+      short: Name of the logger.
+      type: keyword
+  group: 2
+  name: log
+  prefix: log.
+  short: Details about the event's logging mechanism.
+  title: Log
+  type: group
+metricset:
+  description: Metricset data
+  fields:
+    metricset.interval:
+      dashed_name: metricset-interval
+      description: The interval of the data
+      flat_name: metricset.interval
+      level: custom
+      name: interval
+      normalize: []
+      short: The interval of the data
+      type: long
+  group: 2
+  name: metricset
+  prefix: metricset.
+  short: Metricset data
+  title: Metricset
+  type: group
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/ecs/subset/admin_console/ecs_flat.yml
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/ecs/subset/admin_console/ecs_flat.yml
@ -0,0 +1,177 @@
+'@timestamp':
+  dashed_name: timestamp
+  description: 'Date/time when the event originated.
+
+    This is the date/time extracted from the event, typically representing when the
+    event was generated by the source.
+
+    If the event source has no original timestamp, this value is typically populated
+    by the first time the event was received by the pipeline.
+
+    Required field for all events.'
+  example: '2016-05-23T08:05:34.853Z'
+  flat_name: '@timestamp'
+  level: core
+  name: '@timestamp'
+  normalize: []
+  required: true
+  short: Date/time when the event originated.
+  type: date
+event.code:
+  dashed_name: event-code
+  description: 'Identification code for this event, if one exists.
+
+    Some event sources use event codes to identify messages unambiguously, regardless
+    of message language or wording adjustments over time. An example of this is the
+    Windows Event ID.'
+  example: 4648
+  flat_name: event.code
+  ignore_above: 1024
+  level: extended
+  name: code
+  normalize: []
+  short: Identification code for this event.
+  type: keyword
+event.dataset:
+  dashed_name: event-dataset
+  description: 'Name of the dataset.
+
+    If an event source publishes more than one type of log or events (e.g. access
+    log, error log), the dataset is used to specify which one the event comes from.
+
+    It''s recommended but not required to start the dataset name with the module name,
+    followed by a dot, then the dataset name.'
+  example: apache.access
+  flat_name: event.dataset
+  ignore_above: 1024
+  level: core
+  name: dataset
+  normalize: []
+  short: Name of the dataset.
+  type: keyword
+event.duration:
+  dashed_name: event-duration
+  description: 'Duration of the event in nanoseconds.
+
+    If event.start and event.end are known this value should be the difference between
+    the end and start time.'
+  flat_name: event.duration
+  format: duration
+  input_format: nanoseconds
+  level: core
+  name: duration
+  normalize: []
+  output_format: asMilliseconds
+  output_precision: 1
+  short: Duration of the event in nanoseconds.
+  type: long
+event.module:
+  dashed_name: event-module
+  description: 'Name of the module this data is coming from.
+
+    If your monitoring agent supports the concept of modules or plugins to process
+    events of a given source (e.g. Apache logs), `event.module` should contain the
+    name of this module.'
+  example: apache
+  flat_name: event.module
+  ignore_above: 1024
+  level: core
+  name: module
+  normalize: []
+  short: Name of the module this data is coming from.
+  type: keyword
+host.name:
+  dashed_name: host-name
+  description: 'Name of the host.
+
+    It can contain what `hostname` returns on Unix systems, the fully qualified domain
+    name, or a name specified by the user. The sender decides which value to use.'
+  flat_name: host.name
+  ignore_above: 1024
+  level: core
+  name: name
+  normalize: []
+  short: Name of the host.
+  type: keyword
+labels:
+  dashed_name: labels
+  description: 'Custom key/value pairs.
+
+    Can be used to add meta information to events. Should not contain nested objects.
+    All values are stored as keyword.
+
+    Example: `docker` and `k8s` labels.'
+  example: '{"application": "foo-bar", "env": "production"}'
+  flat_name: labels
+  level: core
+  name: labels
+  normalize: []
+  object_type: keyword
+  short: Custom key/value pairs.
+  type: object
+log.level:
+  dashed_name: log-level
+  description: 'Original log level of the log event.
+
+    If the source of the event provides a log level or textual severity, this is the
+    one that goes in `log.level`. If your source doesn''t specify one, you may put
+    your event transport''s severity here (e.g. Syslog severity).
+
+    Some examples are `warn`, `err`, `i`, `informational`.'
+  example: error
+  flat_name: log.level
+  ignore_above: 1024
+  level: core
+  name: level
+  normalize: []
+  short: Log level of the log event.
+  type: keyword
+log.logger:
+  dashed_name: log-logger
+  description: The name of the logger inside an application. This is usually the name
+    of the class which initialized the logger, or can be a custom name.
+  example: org.elasticsearch.bootstrap.Bootstrap
+  flat_name: log.logger
+  ignore_above: 1024
+  level: core
+  name: logger
+  normalize: []
+  short: Name of the logger.
+  type: keyword
+message:
+  dashed_name: message
+  description: 'For log events the message field contains the log message, optimized
+    for viewing in a log viewer.
+
+    For structured logs without an original message field, other fields can be concatenated
+    to form a human-readable summary of the event.
+
+    If multiple messages exist, they can be combined into one message.'
+  example: Hello World
+  flat_name: message
+  level: core
+  name: message
+  normalize: []
+  short: Log message optimized for viewing in a log viewer.
+  type: match_only_text
+metricset.interval:
+  dashed_name: metricset-interval
+  description: The interval of the data
+  flat_name: metricset.interval
+  level: custom
+  name: interval
+  normalize: []
+  short: The interval of the data
+  type: long
+tags:
+  dashed_name: tags
+  description: List of keywords used to tag each event.
+  example: '["production", "env2"]'
+  flat_name: tags
+  ignore_above: 1024
+  level: core
+  name: tags
+  normalize:
+  - array
+  short: List of keywords used to tag each event.
+  type: keyword
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/ecs/subset/admin_console/ecs_nested.yml
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/ecs/subset/admin_console/ecs_nested.yml
@ -0,0 +1,258 @@
+base:
+  description: The `base` field set contains all fields which are at the root of the
+    events. These fields are common across all types of events.
+  fields:
+    '@timestamp':
+      dashed_name: timestamp
+      description: 'Date/time when the event originated.
+
+        This is the date/time extracted from the event, typically representing when
+        the event was generated by the source.
+
+        If the event source has no original timestamp, this value is typically populated
+        by the first time the event was received by the pipeline.
+
+        Required field for all events.'
+      example: '2016-05-23T08:05:34.853Z'
+      flat_name: '@timestamp'
+      level: core
+      name: '@timestamp'
+      normalize: []
+      required: true
+      short: Date/time when the event originated.
+      type: date
+    labels:
+      dashed_name: labels
+      description: 'Custom key/value pairs.
+
+        Can be used to add meta information to events. Should not contain nested objects.
+        All values are stored as keyword.
+
+        Example: `docker` and `k8s` labels.'
+      example: '{"application": "foo-bar", "env": "production"}'
+      flat_name: labels
+      level: core
+      name: labels
+      normalize: []
+      object_type: keyword
+      short: Custom key/value pairs.
+      type: object
+    message:
+      dashed_name: message
+      description: 'For log events the message field contains the log message, optimized
+        for viewing in a log viewer.
+
+        For structured logs without an original message field, other fields can be
+        concatenated to form a human-readable summary of the event.
+
+        If multiple messages exist, they can be combined into one message.'
+      example: Hello World
+      flat_name: message
+      level: core
+      name: message
+      normalize: []
+      short: Log message optimized for viewing in a log viewer.
+      type: match_only_text
+    tags:
+      dashed_name: tags
+      description: List of keywords used to tag each event.
+      example: '["production", "env2"]'
+      flat_name: tags
+      ignore_above: 1024
+      level: core
+      name: tags
+      normalize:
+      - array
+      short: List of keywords used to tag each event.
+      type: keyword
+  group: 1
+  name: base
+  prefix: ''
+  root: true
+  short: All fields defined directly at the root of the events.
+  title: Base
+  type: group
+event:
+  description: 'The event fields are used for context information about the log or
+    metric event itself.
+
+    A log is defined as an event containing details of something that happened. Log
+    events must include the time at which the thing happened. Examples of log events
+    include a process starting on a host, a network packet being sent from a source
+    to a destination, or a network connection between a client and a server being
+    initiated or closed. A metric is defined as an event containing one or more numerical
+    measurements and the time at which the measurement was taken. Examples of metric
+    events include memory pressure measured on a host and device temperature. See
+    the `event.kind` definition in this section for additional details about metric
+    and state events.'
+  fields:
+    event.code:
+      dashed_name: event-code
+      description: 'Identification code for this event, if one exists.
+
+        Some event sources use event codes to identify messages unambiguously, regardless
+        of message language or wording adjustments over time. An example of this is
+        the Windows Event ID.'
+      example: 4648
+      flat_name: event.code
+      ignore_above: 1024
+      level: extended
+      name: code
+      normalize: []
+      short: Identification code for this event.
+      type: keyword
+    event.dataset:
+      dashed_name: event-dataset
+      description: 'Name of the dataset.
+
+        If an event source publishes more than one type of log or events (e.g. access
+        log, error log), the dataset is used to specify which one the event comes
+        from.
+
+        It''s recommended but not required to start the dataset name with the module
+        name, followed by a dot, then the dataset name.'
+      example: apache.access
+      flat_name: event.dataset
+      ignore_above: 1024
+      level: core
+      name: dataset
+      normalize: []
+      short: Name of the dataset.
+      type: keyword
+    event.duration:
+      dashed_name: event-duration
+      description: 'Duration of the event in nanoseconds.
+
+        If event.start and event.end are known this value should be the difference
+        between the end and start time.'
+      flat_name: event.duration
+      format: duration
+      input_format: nanoseconds
+      level: core
+      name: duration
+      normalize: []
+      output_format: asMilliseconds
+      output_precision: 1
+      short: Duration of the event in nanoseconds.
+      type: long
+    event.module:
+      dashed_name: event-module
+      description: 'Name of the module this data is coming from.
+
+        If your monitoring agent supports the concept of modules or plugins to process
+        events of a given source (e.g. Apache logs), `event.module` should contain
+        the name of this module.'
+      example: apache
+      flat_name: event.module
+      ignore_above: 1024
+      level: core
+      name: module
+      normalize: []
+      short: Name of the module this data is coming from.
+      type: keyword
+  group: 2
+  name: event
+  prefix: event.
+  short: Fields breaking down the event details.
+  title: Event
+  type: group
+host:
+  description: 'A host is defined as a general computing instance.
+
+    ECS host.* fields should be populated with details about the host on which the
+    event happened, or from which the measurement was taken. Host types include hardware,
+    virtual machines, Docker containers, and Kubernetes nodes.'
+  fields:
+    host.name:
+      dashed_name: host-name
+      description: 'Name of the host.
+
+        It can contain what `hostname` returns on Unix systems, the fully qualified
+        domain name, or a name specified by the user. The sender decides which value
+        to use.'
+      flat_name: host.name
+      ignore_above: 1024
+      level: core
+      name: name
+      normalize: []
+      short: Name of the host.
+      type: keyword
+  group: 2
+  name: host
+  nestings:
+  - host.geo
+  - host.os
+  prefix: host.
+  reused_here:
+  - full: host.geo
+    schema_name: geo
+    short: Fields describing a location.
+  - full: host.os
+    schema_name: os
+    short: OS fields contain information about the operating system.
+  short: Fields describing the relevant computing instance.
+  title: Host
+  type: group
+log:
+  description: 'Details about the event''s logging mechanism or logging transport.
+
+    The log.* fields are typically populated with details about the logging mechanism
+    used to create and/or transport the event. For example, syslog details belong
+    under `log.syslog.*`.
+
+    The details specific to your event source are typically not logged under `log.*`,
+    but rather in `event.*` or in other ECS fields.'
+  fields:
+    log.level:
+      dashed_name: log-level
+      description: 'Original log level of the log event.
+
+        If the source of the event provides a log level or textual severity, this
+        is the one that goes in `log.level`. If your source doesn''t specify one,
+        you may put your event transport''s severity here (e.g. Syslog severity).
+
+        Some examples are `warn`, `err`, `i`, `informational`.'
+      example: error
+      flat_name: log.level
+      ignore_above: 1024
+      level: core
+      name: level
+      normalize: []
+      short: Log level of the log event.
+      type: keyword
+    log.logger:
+      dashed_name: log-logger
+      description: The name of the logger inside an application. This is usually the
+        name of the class which initialized the logger, or can be a custom name.
+      example: org.elasticsearch.bootstrap.Bootstrap
+      flat_name: log.logger
+      ignore_above: 1024
+      level: core
+      name: logger
+      normalize: []
+      short: Name of the logger.
+      type: keyword
+  group: 2
+  name: log
+  prefix: log.
+  short: Details about the event's logging mechanism.
+  title: Log
+  type: group
+metricset:
+  description: Metricset data
+  fields:
+    metricset.interval:
+      dashed_name: metricset-interval
+      description: The interval of the data
+      flat_name: metricset.interval
+      level: custom
+      name: interval
+      normalize: []
+      short: The interval of the data
+      type: long
+  group: 2
+  name: metricset
+  prefix: metricset.
+  short: Metricset data
+  title: Metricset
+  type: group
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/elasticsearch/composable/component/base.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/elasticsearch/composable/component/base.json
@ -0,0 +1,25 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+    "ecs_version": "8.0.0"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "@timestamp": {
+          "type": "date"
+        },
+        "labels": {
+          "type": "object"
+        },
+        "message": {
+          "type": "match_only_text"
+        },
+        "tags": {
+          "ignore_above": 1024,
+          "type": "keyword"
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/elasticsearch/composable/component/event.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/elasticsearch/composable/component/event.json
@ -0,0 +1,31 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html",
+    "ecs_version": "8.0.0"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "event": {
+          "properties": {
+            "code": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "dataset": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "duration": {
+              "type": "long"
+            },
+            "module": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/elasticsearch/composable/component/host.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/elasticsearch/composable/component/host.json
@ -0,0 +1,20 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html",
+    "ecs_version": "8.0.0"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "host": {
+          "properties": {
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/elasticsearch/composable/component/log.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/elasticsearch/composable/component/log.json
@ -0,0 +1,24 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html",
+    "ecs_version": "8.0.0"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "log": {
+          "properties": {
+            "level": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "logger": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/elasticsearch/composable/component/metricset.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/elasticsearch/composable/component/metricset.json
@ -0,0 +1,18 @@
+{
+  "_meta": {
+    "ecs_version": "8.0.0"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "metricset": {
+          "properties": {
+            "interval": {
+              "type": "long"
+            }
+          }
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/elasticsearch/composable/template.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/elasticsearch/composable/template.json
@ -0,0 +1,52 @@
+{
+  "_meta": {
+    "description": "Sample composable template that includes all ECS fields",
+    "ecs_version": "8.0.0"
+  },
+  "composed_of": [
+    "ecs_8.0.0_base",
+    "ecs_8.0.0_event",
+    "ecs_8.0.0_log",
+    "ecs_8.0.0_host",
+    "ecs_8.0.0_metricset"
+  ],
+  "index_patterns": [
+    "kbn-data-forge-fake_logs.fake_logs-*"
+  ],
+  "priority": 1,
+  "template": {
+    "mappings": {
+      "_meta": {
+        "version": "1.6.0"
+      },
+      "date_detection": false,
+      "dynamic_templates": [
+        {
+          "strings_as_keyword": {
+            "mapping": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "match_mapping_type": "string"
+          }
+        }
+      ]
+    },
+    "settings": {
+      "index": {
+        "codec": "best_compression",
+        "mapping": {
+          "total_fields": {
+            "limit": 2000
+          }
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/elasticsearch/legacy/template.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/generated/elasticsearch/legacy/template.json
@ -0,0 +1,101 @@
+{
+  "index_patterns": [
+    "kbn-data-forge-fake_logs.fake_logs-*"
+  ],
+  "mappings": {
+    "_meta": {
+      "version": "1.6.0"
+    },
+    "date_detection": false,
+    "dynamic_templates": [
+      {
+        "strings_as_keyword": {
+          "mapping": {
+            "fields": {
+              "text": {
+                "norms": false,
+                "type": "text"
+              }
+            },
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "match_mapping_type": "string"
+        }
+      }
+    ],
+    "properties": {
+      "@timestamp": {
+        "type": "date"
+      },
+      "event": {
+        "properties": {
+          "code": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "dataset": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "duration": {
+            "type": "long"
+          },
+          "module": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "host": {
+        "properties": {
+          "name": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "labels": {
+        "type": "object"
+      },
+      "log": {
+        "properties": {
+          "level": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "logger": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "message": {
+        "type": "match_only_text"
+      },
+      "metricset": {
+        "properties": {
+          "interval": {
+            "type": "long"
+          }
+        }
+      },
+      "tags": {
+        "ignore_above": 1024,
+        "type": "keyword"
+      }
+    }
+  },
+  "order": 1,
+  "settings": {
+    "index": {
+      "codec": "best_compression",
+      "mapping": {
+        "total_fields": {
+          "limit": 2000
+        }
+      },
+      "refresh_interval": "2s"
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/index.ts
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/ecs/index.ts
@ -0,0 +1,31 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import base from './generated/elasticsearch/composable/component/base.json';
+import event from './generated/elasticsearch/composable/component/event.json';
+import host from './generated/elasticsearch/composable/component/host.json';
+import log from './generated/elasticsearch/composable/component/log.json';
+import metricset from './generated/elasticsearch/composable/component/metricset.json';
+
+import template from './generated/elasticsearch/composable/template.json';
+import { IndexTemplateDef } from '../../../types';
+
+const ECS_VERSION = template._meta.ecs_version;
+
+const components = [
+  { name: `fake_logs_${ECS_VERSION}_base`, template: base },
+  { name: `fake_logs_${ECS_VERSION}_event`, template: event },
+  { name: `fake_logs_${ECS_VERSION}_log`, template: log },
+  { name: `fake_logs_${ECS_VERSION}_host`, template: host },
+  { name: `fake_logs_${ECS_VERSION}_metricset`, template: metricset },
+];
+
+export const indexTemplate: IndexTemplateDef = {
+  namespace: 'fake_logs',
+  template: { ...template, composed_of: components.map(({ name }) => name) },
+  components,
+};
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/index.ts
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/index.ts
@ -0,0 +1,47 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { random, sample } from 'lodash';
+import { GeneratorFunction } from '../../types';
+export { indexTemplate } from './ecs';
+
+const createGroupIndex = (index: number) => Math.floor(index / 1000) * 1000;
+export const generateEvent: GeneratorFunction = (config, schedule, index, timestamp) => {
+  const groupIndex = createGroupIndex(index);
+  const latency = random(150, 500);
+  const statusCode = sample([200, 500]);
+  const interval = schedule.interval ?? config.indexing.interval;
+  const scenario = config.indexing.scenario || 'fake_logs';
+  return [
+    {
+      namespace: 'fake_logs',
+      '@timestamp': timestamp.toISOString(),
+      event: {
+        module: 'high_cardinality',
+        dataset: 'high_cardinality.event',
+        duration: latency,
+        code: statusCode,
+      },
+      log: {
+        level: 'info',
+        logger: 'fake_logs',
+      },
+      host: {
+        name: `host-${random(1, 10)}`,
+      },
+      labels: {
+        groupId: `group-${groupIndex}`,
+        eventId: `event-${index}`,
+        scenario,
+      },
+      metricset: {
+        period: interval,
+      },
+      message: `[${timestamp.toISOString()}] Event ${index} was executed for group ${groupIndex}`,
+    },
+  ];
+};
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/template.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_logs/template.json
@ -0,0 +1,92 @@
+{
+  "order": 1,
+  "index_patterns": [
+    "kbn-data-forge-fake_logs.fake_logs-*"
+  ],
+  "settings": {
+    "index": {
+      "mapping": {
+        "total_fields": {
+          "limit": "10000"
+        }
+      },
+      "number_of_shards": "1",
+      "number_of_replicas": "0",
+      "query": {
+        "default_field": [
+          "message",
+          "labels.*",
+          "event.*"
+        ]
+      }
+    }
+  },
+  "mappings": {
+    "dynamic_templates": [
+      {
+        "labels": {
+          "path_match": "labels.*",
+          "mapping": {
+            "type": "keyword"
+          },
+          "match_mapping_type": "string"
+        }
+      },
+      {
+        "strings_as_keyword": {
+          "mapping": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "match_mapping_type": "string"
+        }
+      }
+    ],
+    "date_detection": false,
+    "properties": {
+      "@timestamp": {
+        "type": "date"
+      },
+      "metricset": {
+        "properties": {
+          "period": {
+            "type": "long"
+          }
+        }
+      },
+      "host": {
+        "properties": {
+          "name": {
+            "type": "keyword",
+            "ignore_above": 256
+          }
+        }
+      },
+      "event": {
+        "properties": {
+          "dataset": {
+            "type": "keyword",
+            "ignore_above": 256
+          },
+          "module": {
+            "type": "keyword",
+            "ignore_above": 256
+          }
+        }
+      },
+      "message": {
+        "type": "keyword",
+        "ignore_above": 256
+      },
+      "latency": {
+        "type": "long"
+      },
+      "status_code": {
+        "type": "long"
+      }
+    }
+  },
+  "aliases": {
+    "logs-fake_logs": {}
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/assets/admin_console.ndjson
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/assets/admin_console.ndjson
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/fields/mapping-settings.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/fields/mapping-settings.json
@ -0,0 +1,20 @@
+{
+  "_meta": {
+    "version": "1.6.0"
+  },
+  "date_detection": false,
+  "dynamic_templates": [
+    {
+      "strings_as_keyword": {
+        "mapping": {
+          "type": "keyword",
+          "ignore_above": 1024,
+          "fields": {
+            "text": { "type": "text", "norms" : false }
+          }
+        },
+        "match_mapping_type": "string"
+      }
+    }
+  ]
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/fields/subset.yml
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/fields/subset.yml
@ -0,0 +1,30 @@
+---
+name: admin_console
+fields:
+  base:
+    fields: "*"
+  event:
+    fields:
+      category: {}
+      action: {}
+      duration: {}
+  http:
+    fields: "*"
+  url:
+    fields: "*"
+  user:
+    fields:
+      name: {}
+      id: {}
+      roles: {}
+  user_agent:
+    fields:
+      original: {}
+  log:
+    fields:
+      level: {}
+      logger: {}
+  host:
+    fields:
+      name: {}
+
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/fields/template-settings-legacy.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/fields/template-settings-legacy.json
@ -0,0 +1,17 @@
+{
+  "index_patterns": ["kbn-data-forge-fake_stack.admin-console-*"],
+  "order": 1,
+  "settings": {
+    "index": {
+      "codec" : "best_compression",
+      "mapping": {
+        "total_fields": {
+          "limit": 2000
+        }
+      },
+      "refresh_interval": "2s"
+    }
+  }
+}
+
+
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/fields/template-settings.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/fields/template-settings.json
@ -0,0 +1,16 @@
+{
+  "index_patterns": ["kbn-data-forge-fake_stack.admin-console-*"],
+  "priority": 1,
+  "template": {
+    "settings": {
+      "index": {
+        "codec" : "best_compression",
+        "mapping": {
+          "total_fields": {
+            "limit": 2000
+          }
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generate.sh
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generate.sh
@ -0,0 +1,14 @@
+#!/bin/sh
+
+cd ../../../../../../../../../ecs
+NAME=admin_console
+
+BASE=../kibana/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/$NAME
+ECS=$BASE/ecs
+
+python3 ./scripts/generator.py --ref v8.0.0 \
+  --subset                   $ECS/fields/subset.yml \
+  --out                      $ECS/ \
+  --template-settings-legacy $ECS/fields/template-settings-legacy.json \
+  --template-settings        $ECS/fields/template-settings.json \
+  --mapping-settings         $ECS/fields/mapping-settings.json
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/beats/fields.ecs.yml
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/beats/fields.ecs.yml
@ -0,0 +1,471 @@
+# WARNING! Do not edit this file directly, it was generated by the ECS project,
+# based on ECS version 8.0.0.
+# Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.
+
+- key: ecs
+  title: ECS
+  description: ECS Fields.
+  fields:
+  - name: '@timestamp'
+    level: core
+    required: true
+    type: date
+    description: 'Date/time when the event originated.
+
+      This is the date/time extracted from the event, typically representing when
+      the event was generated by the source.
+
+      If the event source has no original timestamp, this value is typically populated
+      by the first time the event was received by the pipeline.
+
+      Required field for all events.'
+    example: '2016-05-23T08:05:34.853Z'
+    default_field: true
+  - name: labels
+    level: core
+    type: object
+    object_type: keyword
+    description: 'Custom key/value pairs.
+
+      Can be used to add meta information to events. Should not contain nested objects.
+      All values are stored as keyword.
+
+      Example: `docker` and `k8s` labels.'
+    example: '{"application": "foo-bar", "env": "production"}'
+    default_field: true
+  - name: message
+    level: core
+    type: match_only_text
+    description: 'For log events the message field contains the log message, optimized
+      for viewing in a log viewer.
+
+      For structured logs without an original message field, other fields can be concatenated
+      to form a human-readable summary of the event.
+
+      If multiple messages exist, they can be combined into one message.'
+    example: Hello World
+    default_field: true
+  - name: tags
+    level: core
+    type: keyword
+    ignore_above: 1024
+    description: List of keywords used to tag each event.
+    example: '["production", "env2"]'
+    default_field: true
+  - name: event
+    title: Event
+    group: 2
+    description: 'The event fields are used for context information about the log
+      or metric event itself.
+
+      A log is defined as an event containing details of something that happened.
+      Log events must include the time at which the thing happened. Examples of log
+      events include a process starting on a host, a network packet being sent from
+      a source to a destination, or a network connection between a client and a server
+      being initiated or closed. A metric is defined as an event containing one or
+      more numerical measurements and the time at which the measurement was taken.
+      Examples of metric events include memory pressure measured on a host and device
+      temperature. See the `event.kind` definition in this section for additional
+      details about metric and state events.'
+    type: group
+    default_field: true
+    fields:
+    - name: action
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'The action captured by the event.
+
+        This describes the information in the event. It is more specific than `event.category`.
+        Examples are `group-add`, `process-started`, `file-created`. The value is
+        normally defined by the implementer.'
+      example: user-password-change
+    - name: category
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'This is one of four ECS Categorization Fields, and indicates the
+        second level in the ECS category hierarchy.
+
+        `event.category` represents the "big buckets" of ECS categories. For example,
+        filtering on `event.category:process` yields all events relating to process
+        activity. This field is closely related to `event.type`, which is used as
+        a subcategory.
+
+        This field is an array. This will allow proper categorization of some events
+        that fall in multiple categories.'
+      example: authentication
+    - name: duration
+      level: core
+      type: long
+      format: duration
+      input_format: nanoseconds
+      output_format: asMilliseconds
+      output_precision: 1
+      description: 'Duration of the event in nanoseconds.
+
+        If event.start and event.end are known this value should be the difference
+        between the end and start time.'
+  - name: host
+    title: Host
+    group: 2
+    description: 'A host is defined as a general computing instance.
+
+      ECS host.* fields should be populated with details about the host on which the
+      event happened, or from which the measurement was taken. Host types include
+      hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+    type: group
+    default_field: true
+    fields:
+    - name: name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the host.
+
+        It can contain what `hostname` returns on Unix systems, the fully qualified
+        domain name, or a name specified by the user. The sender decides which value
+        to use.'
+  - name: http
+    title: HTTP
+    group: 2
+    description: Fields related to HTTP activity. Use the `url` field set to store
+      the url of the request.
+    type: group
+    default_field: true
+    fields:
+    - name: request.body.bytes
+      level: extended
+      type: long
+      format: bytes
+      description: Size in bytes of the request body.
+      example: 887
+    - name: request.body.content
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: match_only_text
+        default_field: false
+      description: The full HTTP request body.
+      example: Hello world
+    - name: request.bytes
+      level: extended
+      type: long
+      format: bytes
+      description: Total size in bytes of the request (body and headers).
+      example: 1437
+    - name: request.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'A unique identifier for each HTTP request to correlate logs between
+        clients and servers in transactions.
+
+        The id may be contained in a non-standard HTTP header, such as `X-Request-ID`
+        or `X-Correlation-ID`.'
+      example: 123e4567-e89b-12d3-a456-426614174000
+      default_field: false
+    - name: request.method
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'HTTP request method.
+
+        The value should retain its casing from the original event. For example, `GET`,
+        `get`, and `GeT` are all considered valid values for this field.'
+      example: POST
+    - name: request.mime_type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Mime type of the body of the request.
+
+        This value must only be populated based on the content of the request body,
+        not on the `Content-Type` header. Comparing the mime type of a request with
+        the request''s Content-Type header can be helpful in detecting threats or
+        misconfigured clients.'
+      example: image/gif
+      default_field: false
+    - name: request.referrer
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Referrer for this HTTP request.
+      example: https://blog.example.com/
+    - name: response.body.bytes
+      level: extended
+      type: long
+      format: bytes
+      description: Size in bytes of the response body.
+      example: 887
+    - name: response.body.content
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: match_only_text
+        default_field: false
+      description: The full HTTP response body.
+      example: Hello world
+    - name: response.bytes
+      level: extended
+      type: long
+      format: bytes
+      description: Total size in bytes of the response (body and headers).
+      example: 1437
+    - name: response.mime_type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Mime type of the body of the response.
+
+        This value must only be populated based on the content of the response body,
+        not on the `Content-Type` header. Comparing the mime type of a response with
+        the response''s Content-Type header can be helpful in detecting misconfigured
+        servers.'
+      example: image/gif
+      default_field: false
+    - name: response.status_code
+      level: extended
+      type: long
+      format: string
+      description: HTTP response status code.
+      example: 404
+    - name: version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: HTTP version.
+      example: 1.1
+  - name: log
+    title: Log
+    group: 2
+    description: 'Details about the event''s logging mechanism or logging transport.
+
+      The log.* fields are typically populated with details about the logging mechanism
+      used to create and/or transport the event. For example, syslog details belong
+      under `log.syslog.*`.
+
+      The details specific to your event source are typically not logged under `log.*`,
+      but rather in `event.*` or in other ECS fields.'
+    type: group
+    default_field: true
+    fields:
+    - name: level
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Original log level of the log event.
+
+        If the source of the event provides a log level or textual severity, this
+        is the one that goes in `log.level`. If your source doesn''t specify one,
+        you may put your event transport''s severity here (e.g. Syslog severity).
+
+        Some examples are `warn`, `err`, `i`, `informational`.'
+      example: error
+    - name: logger
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: The name of the logger inside an application. This is usually the
+        name of the class which initialized the logger, or can be a custom name.
+      example: org.elasticsearch.bootstrap.Bootstrap
+  - name: url
+    title: URL
+    group: 2
+    description: URL fields provide support for complete or partial URLs, and supports
+      the breaking down into scheme, domain, path, and so on.
+    type: group
+    default_field: true
+    fields:
+    - name: domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Domain of the url, such as "www.elastic.co".
+
+        In some cases a URL may refer to an IP and/or port directly, without a domain
+        name. In this case, the IP address would go to the `domain` field.
+
+        If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC
+        2732), the `[` and `]` characters should also be captured in the `domain`
+        field.'
+      example: www.elastic.co
+    - name: extension
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The field contains the file extension from the original request
+        url, excluding the leading dot.
+
+        The file extension is only set if it exists, as not every url has a file extension.
+
+        The leading period must not be included. For example, the value must be "png",
+        not ".png".
+
+        Note that when the file name has multiple extensions (example.tar.gz), only
+        the last one should be captured ("gz", not "tar.gz").'
+      example: png
+    - name: fragment
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Portion of the url after the `#`, such as "top".
+
+        The `#` is not part of the fragment.'
+    - name: full
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: match_only_text
+        default_field: false
+      description: If full URLs are important to your use case, they should be stored
+        in `url.full`, whether this field is reconstructed or present in the event
+        source.
+      example: https://www.elastic.co:443/search?q=elasticsearch#top
+    - name: original
+      level: extended
+      type: wildcard
+      multi_fields:
+      - name: text
+        type: match_only_text
+        default_field: false
+      description: 'Unmodified original url as seen in the event source.
+
+        Note that in network monitoring, the observed URL may be a full URL, whereas
+        in access logs, the URL is often just represented as a path.
+
+        This field is meant to represent the URL as it was observed, complete or not.'
+      example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
+    - name: password
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Password of the request.
+    - name: path
+      level: extended
+      type: wildcard
+      description: Path of the request, such as "/search".
+    - name: port
+      level: extended
+      type: long
+      format: string
+      description: Port of the request, such as 443.
+      example: 443
+    - name: query
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The query field describes the query string of the request, such
+        as "q=elasticsearch".
+
+        The `?` is excluded from the query string. If a URL contains no `?`, there
+        is no query field. If there is a `?` but no query, the query field exists
+        with an empty string. The `exists` query can be used to differentiate between
+        the two cases.'
+    - name: registered_domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The highest registered url domain, stripped of the subdomain.
+
+        For example, the registered domain for "foo.example.com" is "example.com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last two labels will not work well for TLDs such as "co.uk".'
+      example: example.com
+    - name: scheme
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Scheme of the request, such as "https".
+
+        Note: The `:` is not part of the scheme.'
+      example: https
+    - name: subdomain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      default_field: false
+    - name: top_level_domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The effective top level domain (eTLD), also known as the domain
+        suffix, is the last part of the domain name. For example, the top level domain
+        for example.com is "com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last label will not work well for effective TLDs such as "co.uk".'
+      example: co.uk
+    - name: username
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Username of the request.
+  - name: user
+    title: User
+    group: 2
+    description: 'The user fields describe information about the user that is relevant
+      to the event.
+
+      Fields can have one entry or multiple entries. If a user has more than one id,
+      provide an array that includes all of them.'
+    type: group
+    default_field: true
+    fields:
+    - name: id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier of the user.
+      example: S-1-5-21-202424912787-2692429404-2351956786-1000
+    - name: name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: match_only_text
+        default_field: false
+      description: Short name or login of the user.
+      example: a.einstein
+    - name: roles
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      default_field: false
+  - name: user_agent
+    title: User agent
+    group: 2
+    description: 'The user_agent fields normally come from a browser request.
+
+      They often show up in web service logs coming from the parsed user agent string.'
+    type: group
+    default_field: true
+    fields:
+    - name: original
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: match_only_text
+      description: Unparsed user_agent string.
+      example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15
+        (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/csv/fields.csv
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/csv/fields.csv
@ -0,0 +1,48 @@
+ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
+8.0.0,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
+8.0.0,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
+8.0.0,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer.
+8.0.0,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
+8.0.0,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
+8.0.0,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
+8.0.0,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
+8.0.0,true,host,host.name,keyword,core,,,Name of the host.
+8.0.0,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
+8.0.0,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body.
+8.0.0,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body.
+8.0.0,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
+8.0.0,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID.
+8.0.0,true,http,http.request.method,keyword,extended,,POST,HTTP request method.
+8.0.0,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
+8.0.0,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request.
+8.0.0,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
+8.0.0,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body.
+8.0.0,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body.
+8.0.0,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
+8.0.0,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
+8.0.0,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
+8.0.0,true,http,http.version,keyword,extended,,1.1,HTTP version.
+8.0.0,true,log,log.level,keyword,core,,error,Log level of the log event.
+8.0.0,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
+8.0.0,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url.
+8.0.0,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
+8.0.0,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
+8.0.0,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+8.0.0,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+8.0.0,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+8.0.0,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+8.0.0,true,url,url.password,keyword,extended,,,Password of the request.
+8.0.0,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
+8.0.0,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
+8.0.0,true,url,url.query,keyword,extended,,,Query string of the request.
+8.0.0,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+8.0.0,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
+8.0.0,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
+8.0.0,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+8.0.0,true,url,url.username,keyword,extended,,,Username of the request.
+8.0.0,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+8.0.0,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user.
+8.0.0,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+8.0.0,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+8.0.0,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+8.0.0,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/ecs/ecs_flat.yml
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/ecs/ecs_flat.yml
@ -0,0 +1,749 @@
+'@timestamp':
+  dashed_name: timestamp
+  description: 'Date/time when the event originated.
+
+    This is the date/time extracted from the event, typically representing when the
+    event was generated by the source.
+
+    If the event source has no original timestamp, this value is typically populated
+    by the first time the event was received by the pipeline.
+
+    Required field for all events.'
+  example: '2016-05-23T08:05:34.853Z'
+  flat_name: '@timestamp'
+  level: core
+  name: '@timestamp'
+  normalize: []
+  required: true
+  short: Date/time when the event originated.
+  type: date
+event.action:
+  dashed_name: event-action
+  description: 'The action captured by the event.
+
+    This describes the information in the event. It is more specific than `event.category`.
+    Examples are `group-add`, `process-started`, `file-created`. The value is normally
+    defined by the implementer.'
+  example: user-password-change
+  flat_name: event.action
+  ignore_above: 1024
+  level: core
+  name: action
+  normalize: []
+  short: The action captured by the event.
+  type: keyword
+event.category:
+  allowed_values:
+  - description: Events in this category are related to the challenge and response
+      process in which credentials are supplied and verified to allow the creation
+      of a session. Common sources for these logs are Windows event logs and ssh logs.
+      Visualize and analyze events in this category to look for failed logins, and
+      other authentication-related activity.
+    expected_event_types:
+    - start
+    - end
+    - info
+    name: authentication
+  - description: 'Events in the configuration category have to deal with creating,
+      modifying, or deleting the settings or parameters of an application, process,
+      or system.
+
+      Example sources include security policy change logs, configuration auditing
+      logging, and system integrity monitoring.'
+    expected_event_types:
+    - access
+    - change
+    - creation
+    - deletion
+    - info
+    name: configuration
+  - description: The database category denotes events and metrics relating to a data
+      storage and retrieval system. Note that use of this category is not limited
+      to relational database systems. Examples include event logs from MS SQL, MySQL,
+      Elasticsearch, MongoDB, etc. Use this category to visualize and analyze database
+      activity such as accesses and changes.
+    expected_event_types:
+    - access
+    - change
+    - info
+    - error
+    name: database
+  - description: 'Events in the driver category have to do with operating system device
+      drivers and similar software entities such as Windows drivers, kernel extensions,
+      kernel modules, etc.
+
+      Use events and metrics in this category to visualize and analyze driver-related
+      activity and status on hosts.'
+    expected_event_types:
+    - change
+    - end
+    - info
+    - start
+    name: driver
+  - description: Relating to a set of information that has been created on, or has
+      existed on a filesystem. Use this category of events to visualize and analyze
+      the creation, access, and deletions of files. Events in this category can come
+      from both host-based and network-based sources. An example source of a network-based
+      detection of a file transfer would be the Zeek file.log.
+    expected_event_types:
+    - change
+    - creation
+    - deletion
+    - info
+    name: file
+  - description: 'Use this category to visualize and analyze information such as host
+      inventory or host lifecycle events.
+
+      Most of the events in this category can usually be observed from the outside,
+      such as from a hypervisor or a control plane''s point of view. Some can also
+      be seen from within, such as "start" or "end".
+
+      Note that this category is for information about hosts themselves; it is not
+      meant to capture activity "happening on a host".'
+    expected_event_types:
+    - access
+    - change
+    - end
+    - info
+    - start
+    name: host
+  - description: Identity and access management (IAM) events relating to users, groups,
+      and administration. Use this category to visualize and analyze IAM-related logs
+      and data from active directory, LDAP, Okta, Duo, and other IAM systems.
+    expected_event_types:
+    - admin
+    - change
+    - creation
+    - deletion
+    - group
+    - info
+    - user
+    name: iam
+  - description: Relating to intrusion detections from IDS/IPS systems and functions,
+      both network and host-based. Use this category to visualize and analyze intrusion
+      detection alerts from systems such as Snort, Suricata, and Palo Alto threat
+      detections.
+    expected_event_types:
+    - allowed
+    - denied
+    - info
+    name: intrusion_detection
+  - description: Malware detection events and alerts. Use this category to visualize
+      and analyze malware detections from EDR/EPP systems such as Elastic Endpoint
+      Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems
+      such as Suricata, or other sources of malware-related events such as Palo Alto
+      Networks threat logs and Wildfire logs.
+    expected_event_types:
+    - info
+    name: malware
+  - description: Relating to all network activity, including network connection lifecycle,
+      network traffic, and essentially any event that includes an IP address. Many
+      events containing decoded network protocol transactions fit into this category.
+      Use events in this category to visualize or analyze counts of network ports,
+      protocols, addresses, geolocation information, etc.
+    expected_event_types:
+    - access
+    - allowed
+    - connection
+    - denied
+    - end
+    - info
+    - protocol
+    - start
+    name: network
+  - description: Relating to software packages installed on hosts. Use this category
+      to visualize and analyze inventory of software installed on various hosts, or
+      to determine host vulnerability in the absence of vulnerability scan data.
+    expected_event_types:
+    - access
+    - change
+    - deletion
+    - info
+    - installation
+    - start
+    name: package
+  - description: Use this category of events to visualize and analyze process-specific
+      information such as lifecycle events or process ancestry.
+    expected_event_types:
+    - access
+    - change
+    - end
+    - info
+    - start
+    name: process
+  - description: Having to do with settings and assets stored in the Windows registry.
+      Use this category to visualize and analyze activity such as registry access
+      and modifications.
+    expected_event_types:
+    - access
+    - change
+    - creation
+    - deletion
+    name: registry
+  - description: The session category is applied to events and metrics regarding logical
+      persistent connections to hosts and services. Use this category to visualize
+      and analyze interactive or automated persistent connections between assets.
+      Data for this category may come from Windows Event logs, SSH logs, or stateless
+      sessions such as HTTP cookie-based sessions, etc.
+    expected_event_types:
+    - start
+    - end
+    - info
+    name: session
+  - description: Use this category to visualize and analyze events describing threat
+      actors' targets, motives, or behaviors.
+    expected_event_types:
+    - indicator
+    name: threat
+  - description: 'Relating to web server access. Use this category to create a dashboard
+      of web server/proxy activity from apache, IIS, nginx web servers, etc. Note:
+      events from network observers such as Zeek http log may also be included in
+      this category.'
+    expected_event_types:
+    - access
+    - error
+    - info
+    name: web
+  dashed_name: event-category
+  description: 'This is one of four ECS Categorization Fields, and indicates the second
+    level in the ECS category hierarchy.
+
+    `event.category` represents the "big buckets" of ECS categories. For example,
+    filtering on `event.category:process` yields all events relating to process activity.
+    This field is closely related to `event.type`, which is used as a subcategory.
+
+    This field is an array. This will allow proper categorization of some events that
+    fall in multiple categories.'
+  example: authentication
+  flat_name: event.category
+  ignore_above: 1024
+  level: core
+  name: category
+  normalize:
+  - array
+  short: Event category. The second categorization field in the hierarchy.
+  type: keyword
+event.duration:
+  dashed_name: event-duration
+  description: 'Duration of the event in nanoseconds.
+
+    If event.start and event.end are known this value should be the difference between
+    the end and start time.'
+  flat_name: event.duration
+  format: duration
+  input_format: nanoseconds
+  level: core
+  name: duration
+  normalize: []
+  output_format: asMilliseconds
+  output_precision: 1
+  short: Duration of the event in nanoseconds.
+  type: long
+host.name:
+  dashed_name: host-name
+  description: 'Name of the host.
+
+    It can contain what `hostname` returns on Unix systems, the fully qualified domain
+    name, or a name specified by the user. The sender decides which value to use.'
+  flat_name: host.name
+  ignore_above: 1024
+  level: core
+  name: name
+  normalize: []
+  short: Name of the host.
+  type: keyword
+http.request.body.bytes:
+  dashed_name: http-request-body-bytes
+  description: Size in bytes of the request body.
+  example: 887
+  flat_name: http.request.body.bytes
+  format: bytes
+  level: extended
+  name: request.body.bytes
+  normalize: []
+  short: Size in bytes of the request body.
+  type: long
+http.request.body.content:
+  dashed_name: http-request-body-content
+  description: The full HTTP request body.
+  example: Hello world
+  flat_name: http.request.body.content
+  level: extended
+  multi_fields:
+  - flat_name: http.request.body.content.text
+    name: text
+    type: match_only_text
+  name: request.body.content
+  normalize: []
+  short: The full HTTP request body.
+  type: wildcard
+http.request.bytes:
+  dashed_name: http-request-bytes
+  description: Total size in bytes of the request (body and headers).
+  example: 1437
+  flat_name: http.request.bytes
+  format: bytes
+  level: extended
+  name: request.bytes
+  normalize: []
+  short: Total size in bytes of the request (body and headers).
