[Rule Registry] Remove constant_keyword field mappings from ECS component template (#123486) (#123497)

* Remove constant_keyword field mappings from ECS component template These ECS fields are meant for specific indices (datastreams), but do not make sense (especially as `constant_keyword`) on our alerts-as-data indices, as they will cause errors when attempting to ingest different values from different indices. * Filter out constant_keyword fields from ECS fieldmap The results of this were already applied to the fields themselves, but this ensures that the script does not accidentally repopulate them in the future. Implementation-wise, it was simpler to refactor this into a reduce() rather than explicitly using filter() and then generating a new object. (cherry picked from commit ee34a7a694) Co-authored-by: Ryland Herrick <ryalnd@gmail.com>
2025-04-24 01:38:56 -04:00 · 2022-01-20 15:01:29 -05:00 · 2022-01-20 15:01:29 -05:00 · e603d50f6e
commit e603d50f6e
parent a3fc7ae8ce
2 changed files with 20 additions and 27 deletions
--- a/x-pack/plugins/rule_registry/common/assets/field_maps/ecs_field_map.ts
+++ b/x-pack/plugins/rule_registry/common/assets/field_maps/ecs_field_map.ts
@ -415,21 +415,6 @@ export const ecsFieldMap = {
    array: false,
    required: false,
  },
-  'data_stream.dataset': {
-    type: 'constant_keyword',
-    array: false,
-    required: false,
-  },
-  'data_stream.namespace': {
-    type: 'constant_keyword',
-    array: false,
-    required: false,
-  },
-  'data_stream.type': {
-    type: 'constant_keyword',
-    array: false,
-    required: false,
-  },
  'destination.address': {
    type: 'keyword',
    array: false,
--- a/x-pack/plugins/rule_registry/scripts/generate_ecs_fieldmap/index.js
+++ b/x-pack/plugins/rule_registry/scripts/generate_ecs_fieldmap/index.js
@ -9,7 +9,7 @@ const fs = require('fs');
 const util = require('util');
 const yaml = require('js-yaml');
 const { exec: execCb } = require('child_process');
-const { mapValues } = require('lodash');
+const { reduce } = require('lodash');

 const exists = util.promisify(fs.exists);
 const readFile = util.promisify(fs.readFile);
@ -32,19 +32,27 @@ async function generate() {

  const flatYaml = await yaml.safeLoad(await readFile(ecsYamlFilename));

-  const fields = mapValues(flatYaml, (description) => {
-    const field = {
-      type: description.type,
-      array: description.normalize.includes('array'),
-      required: !!description.required,
-    };
+  const fields = reduce(
+    flatYaml,
+    (fieldsObj, value, key) => {
+      const field = {
+        type: value.type,
+        array: value.normalize.includes('array'),
+        required: !!value.required,
+      };

-    if (description.scaling_factor) {
-      field.scaling_factor = description.scaling_factor;
-    }
+      if (value.scaling_factor) {
+        field.scaling_factor = value.scaling_factor;
+      }

-    return field;
-  });
+      if (field.type !== 'constant_keyword') {
+        fieldsObj[key] = field;
+      }
+
+      return fieldsObj;
+    },
+    {}
+  );

  await Promise.all([
    writeFile(