Skip to content

Better out-of-the-box mappings for logs, metrics and synthetics #64978

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 24 commits into from
May 4, 2021
Merged

Better out-of-the-box mappings for logs, metrics and synthetics #64978

Show file tree
Hide file tree
Changes from 21 commits
Commits
Show all changes
24 commits
Select commit Hold shift + click to select a range
1100b95
Proposal: Default templates: Path match for ip and message
ruflin Nov 12, 2020
dae84d6
Update x-pack/plugin/core/src/main/resources/logs-mappings.json
ruflin Nov 12, 2020
90ca4b1
update mapping with discussion
ruflin Nov 20, 2020
35d0727
Update x-pack/plugin/core/src/main/resources/logs-mappings.json
ruflin Nov 26, 2020
ce72eef
Update x-pack/plugin/core/src/main/resources/logs-mappings.json
ruflin Nov 26, 2020
2e130a5
Put the most specific dynamic templates first.
jpountz Nov 26, 2020
7497f29
Add tests for dynamic templates.
jpountz Nov 26, 2020
ce711a7
add mappings to metrics and synthetics too
ruflin Dec 22, 2020
30e97b3
Merge branch 'master' into path-match-ip-message
ruflin Dec 22, 2020
74cb397
add index renaming
ruflin Dec 22, 2020
67bed57
Merge branch 'master' into path-match-ip-message
jpountz Apr 21, 2021
863bae7
Increment registry version.
jpountz Apr 21, 2021
5dc16be
Trim message field from metrics and synthetics templates.
jpountz Apr 21, 2021
9ea0a35
Fix tests.
jpountz Apr 21, 2021
4707606
Factor conventions that are the same for all types into a single file.
jpountz Apr 21, 2021
d6eb0af
Merge branch 'master' into path-match-ip-message
jpountz Apr 21, 2021
4c04815
Merge remote-tracking branch 'origin/master' into path-match-ip-message
jpountz Apr 22, 2021
c9249b5
Fix data_stream type.
jpountz Apr 22, 2021
db58ab9
Simplify host and observer mappings.
jpountz Apr 22, 2021
9950d8b
Fix indentation.
jpountz Apr 22, 2021
c4cb7fd
Fix test failure.
jpountz Apr 22, 2021
f7376e5
Move `message` dynamic template to the shared mapping template.
jpountz May 3, 2021
42c9f58
Remove `observer` field.
jpountz May 3, 2021
89eb06d
Merge branch 'master' into path-match-ip-message
jpountz May 4, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
61 changes: 61 additions & 0 deletions x-pack/plugin/core/src/main/resources/data-streams-mappings.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
{
"template": {
"mappings": {
"dynamic_templates": [
{
"match_ip": {
"match_mapping_type": "string",
"match": "ip",
"mapping": {
"type": "ip"
}
}
},
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false,
"properties": {
"@timestamp": {
"type": "date"
},
"data_stream": {
"properties": {
"dataset": {
"type": "constant_keyword"
},
"namespace": {
"type": "constant_keyword"
}
}
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"host": {
"type": "object"
},
"observer": {
Copy link
Contributor Author

@ruflin ruflin Apr 23, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we could leave this one out.

"type": "object"
}
}
}
},
"_meta": {
"description": "general mapping conventions for data streams",
"managed": true
},
"version": ${xpack.stack.template.version}
}
38 changes: 5 additions & 33 deletions x-pack/plugin/core/src/main/resources/logs-mappings.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,51 +3,23 @@
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"match_message": {
"match_mapping_type": "string",
"match": "message",
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
"type": "match_only_text"
Copy link
Contributor Author

@ruflin ruflin Apr 23, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this a breaking change?

Copy link
Contributor

@jpountz jpountz Apr 24, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What aspect are you concerned with? I expect this to be transparent for the vast majority of our users, and I started discussions with the ECS team to make similar changes on ECS.

Copy link
Contributor Author

@ruflin ruflin Apr 26, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Read up on it by now a bit more. What happens if a user runs a non "supported" query across logs-* and some message fields are text and some are match_only_text. Is an error returned or the non supported fields are just skipped?

Copy link
Contributor

@jpountz jpountz May 3, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The only unsupported queries are span queries. If a span query is run, then all shards that have the field mapped as match_only_text will be ignored from the search response and reported as "failed".

