Add common dynamic mappings and properties from ECS automatically

[mrodm]

Relates #1018

This PR adds support to include some dynamic templates and properties from ECS that are commonly used and can be a source of conflicts if they don't have any mapping.

These mappings are added if packages enable the flag import_mappings in _dev/build/build.yml. This flag is introduced in elastic/package-spec#455 , and it would be available in a future version 2.3.0 of the spec.

Option 1:
All the dynamic templates names are prefixed with _embedded_ecs, so they can be distinguished easily by Fleet in case it is needed. For instance:

elasticsearch:
  index_template:
    mappings:
      dynamic_templates:
        - _embedded_ecs.ecs_timestamp:
            mapping:
              ignore_malformed: false
              type: date
            path_match: '@timestamp'
        - _embedded_ecs.data_stream_to_constant:
            mapping:
              type: constant_keyword
            path_match: data_stream.*

Option 2 (Discarded for now):
All the mappings added by this flag are added into the _meta field. Thereby, they are marked in case it is needed to know which ones were automatically added. Properties and dynamic templates are added to ecs_properties_added and ecs_dynamic_templates_added keys, respectively.
Example:

    "mappings": {
      "_meta": {
        "ecs_properties_added": [
          "@timestamp"
        ],
        "package": {
          "name": "elastic_package_registry"
        },
        "managed_by": "fleet",
        "managed": true,
        "ecs_dynamic_templates_added": [
          "data_stream_to_constant",
          "resolved_ip_to_ip",
          "forwarded_ip_to_ip",
          "ip_to_ip",
          "port_to_long",
          "thread_id_to_long",
          "status_code_to_long",
          "line_to_long",
          "priority_to_long",
          "code_to_long",
          "code_to_long",
          "bytes_to_long",
          "packets_to_long",
          "public_key_exponent_to_long",
          "severity_to_long",
          "duration_to_long",
          "pid_to_long",
          "uptime_to_long",
          "sequence_to_long",
          "entropy_to_long",
          "size_to_long",
          "entrypoint_to_long",
          "ttl_to_long",
          "major_to_long",
          "minor_to_long",
          "as_number_to_long",
          "pgid_to_long",
          "exit_code_to_long",
          "chi_to_long",
          "args_count_to_long",
          "virtual_address_to_long",
          "io_text_to_wildcard",
          "strings_to_wildcard",
          "path_to_wildcard",
          "message_id_to_wildcard",
          "command_line_to_multifield",
          "error_stack_trace_to_multifield",
          "http_content_to_multifield",
          "url_full_to_multifield",
          "url_original_to_multifield",
          "user_agent_original_to_multifield",
          "error_message_to_match_only",
          "message_match_only_text",
          "agent_name_to_keyword",
          "service_name_to_keyword",
          "sections_name_to_keyword",
          "resource_name_to_keyword",
          "observer_name_to_keyword",
          "question_name_to_keyword",
          "group_name_to_keyword",
          "geo_name_to_keyword",
          "host_name_to_keyword",
          "severity_name_to_keyword",
          "title_to_multifield",
          "executable_to_multifield",
          "file_path_to_multifield",
          "file_target_path_to_multifield",
          "name_to_multifield",
          "full_name_to_multifield",
          "os_full_to_multifield",
          "working_directory_to_multifield",
          "timestamp_to_date",
          "delivery_timestamp_to_date",
          "not_after_to_date",
          "not_before_to_date",
          "accessed_to_date",
          "origination_timestamp_to_date",
          "created_to_date",
          "installed_to_date",
          "creation_date_to_date",
          "ctime_to_date",
          "mtime_to_date",
          "ingested_to_date",
          "start_to_date",
          "end_to_date",
          "score_base_to_float",
          "score_temporal_to_float",
          "score_to_float",
          "score_norm_to_float",
          "usage_to_float",
          "location_to_geo_point",
          "same_as_process_to_boolean",
          "established_to_boolean",
          "resumed_to_boolean",
          "max_bytes_per_process_exceeded_to_boolean",
          "interactive_to_boolean",
          "exists_to_boolean",
          "trusted_to_boolean",
          "valid_to_boolean",
          "go_stripped_to_boolean",
          "coldstart_to_boolean",
          "exports_to_flattened",
          "structured_data_to_flattened",
          "imports_to_flattened",
          "attachments_to_nested",
          "segments_to_nested",
          "elf_sections_to_nested",
          "pe_sections_to_nested",
          "macho_sections_to_nested",
          "trigger_to_nested"
        ]
      },   