+  type: long
+http.request.id:
+  dashed_name: http-request-id
+  description: 'A unique identifier for each HTTP request to correlate logs between
+    clients and servers in transactions.
+
+    The id may be contained in a non-standard HTTP header, such as `X-Request-ID`
+    or `X-Correlation-ID`.'
+  example: 123e4567-e89b-12d3-a456-426614174000
+  flat_name: http.request.id
+  ignore_above: 1024
+  level: extended
+  name: request.id
+  normalize: []
+  short: HTTP request ID.
+  type: keyword
+http.request.method:
+  dashed_name: http-request-method
+  description: 'HTTP request method.
+
+    The value should retain its casing from the original event. For example, `GET`,
+    `get`, and `GeT` are all considered valid values for this field.'
+  example: POST
+  flat_name: http.request.method
+  ignore_above: 1024
+  level: extended
+  name: request.method
+  normalize: []
+  short: HTTP request method.
+  type: keyword
+http.request.mime_type:
+  dashed_name: http-request-mime-type
+  description: 'Mime type of the body of the request.
+
+    This value must only be populated based on the content of the request body, not
+    on the `Content-Type` header. Comparing the mime type of a request with the request''s
+    Content-Type header can be helpful in detecting threats or misconfigured clients.'
+  example: image/gif
+  flat_name: http.request.mime_type
+  ignore_above: 1024
+  level: extended
+  name: request.mime_type
+  normalize: []
+  short: Mime type of the body of the request.
+  type: keyword
+http.request.referrer:
+  dashed_name: http-request-referrer
+  description: Referrer for this HTTP request.
+  example: https://blog.example.com/
+  flat_name: http.request.referrer
+  ignore_above: 1024
+  level: extended
+  name: request.referrer
+  normalize: []
+  short: Referrer for this HTTP request.
+  type: keyword
+http.response.body.bytes:
+  dashed_name: http-response-body-bytes
+  description: Size in bytes of the response body.
+  example: 887
+  flat_name: http.response.body.bytes
+  format: bytes
+  level: extended
+  name: response.body.bytes
+  normalize: []
+  short: Size in bytes of the response body.
+  type: long
+http.response.body.content:
+  dashed_name: http-response-body-content
+  description: The full HTTP response body.
+  example: Hello world
+  flat_name: http.response.body.content
+  level: extended
+  multi_fields:
+  - flat_name: http.response.body.content.text
+    name: text
+    type: match_only_text
+  name: response.body.content
+  normalize: []
+  short: The full HTTP response body.
+  type: wildcard
+http.response.bytes:
+  dashed_name: http-response-bytes
+  description: Total size in bytes of the response (body and headers).
+  example: 1437
+  flat_name: http.response.bytes
+  format: bytes
+  level: extended
+  name: response.bytes
+  normalize: []
+  short: Total size in bytes of the response (body and headers).
+  type: long
+http.response.mime_type:
+  dashed_name: http-response-mime-type
+  description: 'Mime type of the body of the response.
+
+    This value must only be populated based on the content of the response body, not
+    on the `Content-Type` header. Comparing the mime type of a response with the response''s
+    Content-Type header can be helpful in detecting misconfigured servers.'
+  example: image/gif
+  flat_name: http.response.mime_type
+  ignore_above: 1024
+  level: extended
+  name: response.mime_type
+  normalize: []
+  short: Mime type of the body of the response.
+  type: keyword
+http.response.status_code:
+  dashed_name: http-response-status-code
+  description: HTTP response status code.
+  example: 404
+  flat_name: http.response.status_code
+  format: string
+  level: extended
+  name: response.status_code
+  normalize: []
+  short: HTTP response status code.
+  type: long
+http.version:
+  dashed_name: http-version
+  description: HTTP version.
+  example: 1.1
+  flat_name: http.version
+  ignore_above: 1024
+  level: extended
+  name: version
+  normalize: []
+  short: HTTP version.
+  type: keyword
+labels:
+  dashed_name: labels
+  description: 'Custom key/value pairs.
+
+    Can be used to add meta information to events. Should not contain nested objects.
+    All values are stored as keyword.
+
+    Example: `docker` and `k8s` labels.'
+  example: '{"application": "foo-bar", "env": "production"}'
+  flat_name: labels
+  level: core
+  name: labels
+  normalize: []
+  object_type: keyword
+  short: Custom key/value pairs.
+  type: object
+log.level:
+  dashed_name: log-level
+  description: 'Original log level of the log event.
+
+    If the source of the event provides a log level or textual severity, this is the
+    one that goes in `log.level`. If your source doesn''t specify one, you may put
+    your event transport''s severity here (e.g. Syslog severity).
+
+    Some examples are `warn`, `err`, `i`, `informational`.'
+  example: error
+  flat_name: log.level
+  ignore_above: 1024
+  level: core
+  name: level
+  normalize: []
+  short: Log level of the log event.
+  type: keyword
+log.logger:
+  dashed_name: log-logger
+  description: The name of the logger inside an application. This is usually the name
+    of the class which initialized the logger, or can be a custom name.
+  example: org.elasticsearch.bootstrap.Bootstrap
+  flat_name: log.logger
+  ignore_above: 1024
+  level: core
+  name: logger
+  normalize: []
+  short: Name of the logger.
+  type: keyword
+message:
+  dashed_name: message
+  description: 'For log events the message field contains the log message, optimized
+    for viewing in a log viewer.
+
+    For structured logs without an original message field, other fields can be concatenated
+    to form a human-readable summary of the event.
+
+    If multiple messages exist, they can be combined into one message.'
+  example: Hello World
+  flat_name: message
+  level: core
+  name: message
+  normalize: []
+  short: Log message optimized for viewing in a log viewer.
+  type: match_only_text
+tags:
+  dashed_name: tags
+  description: List of keywords used to tag each event.
+  example: '["production", "env2"]'
+  flat_name: tags
+  ignore_above: 1024
+  level: core
+  name: tags
+  normalize:
+  - array
+  short: List of keywords used to tag each event.
+  type: keyword
+url.domain:
+  dashed_name: url-domain
+  description: 'Domain of the url, such as "www.elastic.co".
+
+    In some cases a URL may refer to an IP and/or port directly, without a domain
+    name. In this case, the IP address would go to the `domain` field.
+
+    If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732),
+    the `[` and `]` characters should also be captured in the `domain` field.'
+  example: www.elastic.co
+  flat_name: url.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  short: Domain of the url.
+  type: keyword
+url.extension:
+  dashed_name: url-extension
+  description: 'The field contains the file extension from the original request url,
+    excluding the leading dot.
+
+    The file extension is only set if it exists, as not every url has a file extension.
+
+    The leading period must not be included. For example, the value must be "png",
+    not ".png".
+
+    Note that when the file name has multiple extensions (example.tar.gz), only the
+    last one should be captured ("gz", not "tar.gz").'
+  example: png
+  flat_name: url.extension
+  ignore_above: 1024
+  level: extended
+  name: extension
+  normalize: []
+  short: File extension from the request url, excluding the leading dot.
+  type: keyword
+url.fragment:
+  dashed_name: url-fragment
+  description: 'Portion of the url after the `#`, such as "top".
+
+    The `#` is not part of the fragment.'
+  flat_name: url.fragment
+  ignore_above: 1024
+  level: extended
+  name: fragment
+  normalize: []
+  short: Portion of the url after the `#`.
+  type: keyword
+url.full:
+  dashed_name: url-full
+  description: If full URLs are important to your use case, they should be stored
+    in `url.full`, whether this field is reconstructed or present in the event source.
+  example: https://www.elastic.co:443/search?q=elasticsearch#top
+  flat_name: url.full
+  level: extended
+  multi_fields:
+  - flat_name: url.full.text
+    name: text
+    type: match_only_text
+  name: full
+  normalize: []
+  short: Full unparsed URL.
+  type: wildcard
+url.original:
+  dashed_name: url-original
+  description: 'Unmodified original url as seen in the event source.
+
+    Note that in network monitoring, the observed URL may be a full URL, whereas in
+    access logs, the URL is often just represented as a path.
+
+    This field is meant to represent the URL as it was observed, complete or not.'
+  example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
+  flat_name: url.original
+  level: extended
+  multi_fields:
+  - flat_name: url.original.text
+    name: text
+    type: match_only_text
+  name: original
+  normalize: []
+  short: Unmodified original url as seen in the event source.
+  type: wildcard
+url.password:
+  dashed_name: url-password
+  description: Password of the request.
+  flat_name: url.password
+  ignore_above: 1024
+  level: extended
+  name: password
+  normalize: []
+  short: Password of the request.
+  type: keyword
+url.path:
+  dashed_name: url-path
+  description: Path of the request, such as "/search".
+  flat_name: url.path
+  level: extended
+  name: path
+  normalize: []
+  short: Path of the request, such as "/search".
+  type: wildcard
+url.port:
+  dashed_name: url-port
+  description: Port of the request, such as 443.
+  example: 443
+  flat_name: url.port
+  format: string
+  level: extended
+  name: port
+  normalize: []
+  short: Port of the request, such as 443.
+  type: long
+url.query:
+  dashed_name: url-query
+  description: 'The query field describes the query string of the request, such as
+    "q=elasticsearch".
+
+    The `?` is excluded from the query string. If a URL contains no `?`, there is
+    no query field. If there is a `?` but no query, the query field exists with an
+    empty string. The `exists` query can be used to differentiate between the two
+    cases.'
+  flat_name: url.query
+  ignore_above: 1024
+  level: extended
+  name: query
+  normalize: []
+  short: Query string of the request.
+  type: keyword
+url.registered_domain:
+  dashed_name: url-registered-domain
+  description: 'The highest registered url domain, stripped of the subdomain.
+
+    For example, the registered domain for "foo.example.com" is "example.com".
+
+    This value can be determined precisely with a list like the public suffix list
+    (http://publicsuffix.org). Trying to approximate this by simply taking the last
+    two labels will not work well for TLDs such as "co.uk".'
+  example: example.com
+  flat_name: url.registered_domain
+  ignore_above: 1024
+  level: extended
+  name: registered_domain
+  normalize: []
+  short: The highest registered url domain, stripped of the subdomain.
+  type: keyword
+url.scheme:
+  dashed_name: url-scheme
+  description: 'Scheme of the request, such as "https".
+
+    Note: The `:` is not part of the scheme.'
+  example: https
+  flat_name: url.scheme
+  ignore_above: 1024
+  level: extended
+  name: scheme
+  normalize: []
+  short: Scheme of the url.
+  type: keyword
+url.subdomain:
+  dashed_name: url-subdomain
+  description: 'The subdomain portion of a fully qualified domain name includes all
+    of the names except the host name under the registered_domain.  In a partially
+    qualified domain, or if the the qualification level of the full name cannot be
+    determined, subdomain contains all of the names below the registered domain.
+
+    For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the
+    domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the
+    subdomain field should contain "sub2.sub1", with no trailing period.'
+  example: east
+  flat_name: url.subdomain
+  ignore_above: 1024
+  level: extended
+  name: subdomain
+  normalize: []
+  short: The subdomain of the domain.
+  type: keyword
+url.top_level_domain:
+  dashed_name: url-top-level-domain
+  description: 'The effective top level domain (eTLD), also known as the domain suffix,
+    is the last part of the domain name. For example, the top level domain for example.com
+    is "com".
+
+    This value can be determined precisely with a list like the public suffix list
+    (http://publicsuffix.org). Trying to approximate this by simply taking the last
+    label will not work well for effective TLDs such as "co.uk".'
+  example: co.uk
+  flat_name: url.top_level_domain
+  ignore_above: 1024
+  level: extended
+  name: top_level_domain
+  normalize: []
+  short: The effective top level domain (com, org, net, co.uk).
+  type: keyword
+url.username:
+  dashed_name: url-username
+  description: Username of the request.
+  flat_name: url.username
+  ignore_above: 1024
+  level: extended
+  name: username
+  normalize: []
+  short: Username of the request.
+  type: keyword
+user.id:
+  dashed_name: user-id
+  description: Unique identifier of the user.
+  example: S-1-5-21-202424912787-2692429404-2351956786-1000
+  flat_name: user.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  short: Unique identifier of the user.
+  type: keyword
+user.name:
+  dashed_name: user-name
+  description: Short name or login of the user.
+  example: a.einstein
+  flat_name: user.name
+  ignore_above: 1024
+  level: core
+  multi_fields:
+  - flat_name: user.name.text
+    name: text
+    type: match_only_text
+  name: name
+  normalize: []
+  short: Short name or login of the user.
+  type: keyword
+user.roles:
+  dashed_name: user-roles
+  description: Array of user roles at the time of the event.
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: user.roles
+  ignore_above: 1024
+  level: extended
+  name: roles
+  normalize:
+  - array
+  short: Array of user roles at the time of the event.
+  type: keyword
+user_agent.original:
+  dashed_name: user-agent-original
+  description: Unparsed user_agent string.
+  example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15
+    (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
+  flat_name: user_agent.original
+  ignore_above: 1024
+  level: extended
+  multi_fields:
+  - flat_name: user_agent.original.text
+    name: text
+    type: match_only_text
+  name: original
+  normalize: []
+  short: Unparsed user_agent string.
+  type: keyword
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/ecs/ecs_nested.yml
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/ecs/ecs_nested.yml
@ -0,0 +1,932 @@
+base:
+  description: The `base` field set contains all fields which are at the root of the
+    events. These fields are common across all types of events.
+  fields:
+    '@timestamp':
+      dashed_name: timestamp
+      description: 'Date/time when the event originated.
+
+        This is the date/time extracted from the event, typically representing when
+        the event was generated by the source.
+
+        If the event source has no original timestamp, this value is typically populated
+        by the first time the event was received by the pipeline.
+
+        Required field for all events.'
+      example: '2016-05-23T08:05:34.853Z'
+      flat_name: '@timestamp'
+      level: core
+      name: '@timestamp'
+      normalize: []
+      required: true
+      short: Date/time when the event originated.
+      type: date
+    labels:
+      dashed_name: labels
+      description: 'Custom key/value pairs.
+
+        Can be used to add meta information to events. Should not contain nested objects.
+        All values are stored as keyword.
+
+        Example: `docker` and `k8s` labels.'
+      example: '{"application": "foo-bar", "env": "production"}'
+      flat_name: labels
+      level: core
+      name: labels
+      normalize: []
+      object_type: keyword
+      short: Custom key/value pairs.
+      type: object
+    message:
+      dashed_name: message
+      description: 'For log events the message field contains the log message, optimized
+        for viewing in a log viewer.
+
+        For structured logs without an original message field, other fields can be
+        concatenated to form a human-readable summary of the event.
+
+        If multiple messages exist, they can be combined into one message.'
+      example: Hello World
+      flat_name: message
+      level: core
+      name: message
+      normalize: []
+      short: Log message optimized for viewing in a log viewer.
+      type: match_only_text
+    tags:
+      dashed_name: tags
+      description: List of keywords used to tag each event.
+      example: '["production", "env2"]'
+      flat_name: tags
+      ignore_above: 1024
+      level: core
+      name: tags
+      normalize:
+      - array
+      short: List of keywords used to tag each event.
+      type: keyword
+  group: 1
+  name: base
+  prefix: ''
+  root: true
+  short: All fields defined directly at the root of the events.
+  title: Base
+  type: group
+event:
+  description: 'The event fields are used for context information about the log or
+    metric event itself.
+
+    A log is defined as an event containing details of something that happened. Log
+    events must include the time at which the thing happened. Examples of log events
+    include a process starting on a host, a network packet being sent from a source
+    to a destination, or a network connection between a client and a server being
+    initiated or closed. A metric is defined as an event containing one or more numerical
+    measurements and the time at which the measurement was taken. Examples of metric
+    events include memory pressure measured on a host and device temperature. See
+    the `event.kind` definition in this section for additional details about metric
+    and state events.'
+  fields:
+    event.action:
+      dashed_name: event-action
+      description: 'The action captured by the event.
+
+        This describes the information in the event. It is more specific than `event.category`.
+        Examples are `group-add`, `process-started`, `file-created`. The value is
+        normally defined by the implementer.'
+      example: user-password-change
+      flat_name: event.action
+      ignore_above: 1024
+      level: core
+      name: action
+      normalize: []
+      short: The action captured by the event.
+      type: keyword
+    event.category:
+      allowed_values:
+      - description: Events in this category are related to the challenge and response
+          process in which credentials are supplied and verified to allow the creation
+          of a session. Common sources for these logs are Windows event logs and ssh
+          logs. Visualize and analyze events in this category to look for failed logins,
+          and other authentication-related activity.
+        expected_event_types:
+        - start
+        - end
+        - info
+        name: authentication
+      - description: 'Events in the configuration category have to deal with creating,
+          modifying, or deleting the settings or parameters of an application, process,
+          or system.
+
+          Example sources include security policy change logs, configuration auditing
+          logging, and system integrity monitoring.'
+        expected_event_types:
+        - access
+        - change
+        - creation
+        - deletion
+        - info
+        name: configuration
+      - description: The database category denotes events and metrics relating to
+          a data storage and retrieval system. Note that use of this category is not
+          limited to relational database systems. Examples include event logs from
+          MS SQL, MySQL, Elasticsearch, MongoDB, etc. Use this category to visualize
+          and analyze database activity such as accesses and changes.
+        expected_event_types:
+        - access
+        - change
+        - info
+        - error
+        name: database
+      - description: 'Events in the driver category have to do with operating system
+          device drivers and similar software entities such as Windows drivers, kernel
+          extensions, kernel modules, etc.
+
+          Use events and metrics in this category to visualize and analyze driver-related
+          activity and status on hosts.'
+        expected_event_types:
+        - change
+        - end
+        - info
+        - start
+        name: driver
+      - description: Relating to a set of information that has been created on, or
+          has existed on a filesystem. Use this category of events to visualize and
+          analyze the creation, access, and deletions of files. Events in this category
+          can come from both host-based and network-based sources. An example source
+          of a network-based detection of a file transfer would be the Zeek file.log.
+        expected_event_types:
+        - change
+        - creation
+        - deletion
+        - info
+        name: file
+      - description: 'Use this category to visualize and analyze information such
+          as host inventory or host lifecycle events.
+
+          Most of the events in this category can usually be observed from the outside,
+          such as from a hypervisor or a control plane''s point of view. Some can
+          also be seen from within, such as "start" or "end".
+
+          Note that this category is for information about hosts themselves; it is
+          not meant to capture activity "happening on a host".'
+        expected_event_types:
+        - access
+        - change
+        - end
+        - info
+        - start
+        name: host
+      - description: Identity and access management (IAM) events relating to users,
+          groups, and administration. Use this category to visualize and analyze IAM-related
+          logs and data from active directory, LDAP, Okta, Duo, and other IAM systems.
+        expected_event_types:
+        - admin
+        - change
+        - creation
+        - deletion
+        - group
+        - info
+        - user
+        name: iam
+      - description: Relating to intrusion detections from IDS/IPS systems and functions,
+          both network and host-based. Use this category to visualize and analyze
+          intrusion detection alerts from systems such as Snort, Suricata, and Palo
+          Alto threat detections.
+        expected_event_types:
+        - allowed
+        - denied
+        - info
+        name: intrusion_detection
+      - description: Malware detection events and alerts. Use this category to visualize
+          and analyze malware detections from EDR/EPP systems such as Elastic Endpoint
+          Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS
+          systems such as Suricata, or other sources of malware-related events such
+          as Palo Alto Networks threat logs and Wildfire logs.
+        expected_event_types:
+        - info
+        name: malware
+      - description: Relating to all network activity, including network connection
+          lifecycle, network traffic, and essentially any event that includes an IP
+          address. Many events containing decoded network protocol transactions fit
+          into this category. Use events in this category to visualize or analyze
+          counts of network ports, protocols, addresses, geolocation information,
+          etc.
+        expected_event_types:
+        - access
+        - allowed
+        - connection
+        - denied
+        - end
+        - info
+        - protocol
+        - start
+        name: network
+      - description: Relating to software packages installed on hosts. Use this category
+          to visualize and analyze inventory of software installed on various hosts,
+          or to determine host vulnerability in the absence of vulnerability scan
+          data.
+        expected_event_types:
+        - access
+        - change
+        - deletion
+        - info
+        - installation
+        - start
+        name: package
+      - description: Use this category of events to visualize and analyze process-specific
+          information such as lifecycle events or process ancestry.
+        expected_event_types:
+        - access
+        - change
+        - end
+        - info
+        - start
+        name: process
+      - description: Having to do with settings and assets stored in the Windows registry.
+          Use this category to visualize and analyze activity such as registry access
+          and modifications.
+        expected_event_types:
+        - access
+        - change
+        - creation
+        - deletion
+        name: registry
+      - description: The session category is applied to events and metrics regarding
+          logical persistent connections to hosts and services. Use this category
+          to visualize and analyze interactive or automated persistent connections
+          between assets. Data for this category may come from Windows Event logs,
+          SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc.
+        expected_event_types:
+        - start
+        - end
+        - info
+        name: session
+      - description: Use this category to visualize and analyze events describing
+          threat actors' targets, motives, or behaviors.
+        expected_event_types:
+        - indicator
+        name: threat
+      - description: 'Relating to web server access. Use this category to create a
+          dashboard of web server/proxy activity from apache, IIS, nginx web servers,
+          etc. Note: events from network observers such as Zeek http log may also
+          be included in this category.'
+        expected_event_types:
+        - access
+        - error
+        - info
+        name: web
+      dashed_name: event-category
+      description: 'This is one of four ECS Categorization Fields, and indicates the
+        second level in the ECS category hierarchy.
+
+        `event.category` represents the "big buckets" of ECS categories. For example,
+        filtering on `event.category:process` yields all events relating to process
+        activity. This field is closely related to `event.type`, which is used as
+        a subcategory.
+
+        This field is an array. This will allow proper categorization of some events
+        that fall in multiple categories.'
+      example: authentication
+      flat_name: event.category
+      ignore_above: 1024
+      level: core
+      name: category
+      normalize:
+      - array
+      short: Event category. The second categorization field in the hierarchy.
+      type: keyword
+    event.duration:
+      dashed_name: event-duration
+      description: 'Duration of the event in nanoseconds.
+
+        If event.start and event.end are known this value should be the difference
+        between the end and start time.'
+      flat_name: event.duration
+      format: duration
+      input_format: nanoseconds
+      level: core
+      name: duration
+      normalize: []
+      output_format: asMilliseconds
+      output_precision: 1
+      short: Duration of the event in nanoseconds.
+      type: long
+  group: 2
+  name: event
+  prefix: event.