}
}
}
],
"date_detection": false,
"properties": {
"@timestamp": {
"type": "date"
},
"data_stream": {
"properties": {
"type": {
"type": "constant_keyword",
"value": "logs"
},
"dataset": {
"type": "constant_keyword"
},
"namespace": {
"type": "constant_keyword"
}
}
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"host": {
"properties": {
"ip": {
"type": "ip"
}
}
},
"message": {
"type": "text"
}
}
}
Expand Down
1 change: 1 addition & 0 deletions x-pack/plugin/core/src/main/resources/logs-template.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
"data_stream": {},
"composed_of": [
"logs-mappings",
"data-streams-mappings",
"logs-settings"
Comment on lines 6 to 8
Copy link
Member

@dakrone dakrone Apr 22, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should apply the data-streams-mappings settings first, so that any changes made to the logs-mappings component template always take precedence over the generic data stream mappings.

Suggested change
"logs-mappings",
"data-streams-mappings",
"logs-settings"
"data-streams-mappings",
"logs-mappings",
"logs-settings"

What do you think?

Copy link
Contributor

@jpountz jpountz Apr 24, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually this would break tests because then the dynamic template that maps strings as keywords would take precedence over the dynamic template that maps message fields as match_only_text. In order to change the order, we would also need to configure unmatch:message on the default dynamic template that maps strings as keywords. What is your preference?

],
"allow_auto_create": true,
Expand Down
36 changes: 0 additions & 36 deletions x-pack/plugin/core/src/main/resources/metrics-mappings.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,48 +1,12 @@
{
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false,
"properties": {
"@timestamp": {
"type": "date"
},
"data_stream": {
"properties": {
"type": {
"type": "constant_keyword",
"value": "metrics"
},
"dataset": {
"type": "constant_keyword"
},
"namespace": {
"type": "constant_keyword"
}
}
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"host": {
"properties": {
"ip": {
"type": "ip"
}
}
}
Expand Down
1 change: 1 addition & 0 deletions x-pack/plugin/core/src/main/resources/metrics-template.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
"data_stream": {},
"composed_of": [
"metrics-mappings",
"data-streams-mappings",
Comment on lines 6 to +7
Copy link
Member

@dakrone dakrone Apr 22, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here with:

Suggested change
"metrics-mappings",
"data-streams-mappings",
"data-streams-mappings",
"metrics-mappings",

"metrics-settings"
],
"allow_auto_create": true,
Expand Down
43 changes: 0 additions & 43 deletions x-pack/plugin/core/src/main/resources/synthetics-mappings.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,55 +1,12 @@
{
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false,
"properties": {
"@timestamp": {
"type": "date"
},
"data_stream": {
"properties": {
"type": {
"type": "constant_keyword",
"value": "synthetics"
},
"dataset": {
"type": "constant_keyword"
},
"namespace": {
"type": "constant_keyword"
}
}
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"host": {
"properties": {
"ip": {
"type": "ip"
}
}
},
"observer": {
"properties": {
"ip": {
"type": "ip"
}
}
}
Expand Down
1 change: 1 addition & 0 deletions x-pack/plugin/core/src/main/resources/synthetics-template.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
"data_stream": {},
"composed_of": [
"synthetics-mappings",
"data-streams-mappings",
Comment on lines 6 to +7
Copy link
Member

@dakrone dakrone Apr 22, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And same here with:

Suggested change
"synthetics-mappings",
"data-streams-mappings",
"data-streams-mappings",
"synthetics-mappings",

"synthetics-settings"
],
"allow_auto_create": true,
Expand Down
108 changes: 106 additions & 2 deletions x-pack/plugin/stack/qa/rest/src/yamlRestTest/resources/rest-api-spec/test/stack/10_basic.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,10 @@ setup:
ilm.get_lifecycle:
policy: "metrics"

- do:
cluster.get_component_template:
name: data-streams-mappings

- do:
cluster.get_component_template:
name: logs-mappings
Expand Down Expand Up @@ -46,6 +50,11 @@ setup:
body:
"@timestamp": "2020-01-01"
message: "test-log-message"
source.ip: "10.1.2.3"
log.file.path: "/var/log/web/access.log"
data_stream.type: "logs"
data_stream.dataset: "foo"
data_stream.namespace: "bar"

- do:
indices.get_data_stream:
Expand All @@ -66,7 +75,16 @@ setup:
- is_true: .$idx0name.settings
- is_true: .$idx0name.mappings
- match: { .$idx0name.settings.index.lifecycle.name: "logs" }
- match: { .$idx0name.mappings.properties.data_stream.properties.type.type: "constant_keyword" }
- match: { .$idx0name.mappings.properties.data_stream.properties.type.value: "logs" }
- match: { .$idx0name.mappings.properties.data_stream.properties.dataset.type: "constant_keyword" }
- match: { .$idx0name.mappings.properties.data_stream.properties.dataset.value: "foo" }
- match: { .$idx0name.mappings.properties.data_stream.properties.namespace.type: "constant_keyword" }
- match: { .$idx0name.mappings.properties.data_stream.properties.namespace.value: "bar" }
- is_true: .$idx0name.mappings.properties.message
- match: { .$idx0name.mappings.properties.message.type: "match_only_text" }
- match: { .$idx0name.mappings.properties.source.properties.ip.type: "ip" }
- match: { .$idx0name.mappings.properties.log.properties.file.properties.path.type: "keyword" }
- match: { .$idx0name.data_stream: "logs-foo-bar" }

