Skip to content

Commit

Permalink
[Automatic Import] add timestamp to ECS constants (elastic#204931)
Browse files Browse the repository at this point in the history
## Summary

Ensure mapping contains `@timestamp` field whenever possible.
elastic#196040

Tested cases:
| test case | has `@timestamp` | is expected result |
|---|---|---|
| sample logs with datetime value for `time` and `expires` fields | yes
(picked `time` as `@timestamp`) | ✅ |
| sample logs with datetime value for `expires` field only | no | ✅ |
| sample logs with no datetime values | no | ✅ |
| sample logs with `created_at` field that does not contain datetime
value | no | ✅ |


Tested values for `time` field:

| value  | match correctly `@timestamp` |
|---|---|
| `2024-02-24T06:56:50.648137154Z` | ✅ |
| `10/01/2023 12:34:56`  | ✅ |
| `01-10-2023 12:34:56` | ✅ |
| `Thu, 25 December 2023 10:15:00GMT` | ✅ 

---------

Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: Ilya Nikokoshev <[email protected]>
  • Loading branch information
3 people authored and cqliu1 committed Jan 2, 2025
1 parent f9564c7 commit f426d8c
Show file tree
Hide file tree
Showing 4 changed files with 51 additions and 1 deletion.
Original file line number Diff line number Diff line change
Expand Up @@ -1681,6 +1681,7 @@ export const ECS_TYPES: EcsFields = {
};

export const ECS_FIELDS: EcsFields = {
'@timestamp': 'Date/time when the event originated.',
'as.number': 'Unique number allocated to the autonomous system.',
'as.organization.name': 'Organization name of the autonomous system.',
'client.address': 'Client network address.',
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ Go through each value step by step and modify it with the following process:
9. When you want to use an ECS field as a value for a target, but another field already has the same ECS field as its target, try to find another fitting ECS field. If none is found then the one you are least confident about should have the object replaced with null.
10. If you are not confident for a specific field, you should always set the value to null.
11. These {package_name} log samples are based on source and destination type data, prioritize these compared to other related ECS fields like host.* and observer.*.
12. Whenever possible, map the @timestamp field to the relevant field that contains the event creation date.
You ALWAYS follow these guidelines when writing your response:
<guidelines>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,12 +5,15 @@
* 2.0.
*/

import { ecsTestState } from '../../../__jest__/fixtures/ecs_mapping';
import { ECS_RESERVED } from './constants';

import { EcsMappingState } from '../../types';
import {
extractECSMapping,
findDuplicateFields,
findInvalidEcsFields,
handleValidateMappings,
removeReservedFields,
} from './validate';

Expand Down Expand Up @@ -286,3 +289,48 @@ describe('removeReservedFields', () => {
expect(ecsMapping).not.toEqual(result);
});
});

describe('handleValidateMappings', () => {
it('should return empty missing fields if none found', () => {
const state: EcsMappingState = ecsTestState;
state.currentMapping = {
test: {
test: {
event: { target: 'event.action', confidence: 0.95, type: 'string' },
},
},
};
state.combinedSamples = JSON.stringify({
test: {
test: {
event: 'cert.create',
},
},
});
const { missingKeys } = handleValidateMappings({ state });

expect(missingKeys).toEqual([]);
});

it('should return missing fields list if any', () => {
const state: EcsMappingState = ecsTestState;
state.currentMapping = {
test: {
test: {
event: { target: 'event.action', confidence: 0.95, type: 'string' },
},
},
};
state.combinedSamples = JSON.stringify({
test: {
test: {
event: 'cert.create',
version: '1',
},
},
});
const { missingKeys } = handleValidateMappings({ state });

expect(missingKeys).toEqual(['test.test.version']);
});
});
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,6 @@
"@kbn/kibana-utils-plugin",
"@kbn/utils",
"@kbn/zod",
"@kbn/tooling-log"
"@kbn/tooling-log",
]
}

0 comments on commit f426d8c

Please sign in to comment.