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-12-22T19:07:32.984+0000

• Duration: 35 min 8 sec

Test stats 🧪

Test	Results
Failed	0
Passed	870
Skipped	0
Total	870

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (35/35)	💚
Files	65.909% (87/132)	👎 -1.278
Classes	61.17% (115/188)	👎 -0.786
Methods	47.613% (379/796)	👎 -0.958
Lines	30.886% (3449/11167)	👎 -0.982
Conditionals	100.0% (0/0)	💚

[jsoriano]

Looks good, but added a couple of comments that may help to simplify this feature.

Ideally we will also need to take these mappings into account when validating field definitions on tests. Tests will start failing if developers remove their ECS definitions after enabling this import, although the final template will be correct.
But let's think about this in a followup. Current workaround would be to keep definitions required by tests.

[jsoriano]

Was there a strong reason to keep this field as an static property?

This single field forces us to maintain the special case of having also static properties defined here, requiring for example the additional meta field and so on. Would it be possible to define this as a dynamic template instead? It would be something like this:

   "dynamic_templates": [
      {
        "ecs_timestamp": {
          "path_match": "@timestamp",
          "mapping": {
            "type": "date",
            "ignore_malformed": false
          },
        },

And we could think on this feature as something like adds only dynamic templates. Also in the context of the spec change.

[mrodm]

I used the same json that was built here https://gist.github.com/P1llus/e0de7b3a7824a41a29660e253c6cce6b

I think it could be changed to be a dynamic template as you mentioned. @P1llus do you think in any inconvenient if it is changed ?

I would say there is no problem and it would simplify the code to just manage dynamic templates.

[mrodm]

For now I've moved that property to a dynamic template as suggested by @jsoriano.

If there is any inconvenient because of that, it could be re-introduced.

Currently, it has been followed the approach to add a prefix (_embedded_ecs.*) to all the names of the dynamic templates in the static file, so they can be identified easily. If properties are needed too, it should be added another way (using _meta field and lists as it was in a previous change?).

[mrodm]

to be removed before merging

[mrodm]

/test

[hop-dev]

I added one question but looks good to me, I like the new style of prefixing the name

[mrodm]

/test

[mrodm]

I've checked building and installing a test package in different versions of Kibana. In kibana 8.6.0-SNASPSHOT there was no issue. But in versions < 8.6.0 , the dot in the dynamic template names is causing this error:

Error installing elastic_package_registry 0.0.7: mapper_parsing_exception: [mapper_parsing_exception] Reason: Failed to parse mapping: Illegal dynamic template parameter: [ecs_timestamp]

I've updated how the name of each dynamic template is generated to replace the dot "." by a dash "-" @jsoriano @hop-dev

Thereby, the dynamic template generated would be like:

elasticsearch:
  index_template:
    mappings:
      dynamic_templates:
        - _embedded_ecs-ecs_timestamp:
            mapping:
              ignore_malformed: false
              type: date
            path_match: '@timestamp'
        - _embedded_ecs-data_stream_to_constant:
            mapping:
              type: constant_keyword
            path_match: data_stream.*
        - _embedded_ecs-resolved_ip_to_ip:
            mapping:
              type: ip
            match: resolved_ip

Tested with the following Kibana versions 7.17.8-SNAPSHOT, 8.0.0-SNAPSHOT, 8.5.0-SNAPSHOT and 8.6.0-SNAPSHOT