[8.x] [Auto Import] Improve the ECS mapping extraction logic (#195167) (#195586)

# Backport

This will backport the following commits from `main` to `8.x`:

- [[Auto Import] Improve the ECS mapping extraction logic (#195167)](#195167)

<!--- Backport version: 9.4.3 -->

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Source commit `637d796071f067f8cab37165dd8f80111251ae81` (author Ilya Nikokoshev, committed 2024-10-09T12:24:00Z, source branch `main`), merged as https://github.com/elastic/kibana/pull/195167 with labels `release_note:fix`, `v9.0.0`, `backport:prev-major`, `Team:Security-Scalability`, `Feature:AutomaticImport`. Source commit message:

[Auto Import] Improve the ECS mapping extraction logic (#195167)

## Release Notes

Automatic Import is more forgiving if an LLM returns an ECS mapping in a
slightly unexpected format.

## Summary

When implementing #194386 an issue
has been encountered where Claude returns the field name `date_format`
instead of expected `date_formats` and the ECS chain breaks down.

We add this case as a test to
`x-pack/plugins/integration_assistant/server/graphs/ecs/validate.test`.

Without the changes in this PR the list returned by
`findInvalidEcsFields` is

```
[
  'Reserved ECS field mapping identified for event.created : ai_postgres_202410050058.logs.column1.target',
  'Invalid ECS field mapping identified for 0.9 : ai_postgres_202410050058.logs.column1.confidence, ai_postgres_202410050058.logs.column5.confidence',
  'Invalid ECS field mapping identified for date : ai_postgres_202410050058.logs.column1.type, ai_postgres_202410050058.logs.column9.type',
  'Invalid ECS field mapping identified for 0.95 : ai_postgres_202410050058.logs.column12.confidence',
  'Invalid ECS field mapping identified for string : ai_postgres_202410050058.logs.column12.type, ai_postgres_202410050058.logs.column14.type, ai_postgres_202410050058.logs.column24.type, ai_postgres_202410050058.logs.column5.type, ai_postgres_202410050058.logs.column3.type, ai_postgres_202410050058.logs.column2.type',
  'Invalid ECS field mapping identified for 0.8 : ai_postgres_202410050058.logs.column9.confidence, ai_postgres_202410050058.logs.column3.confidence',
  'Invalid ECS field mapping identified for 0.7 : ai_postgres_202410050058.logs.column14.confidence, ai_postgres_202410050058.logs.column2.confidence',
  'Invalid ECS field mapping identified for 0.85 : ai_postgres_202410050058.logs.column24.confidence'
]
```

while with these changes the result does not contain any `Invalid ECS field` messages.

The key changes are in the `processMapping` function:

1. We made the function more forgiving in regards to the input, accepting
`date_format` in lieu of `date_formats`.
2. We have removed the collection of "other paths", that is, the reverse
index for simple values like `0.8`.

The latter change generally limits the impact of any other format issues
in the ECS mapping in the future.

Additionally, the function has been renamed to `extractECSMapping`, its
output type validated, and documentation has been added.

---------

Co-authored-by: Elastic Machine <[email protected]>

Co-authored-by: Ilya Nikokoshev <[email protected]>
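
The two changes described in the commit message, sketched as an added example that is not Kibana's code: every function name, the assumed leaf shape (`target`, `confidence`, `type` plus a date-formats key), the allow-list and the sample LLM reply are hypothetical or constructed. It shows why indexing bare values produces "invalid field" entries such as `0.9` and `date`, and why dropping that index contains a malformed entry.

```typescript
// Added example; not Kibana's code. Every name below is hypothetical.
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };
type JsonObject = { [key: string]: Json };
interface Options { tolerant: boolean; indexScalars: boolean }

const isObject = (v: Json): v is JsonObject =>
  typeof v === 'object' && v !== null && !Array.isArray(v);

// Assumed leaf shape: target, confidence, type, plus a date-formats key.
function isLeaf(node: JsonObject, tolerant: boolean): boolean {
  const hasDates = 'date_formats' in node || (tolerant && 'date_format' in node);
  return 'target' in node && 'confidence' in node && 'type' in node && hasDates;
}

// Reverse index: value -> paths where it was found. The accumulator has a null
// prototype so a key such as "constructor" from the LLM cannot hit Object.prototype.
function indexTargets(node: JsonObject, opts: Options, path: string[] = [],
  out: Record<string, string[]> = Object.create(null)): Record<string, string[]> {
  const add = (key: string, where: string[]) => {
    out[key] = (out[key] || []).concat(where.join('.'));
  };
  for (const key of Object.keys(node)) {
    const value = node[key];
    const here = path.concat(key);
    if (isObject(value)) {
      if (!isLeaf(value, opts.tolerant)) indexTargets(value, opts, here, out);
      else if (typeof value.target === 'string') add(value.target, here);
    } else if (opts.indexScalars && value !== null && !Array.isArray(value)) {
      add(String(value), here); // the "other paths" index the commit removes
    }
  }
  return out;
}

// Keys of the reverse index that are not known field names.
function findInvalid(index: Record<string, string[]>, known: string[]): string[] {
  return Object.keys(index).filter((name) => known.indexOf(name) === -1);
}

// Constructed allow-list and LLM reply, shaped like the one in the commit message.
const KNOWN = ['event.start', 'source.ip', 'user.name'];
const SAMPLE: JsonObject = {
  ai_postgres: { logs: {
    column1: { target: 'event.start', confidence: 0.9, type: 'date', date_format: ['ISO8601'] },
    column5: { target: 'source.ip', confidence: 0.9, type: 'string', date_formats: [] },
    column9: { target: 'user.name', confidence: 0.8 }, // malformed: no type, no dates
  } },
};
const oldOpts: Options = { tolerant: false, indexScalars: true };
const newOpts: Options = { tolerant: true, indexScalars: false };
const invalidBefore = findInvalid(indexTargets(SAMPLE, oldOpts), KNOWN);
const invalidAfter = findInvalid(indexTargets(SAMPLE, newOpts), KNOWN);
console.log({ invalidBefore, invalidAfter });
```

In this sketch the malformed `column9` entry is simply not mapped under the new options, rather than leaking its scalar values into the validation report.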