Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add missing properties to fields.yml spec #314

Merged
merged 18 commits into from
May 9, 2022
Merged
Show file tree
Hide file tree
Changes from 17 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions test/packages/good/data_stream/foo/fields/some_fields.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,3 +35,15 @@
- name: error.message
description: Error message.
type: match_only_text
- name: metric.*_bytes
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit. Is this an intentional test case? We don't use to have wildcards mixed with suffixes, not sure if everything works as expected with this.

Suggested change
- name: metric.*_bytes
- name: metric.*.bytes

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was intentional to test the pattern specified for name. It really is an area of unspecified behavior at the moment. I was operating under the assumption that wildcards will be used to implement behavior similar to path_match. But for now this is a test case just to check that the pattern matches fields like this:

https://github.com/elastic/integrations/blob/3c88555054fd24a461babebe624d8645b5feea6c/packages/aws/data_stream/cloudwatch_metrics/fields/package-fields.yml#L16

We should refine this area of the spec for dynamic fields.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I could remove the pattern for now. Then when we get to dynamic fields add it back to match the definition there.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh ok, lets leave it. Thanks.

type: long
- name: a
type: nested
include_in_parent: true
- name: a.b
type: keyword
- name: c
type: nested
include_in_root: true
- name: c.d
type: keyword
3 changes: 3 additions & 0 deletions versions/1/changelog.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,9 @@
- description: Prepare for support of multiple, independent package types. Require "type" to be present in manifest.
type: enhancement
link: https://github.com/elastic/package-spec/pull/323
- description: Define all fields properties currently supported.
type: enhancement
link: https://github.com/elastic/package-spec/pull/314
- version: 1.7.0
changes:
- description: Add kibana/osquery-pack-asset
Expand Down
193 changes: 184 additions & 9 deletions versions/1/integration/data_stream/fields/fields.spec.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,11 +9,11 @@ spec:
additionalProperties: true
properties:
name:
description: Name of field
type: string
title:
description: Title of field
description: >
Name of field. Names containing dots are automatically split into
sub-fields.
type: string
pattern: '^[*_@A-Za-z0-9]+(\.[*_@A-Za-z0-9]+)*$'
type:
description: Datatype of field
type: string
Expand All @@ -25,7 +25,7 @@ spec:
- match_only_text
- keyword
- long
- integer
- integer # Fleet always maps this as 'long'.
- short
- byte
- double
Expand All @@ -52,20 +52,33 @@ spec:
- wildcard
- version
- unsigned_long

description:
description: Short description of field
type: string

value:
description: The value to associate with a constant_keyword field.
type: string

metric_type:
description: Metric type
description: >
The metric type of a numeric field. This is attached to the
field as a `time_series_metric` mapping parameter. A gauge is a
single-value measurement that can go up or down over time, such as a
temperature. A counter is a single-value cumulative counter that only
goes up, such as the number of requests processed by a web server. By
default, no metric type is associated with a field.
type: string
enum:
- counter
- gauge

unit:
description: Unit
description: >
Unit type to associate with a numeric field. This is attached to the
field as metadata (via `meta`). By default, a field does not have a
unit. The convention for percents is to use value 1 to mean 100%.
type: string
enum:
- byte
Expand All @@ -77,22 +90,184 @@ spec:
- ms
- micros
- nanos

dimension:
description: Declare a field as dimension of time series
description: >
Declare a field as dimension of time series. This is
attached to the field as a `time_series_dimension` mapping parameter.
type: boolean
default: false

pattern:
description: Regular expression pattern of the field value
description: >
Regular expression pattern matching the allowed values for the field.
This is used for development-time data validation.
type: string
examples:
- '^[a-zA-Z]$'

external:
description: External source reference
type: string
enum:
- ecs

fields:
description: Sub-fields, when type is group
$ref: "#" # JSON-schema syntax for pointing to the root of the schema