+  short: Fields breaking down the event details.
+  title: Event
+  type: group
+host:
+  description: 'A host is defined as a general computing instance.
+
+    ECS host.* fields should be populated with details about the host on which the
+    event happened, or from which the measurement was taken. Host types include hardware,
+    virtual machines, Docker containers, and Kubernetes nodes.'
+  fields:
+    host.name:
+      dashed_name: host-name
+      description: 'Name of the host.
+
+        It can contain what `hostname` returns on Unix systems, the fully qualified
+        domain name, or a name specified by the user. The sender decides which value
+        to use.'
+      flat_name: host.name
+      ignore_above: 1024
+      level: core
+      name: name
+      normalize: []
+      short: Name of the host.
+      type: keyword
+  group: 2
+  name: host
+  nestings:
+  - host.geo
+  - host.os
+  prefix: host.
+  reused_here:
+  - full: host.geo
+    schema_name: geo
+    short: Fields describing a location.
+  - full: host.os
+    schema_name: os
+    short: OS fields contain information about the operating system.
+  short: Fields describing the relevant computing instance.
+  title: Host
+  type: group
+http:
+  description: Fields related to HTTP activity. Use the `url` field set to store the
+    url of the request.
+  fields:
+    http.request.body.bytes:
+      dashed_name: http-request-body-bytes
+      description: Size in bytes of the request body.
+      example: 887
+      flat_name: http.request.body.bytes
+      format: bytes
+      level: extended
+      name: request.body.bytes
+      normalize: []
+      short: Size in bytes of the request body.
+      type: long
+    http.request.body.content:
+      dashed_name: http-request-body-content
+      description: The full HTTP request body.
+      example: Hello world
+      flat_name: http.request.body.content
+      level: extended
+      multi_fields:
+      - flat_name: http.request.body.content.text
+        name: text
+        type: match_only_text
+      name: request.body.content
+      normalize: []
+      short: The full HTTP request body.
+      type: wildcard
+    http.request.bytes:
+      dashed_name: http-request-bytes
+      description: Total size in bytes of the request (body and headers).
+      example: 1437
+      flat_name: http.request.bytes
+      format: bytes
+      level: extended
+      name: request.bytes
+      normalize: []
+      short: Total size in bytes of the request (body and headers).
+      type: long
+    http.request.id:
+      dashed_name: http-request-id
+      description: 'A unique identifier for each HTTP request to correlate logs between
+        clients and servers in transactions.
+
+        The id may be contained in a non-standard HTTP header, such as `X-Request-ID`
+        or `X-Correlation-ID`.'
+      example: 123e4567-e89b-12d3-a456-426614174000
+      flat_name: http.request.id
+      ignore_above: 1024
+      level: extended
+      name: request.id
+      normalize: []
+      short: HTTP request ID.
+      type: keyword
+    http.request.method:
+      dashed_name: http-request-method
+      description: 'HTTP request method.
+
+        The value should retain its casing from the original event. For example, `GET`,
+        `get`, and `GeT` are all considered valid values for this field.'
+      example: POST
+      flat_name: http.request.method
+      ignore_above: 1024
+      level: extended
+      name: request.method
+      normalize: []
+      short: HTTP request method.
+      type: keyword
+    http.request.mime_type:
+      dashed_name: http-request-mime-type
+      description: 'Mime type of the body of the request.
+
+        This value must only be populated based on the content of the request body,
+        not on the `Content-Type` header. Comparing the mime type of a request with
+        the request''s Content-Type header can be helpful in detecting threats or
+        misconfigured clients.'
+      example: image/gif
+      flat_name: http.request.mime_type
+      ignore_above: 1024
+      level: extended
+      name: request.mime_type
+      normalize: []
+      short: Mime type of the body of the request.
+      type: keyword
+    http.request.referrer:
+      dashed_name: http-request-referrer
+      description: Referrer for this HTTP request.
+      example: https://blog.example.com/
+      flat_name: http.request.referrer
+      ignore_above: 1024
+      level: extended
+      name: request.referrer
+      normalize: []
+      short: Referrer for this HTTP request.
+      type: keyword
+    http.response.body.bytes:
+      dashed_name: http-response-body-bytes
+      description: Size in bytes of the response body.
+      example: 887
+      flat_name: http.response.body.bytes
+      format: bytes
+      level: extended
+      name: response.body.bytes
+      normalize: []
+      short: Size in bytes of the response body.
+      type: long
+    http.response.body.content:
+      dashed_name: http-response-body-content
+      description: The full HTTP response body.
+      example: Hello world
+      flat_name: http.response.body.content
+      level: extended
+      multi_fields:
+      - flat_name: http.response.body.content.text
+        name: text
+        type: match_only_text
+      name: response.body.content
+      normalize: []
+      short: The full HTTP response body.
+      type: wildcard
+    http.response.bytes:
+      dashed_name: http-response-bytes
+      description: Total size in bytes of the response (body and headers).
+      example: 1437
+      flat_name: http.response.bytes
+      format: bytes
+      level: extended
+      name: response.bytes
+      normalize: []
+      short: Total size in bytes of the response (body and headers).
+      type: long
+    http.response.mime_type:
+      dashed_name: http-response-mime-type
+      description: 'Mime type of the body of the response.
+
+        This value must only be populated based on the content of the response body,
+        not on the `Content-Type` header. Comparing the mime type of a response with
+        the response''s Content-Type header can be helpful in detecting misconfigured
+        servers.'
+      example: image/gif
+      flat_name: http.response.mime_type
+      ignore_above: 1024
+      level: extended
+      name: response.mime_type
+      normalize: []
+      short: Mime type of the body of the response.
+      type: keyword
+    http.response.status_code:
+      dashed_name: http-response-status-code
+      description: HTTP response status code.
+      example: 404
+      flat_name: http.response.status_code
+      format: string
+      level: extended
+      name: response.status_code
+      normalize: []
+      short: HTTP response status code.
+      type: long
+    http.version:
+      dashed_name: http-version
+      description: HTTP version.
+      example: 1.1
+      flat_name: http.version
+      ignore_above: 1024
+      level: extended
+      name: version
+      normalize: []
+      short: HTTP version.
+      type: keyword
+  group: 2
+  name: http
+  prefix: http.
+  short: Fields describing an HTTP request.
+  title: HTTP
+  type: group
+log:
+  description: 'Details about the event''s logging mechanism or logging transport.
+
+    The log.* fields are typically populated with details about the logging mechanism
+    used to create and/or transport the event. For example, syslog details belong
+    under `log.syslog.*`.
+
+    The details specific to your event source are typically not logged under `log.*`,
+    but rather in `event.*` or in other ECS fields.'
+  fields:
+    log.level:
+      dashed_name: log-level
+      description: 'Original log level of the log event.
+
+        If the source of the event provides a log level or textual severity, this
+        is the one that goes in `log.level`. If your source doesn''t specify one,
+        you may put your event transport''s severity here (e.g. Syslog severity).
+
+        Some examples are `warn`, `err`, `i`, `informational`.'
+      example: error
+      flat_name: log.level
+      ignore_above: 1024
+      level: core
+      name: level
+      normalize: []
+      short: Log level of the log event.
+      type: keyword
+    log.logger:
+      dashed_name: log-logger
+      description: The name of the logger inside an application. This is usually the
+        name of the class which initialized the logger, or can be a custom name.
+      example: org.elasticsearch.bootstrap.Bootstrap
+      flat_name: log.logger
+      ignore_above: 1024
+      level: core
+      name: logger
+      normalize: []
+      short: Name of the logger.
+      type: keyword
+  group: 2
+  name: log
+  prefix: log.
+  short: Details about the event's logging mechanism.
+  title: Log
+  type: group
+url:
+  description: URL fields provide support for complete or partial URLs, and supports
+    the breaking down into scheme, domain, path, and so on.
+  fields:
+    url.domain:
+      dashed_name: url-domain
+      description: 'Domain of the url, such as "www.elastic.co".
+
+        In some cases a URL may refer to an IP and/or port directly, without a domain
+        name. In this case, the IP address would go to the `domain` field.
+
+        If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC
+        2732), the `[` and `]` characters should also be captured in the `domain`
+        field.'
+      example: www.elastic.co
+      flat_name: url.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      short: Domain of the url.
+      type: keyword
+    url.extension:
+      dashed_name: url-extension
+      description: 'The field contains the file extension from the original request
+        url, excluding the leading dot.
+
+        The file extension is only set if it exists, as not every url has a file extension.
+
+        The leading period must not be included. For example, the value must be "png",
+        not ".png".
+
+        Note that when the file name has multiple extensions (example.tar.gz), only
+        the last one should be captured ("gz", not "tar.gz").'
+      example: png
+      flat_name: url.extension
+      ignore_above: 1024
+      level: extended
+      name: extension
+      normalize: []
+      short: File extension from the request url, excluding the leading dot.
+      type: keyword
+    url.fragment:
+      dashed_name: url-fragment
+      description: 'Portion of the url after the `#`, such as "top".
+
+        The `#` is not part of the fragment.'
+      flat_name: url.fragment
+      ignore_above: 1024
+      level: extended
+      name: fragment
+      normalize: []
+      short: Portion of the url after the `#`.
+      type: keyword
+    url.full:
+      dashed_name: url-full
+      description: If full URLs are important to your use case, they should be stored
+        in `url.full`, whether this field is reconstructed or present in the event
+        source.
+      example: https://www.elastic.co:443/search?q=elasticsearch#top
+      flat_name: url.full
+      level: extended
+      multi_fields:
+      - flat_name: url.full.text
+        name: text
+        type: match_only_text
+      name: full
+      normalize: []
+      short: Full unparsed URL.
+      type: wildcard
+    url.original:
+      dashed_name: url-original
+      description: 'Unmodified original url as seen in the event source.
+
+        Note that in network monitoring, the observed URL may be a full URL, whereas
+        in access logs, the URL is often just represented as a path.
+
+        This field is meant to represent the URL as it was observed, complete or not.'
+      example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
+      flat_name: url.original
+      level: extended
+      multi_fields:
+      - flat_name: url.original.text
+        name: text
+        type: match_only_text
+      name: original
+      normalize: []
+      short: Unmodified original url as seen in the event source.
+      type: wildcard
+    url.password:
+      dashed_name: url-password
+      description: Password of the request.
+      flat_name: url.password
+      ignore_above: 1024
+      level: extended
+      name: password
+      normalize: []
+      short: Password of the request.
+      type: keyword
+    url.path:
+      dashed_name: url-path
+      description: Path of the request, such as "/search".
+      flat_name: url.path
+      level: extended
+      name: path
+      normalize: []
+      short: Path of the request, such as "/search".
+      type: wildcard
+    url.port:
+      dashed_name: url-port
+      description: Port of the request, such as 443.
+      example: 443
+      flat_name: url.port
+      format: string
+      level: extended
+      name: port
+      normalize: []
+      short: Port of the request, such as 443.
+      type: long
+    url.query:
+      dashed_name: url-query
+      description: 'The query field describes the query string of the request, such
+        as "q=elasticsearch".
+
+        The `?` is excluded from the query string. If a URL contains no `?`, there
+        is no query field. If there is a `?` but no query, the query field exists
+        with an empty string. The `exists` query can be used to differentiate between
+        the two cases.'
+      flat_name: url.query
+      ignore_above: 1024
+      level: extended
+      name: query
+      normalize: []
+      short: Query string of the request.
+      type: keyword
+    url.registered_domain:
+      dashed_name: url-registered-domain
+      description: 'The highest registered url domain, stripped of the subdomain.
+
+        For example, the registered domain for "foo.example.com" is "example.com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last two labels will not work well for TLDs such as "co.uk".'
+      example: example.com
+      flat_name: url.registered_domain
+      ignore_above: 1024
+      level: extended
+      name: registered_domain
+      normalize: []
+      short: The highest registered url domain, stripped of the subdomain.
+      type: keyword
+    url.scheme:
+      dashed_name: url-scheme
+      description: 'Scheme of the request, such as "https".
+
+        Note: The `:` is not part of the scheme.'
+      example: https
+      flat_name: url.scheme
+      ignore_above: 1024
+      level: extended
+      name: scheme
+      normalize: []
+      short: Scheme of the url.
+      type: keyword
+    url.subdomain:
+      dashed_name: url-subdomain
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      flat_name: url.subdomain
+      ignore_above: 1024
+      level: extended
+      name: subdomain
+      normalize: []
+      short: The subdomain of the domain.
+      type: keyword
+    url.top_level_domain:
+      dashed_name: url-top-level-domain
+      description: 'The effective top level domain (eTLD), also known as the domain
+        suffix, is the last part of the domain name. For example, the top level domain
+        for example.com is "com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last label will not work well for effective TLDs such as "co.uk".'
+      example: co.uk
+      flat_name: url.top_level_domain
+      ignore_above: 1024
+      level: extended
+      name: top_level_domain
+      normalize: []
+      short: The effective top level domain (com, org, net, co.uk).
+      type: keyword
+    url.username:
+      dashed_name: url-username
+      description: Username of the request.
+      flat_name: url.username
+      ignore_above: 1024
+      level: extended
+      name: username
+      normalize: []
+      short: Username of the request.
+      type: keyword
+  group: 2
+  name: url
+  prefix: url.
+  reusable:
+    expected:
+    - as: url
+      at: threat.indicator
+      full: threat.indicator.url
+    - as: url
+      at: threat.enrichments.indicator
+      beta: Reusing the `url` fields in this location is currently considered beta.
+      full: threat.enrichments.indicator.url
+    top_level: true
+  short: Fields that let you store URLs in various forms.
+  title: URL
+  type: group
+user:
+  description: 'The user fields describe information about the user that is relevant
+    to the event.
+
+    Fields can have one entry or multiple entries. If a user has more than one id,
+    provide an array that includes all of them.'
+  fields:
+    user.id:
+      dashed_name: user-id
+      description: Unique identifier of the user.
+      example: S-1-5-21-202424912787-2692429404-2351956786-1000
+      flat_name: user.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      short: Unique identifier of the user.
+      type: keyword
+    user.name:
+      dashed_name: user-name
+      description: Short name or login of the user.
+      example: a.einstein
+      flat_name: user.name
+      ignore_above: 1024
+      level: core
+      multi_fields:
+      - flat_name: user.name.text
+        name: text
+        type: match_only_text
+      name: name
+      normalize: []
+      short: Short name or login of the user.
+      type: keyword
+    user.roles:
+      dashed_name: user-roles
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      flat_name: user.roles
+      ignore_above: 1024
+      level: extended
+      name: roles
+      normalize:
+      - array
+      short: Array of user roles at the time of the event.
+      type: keyword
+  group: 2
+  name: user
+  nestings:
+  - user.changes
+  - user.effective
+  - user.group
+  - user.target
+  prefix: user.
+  reusable:
+    expected:
+    - as: user
+      at: client
+      full: client.user
+    - as: user
+      at: destination
+      full: destination.user
+    - as: user
+      at: server
+      full: server.user
+    - as: user
+      at: source
+      full: source.user
+    - as: target
+      at: user
+      full: user.target
+      short_override: Targeted user of action taken.
+    - as: effective
+      at: user
+      full: user.effective
+      short_override: User whose privileges were assumed.
+    - as: changes
+      at: user
+      full: user.changes
+      short_override: Captures changes made to a user.
+    top_level: true
+  reused_here:
+  - full: user.group
+    schema_name: group
+    short: User's group relevant to the event.
+  - full: user.target
+    schema_name: user
+    short: Targeted user of action taken.
+  - full: user.effective
+    schema_name: user
+    short: User whose privileges were assumed.
+  - full: user.changes
+    schema_name: user
+    short: Captures changes made to a user.
+  short: Fields to describe the user relevant to the event.
+  title: User
+  type: group
+user_agent:
+  description: 'The user_agent fields normally come from a browser request.
+
+    They often show up in web service logs coming from the parsed user agent string.'
+  fields:
+    user_agent.original:
+      dashed_name: user-agent-original
+      description: Unparsed user_agent string.
+      example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15
+        (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
+      flat_name: user_agent.original
+      ignore_above: 1024
+      level: extended
+      multi_fields:
+      - flat_name: user_agent.original.text
+        name: text
+        type: match_only_text
+      name: original
+      normalize: []
+      short: Unparsed user_agent string.
+      type: keyword
+  group: 2
+  name: user_agent
+  nestings:
+  - user_agent.os
+  prefix: user_agent.
+  reused_here:
+  - full: user_agent.os
+    schema_name: os
+    short: OS fields contain information about the operating system.
+  short: Fields to describe a browser user_agent string.
+  title: User agent
+  type: group
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/ecs/subset/admin_console/ecs_flat.yml
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/ecs/subset/admin_console/ecs_flat.yml
@ -0,0 +1,749 @@
+'@timestamp':
+  dashed_name: timestamp
+  description: 'Date/time when the event originated.
+
+    This is the date/time extracted from the event, typically representing when the
+    event was generated by the source.
+
+    If the event source has no original timestamp, this value is typically populated
+    by the first time the event was received by the pipeline.
+
+    Required field for all events.'
+  example: '2016-05-23T08:05:34.853Z'
+  flat_name: '@timestamp'
+  level: core
+  name: '@timestamp'
+  normalize: []
+  required: true
+  short: Date/time when the event originated.
+  type: date
+event.action:
+  dashed_name: event-action
+  description: 'The action captured by the event.
+
+    This describes the information in the event. It is more specific than `event.category`.
+    Examples are `group-add`, `process-started`, `file-created`. The value is normally
+    defined by the implementer.'
+  example: user-password-change
+  flat_name: event.action
+  ignore_above: 1024
+  level: core
+  name: action
+  normalize: []
+  short: The action captured by the event.
+  type: keyword
+event.category:
+  allowed_values:
+  - description: Events in this category are related to the challenge and response
+      process in which credentials are supplied and verified to allow the creation
+      of a session. Common sources for these logs are Windows event logs and ssh logs.
+      Visualize and analyze events in this category to look for failed logins, and
+      other authentication-related activity.
+    expected_event_types:
+    - start
+    - end
+    - info
+    name: authentication
+  - description: 'Events in the configuration category have to deal with creating,
+      modifying, or deleting the settings or parameters of an application, process,
+      or system.
+
+      Example sources include security policy change logs, configuration auditing
+      logging, and system integrity monitoring.'
+    expected_event_types:
+    - access
+    - change
+    - creation
+    - deletion
+    - info
+    name: configuration
+  - description: The database category denotes events and metrics relating to a data
+      storage and retrieval system. Note that use of this category is not limited
+      to relational database systems. Examples include event logs from MS SQL, MySQL,
+      Elasticsearch, MongoDB, etc. Use this category to visualize and analyze database
+      activity such as accesses and changes.
+    expected_event_types:
+    - access
+    - change
+    - info
+    - error
+    name: database
+  - description: 'Events in the driver category have to do with operating system device
+      drivers and similar software entities such as Windows drivers, kernel extensions,
+      kernel modules, etc.
+
+      Use events and metrics in this category to visualize and analyze driver-related
+      activity and status on hosts.'
+    expected_event_types:
+    - change
+    - end
+    - info
+    - start
+    name: driver
+  - description: Relating to a set of information that has been created on, or has
+      existed on a filesystem. Use this category of events to visualize and analyze
+      the creation, access, and deletions of files. Events in this category can come
+      from both host-based and network-based sources. An example source of a network-based
+      detection of a file transfer would be the Zeek file.log.
+    expected_event_types:
+    - change
+    - creation
+    - deletion
+    - info
+    name: file
+  - description: 'Use this category to visualize and analyze information such as host
+      inventory or host lifecycle events.
+
+      Most of the events in this category can usually be observed from the outside,
+      such as from a hypervisor or a control plane''s point of view. Some can also
+      be seen from within, such as "start" or "end".
+
+      Note that this category is for information about hosts themselves; it is not
+      meant to capture activity "happening on a host".'
+    expected_event_types:
+    - access
+    - change
+    - end
+    - info
+    - start
+    name: host
+  - description: Identity and access management (IAM) events relating to users, groups,
+      and administration. Use this category to visualize and analyze IAM-related logs
+      and data from active directory, LDAP, Okta, Duo, and other IAM systems.
+    expected_event_types:
+    - admin
+    - change
+    - creation
+    - deletion
+    - group
+    - info
+    - user
+    name: iam
+  - description: Relating to intrusion detections from IDS/IPS systems and functions,
+      both network and host-based. Use this category to visualize and analyze intrusion
+      detection alerts from systems such as Snort, Suricata, and Palo Alto threat
+      detections.
+    expected_event_types:
+    - allowed
+    - denied
+    - info
+    name: intrusion_detection
+  - description: Malware detection events and alerts. Use this category to visualize
+      and analyze malware detections from EDR/EPP systems such as Elastic Endpoint
+      Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems
+      such as Suricata, or other sources of malware-related events such as Palo Alto
+      Networks threat logs and Wildfire logs.
+    expected_event_types:
+    - info
+    name: malware
+  - description: Relating to all network activity, including network connection lifecycle,
+      network traffic, and essentially any event that includes an IP address. Many
+      events containing decoded network protocol transactions fit into this category.
+      Use events in this category to visualize or analyze counts of network ports,
+      protocols, addresses, geolocation information, etc.
+    expected_event_types:
+    - access
+    - allowed
+    - connection
+    - denied
+    - end
+    - info
+    - protocol
+    - start
+    name: network
+  - description: Relating to software packages installed on hosts. Use this category
+      to visualize and analyze inventory of software installed on various hosts, or
+      to determine host vulnerability in the absence of vulnerability scan data.
+    expected_event_types:
+    - access
+    - change
+    - deletion
+    - info
+    - installation
+    - start
+    name: package
+  - description: Use this category of events to visualize and analyze process-specific
+      information such as lifecycle events or process ancestry.
+    expected_event_types:
+    - access
+    - change
+    - end
+    - info
+    - start
+    name: process
+  - description: Having to do with settings and assets stored in the Windows registry.
+      Use this category to visualize and analyze activity such as registry access
+      and modifications.
+    expected_event_types:
+    - access
+    - change
+    - creation
+    - deletion
+    name: registry
+  - description: The session category is applied to events and metrics regarding logical
+      persistent connections to hosts and services. Use this category to visualize
+      and analyze interactive or automated persistent connections between assets.
+      Data for this category may come from Windows Event logs, SSH logs, or stateless
+      sessions such as HTTP cookie-based sessions, etc.
+    expected_event_types:
+    - start
+    - end
+    - info
+    name: session
+  - description: Use this category to visualize and analyze events describing threat
+      actors' targets, motives, or behaviors.
