Auto generate ECS fields #141152
Auto generate ECS fields #141152
Conversation
nkhristinin
added
the
release_note:skip
|
LGTM! |
|
@elasticmachine merge upstream |
|
I'm not seeing any version labels - what stack release are we targetting for this? |
@pmuellr The goal is to merge it for 8.5, but the branch not yet created, so I didn't add any specific label |
|
@elasticmachine merge upstream |
|
Do we actually need and benefit from all of these ECS fields added to the existing alerts-as-data indices? Prior to us minimizing the number of alert indices that are created as outlined by the future of alerts as data, we should be careful about adding new fields to the alerts-as-data indices. Each field we add to the mappings will increase Elasticsearch's data node heap usage. This isn't as bad for customers who don't have a large number of Kibana spaces, adding more fields isn't "that bad". For example, if the customer only has a single space, increasing from 1,500 to 2,000 fields will only increase the data node heap usage for alerts indices that are storing 12 months of data from 18.43 MB to 24.58 MB. However, if they have a 1,000 spaces this will increase the data node heap usage from 18.43 GB to 24.58 GB. |
@kobelb that's a complicated question. This PR does incorporate fields that we do not currently use, as this PR includes:
I think an argument can be made that the beta fields are more numerous than they should be (due to limitations with the ECS tooling), which I'm currently pursuing. That will limit the fields in the first data point to ones that we DO use. That still leaves the second question, however: if ECS introduces new fields, and users start adopting those fields in their data, when (if at all) do we start supporting that on the solution side? |
nkhristinin
added
the
backport:prev-minor
|
For clarity, can someone confirm how many new fields would actually be added to the alert index mappings with this PR? Here is some additional background:
The original design principle for the security signals index (now the Alerts index) was that it would always support the full set of ECS fields that were current at the time of release. This was driven by the draft RFC Guidelines for ensuring compatibility between Elastic ECS data producers and consumers #1 which states that the security solution "MUST work properly on any data that is compliant with the latest published version of ECS at the time of the Elastic Stack feature freeze for the app/content." Over approximately the past year The number of ECS fields had grown as follows:
Since approximately the 8.2 timeframe, we've been in an ambiguous state, agreeing to be intentional about adding new fields to keep the alert index mappings from exploding in size, but at the same time, living with the tension of possible user dissatisfaction because we've made an exception to the ECS "contract" to fully support users' ECS-compliant data in solutions (i.e. if user data is in ECS format, it will be added to detection Alerts.) In essence, we've created a de facto "exclude list" of ECS fields that are not supported in the Alert field mappings. AFAIK, this list is not documented in user-facing documents, and there seems to be some lack of clarity as to how to update alert index mappings with some new ECS fields, but not all ECS fields. At this point, there seems to be two options:
|
|
@MikePaquette Show fields |
|
Decision:
|
|
If end up doing a subset of fields, at a minimum we need:
|
@simianhacker is this specific to the More explicitly: are you saying that there are NEW ECS fields that o11y needs in 8.5, or are you just requesting that we not remove any of the existing fields? |
|
@rylnd I'm saying at a minimum, O11y needs those "top level" fields (objects) added to the mappings for Alert-As-Data. |
|
I updated PR, with only risk fields and some updates for fields that @simianhacker mention |
|
@elasticmachine merge upstream |
💚 Build Succeeded
Metrics [docs]Async chunks
History
To update your PR or re-run it, just comment with: |
* Auto generate ecs fields * Update field limits * Update ecs fields Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit e039e3e)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
* Auto generate ecs fields * Update field limits * Update ecs fields Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit e039e3e) Co-authored-by: Khristinin Nikita <nikita.khristinin@elastic.co>
How I did generate:
cd ${KIBANA_FOLDER}cd ..ecsfoder herecd kibananode x-pack/plugins/rule_registry/scripts/generate_ecs_fieldmap/index.js