- do:
Expand All @@ -80,7 +98,10 @@ setup:
index: metrics-foo-bar
body:
"@timestamp": "2020-01-01"
message: "test-log-message"
source.ip: "10.1.2.3"
data_stream.type: "metrics"
data_stream.dataset: "foo"
data_stream.namespace: "bar"

- do:
indices.get_data_stream:
Expand All @@ -101,9 +122,92 @@ setup:
- is_true: .$idx0name.settings
- is_true: .$idx0name.mappings
- match: { .$idx0name.settings.index.lifecycle.name: "metrics" }
- is_true: .$idx0name.mappings.properties.message
- match: { .$idx0name.mappings.properties.data_stream.properties.type.type: "constant_keyword" }
- match: { .$idx0name.mappings.properties.data_stream.properties.type.value: "metrics" }
- match: { .$idx0name.mappings.properties.data_stream.properties.dataset.type: "constant_keyword" }
- match: { .$idx0name.mappings.properties.data_stream.properties.dataset.value: "foo" }
- match: { .$idx0name.mappings.properties.data_stream.properties.namespace.type: "constant_keyword" }
- match: { .$idx0name.mappings.properties.data_stream.properties.namespace.value: "bar" }
- match: { .$idx0name.mappings.properties.source.properties.ip.type: "ip" }
- match: { .$idx0name.data_stream: "metrics-foo-bar" }

- do:
indices.delete_data_stream:
name: metrics-foo-bar

---
"Test synthetics index auto creation":
- do:
index:
index: synthetics-foo-bar
body:
"@timestamp": "2020-01-01"
source.ip: "10.1.2.3"
data_stream.type: "synthetics"
data_stream.dataset: "foo"
data_stream.namespace: "bar"

- do:
indices.get_data_stream:
name: synthetics-foo-bar

- match: { data_streams.0.name: synthetics-foo-bar }
- match: { data_streams.0.timestamp_field.name: '@timestamp' }
- match: { data_streams.0.generation: 1 }
- length: { data_streams.0.indices: 1 }
- match: { data_streams.0.indices.0.index_name: '/\.ds-synthetics-foo-bar-(\d{4}\.\d{2}\.\d{2}-)?000001/' }

- set: { data_streams.0.indices.0.index_name: idx0name }

- do:
indices.get:
index: $idx0name

- is_true: .$idx0name.settings
- is_true: .$idx0name.mappings
- match: { .$idx0name.settings.index.lifecycle.name: "synthetics" }
- match: { .$idx0name.mappings.properties.data_stream.properties.type.type: "constant_keyword" }
- match: { .$idx0name.mappings.properties.data_stream.properties.type.value: "synthetics" }
- match: { .$idx0name.mappings.properties.data_stream.properties.dataset.type: "constant_keyword" }
- match: { .$idx0name.mappings.properties.data_stream.properties.dataset.value: "foo" }
- match: { .$idx0name.mappings.properties.data_stream.properties.namespace.type: "constant_keyword" }
- match: { .$idx0name.mappings.properties.data_stream.properties.namespace.value: "bar" }
- match: { .$idx0name.mappings.properties.source.properties.ip.type: "ip" }
- match: { .$idx0name.data_stream: "synthetics-foo-bar" }

- do:
indices.delete_data_stream:
name: synthetics-foo-bar

---
"Test wrong data_stream type":

- do:
catch: bad_request
index:
index: synthetics-dataset0-namespace1
body:
"@timestamp": "2020-01-01"
data_stream.type: "logs"
data_stream.dataset: "dataset0"
data_stream.namespace: "namespace1"

- do:
catch: bad_request
index:
index: logs-dataset0-namespace1
body:
"@timestamp": "2020-01-01"
data_stream.type: "metrics"
data_stream.dataset: "dataset0"
data_stream.namespace: "namespace1"

- do:
catch: bad_request
index:
index: metrics-dataset0-namespace1
body:
"@timestamp": "2020-01-01"
data_stream.type: "synthetics"
data_stream.dataset: "dataset0"
data_stream.namespace: "namespace1"
Loading