+    expected_event_types:
+    - indicator
+    name: threat
+  - description: 'Relating to web server access. Use this category to create a dashboard
+      of web server/proxy activity from apache, IIS, nginx web servers, etc. Note:
+      events from network observers such as Zeek http log may also be included in
+      this category.'
+    expected_event_types:
+    - access
+    - error
+    - info
+    name: web
+  dashed_name: event-category
+  description: 'This is one of four ECS Categorization Fields, and indicates the second
+    level in the ECS category hierarchy.
+
+    `event.category` represents the "big buckets" of ECS categories. For example,
+    filtering on `event.category:process` yields all events relating to process activity.
+    This field is closely related to `event.type`, which is used as a subcategory.
+
+    This field is an array. This will allow proper categorization of some events that
+    fall in multiple categories.'
+  example: authentication
+  flat_name: event.category
+  ignore_above: 1024
+  level: core
+  name: category
+  normalize:
+  - array
+  short: Event category. The second categorization field in the hierarchy.
+  type: keyword
+event.duration:
+  dashed_name: event-duration
+  description: 'Duration of the event in nanoseconds.
+
+    If event.start and event.end are known this value should be the difference between
+    the end and start time.'
+  flat_name: event.duration
+  format: duration
+  input_format: nanoseconds
+  level: core
+  name: duration
+  normalize: []
+  output_format: asMilliseconds
+  output_precision: 1
+  short: Duration of the event in nanoseconds.
+  type: long
+host.name:
+  dashed_name: host-name
+  description: 'Name of the host.
+
+    It can contain what `hostname` returns on Unix systems, the fully qualified domain
+    name, or a name specified by the user. The sender decides which value to use.'
+  flat_name: host.name
+  ignore_above: 1024
+  level: core
+  name: name
+  normalize: []
+  short: Name of the host.
+  type: keyword
+http.request.body.bytes:
+  dashed_name: http-request-body-bytes
+  description: Size in bytes of the request body.
+  example: 887
+  flat_name: http.request.body.bytes
+  format: bytes
+  level: extended
+  name: request.body.bytes
+  normalize: []
+  short: Size in bytes of the request body.
+  type: long
+http.request.body.content:
+  dashed_name: http-request-body-content
+  description: The full HTTP request body.
+  example: Hello world
+  flat_name: http.request.body.content
+  level: extended
+  multi_fields:
+  - flat_name: http.request.body.content.text
+    name: text
+    type: match_only_text
+  name: request.body.content
+  normalize: []
+  short: The full HTTP request body.
+  type: wildcard
+http.request.bytes:
+  dashed_name: http-request-bytes
+  description: Total size in bytes of the request (body and headers).
+  example: 1437
+  flat_name: http.request.bytes
+  format: bytes
+  level: extended
+  name: request.bytes
+  normalize: []
+  short: Total size in bytes of the request (body and headers).
+  type: long
+http.request.id:
+  dashed_name: http-request-id
+  description: 'A unique identifier for each HTTP request to correlate logs between
+    clients and servers in transactions.
+
+    The id may be contained in a non-standard HTTP header, such as `X-Request-ID`
+    or `X-Correlation-ID`.'
+  example: 123e4567-e89b-12d3-a456-426614174000
+  flat_name: http.request.id
+  ignore_above: 1024
+  level: extended
+  name: request.id
+  normalize: []
+  short: HTTP request ID.
+  type: keyword
+http.request.method:
+  dashed_name: http-request-method
+  description: 'HTTP request method.
+
+    The value should retain its casing from the original event. For example, `GET`,
+    `get`, and `GeT` are all considered valid values for this field.'
+  example: POST
+  flat_name: http.request.method
+  ignore_above: 1024
+  level: extended
+  name: request.method
+  normalize: []
+  short: HTTP request method.
+  type: keyword
+http.request.mime_type:
+  dashed_name: http-request-mime-type
+  description: 'Mime type of the body of the request.
+
+    This value must only be populated based on the content of the request body, not
+    on the `Content-Type` header. Comparing the mime type of a request with the request''s
+    Content-Type header can be helpful in detecting threats or misconfigured clients.'
+  example: image/gif
+  flat_name: http.request.mime_type
+  ignore_above: 1024
+  level: extended
+  name: request.mime_type
+  normalize: []
+  short: Mime type of the body of the request.
+  type: keyword
+http.request.referrer:
+  dashed_name: http-request-referrer
+  description: Referrer for this HTTP request.
+  example: https://blog.example.com/
+  flat_name: http.request.referrer
+  ignore_above: 1024
+  level: extended
+  name: request.referrer
+  normalize: []
+  short: Referrer for this HTTP request.
+  type: keyword
+http.response.body.bytes:
+  dashed_name: http-response-body-bytes
+  description: Size in bytes of the response body.
+  example: 887
+  flat_name: http.response.body.bytes
+  format: bytes
+  level: extended
+  name: response.body.bytes
+  normalize: []
+  short: Size in bytes of the response body.
+  type: long
+http.response.body.content:
+  dashed_name: http-response-body-content
+  description: The full HTTP response body.
+  example: Hello world
+  flat_name: http.response.body.content
+  level: extended
+  multi_fields:
+  - flat_name: http.response.body.content.text
+    name: text
+    type: match_only_text
+  name: response.body.content
+  normalize: []
+  short: The full HTTP response body.
+  type: wildcard
+http.response.bytes:
+  dashed_name: http-response-bytes
+  description: Total size in bytes of the response (body and headers).
+  example: 1437
+  flat_name: http.response.bytes
+  format: bytes
+  level: extended
+  name: response.bytes
+  normalize: []
+  short: Total size in bytes of the response (body and headers).
+  type: long
+http.response.mime_type:
+  dashed_name: http-response-mime-type
+  description: 'Mime type of the body of the response.
+
+    This value must only be populated based on the content of the response body, not
+    on the `Content-Type` header. Comparing the mime type of a response with the response''s
+    Content-Type header can be helpful in detecting misconfigured servers.'
+  example: image/gif
+  flat_name: http.response.mime_type
+  ignore_above: 1024
+  level: extended
+  name: response.mime_type
+  normalize: []
+  short: Mime type of the body of the response.
+  type: keyword
+http.response.status_code:
+  dashed_name: http-response-status-code
+  description: HTTP response status code.
+  example: 404
+  flat_name: http.response.status_code
+  format: string
+  level: extended
+  name: response.status_code
+  normalize: []
+  short: HTTP response status code.
+  type: long
+http.version:
+  dashed_name: http-version
+  description: HTTP version.
+  example: 1.1
+  flat_name: http.version
+  ignore_above: 1024
+  level: extended
+  name: version
+  normalize: []
+  short: HTTP version.
+  type: keyword
+labels:
+  dashed_name: labels
+  description: 'Custom key/value pairs.
+
+    Can be used to add meta information to events. Should not contain nested objects.
+    All values are stored as keyword.
+
+    Example: `docker` and `k8s` labels.'
+  example: '{"application": "foo-bar", "env": "production"}'
+  flat_name: labels
+  level: core
+  name: labels
+  normalize: []
+  object_type: keyword
+  short: Custom key/value pairs.
+  type: object
+log.level:
+  dashed_name: log-level
+  description: 'Original log level of the log event.
+
+    If the source of the event provides a log level or textual severity, this is the
+    one that goes in `log.level`. If your source doesn''t specify one, you may put
+    your event transport''s severity here (e.g. Syslog severity).
+
+    Some examples are `warn`, `err`, `i`, `informational`.'
+  example: error
+  flat_name: log.level
+  ignore_above: 1024
+  level: core
+  name: level
+  normalize: []
+  short: Log level of the log event.
+  type: keyword
+log.logger:
+  dashed_name: log-logger
+  description: The name of the logger inside an application. This is usually the name
+    of the class which initialized the logger, or can be a custom name.
+  example: org.elasticsearch.bootstrap.Bootstrap
+  flat_name: log.logger
+  ignore_above: 1024
+  level: core
+  name: logger
+  normalize: []
+  short: Name of the logger.
+  type: keyword
+message:
+  dashed_name: message
+  description: 'For log events the message field contains the log message, optimized
+    for viewing in a log viewer.
+
+    For structured logs without an original message field, other fields can be concatenated
+    to form a human-readable summary of the event.
+
+    If multiple messages exist, they can be combined into one message.'
+  example: Hello World
+  flat_name: message
+  level: core
+  name: message
+  normalize: []
+  short: Log message optimized for viewing in a log viewer.
+  type: match_only_text
+tags:
+  dashed_name: tags
+  description: List of keywords used to tag each event.
+  example: '["production", "env2"]'
+  flat_name: tags
+  ignore_above: 1024
+  level: core
+  name: tags
+  normalize:
+  - array
+  short: List of keywords used to tag each event.
+  type: keyword
+url.domain:
+  dashed_name: url-domain
+  description: 'Domain of the url, such as "www.elastic.co".
+
+    In some cases a URL may refer to an IP and/or port directly, without a domain
+    name. In this case, the IP address would go to the `domain` field.
+
+    If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732),
+    the `[` and `]` characters should also be captured in the `domain` field.'
+  example: www.elastic.co
+  flat_name: url.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  short: Domain of the url.
+  type: keyword
+url.extension:
+  dashed_name: url-extension
+  description: 'The field contains the file extension from the original request url,
+    excluding the leading dot.
+
+    The file extension is only set if it exists, as not every url has a file extension.
+
+    The leading period must not be included. For example, the value must be "png",
+    not ".png".
+
+    Note that when the file name has multiple extensions (example.tar.gz), only the
+    last one should be captured ("gz", not "tar.gz").'
+  example: png
+  flat_name: url.extension
+  ignore_above: 1024
+  level: extended
+  name: extension
+  normalize: []
+  short: File extension from the request url, excluding the leading dot.
+  type: keyword
+url.fragment:
+  dashed_name: url-fragment
+  description: 'Portion of the url after the `#`, such as "top".
+
+    The `#` is not part of the fragment.'
+  flat_name: url.fragment
+  ignore_above: 1024
+  level: extended
+  name: fragment
+  normalize: []
+  short: Portion of the url after the `#`.
+  type: keyword
+url.full:
+  dashed_name: url-full
+  description: If full URLs are important to your use case, they should be stored
+    in `url.full`, whether this field is reconstructed or present in the event source.
+  example: https://www.elastic.co:443/search?q=elasticsearch#top
+  flat_name: url.full
+  level: extended
+  multi_fields:
+  - flat_name: url.full.text
+    name: text
+    type: match_only_text
+  name: full
+  normalize: []
+  short: Full unparsed URL.
+  type: wildcard
+url.original:
+  dashed_name: url-original
+  description: 'Unmodified original url as seen in the event source.
+
+    Note that in network monitoring, the observed URL may be a full URL, whereas in
+    access logs, the URL is often just represented as a path.
+
+    This field is meant to represent the URL as it was observed, complete or not.'
+  example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
+  flat_name: url.original
+  level: extended
+  multi_fields:
+  - flat_name: url.original.text
+    name: text
+    type: match_only_text
+  name: original
+  normalize: []
+  short: Unmodified original url as seen in the event source.
+  type: wildcard
+url.password:
+  dashed_name: url-password
+  description: Password of the request.
+  flat_name: url.password
+  ignore_above: 1024
+  level: extended
+  name: password
+  normalize: []
+  short: Password of the request.
+  type: keyword
+url.path:
+  dashed_name: url-path
+  description: Path of the request, such as "/search".
+  flat_name: url.path
+  level: extended
+  name: path
+  normalize: []
+  short: Path of the request, such as "/search".
+  type: wildcard
+url.port:
+  dashed_name: url-port
+  description: Port of the request, such as 443.
+  example: 443
+  flat_name: url.port
+  format: string
+  level: extended
+  name: port
+  normalize: []
+  short: Port of the request, such as 443.
+  type: long
+url.query:
+  dashed_name: url-query
+  description: 'The query field describes the query string of the request, such as
+    "q=elasticsearch".
+
+    The `?` is excluded from the query string. If a URL contains no `?`, there is
+    no query field. If there is a `?` but no query, the query field exists with an
+    empty string. The `exists` query can be used to differentiate between the two
+    cases.'
+  flat_name: url.query
+  ignore_above: 1024
+  level: extended
+  name: query
+  normalize: []
+  short: Query string of the request.
+  type: keyword
+url.registered_domain:
+  dashed_name: url-registered-domain
+  description: 'The highest registered url domain, stripped of the subdomain.
+
+    For example, the registered domain for "foo.example.com" is "example.com".
+
+    This value can be determined precisely with a list like the public suffix list
+    (http://publicsuffix.org). Trying to approximate this by simply taking the last
+    two labels will not work well for TLDs such as "co.uk".'
+  example: example.com
+  flat_name: url.registered_domain
+  ignore_above: 1024
+  level: extended
+  name: registered_domain
+  normalize: []
+  short: The highest registered url domain, stripped of the subdomain.
+  type: keyword
+url.scheme:
+  dashed_name: url-scheme
+  description: 'Scheme of the request, such as "https".
+
+    Note: The `:` is not part of the scheme.'
+  example: https
+  flat_name: url.scheme
+  ignore_above: 1024
+  level: extended
+  name: scheme
+  normalize: []
+  short: Scheme of the url.
+  type: keyword
+url.subdomain:
+  dashed_name: url-subdomain
+  description: 'The subdomain portion of a fully qualified domain name includes all
+    of the names except the host name under the registered_domain.  In a partially
+    qualified domain, or if the the qualification level of the full name cannot be
+    determined, subdomain contains all of the names below the registered domain.
+
+    For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the
+    domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the
+    subdomain field should contain "sub2.sub1", with no trailing period.'
+  example: east
+  flat_name: url.subdomain
+  ignore_above: 1024
+  level: extended
+  name: subdomain
+  normalize: []
+  short: The subdomain of the domain.
+  type: keyword
+url.top_level_domain:
+  dashed_name: url-top-level-domain
+  description: 'The effective top level domain (eTLD), also known as the domain suffix,
+    is the last part of the domain name. For example, the top level domain for example.com
+    is "com".
+
+    This value can be determined precisely with a list like the public suffix list
+    (http://publicsuffix.org). Trying to approximate this by simply taking the last
+    label will not work well for effective TLDs such as "co.uk".'
+  example: co.uk
+  flat_name: url.top_level_domain
+  ignore_above: 1024
+  level: extended
+  name: top_level_domain
+  normalize: []
+  short: The effective top level domain (com, org, net, co.uk).
+  type: keyword
+url.username:
+  dashed_name: url-username
+  description: Username of the request.
+  flat_name: url.username
+  ignore_above: 1024
+  level: extended
+  name: username
+  normalize: []
+  short: Username of the request.
+  type: keyword
+user.id:
+  dashed_name: user-id
+  description: Unique identifier of the user.
+  example: S-1-5-21-202424912787-2692429404-2351956786-1000
+  flat_name: user.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  short: Unique identifier of the user.
+  type: keyword
+user.name:
+  dashed_name: user-name
+  description: Short name or login of the user.
+  example: a.einstein
+  flat_name: user.name
+  ignore_above: 1024
+  level: core
+  multi_fields:
+  - flat_name: user.name.text
+    name: text
+    type: match_only_text
+  name: name
+  normalize: []
+  short: Short name or login of the user.
+  type: keyword
+user.roles:
+  dashed_name: user-roles
+  description: Array of user roles at the time of the event.
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: user.roles
+  ignore_above: 1024
+  level: extended
+  name: roles
+  normalize:
+  - array
+  short: Array of user roles at the time of the event.
+  type: keyword
+user_agent.original:
+  dashed_name: user-agent-original
+  description: Unparsed user_agent string.
+  example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15
+    (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
+  flat_name: user_agent.original
+  ignore_above: 1024
+  level: extended
+  multi_fields:
+  - flat_name: user_agent.original.text
+    name: text
+    type: match_only_text
+  name: original
+  normalize: []
+  short: Unparsed user_agent string.
+  type: keyword
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/ecs/subset/admin_console/ecs_nested.yml
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/ecs/subset/admin_console/ecs_nested.yml
@ -0,0 +1,932 @@
+base:
+  description: The `base` field set contains all fields which are at the root of the
+    events. These fields are common across all types of events.
+  fields:
+    '@timestamp':
+      dashed_name: timestamp
+      description: 'Date/time when the event originated.
+
+        This is the date/time extracted from the event, typically representing when
+        the event was generated by the source.
+
+        If the event source has no original timestamp, this value is typically populated
+        by the first time the event was received by the pipeline.
+
+        Required field for all events.'
+      example: '2016-05-23T08:05:34.853Z'
+      flat_name: '@timestamp'
+      level: core
+      name: '@timestamp'
+      normalize: []
+      required: true
+      short: Date/time when the event originated.
+      type: date
+    labels:
+      dashed_name: labels
+      description: 'Custom key/value pairs.
+
+        Can be used to add meta information to events. Should not contain nested objects.
+        All values are stored as keyword.
+
+        Example: `docker` and `k8s` labels.'
+      example: '{"application": "foo-bar", "env": "production"}'
+      flat_name: labels
+      level: core
+      name: labels
+      normalize: []
+      object_type: keyword
+      short: Custom key/value pairs.
+      type: object
+    message:
+      dashed_name: message
+      description: 'For log events the message field contains the log message, optimized
+        for viewing in a log viewer.
+
+        For structured logs without an original message field, other fields can be
+        concatenated to form a human-readable summary of the event.
+
+        If multiple messages exist, they can be combined into one message.'
+      example: Hello World
+      flat_name: message
+      level: core
+      name: message
+      normalize: []
+      short: Log message optimized for viewing in a log viewer.
+      type: match_only_text
+    tags:
+      dashed_name: tags
+      description: List of keywords used to tag each event.
+      example: '["production", "env2"]'
+      flat_name: tags
+      ignore_above: 1024
+      level: core
+      name: tags
+      normalize:
+      - array
+      short: List of keywords used to tag each event.
+      type: keyword
+  group: 1
+  name: base
+  prefix: ''
+  root: true
+  short: All fields defined directly at the root of the events.
+  title: Base
+  type: group
+event:
+  description: 'The event fields are used for context information about the log or
+    metric event itself.
+
+    A log is defined as an event containing details of something that happened. Log
+    events must include the time at which the thing happened. Examples of log events
+    include a process starting on a host, a network packet being sent from a source
+    to a destination, or a network connection between a client and a server being
+    initiated or closed. A metric is defined as an event containing one or more numerical
+    measurements and the time at which the measurement was taken. Examples of metric
+    events include memory pressure measured on a host and device temperature. See
+    the `event.kind` definition in this section for additional details about metric
+    and state events.'
+  fields:
+    event.action:
+      dashed_name: event-action
+      description: 'The action captured by the event.
+
+        This describes the information in the event. It is more specific than `event.category`.
+        Examples are `group-add`, `process-started`, `file-created`. The value is
+        normally defined by the implementer.'
+      example: user-password-change
+      flat_name: event.action
+      ignore_above: 1024
+      level: core
+      name: action
+      normalize: []
+      short: The action captured by the event.
+      type: keyword
+    event.category:
+      allowed_values:
+      - description: Events in this category are related to the challenge and response
+          process in which credentials are supplied and verified to allow the creation
+          of a session. Common sources for these logs are Windows event logs and ssh
+          logs. Visualize and analyze events in this category to look for failed logins,
+          and other authentication-related activity.
+        expected_event_types:
+        - start
+        - end
+        - info
+        name: authentication
+      - description: 'Events in the configuration category have to deal with creating,
+          modifying, or deleting the settings or parameters of an application, process,
+          or system.
+
+          Example sources include security policy change logs, configuration auditing
+          logging, and system integrity monitoring.'
+        expected_event_types:
+        - access
+        - change
+        - creation
+        - deletion
+        - info
+        name: configuration
+      - description: The database category denotes events and metrics relating to
+          a data storage and retrieval system. Note that use of this category is not
+          limited to relational database systems. Examples include event logs from
+          MS SQL, MySQL, Elasticsearch, MongoDB, etc. Use this category to visualize
+          and analyze database activity such as accesses and changes.
+        expected_event_types:
+        - access
+        - change
+        - info
+        - error
+        name: database
+      - description: 'Events in the driver category have to do with operating system
+          device drivers and similar software entities such as Windows drivers, kernel
+          extensions, kernel modules, etc.
+
+          Use events and metrics in this category to visualize and analyze driver-related
+          activity and status on hosts.'
+        expected_event_types:
+        - change
+        - end
+        - info
+        - start
+        name: driver
+      - description: Relating to a set of information that has been created on, or
+          has existed on a filesystem. Use this category of events to visualize and
+          analyze the creation, access, and deletions of files. Events in this category
+          can come from both host-based and network-based sources. An example source
+          of a network-based detection of a file transfer would be the Zeek file.log.
+        expected_event_types:
+        - change
+        - creation
+        - deletion
+        - info
+        name: file
+      - description: 'Use this category to visualize and analyze information such
+          as host inventory or host lifecycle events.
+
+          Most of the events in this category can usually be observed from the outside,
+          such as from a hypervisor or a control plane''s point of view. Some can
+          also be seen from within, such as "start" or "end".
+
+          Note that this category is for information about hosts themselves; it is
+          not meant to capture activity "happening on a host".'
+        expected_event_types:
+        - access
+        - change
+        - end
+        - info
+        - start
+        name: host
+      - description: Identity and access management (IAM) events relating to users,
+          groups, and administration. Use this category to visualize and analyze IAM-related
+          logs and data from active directory, LDAP, Okta, Duo, and other IAM systems.
+        expected_event_types:
+        - admin
+        - change
+        - creation
+        - deletion
+        - group
+        - info
+        - user
+        name: iam
+      - description: Relating to intrusion detections from IDS/IPS systems and functions,
+          both network and host-based. Use this category to visualize and analyze
+          intrusion detection alerts from systems such as Snort, Suricata, and Palo
+          Alto threat detections.
+        expected_event_types:
+        - allowed
+        - denied
+        - info
+        name: intrusion_detection
+      - description: Malware detection events and alerts. Use this category to visualize
+          and analyze malware detections from EDR/EPP systems such as Elastic Endpoint
+          Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS
+          systems such as Suricata, or other sources of malware-related events such
+          as Palo Alto Networks threat logs and Wildfire logs.
