diff --git a/package/endpoint/elasticsearch/index_template/metrics-metadata-current.json b/package/endpoint/elasticsearch/index_template/metrics-metadata-current.json
deleted file mode 100644
index dabc7078d..000000000
--- a/package/endpoint/elasticsearch/index_template/metrics-metadata-current.json
+++ /dev/null
@@ -1,310 +0,0 @@
-{
- "index_patterns": [
- "metrics-endpoint.metadata_current_*"
- ],
- "priority": 200,
- "template": {
- "mappings": {
- "dynamic": "false",
- "_meta": {},
- "dynamic_templates": [
- {
- "strings_as_keyword": {
- "match_mapping_type": "string",
- "mapping": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- ],
- "date_detection": false,
- "properties": {
- "@timestamp": {
- "type": "date"
- },
- "updated_at": {
- "type": "alias",
- "path": "event.ingested"
- },
- "Endpoint": {
- "properties": {
- "configuration": {
- "properties": {
- "isolation": {
- "type": "boolean",
- "null_value": false
- }
- }
- },
- "policy": {
- "properties": {
- "applied": {
- "properties": {
- "id": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "name": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "status": {
- "type": "keyword",
- "ignore_above": 1024
- }
- }
- }
- }
- },
- "state": {
- "properties": {
- "isolation": {
- "type": "boolean",
- "null_value": false
- }
- }
- },
- "status": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "capabilities": {
- "type": "keyword",
- "ignore_above": 128,
- "doc_values": false
- }
- }
- },
- "agent": {
- "properties": {
- "id": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "name": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "type": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "version": {
- "type": "keyword",
- "ignore_above": 1024
- }
- }
- },
- "data_stream": {
- "properties": {
- "dataset": {
- "type": "constant_keyword",
- "value": "endpoint.metadata"
- },
- "namespace": {
- "type": "keyword"
- },
- "type": {
- "type": "constant_keyword",
- "value": "metrics"
- }
- }
- },
- "ecs": {
- "properties": {
- "version": {
- "type": "keyword",
- "ignore_above": 1024
- }
- }
- },
- "elastic": {
- "properties": {
- "agent": {
- "properties": {
- "id": {
- "type": "keyword",
- "ignore_above": 1024
- }
- }
- }
- }
- },
- "event": {
- "properties": {
- "action": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "category": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "created": {
- "type": "date"
- },
- "dataset": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ingested": {
- "type": "date"
- },
- "kind": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "module": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "outcome": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "provider": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sequence": {
- "type": "long"
- },
- "severity": {
- "type": "long"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "host": {
- "properties": {
- "architecture": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "hostname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ip": {
- "type": "ip"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "os": {
- "properties": {
- "Ext": {
- "properties": {
- "variant": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full": {
- "fields": {
- "caseless": {
- "ignore_above": 1024,
- "normalizer": "lowercase",
- "type": "keyword"
- },
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kernel": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "fields": {
- "caseless": {
- "ignore_above": 1024,
- "normalizer": "lowercase",
- "type": "keyword"
- },
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "platform": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uptime": {
- "type": "long"
- }
- }
- }
- }
- },
- "settings": {
- "index": {
- "codec": "best_compression",
- "refresh_interval": "5s",
- "number_of_shards": "1",
- "number_of_routing_shards": "30",
- "sort.field": [
- "@timestamp",
- "agent.id"
- ],
- "sort.order": [
- "desc",
- "asc"
- ]
- }
- },
- "aliases": {}
- }
-}
\ No newline at end of file
diff --git a/package/endpoint/elasticsearch/index_template/metrics-metadata-united.json b/package/endpoint/elasticsearch/index_template/metrics-metadata-united.json
deleted file mode 100644
index f3d0c766f..000000000
--- a/package/endpoint/elasticsearch/index_template/metrics-metadata-united.json
+++ /dev/null
@@ -1,546 +0,0 @@
-{
- "index_patterns": [
- ".metrics-endpoint.metadata_united_*"
- ],
- "priority": 200,
- "template": {
- "mappings": {
- "dynamic": "false",