doc_values:
description: >
Controls whether doc values are enabled for a field. All fields which
support doc values have them enabled by default. If you are sure that
you don’t need to sort or aggregate on a field, or access the field
value from a script, you can disable doc values in order to save disk
space. You cannot disable doc values for wildcard fields.
type: boolean

index:
description: >
The index option controls whether field values are indexed. Fields
that are not indexed are typically not queryable.
type: boolean
default: true

copy_to:
description: >
The copy_to parameter allows you to copy the values of multiple fields
into a group field, which can then be queried as a single field.
type: string

enabled:
description: >
The enabled setting, which can be applied only to the top-level
mapping definition and to object fields, causes Elasticsearch to skip
parsing of the contents of the field entirely. The JSON can still be
retrieved from the _source field, but it is not searchable or stored
in any other way.
type: boolean

dynamic:
description: >
The dynamic parameter controls whether new fields are added
dynamically. It accepts the following values:

true - New fields are added to the mapping (default).

runtime - New fields are added to the mapping as runtime fields. These
fields are not indexed, and are loaded from _source at query time.

false - New fields are ignored. These fields will not be indexed or
searchable, but will still appear in the _source field of returned
hits. These fields will not be added to the mapping, and new fields
must be added explicitly.

strict - If new fields are detected, an exception is thrown and the
document is rejected. New fields must be explicitly added to the
mapping.
default: true
enum:
- true
- false
- strict
- runtime # Not supported at this time by Fleet.

scaling_factor:
description: >
The scaling factor to use when encoding values. Values will be
multiplied by this factor at index time and rounded to the closest
long value. For instance, a scaled_float with a scaling_factor of 10
would internally store 2.34 as 23 and all search-time operations
(queries, aggregations, sorting) will behave as if the document had a
value of 2.3. High values of scaling_factor improve accuracy but also
increase space requirements. Only valid for 'type: scaled_float'.
type: integer
default: 1000

analyzer:
description: >
Name of the analyzer to use for indexing. Unless search_analyzer is
specified this analyzer is used for both indexing and searching.
Only valid for 'type: text'.
type: string

search_analyzer:
description: >
Name of the analyzer to use for searching. Only valid for 'type: text'.
type: string

multi_fields:
description: >
It is often useful to index the same field in different ways for
different purposes. This is the purpose of multi-fields. For instance,
a string field could be mapped as a text field for full-text search,
and as a keyword field for sorting or aggregations.

Fleet honors this for `keyword`, `text`, and `wildcard` types.
$ref: "#" # JSON-schema syntax for pointing to the root of the schema

null_value:
description: >
The null_value parameter allows you to replace explicit null values
with the specified value so that it can be indexed and searched.

A null value cannot be indexed or searched. When a field is set to
null, (or an empty array or an array of null values) it is treated as
though that field has no values.

The null_value needs to be the same data type as the field. For
instance, a long field cannot have a string null_value.

The null_value only influences how data is indexed, it doesn’t modify
the _source document.
examples:
- "NULL"

ignore_above:
description: >
Strings longer than the ignore_above setting will not be indexed or
stored. For arrays of strings, ignore_above will be applied for each
array element separately and string elements longer than ignore_above
will not be indexed or stored. Fleet honors this for `keyword` and
`wildcard` types. Defaults to 1024.
type: integer
default: 1024

object_type:
description: >
Required for `type: array` to specify the data type in the array.
type: string

path:
description: >
For alias type fields this is the path to the target field. Note that
this must be the full path, including any parent objects
(e.g. object1.object2.field).
type: string

normalizer:
description: >
Specifies the name of a normalizer to apply to keyword fields. A
simple normalizer called lowercase ships with elasticsearch and can be
used. Custom normalizers can be defined as part of analysis index
settings.
type: string

include_in_parent:
description: >
For nested field types, this specifies if all fields in the nested
object are also added to the parent document as standard (flat)
fields.
type: boolean
default: false

include_in_root:
description: >
For nested field types, this specifies if all fields in the nested
object are also added to the root document as standard (flat)
fields.
type: boolean
default: false

required:
- name