+        expected_event_types:
+        - info
+        name: malware
+      - description: Relating to all network activity, including network connection
+          lifecycle, network traffic, and essentially any event that includes an IP
+          address. Many events containing decoded network protocol transactions fit
+          into this category. Use events in this category to visualize or analyze
+          counts of network ports, protocols, addresses, geolocation information,
+          etc.
+        expected_event_types:
+        - access
+        - allowed
+        - connection
+        - denied
+        - end
+        - info
+        - protocol
+        - start
+        name: network
+      - description: Relating to software packages installed on hosts. Use this category
+          to visualize and analyze inventory of software installed on various hosts,
+          or to determine host vulnerability in the absence of vulnerability scan
+          data.
+        expected_event_types:
+        - access
+        - change
+        - deletion
+        - info
+        - installation
+        - start
+        name: package
+      - description: Use this category of events to visualize and analyze process-specific
+          information such as lifecycle events or process ancestry.
+        expected_event_types:
+        - access
+        - change
+        - end
+        - info
+        - start
+        name: process
+      - description: Having to do with settings and assets stored in the Windows registry.
+          Use this category to visualize and analyze activity such as registry access
+          and modifications.
+        expected_event_types:
+        - access
+        - change
+        - creation
+        - deletion
+        name: registry
+      - description: The session category is applied to events and metrics regarding
+          logical persistent connections to hosts and services. Use this category
+          to visualize and analyze interactive or automated persistent connections
+          between assets. Data for this category may come from Windows Event logs,
+          SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc.
+        expected_event_types:
+        - start
+        - end
+        - info
+        name: session
+      - description: Use this category to visualize and analyze events describing
+          threat actors' targets, motives, or behaviors.
+        expected_event_types:
+        - indicator
+        name: threat
+      - description: 'Relating to web server access. Use this category to create a
+          dashboard of web server/proxy activity from apache, IIS, nginx web servers,
+          etc. Note: events from network observers such as Zeek http log may also
+          be included in this category.'
+        expected_event_types:
+        - access
+        - error
+        - info
+        name: web
+      dashed_name: event-category
+      description: 'This is one of four ECS Categorization Fields, and indicates the
+        second level in the ECS category hierarchy.
+
+        `event.category` represents the "big buckets" of ECS categories. For example,
+        filtering on `event.category:process` yields all events relating to process
+        activity. This field is closely related to `event.type`, which is used as
+        a subcategory.
+
+        This field is an array. This will allow proper categorization of some events
+        that fall in multiple categories.'
+      example: authentication
+      flat_name: event.category
+      ignore_above: 1024
+      level: core
+      name: category
+      normalize:
+      - array
+      short: Event category. The second categorization field in the hierarchy.
+      type: keyword
+    event.duration:
+      dashed_name: event-duration
+      description: 'Duration of the event in nanoseconds.
+
+        If event.start and event.end are known this value should be the difference
+        between the end and start time.'
+      flat_name: event.duration
+      format: duration
+      input_format: nanoseconds
+      level: core
+      name: duration
+      normalize: []
+      output_format: asMilliseconds
+      output_precision: 1
+      short: Duration of the event in nanoseconds.
+      type: long
+  group: 2
+  name: event
+  prefix: event.
+  short: Fields breaking down the event details.
+  title: Event
+  type: group
+host:
+  description: 'A host is defined as a general computing instance.
+
+    ECS host.* fields should be populated with details about the host on which the
+    event happened, or from which the measurement was taken. Host types include hardware,
+    virtual machines, Docker containers, and Kubernetes nodes.'
+  fields:
+    host.name:
+      dashed_name: host-name
+      description: 'Name of the host.
+
+        It can contain what `hostname` returns on Unix systems, the fully qualified
+        domain name, or a name specified by the user. The sender decides which value
+        to use.'
+      flat_name: host.name
+      ignore_above: 1024
+      level: core
+      name: name
+      normalize: []
+      short: Name of the host.
+      type: keyword
+  group: 2
+  name: host
+  nestings:
+  - host.geo
+  - host.os
+  prefix: host.
+  reused_here:
+  - full: host.geo
+    schema_name: geo
+    short: Fields describing a location.
+  - full: host.os
+    schema_name: os
+    short: OS fields contain information about the operating system.
+  short: Fields describing the relevant computing instance.
+  title: Host
+  type: group
+http:
+  description: Fields related to HTTP activity. Use the `url` field set to store the
+    url of the request.
+  fields:
+    http.request.body.bytes:
+      dashed_name: http-request-body-bytes
+      description: Size in bytes of the request body.
+      example: 887
+      flat_name: http.request.body.bytes
+      format: bytes
+      level: extended
+      name: request.body.bytes
+      normalize: []
+      short: Size in bytes of the request body.
+      type: long
+    http.request.body.content:
+      dashed_name: http-request-body-content
+      description: The full HTTP request body.
+      example: Hello world
+      flat_name: http.request.body.content
+      level: extended
+      multi_fields:
+      - flat_name: http.request.body.content.text
+        name: text
+        type: match_only_text
+      name: request.body.content
+      normalize: []
+      short: The full HTTP request body.
+      type: wildcard
+    http.request.bytes:
+      dashed_name: http-request-bytes
+      description: Total size in bytes of the request (body and headers).
+      example: 1437
+      flat_name: http.request.bytes
+      format: bytes
+      level: extended
+      name: request.bytes
+      normalize: []
+      short: Total size in bytes of the request (body and headers).
+      type: long
+    http.request.id:
+      dashed_name: http-request-id
+      description: 'A unique identifier for each HTTP request to correlate logs between
+        clients and servers in transactions.
+
+        The id may be contained in a non-standard HTTP header, such as `X-Request-ID`
+        or `X-Correlation-ID`.'
+      example: 123e4567-e89b-12d3-a456-426614174000
+      flat_name: http.request.id
+      ignore_above: 1024
+      level: extended
+      name: request.id
+      normalize: []
+      short: HTTP request ID.
+      type: keyword
+    http.request.method:
+      dashed_name: http-request-method
+      description: 'HTTP request method.
+
+        The value should retain its casing from the original event. For example, `GET`,
+        `get`, and `GeT` are all considered valid values for this field.'
+      example: POST
+      flat_name: http.request.method
+      ignore_above: 1024
+      level: extended
+      name: request.method
+      normalize: []
+      short: HTTP request method.
+      type: keyword
+    http.request.mime_type:
+      dashed_name: http-request-mime-type
+      description: 'Mime type of the body of the request.
+
+        This value must only be populated based on the content of the request body,
+        not on the `Content-Type` header. Comparing the mime type of a request with
+        the request''s Content-Type header can be helpful in detecting threats or
+        misconfigured clients.'
+      example: image/gif
+      flat_name: http.request.mime_type
+      ignore_above: 1024
+      level: extended
+      name: request.mime_type
+      normalize: []
+      short: Mime type of the body of the request.
+      type: keyword
+    http.request.referrer:
+      dashed_name: http-request-referrer
+      description: Referrer for this HTTP request.
+      example: https://blog.example.com/
+      flat_name: http.request.referrer
+      ignore_above: 1024
+      level: extended
+      name: request.referrer
+      normalize: []
+      short: Referrer for this HTTP request.
+      type: keyword
+    http.response.body.bytes:
+      dashed_name: http-response-body-bytes
+      description: Size in bytes of the response body.
+      example: 887
+      flat_name: http.response.body.bytes
+      format: bytes
+      level: extended
+      name: response.body.bytes
+      normalize: []
+      short: Size in bytes of the response body.
+      type: long
+    http.response.body.content:
+      dashed_name: http-response-body-content
+      description: The full HTTP response body.
+      example: Hello world
+      flat_name: http.response.body.content
+      level: extended
+      multi_fields:
+      - flat_name: http.response.body.content.text
+        name: text
+        type: match_only_text
+      name: response.body.content
+      normalize: []
+      short: The full HTTP response body.
+      type: wildcard
+    http.response.bytes:
+      dashed_name: http-response-bytes
+      description: Total size in bytes of the response (body and headers).
+      example: 1437
+      flat_name: http.response.bytes
+      format: bytes
+      level: extended
+      name: response.bytes
+      normalize: []
+      short: Total size in bytes of the response (body and headers).
+      type: long
+    http.response.mime_type:
+      dashed_name: http-response-mime-type
+      description: 'Mime type of the body of the response.
+
+        This value must only be populated based on the content of the response body,
+        not on the `Content-Type` header. Comparing the mime type of a response with
+        the response''s Content-Type header can be helpful in detecting misconfigured
+        servers.'
+      example: image/gif
+      flat_name: http.response.mime_type
+      ignore_above: 1024
+      level: extended
+      name: response.mime_type
+      normalize: []
+      short: Mime type of the body of the response.
+      type: keyword
+    http.response.status_code:
+      dashed_name: http-response-status-code
+      description: HTTP response status code.
+      example: 404
+      flat_name: http.response.status_code
+      format: string
+      level: extended
+      name: response.status_code
+      normalize: []
+      short: HTTP response status code.
+      type: long
+    http.version:
+      dashed_name: http-version
+      description: HTTP version.
+      example: 1.1
+      flat_name: http.version
+      ignore_above: 1024
+      level: extended
+      name: version
+      normalize: []
+      short: HTTP version.
+      type: keyword
+  group: 2
+  name: http
+  prefix: http.
+  short: Fields describing an HTTP request.
+  title: HTTP
+  type: group
+log:
+  description: 'Details about the event''s logging mechanism or logging transport.
+
+    The log.* fields are typically populated with details about the logging mechanism
+    used to create and/or transport the event. For example, syslog details belong
+    under `log.syslog.*`.
+
+    The details specific to your event source are typically not logged under `log.*`,
+    but rather in `event.*` or in other ECS fields.'
+  fields:
+    log.level:
+      dashed_name: log-level
+      description: 'Original log level of the log event.
+
+        If the source of the event provides a log level or textual severity, this
+        is the one that goes in `log.level`. If your source doesn''t specify one,
+        you may put your event transport''s severity here (e.g. Syslog severity).
+
+        Some examples are `warn`, `err`, `i`, `informational`.'
+      example: error
+      flat_name: log.level
+      ignore_above: 1024
+      level: core
+      name: level
+      normalize: []
+      short: Log level of the log event.
+      type: keyword
+    log.logger:
+      dashed_name: log-logger
+      description: The name of the logger inside an application. This is usually the
+        name of the class which initialized the logger, or can be a custom name.
+      example: org.elasticsearch.bootstrap.Bootstrap
+      flat_name: log.logger
+      ignore_above: 1024
+      level: core
+      name: logger
+      normalize: []
+      short: Name of the logger.
+      type: keyword
+  group: 2
+  name: log
+  prefix: log.
+  short: Details about the event's logging mechanism.
+  title: Log
+  type: group
+url:
+  description: URL fields provide support for complete or partial URLs, and supports
+    the breaking down into scheme, domain, path, and so on.
+  fields:
+    url.domain:
+      dashed_name: url-domain
+      description: 'Domain of the url, such as "www.elastic.co".
+
+        In some cases a URL may refer to an IP and/or port directly, without a domain
+        name. In this case, the IP address would go to the `domain` field.
+
+        If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC
+        2732), the `[` and `]` characters should also be captured in the `domain`
+        field.'
+      example: www.elastic.co
+      flat_name: url.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      short: Domain of the url.
+      type: keyword
+    url.extension:
+      dashed_name: url-extension
+      description: 'The field contains the file extension from the original request
+        url, excluding the leading dot.
+
+        The file extension is only set if it exists, as not every url has a file extension.
+
+        The leading period must not be included. For example, the value must be "png",
+        not ".png".
+
+        Note that when the file name has multiple extensions (example.tar.gz), only
+        the last one should be captured ("gz", not "tar.gz").'
+      example: png
+      flat_name: url.extension
+      ignore_above: 1024
+      level: extended
+      name: extension
+      normalize: []
+      short: File extension from the request url, excluding the leading dot.
+      type: keyword
+    url.fragment:
+      dashed_name: url-fragment
+      description: 'Portion of the url after the `#`, such as "top".
+
+        The `#` is not part of the fragment.'
+      flat_name: url.fragment
+      ignore_above: 1024
+      level: extended
+      name: fragment
+      normalize: []
+      short: Portion of the url after the `#`.
+      type: keyword
+    url.full:
+      dashed_name: url-full
+      description: If full URLs are important to your use case, they should be stored
+        in `url.full`, whether this field is reconstructed or present in the event
+        source.
+      example: https://www.elastic.co:443/search?q=elasticsearch#top
+      flat_name: url.full
+      level: extended
+      multi_fields:
+      - flat_name: url.full.text
+        name: text
+        type: match_only_text
+      name: full
+      normalize: []
+      short: Full unparsed URL.
+      type: wildcard
+    url.original:
+      dashed_name: url-original
+      description: 'Unmodified original url as seen in the event source.
+
+        Note that in network monitoring, the observed URL may be a full URL, whereas
+        in access logs, the URL is often just represented as a path.
+
+        This field is meant to represent the URL as it was observed, complete or not.'
+      example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
+      flat_name: url.original
+      level: extended
+      multi_fields:
+      - flat_name: url.original.text
+        name: text
+        type: match_only_text
+      name: original
+      normalize: []
+      short: Unmodified original url as seen in the event source.
+      type: wildcard
+    url.password:
+      dashed_name: url-password
+      description: Password of the request.
+      flat_name: url.password
+      ignore_above: 1024
+      level: extended
+      name: password
+      normalize: []
+      short: Password of the request.
+      type: keyword
+    url.path:
+      dashed_name: url-path
+      description: Path of the request, such as "/search".
+      flat_name: url.path
+      level: extended
+      name: path
+      normalize: []
+      short: Path of the request, such as "/search".
+      type: wildcard
+    url.port:
+      dashed_name: url-port
+      description: Port of the request, such as 443.
+      example: 443
+      flat_name: url.port
+      format: string
+      level: extended
+      name: port
+      normalize: []
+      short: Port of the request, such as 443.
+      type: long
+    url.query:
+      dashed_name: url-query
+      description: 'The query field describes the query string of the request, such
+        as "q=elasticsearch".
+
+        The `?` is excluded from the query string. If a URL contains no `?`, there
+        is no query field. If there is a `?` but no query, the query field exists
+        with an empty string. The `exists` query can be used to differentiate between
+        the two cases.'
+      flat_name: url.query
+      ignore_above: 1024
+      level: extended
+      name: query
+      normalize: []
+      short: Query string of the request.
+      type: keyword
+    url.registered_domain:
+      dashed_name: url-registered-domain
+      description: 'The highest registered url domain, stripped of the subdomain.
+
+        For example, the registered domain for "foo.example.com" is "example.com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last two labels will not work well for TLDs such as "co.uk".'
+      example: example.com
+      flat_name: url.registered_domain
+      ignore_above: 1024
+      level: extended
+      name: registered_domain
+      normalize: []
+      short: The highest registered url domain, stripped of the subdomain.
+      type: keyword
+    url.scheme:
+      dashed_name: url-scheme
+      description: 'Scheme of the request, such as "https".
+
+        Note: The `:` is not part of the scheme.'
+      example: https
+      flat_name: url.scheme
+      ignore_above: 1024
+      level: extended
+      name: scheme
+      normalize: []
+      short: Scheme of the url.
+      type: keyword
+    url.subdomain:
+      dashed_name: url-subdomain
+      description: 'The subdomain portion of a fully qualified domain name includes
+        all of the names except the host name under the registered_domain.  In a partially
+        qualified domain, or if the the qualification level of the full name cannot
+        be determined, subdomain contains all of the names below the registered domain.
+
+        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: east
+      flat_name: url.subdomain
+      ignore_above: 1024
+      level: extended
+      name: subdomain
+      normalize: []
+      short: The subdomain of the domain.
+      type: keyword
+    url.top_level_domain:
+      dashed_name: url-top-level-domain
+      description: 'The effective top level domain (eTLD), also known as the domain
+        suffix, is the last part of the domain name. For example, the top level domain
+        for example.com is "com".
+
+        This value can be determined precisely with a list like the public suffix
+        list (http://publicsuffix.org). Trying to approximate this by simply taking
+        the last label will not work well for effective TLDs such as "co.uk".'
+      example: co.uk
+      flat_name: url.top_level_domain
+      ignore_above: 1024
+      level: extended
+      name: top_level_domain
+      normalize: []
+      short: The effective top level domain (com, org, net, co.uk).
+      type: keyword
+    url.username:
+      dashed_name: url-username
+      description: Username of the request.
+      flat_name: url.username
+      ignore_above: 1024
+      level: extended
+      name: username
+      normalize: []
+      short: Username of the request.
+      type: keyword
+  group: 2
+  name: url
+  prefix: url.
+  reusable:
+    expected:
+    - as: url
+      at: threat.indicator
+      full: threat.indicator.url
+    - as: url
+      at: threat.enrichments.indicator
+      beta: Reusing the `url` fields in this location is currently considered beta.
+      full: threat.enrichments.indicator.url
+    top_level: true
+  short: Fields that let you store URLs in various forms.
+  title: URL
+  type: group
+user:
+  description: 'The user fields describe information about the user that is relevant
+    to the event.
+
+    Fields can have one entry or multiple entries. If a user has more than one id,
+    provide an array that includes all of them.'
+  fields:
+    user.id:
+      dashed_name: user-id
+      description: Unique identifier of the user.
+      example: S-1-5-21-202424912787-2692429404-2351956786-1000
+      flat_name: user.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      short: Unique identifier of the user.
+      type: keyword
+    user.name:
+      dashed_name: user-name
+      description: Short name or login of the user.
+      example: a.einstein
+      flat_name: user.name
+      ignore_above: 1024
+      level: core
+      multi_fields:
+      - flat_name: user.name.text
+        name: text
+        type: match_only_text
+      name: name
+      normalize: []
+      short: Short name or login of the user.
+      type: keyword
+    user.roles:
+      dashed_name: user-roles
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      flat_name: user.roles
+      ignore_above: 1024
+      level: extended
+      name: roles
+      normalize:
+      - array
+      short: Array of user roles at the time of the event.
+      type: keyword
+  group: 2
+  name: user
+  nestings:
+  - user.changes
+  - user.effective
+  - user.group
+  - user.target
+  prefix: user.
+  reusable:
+    expected:
+    - as: user
+      at: client
+      full: client.user
+    - as: user
+      at: destination
+      full: destination.user
+    - as: user
+      at: server
+      full: server.user
+    - as: user
+      at: source
+      full: source.user
+    - as: target
+      at: user
+      full: user.target
+      short_override: Targeted user of action taken.
+    - as: effective
+      at: user
+      full: user.effective
+      short_override: User whose privileges were assumed.
+    - as: changes
+      at: user
+      full: user.changes
+      short_override: Captures changes made to a user.
+    top_level: true
+  reused_here:
+  - full: user.group
+    schema_name: group
+    short: User's group relevant to the event.
+  - full: user.target
+    schema_name: user
+    short: Targeted user of action taken.
+  - full: user.effective
+    schema_name: user
+    short: User whose privileges were assumed.
+  - full: user.changes
+    schema_name: user
+    short: Captures changes made to a user.
+  short: Fields to describe the user relevant to the event.
+  title: User
+  type: group
+user_agent:
+  description: 'The user_agent fields normally come from a browser request.
+
+    They often show up in web service logs coming from the parsed user agent string.'
+  fields:
+    user_agent.original:
+      dashed_name: user-agent-original
+      description: Unparsed user_agent string.
+      example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15
+        (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
+      flat_name: user_agent.original
+      ignore_above: 1024
+      level: extended
+      multi_fields:
+      - flat_name: user_agent.original.text
+        name: text
+        type: match_only_text
+      name: original
+      normalize: []
+      short: Unparsed user_agent string.
+      type: keyword
+  group: 2
+  name: user_agent
+  nestings:
+  - user_agent.os
+  prefix: user_agent.
+  reused_here:
+  - full: user_agent.os
+    schema_name: os
+    short: OS fields contain information about the operating system.
+  short: Fields to describe a browser user_agent string.
+  title: User agent
+  type: group
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/elasticsearch/composable/component/base.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/elasticsearch/composable/component/base.json
@ -0,0 +1,25 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+    "ecs_version": "8.0.0"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "@timestamp": {
+          "type": "date"
+        },
+        "labels": {
+          "type": "object"
+        },
+        "message": {
+          "type": "match_only_text"
+        },
+        "tags": {
+          "ignore_above": 1024,
+          "type": "keyword"
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/elasticsearch/composable/component/event.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/elasticsearch/composable/component/event.json
@ -0,0 +1,27 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html",
+    "ecs_version": "8.0.0"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "event": {
+          "properties": {
+            "action": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "category": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "duration": {
+              "type": "long"
+            }
+          }
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/elasticsearch/composable/component/host.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/elasticsearch/composable/component/host.json
@ -0,0 +1,20 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html",
+    "ecs_version": "8.0.0"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "host": {
+          "properties": {
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/elasticsearch/composable/component/http.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/elasticsearch/composable/component/http.json
@ -0,0 +1,87 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html",
+    "ecs_version": "8.0.0"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "http": {
+          "properties": {
+            "request": {
+              "properties": {
+                "body": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    },
+                    "content": {
+                      "fields": {
+                        "text": {
+                          "type": "match_only_text"
+                        }
+                      },
+                      "type": "wildcard"
+                    }
+                  }
+                },
+                "bytes": {
+                  "type": "long"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "method": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "mime_type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "referrer": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "response": {
+              "properties": {
+                "body": {
+                  "properties": {
+                    "bytes": {
+                      "type": "long"
+                    },
+                    "content": {
+                      "fields": {
+                        "text": {
+                          "type": "match_only_text"
+                        }
+                      },
+                      "type": "wildcard"
+                    }
+                  }
+                },
+                "bytes": {
+                  "type": "long"
+                },
+                "mime_type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "status_code": {
+                  "type": "long"
+                }
+              }
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/elasticsearch/composable/component/log.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/elasticsearch/composable/component/log.json
@ -0,0 +1,24 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html",
+    "ecs_version": "8.0.0"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "log": {
+          "properties": {
+            "level": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "logger": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/elasticsearch/composable/component/server.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/elasticsearch/composable/component/server.json
@ -0,0 +1,22 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html",
+    "ecs_version": "8.0.0"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "server": {
+          "properties": {
+            "ip": {
+              "type": "ip"
+            },
+            "port": {
+              "type": "long"
+            }
+          }
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/elasticsearch/composable/component/url.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/elasticsearch/composable/component/url.json
@ -0,0 +1,78 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html",
+    "ecs_version": "8.0.0"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "url": {
+          "properties": {
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "extension": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "fragment": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "full": {
+              "fields": {
+                "text": {
+                  "type": "match_only_text"
+                }
+              },
+              "type": "wildcard"
+            },
+            "original": {
+              "fields": {
+                "text": {
+                  "type": "match_only_text"
+                }
+              },
+              "type": "wildcard"
+            },
+            "password": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "path": {
+              "type": "wildcard"
+            },
+            "port": {
+              "type": "long"
+            },
+            "query": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "registered_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "scheme": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "subdomain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "top_level_domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "username": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/elasticsearch/composable/component/user.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/elasticsearch/composable/component/user.json
@ -0,0 +1,33 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html",
+    "ecs_version": "8.0.0"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "user": {
+          "properties": {
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "fields": {
+                "text": {
+                  "type": "match_only_text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "roles": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/elasticsearch/composable/component/user_agent.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/elasticsearch/composable/component/user_agent.json
@ -0,0 +1,25 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html",
+    "ecs_version": "8.0.0"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "user_agent": {
+          "properties": {
+            "original": {
+              "fields": {
+                "text": {
+                  "type": "match_only_text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/elasticsearch/composable/template.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/elasticsearch/composable/template.json
@ -0,0 +1,55 @@
+{
+  "_meta": {
+    "description": "Sample composable template that includes all ECS fields",
+    "ecs_version": "8.0.0"
+  },
+  "composed_of": [
+    "ecs_8.0.0_base",
+    "ecs_8.0.0_event",
+    "ecs_8.0.0_http",
+    "ecs_8.0.0_url",
+    "ecs_8.0.0_user",
+    "ecs_8.0.0_user_agent",
+    "ecs_8.0.0_log",
+    "ecs_8.0.0_host"
+  ],
+  "index_patterns": [
+    "kbn-data-forge-fake_stack.admin-console-*"
+  ],
+  "priority": 1,
+  "template": {
+    "mappings": {
+      "_meta": {
+        "version": "1.6.0"
+      },
+      "date_detection": false,
+      "dynamic_templates": [
+        {
+          "strings_as_keyword": {
+            "mapping": {
+              "fields": {
+                "text": {
+                  "norms": false,
+                  "type": "text"
+                }
+              },
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "match_mapping_type": "string"
+          }
+        }
+      ]
+    },
+    "settings": {
+      "index": {
+        "codec": "best_compression",
+        "mapping": {
+          "total_fields": {
+            "limit": 2000
+          }
+        }
+      }
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/elasticsearch/legacy/template.json
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/generated/elasticsearch/legacy/template.json
@ -0,0 +1,265 @@
+{
+  "index_patterns": [
+    "kbn-data-forge-fake_stack.admin-console-*"
+  ],
+  "mappings": {
+    "_meta": {
+      "version": "1.6.0"
+    },
+    "date_detection": false,
+    "dynamic_templates": [
+      {
+        "strings_as_keyword": {
+          "mapping": {
+            "fields": {
+              "text": {
+                "norms": false,
+                "type": "text"
+              }
+            },
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "match_mapping_type": "string"
+        }
+      }
+    ],
+    "properties": {
+      "@timestamp": {
+        "type": "date"
+      },
+      "event": {
+        "properties": {
+          "action": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "category": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "duration": {
+            "type": "long"
+          }
+        }
+      },
+      "host": {
+        "properties": {
+          "name": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "http": {
+        "properties": {
+          "request": {
+            "properties": {
+              "body": {
+                "properties": {
+                  "bytes": {
+                    "type": "long"
+                  },
+                  "content": {
+                    "fields": {
+                      "text": {
+                        "type": "match_only_text"
+                      }
+                    },
+                    "type": "wildcard"
+                  }
+                }
+              },
+              "bytes": {
+                "type": "long"
+              },
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "method": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "mime_type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "referrer": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
+          "response": {
+            "properties": {
+              "body": {
+                "properties": {
+                  "bytes": {
+                    "type": "long"
+                  },
+                  "content": {
+                    "fields": {
+                      "text": {
+                        "type": "match_only_text"
+                      }
+                    },
+                    "type": "wildcard"
+                  }
+                }
+              },
+              "bytes": {
+                "type": "long"
+              },
+              "mime_type": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "status_code": {
+                "type": "long"
+              }
+            }
+          },
+          "version": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "labels": {
+        "type": "object"
+      },
+      "log": {
+        "properties": {
+          "level": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "logger": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "message": {
+        "type": "match_only_text"
+      },
+      "tags": {
+        "ignore_above": 1024,
+        "type": "keyword"
+      },
+      "url": {
+        "properties": {
+          "domain": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "extension": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "fragment": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "full": {
+            "fields": {
+              "text": {
+                "type": "match_only_text"
+              }
+            },
+            "type": "wildcard"
+          },
+          "original": {
+            "fields": {
+              "text": {
+                "type": "match_only_text"
+              }
+            },
+            "type": "wildcard"
+          },
+          "password": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "path": {
+            "type": "wildcard"
+          },
+          "port": {
+            "type": "long"
+          },
+          "query": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "registered_domain": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "scheme": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "subdomain": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "top_level_domain": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "username": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "user": {
+        "properties": {
+          "id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "name": {
+            "fields": {
+              "text": {
+                "type": "match_only_text"
+              }
+            },
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "roles": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
+      "user_agent": {
+        "properties": {
+          "original": {
+            "fields": {
+              "text": {
+                "type": "match_only_text"
+              }
+            },
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      }
+    }
+  },
+  "order": 1,
+  "settings": {
+    "index": {
+      "codec": "best_compression",
+      "mapping": {
+        "total_fields": {
+          "limit": 2000
+        }
+      },
+      "refresh_interval": "2s"
+    }
+  }
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/index.ts
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/ecs/index.ts
@ -0,0 +1,42 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { ADMIN_CONSOLE } from '../../common/constants';
+
+import base from './generated/elasticsearch/composable/component/base.json';
+import event from './generated/elasticsearch/composable/component/event.json';
+import http from './generated/elasticsearch/composable/component/http.json';
+import url from './generated/elasticsearch/composable/component/url.json';
+import user from './generated/elasticsearch/composable/component/user.json';
+import userAgent from './generated/elasticsearch/composable/component/user_agent.json';
+import log from './generated/elasticsearch/composable/component/log.json';
+import host from './generated/elasticsearch/composable/component/host.json';
+
+import template from './generated/elasticsearch/composable/template.json';
+import { IndexTemplateDef } from '../../../../types';
+
+const ECS_VERSION = template._meta.ecs_version;
+
+const components = [
+  { name: `${ADMIN_CONSOLE}_${ECS_VERSION}_base`, template: base },
+  { name: `${ADMIN_CONSOLE}_${ECS_VERSION}_event`, template: event },
+  { name: `${ADMIN_CONSOLE}_${ECS_VERSION}_http`, template: http },
+  { name: `${ADMIN_CONSOLE}_${ECS_VERSION}_url`, template: url },
+  { name: `${ADMIN_CONSOLE}_${ECS_VERSION}_user`, template: user },
+  { name: `${ADMIN_CONSOLE}_${ECS_VERSION}_user_agent`, template: userAgent },
+  { name: `${ADMIN_CONSOLE}_${ECS_VERSION}_log`, template: log },
+  { name: `${ADMIN_CONSOLE}_${ECS_VERSION}_host`, template: host },
+];
+
+export const indexTemplate: IndexTemplateDef = {
+  namespace: ADMIN_CONSOLE,
+  template: {
+    ...template,
+    composed_of: components.map(({ name }) => name),
+  },
+  components,
+};
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/index.ts
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/index.ts
@ -0,0 +1,72 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { createStartupEvents } from './lib/events/startup';
+import { login } from './lib/events/login';
+import { loginError } from './lib/events/login_error';
+import { internalError } from './lib/events/internal_error';
+import { weightedSample } from '../common/weighted_sample';
+import { listCustomers } from './lib/events/list_customers';
+import { mongodbConnectionError } from './lib/events/mongodb_connection_error';
+import { viewUsers } from './lib/events/view_user';
+import { deleteUser } from './lib/events/delete_user';
+import { createUser } from './lib/events/create_user';
+import { editUser } from './lib/events/edit_user';
+import { Doc, EventFunction, EventTemplate, GeneratorFunction } from '../../../types';
+import { qaDeployedToProduction } from './lib/events/qa_deployed_to_production';
+import { mongodbProxyTimeout } from './lib/events/mongodb_proxy_timeout';
+import { addEphemeralProjectId } from '../../../lib/add_ephemeral_project_id';
+
+const GOOD_EVENT_TEMPLATES: EventTemplate = [
+  [mongodbProxyTimeout, 1],
+  [loginError, 1],
+  [login, 10],
+  [listCustomers, 20],
+  [viewUsers, 20],
+  [deleteUser, 20],
+  [createUser, 20],
+  [editUser, 20],
+];
+
+const BAD_EVENT_TEMPLATES: EventTemplate = [[mongodbConnectionError, 1]];
+
+const INTERNAL_ERRORS_EVENT_TEMPLATES: EventTemplate = [[internalError, 1]];
+
+const CONNECTION_TIMEOUT_EVENT_TEMPLATES: EventTemplate = [[qaDeployedToProduction, 1]];
+
+function getTemplate(name: string) {
+  if (name === 'bad') {
+    return BAD_EVENT_TEMPLATES;
+  }
+  if (name === 'internalErrors') {
+    return INTERNAL_ERRORS_EVENT_TEMPLATES;
+  }
+  if (name === 'connectionTimeout') {
+    return CONNECTION_TIMEOUT_EVENT_TEMPLATES;
+  }
+  return GOOD_EVENT_TEMPLATES;
+}
+
+let firstRun = true;
+export const kibanaAssets = `${__dirname}/assets/admin_console.ndjson`;
+
+export const generateEvent: GeneratorFunction = (config, schedule, _index, timestamp) => {
+  let startupEvents: Doc[] = [];
+  if (firstRun && schedule.template !== 'internalErrors') {
+    firstRun = false;
+    startupEvents = createStartupEvents(schedule, timestamp);
+  }
+
+  const template = getTemplate(schedule.template);
+  const fn = weightedSample(template) as EventFunction;
+  const events = addEphemeralProjectId(
+    config.indexing.ephemeralProjectIds || 0,
+    fn(schedule, timestamp).flat()
+  );
+
+  return [...startupEvents, ...events];
+};
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/create_base_event.ts
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/create_base_event.ts
@ -0,0 +1,73 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { sample } from 'lodash';
+import { set } from '@kbn/safer-lodash-set';
+import { faker } from '@faker-js/faker';
+import { Moment } from 'moment';
+import { ADMIN_CONSOLE_HOSTS, DOMAINS } from '../../../common/constants';
+import { User } from '../login_cache';
+
+export function createEvent(
+  timestamp: Moment,
+  source: string,
+  method: string,
+  path: string,
+  user: User,
+  level: 'ERROR' | 'INFO' = 'INFO',
+  statusCode = 200,
+  overrides?: Record<string, unknown>
+) {
+  const domain = sample(DOMAINS);
+  const port = 6000;
+  const full = `https://${source}.${domain}:${port}${path}`;
+  const userAgent = faker.internet.userAgent();
+  const baseEvent = {
+    namespace: source,
+    '@timestamp': timestamp.toISOString(),
+    tags: [`infra:${source}`],
+    host: { name: sample(ADMIN_CONSOLE_HOSTS) },
+    log: {
+      level,
+      logger: source,
+    },
+    server: {
+      port,
+    },
+    http: {
+      request: {
+        bytes: parseInt(faker.string.numeric(4), 10),
+        method,
+        mime_type: 'application/json',
+      },
+      response: {
+        status_code: statusCode,
+        mime_type: 'application/json',
+        bytes: parseInt(faker.string.numeric(3), 10),
+      },
+    },
+    url: {
+      domain,
+      subdomain: source,
+      full,
+      port,
+      path,
+      username: user.id,
+    },
+    user,
+    user_agent: {
+      original: userAgent,
+    },
+  };
+
+  return overrides != null
+    ? Object.keys(overrides).reduce((acc, key) => {
+        const value = overrides[key];
+        return set(acc, key, value);
+      }, baseEvent)
+    : baseEvent;
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/create_user.ts
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/create_user.ts
@ -0,0 +1,75 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { sample, camelCase, random } from 'lodash';
+import { faker } from '@faker-js/faker';
+import { ADMIN_CONSOLE, ADMIN_CONSOLE_HOSTS, DOMAINS } from '../../../common/constants';
+import { getLoggedInUser, createUser as createNewUser } from '../login_cache';
+import { createEvent } from './create_base_event';
+import { createWriteEvent } from '../../../mongodb/lib/events/mongo_actions';
+import { EventFunction } from '../../../../../types';
+import { createNginxLog } from '../../../nginx_proxy/lib/events/create_nginx_log';
+
+export const createUser: EventFunction = (_schedule, timestamp) => {
+  const user = getLoggedInUser();
+  const domain = sample(DOMAINS) as string;
+  const method = 'POST';
+  const statusCode = 200;
+  const port = 6000;
+  const path = '/api/createUser';
+  const full = `https://${ADMIN_CONSOLE}.${domain}:${port}${path}`;
+  const userAgent = faker.internet.userAgent();
+  const bytes = parseInt(faker.string.numeric(3), 10);
+
+  const host = sample(ADMIN_CONSOLE_HOSTS) as string;
+
+  const event = createEvent(timestamp, ADMIN_CONSOLE, method, path, user, 'INFO', statusCode, {
+    message: `${method} ${path} ${statusCode} ${bytes} - ${userAgent}`,
+    event: {
+      action: 'createUser',
+      category: 'administrative',
+      duration: random(10, 150) * 1000000,
+    },
+    'http.response.bytes': bytes,
+    host: { name: host },
+    url: {
+      domain,
+      subdomain: ADMIN_CONSOLE,
+      port,
+      full,
+      path,
+      username: user.id,
+    },
+    user_agent: {
+      original: userAgent,
+    },
+  });
+
+  return [
+    event,
+    ...createWriteEvent(
+      timestamp,
+      host,
+      camelCase(`${ADMIN_CONSOLE}-agent`),
+      camelCase(ADMIN_CONSOLE),
+      'users',
+      createNewUser()
+    ),
+    ...createNginxLog(
+      timestamp,
+      method,
+      statusCode,
+      bytes,
+      path,
+      `https://${ADMIN_CONSOLE}.${domain}`,
+      userAgent,
+      `${ADMIN_CONSOLE}.${domain}`,
+      `${host}:${port}`,
+      user.id
+    ),
+  ];
+};
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/delete_user.ts
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/delete_user.ts
@ -0,0 +1,73 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { sample, camelCase, random } from 'lodash';
+import { faker } from '@faker-js/faker';
+import { ADMIN_CONSOLE_HOSTS, ADMIN_CONSOLE, DOMAINS } from '../../../common/constants';
+import { getLoggedInUser } from '../login_cache';
+import { createEvent } from './create_base_event';
+import { createDeleteEvent } from '../../../mongodb/lib/events/mongo_actions';
+import { EventFunction } from '../../../../../types';
+import { createNginxLog } from '../../../nginx_proxy/lib/events/create_nginx_log';
+
+export const deleteUser: EventFunction = (_schedule, timestamp) => {
+  const user = getLoggedInUser();
+  const domain = sample(DOMAINS) as string;
+  const method = 'POST';
+  const statusCode = 200;
+  const port = 6000;
+  const path = '/api/deleteUser';
+  const full = `https://${ADMIN_CONSOLE}.${domain}:${port}${path}`;
+  const userAgent = faker.internet.userAgent();
+  const bytes = parseInt(faker.string.numeric(2), 10);
+  const host = sample(ADMIN_CONSOLE_HOSTS) as string;
+
+  const event = createEvent(timestamp, ADMIN_CONSOLE, method, path, user, 'INFO', statusCode, {
+    message: `${method} ${path} ${statusCode} ${bytes} - ${userAgent}`,
+    event: {
+      action: 'deleteUser',
+      category: 'administrative',
+      duration: random(10, 150) * 1000000,
+    },
+    'http.response.bytes': bytes,
+    host: { name: host },
+    url: {
+      domain,
+      subdomain: ADMIN_CONSOLE,
+      port,
+      full,
+      path,
+      username: user.id,
+    },
+    user_agent: {
+      original: userAgent,
+    },
+  });
+
+  return [
+    event,
+    ...createDeleteEvent(
+      timestamp,
+      host,
+      camelCase(`${ADMIN_CONSOLE}-agent`),
+      camelCase(ADMIN_CONSOLE),
+      'users'
+    ),
+    ...createNginxLog(
+      timestamp,
+      method,
+      statusCode,
+      bytes,
+      path,
+      `https://${ADMIN_CONSOLE}.${domain}`,
+      userAgent,
+      `${ADMIN_CONSOLE}.${domain}`,
+      `${host}:${port}`,
+      user.id
+    ),
+  ];
+};
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/edit_user.ts
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/edit_user.ts
@ -0,0 +1,77 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { sample, camelCase, random } from 'lodash';
+import { faker } from '@faker-js/faker';
+import { ADMIN_CONSOLE, DOMAINS, ADMIN_CONSOLE_HOSTS } from '../../../common/constants';
+import { getLoggedInUser } from '../login_cache';
+import { createEvent } from './create_base_event';
+import { createUpdateEvent } from '../../../mongodb/lib/events/mongo_actions';
+import { EventFunction } from '../../../../../types';
+import { createNginxLog } from '../../../nginx_proxy/lib/events/create_nginx_log';
+
+export const editUser: EventFunction = (_schedule, timestamp) => {
+  const user = getLoggedInUser();
+  const domain = sample(DOMAINS) as string;
+  const action = 'editUser';
+  const method = 'POST';
+  const statusCode = 200;
+  const port = 6000;
+  const path = `/api/${action}`;
+  const full = `https://${ADMIN_CONSOLE}.${domain}:${port}${path}`;
+  const userAgent = faker.internet.userAgent();
+  const bytes = parseInt(faker.string.numeric(2), 10);
+  const host = sample(ADMIN_CONSOLE_HOSTS) as string;
+
+  const event = createEvent(timestamp, ADMIN_CONSOLE, method, path, user, 'INFO', statusCode, {
+    message: `${method} ${path} ${statusCode} ${bytes} - ${userAgent}`,
+    event: {
+      action,
+      category: 'administrative',
+      duration: random(10, 150) * 1000000,
+    },
+    'http.response.bytes': bytes,
+    host: { name: host },
+    url: {
+      domain,
+      subdomain: ADMIN_CONSOLE,
+      port,
+      full,
+      path,
+      username: user.id,
+    },
+    user_agent: {
+      original: userAgent,
+    },
+  });
+
+  return [
+    event,
+    ...createUpdateEvent(
+      timestamp,
+      host,
+      camelCase(`${ADMIN_CONSOLE}-agent`),
+      camelCase(ADMIN_CONSOLE),
+      'users',
+      {
+        country: faker.location.country(),
+      }
+    ),
+    ...createNginxLog(
+      timestamp,
+      method,
+      statusCode,
+      bytes,
+      path,
+      `https://${ADMIN_CONSOLE}.${domain}`,
+      userAgent,
+      `${ADMIN_CONSOLE}.${domain}`,
+      `${host}:${port}`,
+      user.id
+    ),
+  ];
+};
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/internal_error.ts
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/internal_error.ts
@ -0,0 +1,49 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { sample, random } from 'lodash';
+import { faker } from '@faker-js/faker';
+import { ADMIN_CONSOLE, DOMAINS } from '../../../common/constants';
+import { createEvent } from './create_base_event';
+import { EventFunction } from '../../../../../types';
+
+export const internalError: EventFunction = (_schedule, timestamp) => {
+  const user = {
+    id: 'superuser',
+    name: 'Superuser',
+    roles: ['admin'],
+  };
+  const hackerNoun = faker.helpers.slugify(faker.hacker.noun());
+  const domain = sample(DOMAINS) as string;
+  const port = 6000;
+  const path = '/api/listCustomers';
+  const query = `view=${hackerNoun}`;
+  const full = `https://${ADMIN_CONSOLE}.${domain}:${port}${path}?${query}`;
+
+  return [
+    createEvent(timestamp, ADMIN_CONSOLE, 'GET', path, user, 'ERROR', 500, {
+      message: `ReferenceError: aggregateBy.${hackerNoun} is not defined`,
+      event: {
+        action: 'listCustomers',
+        category: 'administrative',
+        duration: random(100, 200) * 1000000,
+      },
+      url: {
+        domain,
+        subdomain: ADMIN_CONSOLE,
+        port,
+        full,
+        path,
+        query,
+        username: user.id,
+      },
+      user_agent: {
+        original: 'AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 637FCK3D',
+      },
+    }),
+  ];
+};
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/list_customers.ts
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/list_customers.ts
@ -0,0 +1,75 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { sample, camelCase, random } from 'lodash';
+import { faker } from '@faker-js/faker';
+import { ADMIN_CONSOLE_HOSTS, ADMIN_CONSOLE, DOMAINS } from '../../../common/constants';
+import { getLoggedInUser } from '../login_cache';
+import { createEvent } from './create_base_event';
+import { createReadEvent } from '../../../mongodb/lib/events/mongo_actions';
+import { EventFunction } from '../../../../../types';
+import { createNginxLog } from '../../../nginx_proxy/lib/events/create_nginx_log';
+
+export const listCustomers: EventFunction = (_schedule, timestamp) => {
+  const user = getLoggedInUser();
+  const domain = sample(DOMAINS) as string;
+  const port = 6000;
+  const path = '/api/listCustomers';
+  const query = 'view=count';
+  const full = `https://${ADMIN_CONSOLE}.${domain}:${port}${path}?${query}`;
+  const userAgent = faker.internet.userAgent();
+  const bytes = parseInt(faker.string.numeric(3), 10);
+  const host = sample(ADMIN_CONSOLE_HOSTS) as string;
+  const method = 'GET';
+  const statusCode = 200;
+
+  const event = createEvent(timestamp, ADMIN_CONSOLE, method, path, user, 'INFO', statusCode, {
+    message: `${method} ${path}?${query} ${statusCode} ${bytes} - ${userAgent}`,
+    event: {
+      action: 'listCustomers',
+      category: 'administrative',
+      duration: random(10, 100) * 1000000,
+    },
+    'http.response.bytes': bytes,
+    host: { name: host },
+    url: {
+      domain,
+      subdomain: ADMIN_CONSOLE,
+      port,
+      full,
+      path,
+      query,
+      username: user.id,
+    },
+    user_agent: {
+      original: userAgent,
+    },
+  });
+
+  return [
+    event,
+    ...createReadEvent(
+      timestamp,
+      host,
+      camelCase(`${ADMIN_CONSOLE}-agent`),
+      camelCase(ADMIN_CONSOLE),
+      'customers'
+    ),
+    ...createNginxLog(
+      timestamp,
+      method,
+      statusCode,
+      bytes,
+      path,
+      `https://${ADMIN_CONSOLE}.${domain}`,
+      userAgent,
+      `${ADMIN_CONSOLE}.${domain}`,
+      `${host}:${port}`,
+      user.id
+    ),
+  ];
+};
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/login.ts
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/login.ts
@ -0,0 +1,70 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { sample, camelCase, random } from 'lodash';
+import { faker } from '@faker-js/faker';
+import { createUser, loginUser } from '../login_cache';
+import { createEvent } from './create_base_event';
+import { ADMIN_CONSOLE_HOSTS, ADMIN_CONSOLE, DOMAINS } from '../../../common/constants';
+import { createReadEvent } from '../../../mongodb/lib/events/mongo_actions';
+import { EventFunction } from '../../../../../types';
+import { createNginxLog } from '../../../nginx_proxy/lib/events/create_nginx_log';
+
+export const login: EventFunction = (_schedule, timestamp) => {
+  const user = createUser();
+  const host = sample(ADMIN_CONSOLE_HOSTS) as string;
+  const domain = sample(DOMAINS) as string;
+  const port = 6000;
+  const method = 'POST';
+  const path = '/api/login';
+  const statusCode = 201;
+  loginUser(user);
+  const full = `https://${ADMIN_CONSOLE}.${domain}:${port}${path}`;
+  const userAgent = faker.internet.userAgent();
+  const bytes = parseInt(faker.string.numeric(3), 10);
+  const event = createEvent(timestamp, ADMIN_CONSOLE, method, path, user, 'INFO', statusCode, {
+    message: `${user.id} successfully logged in.`,
+    'event.action': 'login',
+    'event.category': 'authentication',
+    'event.duration': random(10, 100) * 1000000,
+    host: { name: host },
+    url: {
+      domain,
+      subdomain: ADMIN_CONSOLE,
+      port,
+      full,
+      path,
+      username: user.id,
+    },
+    user_agent: {
+      original: userAgent,
+    },
+  });
+
+  return [
+    event,
+    ...createReadEvent(
+      timestamp,
+      host,
+      camelCase(`${ADMIN_CONSOLE}-agent`),
+      camelCase(ADMIN_CONSOLE),
+      'users'
+    ),
+    ...createNginxLog(
+      timestamp,
+      method,
+      statusCode,
+      bytes,
+      path,
+      `https://${ADMIN_CONSOLE}.${domain}`,
+      userAgent,
+      `${ADMIN_CONSOLE}.${domain}`,
+      `${host}:${port}`,
+      user.id
+    ),
+  ];
+};
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/login_error.ts
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/login_error.ts
@ -0,0 +1,69 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { sample, camelCase, random } from 'lodash';
+import { faker } from '@faker-js/faker';
+import { ADMIN_CONSOLE_HOSTS, ADMIN_CONSOLE, DOMAINS } from '../../../common/constants';
+import { createUser } from '../login_cache';
+import { createEvent } from './create_base_event';
+import { createReadEvent } from '../../../mongodb/lib/events/mongo_actions';
+import { EventFunction } from '../../../../../types';
+import { createNginxLog } from '../../../nginx_proxy/lib/events/create_nginx_log';
+
+export const loginError: EventFunction = (_schedule, timestamp) => {
+  const user = createUser();
+  const host = sample(ADMIN_CONSOLE_HOSTS) as string;
+  const domain = sample(DOMAINS) as string;
+  const port = 6000;
+  const method = 'POST';
+  const path = '/api/login';
+  const statusCode = 401;
+  const full = `https://${ADMIN_CONSOLE}.${domain}:${port}${path}`;
+  const userAgent = faker.internet.userAgent();
+  const bytes = parseInt(faker.string.numeric(3), 10);
+  const event = createEvent(timestamp, ADMIN_CONSOLE, method, path, user, 'ERROR', statusCode, {
+    message: `${user.id} login failed.`,
+    'event.action': 'login',
+    'event.category': 'authentication',
+    'event.duration': random(100, 200) * 1000000,
+    host: { name: host },
+    url: {
+      domain,
+      subdomain: ADMIN_CONSOLE,
+      port,
+      full,
+      path,
+      username: user.id,
+    },
+    user_agent: {
+      original: userAgent,
+    },
+  });
+
+  return [
+    event,
+    ...createReadEvent(
+      timestamp,
+      host,
+      camelCase(`${ADMIN_CONSOLE}-agent`),
+      camelCase(ADMIN_CONSOLE),
+      'users'
+    ),
+    ...createNginxLog(
+      timestamp,
+      method,
+      statusCode,
+      bytes,
+      path,
+      `https://${ADMIN_CONSOLE}.${domain}`,
+      userAgent,
+      `${ADMIN_CONSOLE}.${domain}`,
+      `${host}:${port}`,
+      user.id
+    ),
+  ];
+};
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/mongodb_connection_error.ts
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/mongodb_connection_error.ts
@ -0,0 +1,85 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { sample } from 'lodash';
+import { faker } from '@faker-js/faker';
+import {
+  MONGO_DB_GATEWAY,
+  ADMIN_CONSOLE,
+  ADMIN_CONSOLE_HOSTS,
+  DOMAINS,
+} from '../../../common/constants';
+import { createEvent } from './create_base_event';
+import { getLoggedInUser } from '../login_cache';
+import { EventFunction } from '../../../../../types';
+import { createNginxLog } from '../../../nginx_proxy/lib/events/create_nginx_log';
+
+interface Endpoint {
+  path: string;
+  method: 'GET' | 'POST';
+  action: string;
+  category: string;
+}
+
+const ENDPOINTS: Endpoint[] = [
+  {
+    path: '/api/listCustomers',
+    method: 'GET',
+    action: 'listCustomers',
+    category: 'administrative',
+  },
+  { path: '/api/viewUsers', method: 'GET', action: 'viewUsers', category: 'administrative' },
+  { path: '/api/deleteUser', method: 'POST', action: 'deleteUser', category: 'administrative' },
+  { path: '/api/createUser', method: 'POST', action: 'createUser', category: 'administrative' },
+  { path: '/api/editUser', method: 'POST', action: 'editUser', category: 'administrative' },
+];
+
+export const mongodbConnectionError: EventFunction = (_schedule, timestamp) => {
+  const endpoint = sample(ENDPOINTS) as Endpoint;
+  const user = getLoggedInUser();
+  const { path, method } = endpoint;
+  const host = sample(ADMIN_CONSOLE_HOSTS) as string;
+  const domain = sample(DOMAINS) as string;
+  const port = 6000;
+  const full = `https://${ADMIN_CONSOLE}.${domain}:${port}${path}`;
+  const userAgent = faker.internet.userAgent();
+
+  return [
+    createEvent(timestamp, ADMIN_CONSOLE, method, path, user, 'ERROR', 500, {
+      message: `MongoNetworkError: failed to connect to server [${MONGO_DB_GATEWAY}] on first connect [MongoNetworkError: connect ECONNREFUSED ${MONGO_DB_GATEWAY}]`,
+      event: {
+        action: endpoint.action,
+        category: endpoint.category,
+        duration: 60000 * 1000000,
+      },
+      host: { name: host },
+      url: {
+        domain,
+        subdomain: ADMIN_CONSOLE,
+        port,
+        full,
+        path,
+        username: user.id,
+      },
+      user_agent: {
+        original: userAgent,
+      },
+    }),
+    ...createNginxLog(
+      timestamp,
+      method,
+      500,
+      0,
+      path,
+      `https://${ADMIN_CONSOLE}.${domain}`,
+      userAgent,
+      `${ADMIN_CONSOLE}.${domain}`,
+      `${host}:${port}`,
+      user.id
+    ),
+  ];
+};
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/mongodb_proxy_timeout.ts
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/mongodb_proxy_timeout.ts
@ -0,0 +1,80 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { sample } from 'lodash';
+import { faker } from '@faker-js/faker';
+import { ADMIN_CONSOLE, ADMIN_CONSOLE_HOSTS, DOMAINS } from '../../../common/constants';
+import { createEvent } from './create_base_event';
+import { getLoggedInUser } from '../login_cache';
+import { EventFunction } from '../../../../../types';
+import { createNginxLog } from '../../../nginx_proxy/lib/events/create_nginx_log';
+
+interface Endpoint {
+  path: string;
+  method: 'GET' | 'POST';
+  action: string;
+  category: string;
+}
+
+const ENDPOINTS: Endpoint[] = [
+  {
+    path: '/api/listCustomers',
+    method: 'GET',
+    action: 'listCustomers',
+    category: 'administrative',
+  },
+  { path: '/api/viewUsers', method: 'GET', action: 'viewUsers', category: 'administrative' },
+  { path: '/api/deleteUser', method: 'POST', action: 'deleteUser', category: 'administrative' },
+  { path: '/api/createUser', method: 'POST', action: 'createUser', category: 'administrative' },
+  { path: '/api/editUser', method: 'POST', action: 'editUser', category: 'administrative' },
+];
+
+export const mongodbProxyTimeout: EventFunction = (_schedule, timestamp) => {
+  const endpoint = sample(ENDPOINTS) as Endpoint;
+  const user = getLoggedInUser();
+  const { path, method } = endpoint;
+  const host = sample(ADMIN_CONSOLE_HOSTS) as string;
+  const domain = sample(DOMAINS) as string;
+  const port = 6000;
+  const full = `https://${ADMIN_CONSOLE}.${domain}:${port}${path}`;
+  const userAgent = faker.internet.userAgent();
+
+  return [
+    createEvent(timestamp, ADMIN_CONSOLE, method, path, user, 'ERROR', 500, {
+      message: `WARNING: MongoDB Connection Timeout - Failed to connect to the database`,
+      event: {
+        action: endpoint.action,
+        category: endpoint.category,
+        duration: 60000 * 1000000,
+      },
+      host: { name: host },
+      url: {
+        domain,
+        subdomain: ADMIN_CONSOLE,
+        port,
+        full,
+        path,
+        username: user.id,
+      },
+      user_agent: {
+        original: userAgent,
+      },
+    }),
+    ...createNginxLog(
+      timestamp,
+      method,
+      500,
+      0,
+      path,
+      `https://${ADMIN_CONSOLE}.${domain}`,
+      userAgent,
+      `${ADMIN_CONSOLE}.${domain}`,
+      `${host}:${port}`,
+      user.id
+    ),
+  ];
+};
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/qa_deployed_to_production.ts
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/qa_deployed_to_production.ts
@ -0,0 +1,67 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { sample } from 'lodash';
+import { faker } from '@faker-js/faker';
+import { ADMIN_CONSOLE, ADMIN_CONSOLE_QA_HOSTS, DOMAINS } from '../../../common/constants';
+import { getLoggedInUser } from '../login_cache';
+import { EventFunction } from '../../../../../types';
+import { createUpstreamTimeout } from '../../../nginx_proxy/lib/events/create_upstream_timedout';
+import { createNginxLog } from '../../../nginx_proxy/lib/events/create_nginx_log';
+
+interface Endpoint {
+  path: string;
+  method: 'GET' | 'POST';
+  action: string;
+  category: string;
+}
+
+const ENDPOINTS: Endpoint[] = [
+  {
+    path: '/api/listCustomers',
+    method: 'GET',
+    action: 'listCustomers',
+    category: 'administrative',
+  },
+  { path: '/api/viewUsers', method: 'GET', action: 'viewUsers', category: 'administrative' },
+  { path: '/api/deleteUser', method: 'POST', action: 'deleteUser', category: 'administrative' },
+  { path: '/api/createUser', method: 'POST', action: 'createUser', category: 'administrative' },
+  { path: '/api/editUser', method: 'POST', action: 'editUser', category: 'administrative' },
+];
+
+export const qaDeployedToProduction: EventFunction = (_schedule, timestamp) => {
+  const endpoint = sample(ENDPOINTS) as Endpoint;
+  const user = getLoggedInUser();
+  const { path, method } = endpoint;
+  const host = sample(ADMIN_CONSOLE_QA_HOSTS) as string;
+  const domain = sample(DOMAINS) as string;
+  const port = 3333;
+  const userAgent = faker.internet.userAgent();
+
+  return [
+    ...createUpstreamTimeout(
+      timestamp,
+      method,
+      path,
+      `${ADMIN_CONSOLE}.${domain}`,
+      `${host}:${port}`,
+      user.id
+    ),
+    ...createNginxLog(
+      timestamp,
+      method,
+      502,
+      0,
+      path,
+      `https://${ADMIN_CONSOLE}.${domain}`,
+      userAgent,
+      `${ADMIN_CONSOLE}.${domain}`,
+      `${host}:${port}`,
+      user.id
+    ),
+  ];
+};
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/startup.ts
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/startup.ts
@ -0,0 +1,31 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { Doc, EventFunction } from '../../../../../types';
+import { ADMIN_CONSOLE, ADMIN_CONSOLE_HOSTS } from '../../../common/constants';
+
+export const createStartupEvents: EventFunction = (_schedule, timestamp) =>
+  ADMIN_CONSOLE_HOSTS.reduce((acc: Doc[], name: string) => {
+    const events = [
+      {
+        namespace: ADMIN_CONSOLE,
+        '@timestamp': timestamp.toISOString(),
+        tags: [`infra:${ADMIN_CONSOLE}`],
+        event: {
+          action: 'startup',
+          category: 'initialization',
+        },
+        message: 'Admin console starting up...',
+        host: { name },
+        log: {
+          level: 'INFO',
+          logger: ADMIN_CONSOLE,
+        },
+      },
+    ];
+    return [...acc, ...events];
+  }, [] as Doc[]);
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/view_user.ts
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/events/view_user.ts
@ -0,0 +1,74 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { sample, camelCase, random } from 'lodash';
+import { faker } from '@faker-js/faker';
+import { DOMAINS, ADMIN_CONSOLE, ADMIN_CONSOLE_HOSTS } from '../../../common/constants';
+import { getLoggedInUser } from '../login_cache';
+import { createEvent } from './create_base_event';
+import { createReadEvent } from '../../../mongodb/lib/events/mongo_actions';
+import { EventFunction } from '../../../../../types';
+import { createNginxLog } from '../../../nginx_proxy/lib/events/create_nginx_log';
+
+export const viewUsers: EventFunction = (_schedule, timestamp) => {
+  const user = getLoggedInUser();
+  const domain = sample(DOMAINS) as string;
+  const port = 6000;
+  const path = '/api/viewUsers';
+  const query = `customerId=${faker.helpers.slugify(faker.company.name())}`;
+  const full = `https://${ADMIN_CONSOLE}.${domain}:${port}${path}?${query}`;
+  const userAgent = faker.internet.userAgent();
+  const bytes = parseInt(faker.string.numeric(3), 10);
+  const host = sample(ADMIN_CONSOLE_HOSTS) as string;
+  const method = 'GET';
+  const statusCode = 200;
+
+  const event = createEvent(timestamp, ADMIN_CONSOLE, 'GET', path, user, 'INFO', 200, {
+    message: `${method} ${path}?${query} ${statusCode} ${bytes} - ${userAgent}`,
+    event: {
+      action: 'viewUsers',
+      category: 'administrative',
+      duration: random(10, 100) * 1000000,
+    },
+    'http.response.bytes': bytes,
+    url: {
+      domain,
+      subdomain: ADMIN_CONSOLE,
+      port,
+      full,
+      path,
+      query,
+      username: user.id,
+    },
+    user_agent: {
+      original: userAgent,
+    },
+  });
+
+  return [
+    event,
+    ...createReadEvent(
+      timestamp,
+      host,
+      camelCase(`${ADMIN_CONSOLE}-agent`),
+      camelCase(ADMIN_CONSOLE),
+      'users'
+    ),
+    ...createNginxLog(
+      timestamp,
+      method,
+      statusCode,
+      bytes,
+      path,
+      `https://${ADMIN_CONSOLE}.${domain}`,
+      userAgent,
+      `${ADMIN_CONSOLE}.${domain}`,
+      `${host}:${port}`,
+      user.id
+    ),
+  ];
+};
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/login_cache.ts
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/admin_console/lib/login_cache.ts
@ -0,0 +1,52 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { faker } from '@faker-js/faker';
+import { sample } from 'lodash';
+
+export interface User {
+  id: string;
+  name: string;
+  roles: string[];
+}
+
+export const loginCache = new Map();
+
+export function loginUser(user: User) {
+  return Boolean(loginCache.set(user.id, user));
+}
+
+export function logoutUser(user: User) {
+  return Boolean(loginCache.delete(user.id));
+}
+
+export function isLoggedIn(user: User) {
+  return loginCache.has(user.id);
+}
+
+export function createUser(): User {
+  const firstName = faker.person.firstName();
+  const lastName = faker.person.lastName();
+  const userName = faker.internet.userName({ firstName, lastName });
+  return {
+    id: userName,
+    name: `${firstName} ${lastName}`,
+    roles: [sample(['admin', 'customer']) as string],
+  };
+}
+
+export function getLoggedInUser(): User {
+  if (loginCache.size > 200) {
+    const existingUser = sample(Array.from(loginCache.values()));
+    if (existingUser) {
+      return existingUser;
+    }
+  }
+  const newUser = createUser();
+  loginUser(newUser);
+  return newUser;
+}
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/assets/transaction_rates.ndjson
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/assets/transaction_rates.ndjson
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/common/constants.ts
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/common/constants.ts
@ -0,0 +1,39 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { times, padStart } from 'lodash';
+
+export const ADMIN_CONSOLE = 'admin-console';
+
+export const ADMIN_CONSOLE_HOSTS = times(20).map(
+  (n) => `${ADMIN_CONSOLE}.prod.${padStart(`${n + 1}`, 3, '0')}`
+);
+export const ADMIN_CONSOLE_QA_HOSTS = times(5).map(
+  (n) => `${ADMIN_CONSOLE}.qa.${padStart(`${n + 1}`, 3, '0')}`
+);
+export const ADMIN_CONSOLE_STAGING_HOSTS = times(5).map(
+  (n) => `${ADMIN_CONSOLE}.staging.${padStart(`${n + 1}`, 3, '0')}`
+);
+
+export const MONGODB = 'mongodb';
+
+export const MONGODB_HOSTS = times(3).map((n) => `${MONGODB}.prod.${padStart(`${n + 1}`, 3, '0')}`);
+
+export const MESSAGE_PROCESSOR = 'message_processor';
+
+export const MESSAGE_PROCESSOR_HOSTS = times(10).map(
+  (n) => `${MESSAGE_PROCESSOR}.prod.${padStart(`${n + 1}`, 3, '0')}`
+);
+
+export const DOMAINS = ['blast-mail.co', 'mail.at', 'the-post.box', 'you-got.mail'];
+
+export const MONGO_DB_GATEWAY = 'mongodb-gateway.mail-sass.co:27017';
+
+export const NGINX_PROXY = 'nginx_proxy';
+export const NGINX_PROXY_HOSTS = times(5).map(
+  (n) => `${NGINX_PROXY}.prod.${padStart(`${n + 1}`, 3, '0')}`
+);
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/common/weighted_sample.ts
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/common/weighted_sample.ts
@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { times, sample } from 'lodash';
+
+export const weightedSample = <F>(collection: Array<[F, number]>) => {
+  const samples = collection.reduce((acc, row) => {
+    const [item, weight] = row;
+    return [...acc, ...times(weight).map(() => item)];
+  }, [] as F[]);
+  return sample(samples);
+};
--- a/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/index.ts
+++ b/x-pack/packages/kbn-data-forge/src/data_sources/fake_stack/index.ts
@ -0,0 +1,59 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { isArray } from 'lodash';
+import {
+  generateEvent as generateAdminConsole,
+  kibanaAssets as kibanaAssetsAdminConsole,
+} from './admin_console';
+import { generateEvent as generateMongoDB, kibanaAssets as kibanaAssetsMongoDB } from './mongodb';
+import {
+  generateEvent as generateMessageProcessor,
+  kibanaAssets as kibanaAssetsMessageProcessor,
+} from './message_processor';
+import {
+  generateEvent as generateNginxProxy,
+  kibanaAssets as kibanaAssetsNginxProxy,
+} from './nginx_proxy';
+import { GeneratorFunction } from '../../types';
+
+import { indexTemplate as adminConsoleIndexTemplate } from './admin_console/ecs';
+import { indexTemplate as messageProcessorIndexTemplate } from './message_processor/ecs';
+import { indexTemplate as mongodbIndexTemplate } from './mongodb/ecs';
+import { indexTemplate as nginxProxyIndexTemplate } from './nginx_proxy/ecs';
+
+export const indexTemplate = [
+  adminConsoleIndexTemplate,
+  messageProcessorIndexTemplate,
+  mongodbIndexTemplate,
+  nginxProxyIndexTemplate,
+];
+
+export const kibanaAssets = [
+  kibanaAssetsAdminConsole,
+  kibanaAssetsMongoDB,
+  kibanaAssetsMessageProcessor,
+  kibanaAssetsNginxProxy,
+  `${__dirname}/assets/transaction_rates.ndjson`,
+];
+
+export const generteEvent: GeneratorFunction = (config, schedule, index, timestamp) => {
+  const scenario = config.indexing.scenario || 'fake_stack';
+  const adminConsoleEvents = generateAdminConsole(config, schedule, index, timestamp);
+  const mongodbEvents = generateMongoDB(config, schedule, index, timestamp);
+  const messageProcessorEvents = generateMessageProcessor(config, schedule, index, timestamp);
+  const nginxProxyEvents = generateNginxProxy(config, schedule, index, timestamp);
+  return [
+    ...(isArray(adminConsoleEvents) ? adminConsoleEvents : [adminConsoleEvents]),
+    ...(isArray(mongodbEvents) ? mongodbEvents : [mongodbEvents]),
+    ...(isArray(messageProcessorEvents) ? messageProcessorEvents : [messageProcessorEvents]),
+    ...(isArray(nginxProxyEvents) ? nginxProxyEvents : [nginxProxyEvents]),
+  ].map((event) => {
+    const labels = event.labels ?? {};
+    return { ...event, labels: { ...labels, scenario } };
+  });
+};
--- a/Show more
+++ b/Show more