- "_meta": {},
- "dynamic_templates": [
- {
- "strings_as_keyword": {
- "match_mapping_type": "string",
- "mapping": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- ],
- "date_detection": false,
- "properties": {
- "agent": {
- "properties": {
- "id": {
- "type": "keyword",
- "ignore_above": 1024
- }
- }
- },
- "united": {
- "properties": {
- "endpoint": {
- "properties": {
- "@timestamp": {
- "type": "date"
- },
- "Endpoint": {
- "properties": {
- "configuration": {
- "properties": {
- "isolation": {
- "type": "boolean",
- "null_value": false
- }
- }
- },
- "policy": {
- "properties": {
- "applied": {
- "properties": {
- "id": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "name": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "status": {
- "type": "keyword",
- "ignore_above": 1024
- }
- }
- }
- }
- },
- "state": {
- "properties": {
- "isolation": {
- "type": "boolean",
- "null_value": false
- }
- }
- },
- "status": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "capabilities": {
- "type": "keyword",
- "ignore_above": 128,
- "doc_values": false
- }
- }
- },
- "agent": {
- "properties": {
- "id": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "name": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "type": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "version": {
- "type": "keyword",
- "ignore_above": 1024
- }
- }
- },
- "data_stream": {
- "properties": {
- "dataset": {
- "type": "constant_keyword",
- "value": "endpoint.metadata"
- },
- "namespace": {
- "type": "keyword"
- },
- "type": {
- "type": "constant_keyword",
- "value": "metrics"
- }
- }
- },
- "ecs": {
- "properties": {
- "version": {
- "type": "keyword",
- "ignore_above": 1024
- }
- }
- },
- "elastic": {
- "properties": {
- "agent": {
- "properties": {
- "id": {
- "type": "keyword",
- "ignore_above": 1024
- }
- }
- }
- }
- },
- "event": {
- "properties": {
- "action": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "category": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "created": {
- "type": "date"
- },
- "dataset": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ingested": {
- "type": "date"
- },
- "kind": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "module": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "outcome": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "provider": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sequence": {
- "type": "long"
- },
- "severity": {
- "type": "long"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "host": {
- "properties": {
- "architecture": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "hostname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ip": {
- "type": "ip"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "os": {
- "properties": {
- "Ext": {
- "properties": {
- "variant": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full": {
- "fields": {
- "caseless": {
- "ignore_above": 1024,
- "normalizer": "lowercase",
- "type": "keyword"
- },
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kernel": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "fields": {
- "caseless": {
- "ignore_above": 1024,
- "normalizer": "lowercase",
- "type": "keyword"
- },
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "platform": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uptime": {
- "type": "long"
- }
- }
- }
- },
- "agent": {
- "properties": {
- "access_api_key_id": {
- "type": "keyword"
- },
- "action_seq_no": {
- "type": "integer",
- "index": false
- },
- "active": {
- "type": "boolean"
- },
- "agent": {
- "properties": {
- "id": {
- "type": "keyword"
- },
- "version": {
- "type": "keyword"
- }
- }
- },
- "default_api_key": {
- "type": "keyword"
- },
- "default_api_key_id": {
- "type": "keyword"
- },
- "enrolled_at": {
- "type": "date"
- },
- "last_checkin": {
- "type": "date"
- },
- "last_checkin_status": {
- "type": "keyword"
- },
- "last_checkin_message": {
- "type": "text",
- "index": false
- },
- "last_updated": {
- "type": "date"
- },
- "local_metadata": {
- "properties": {
- "elastic": {
- "properties": {
- "agent": {
- "properties": {
- "build": {
- "properties": {
- "original": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- }
- }
- },
- "id": {
- "type": "keyword"
- },
- "log_level": {
- "type": "keyword"
- },
- "snapshot": {
- "type": "boolean"
- },
- "upgradeable": {
- "type": "boolean"
- },
- "version": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 16
- }
- }
- }
- }
- }
- }
- },
- "host": {
- "properties": {
- "architecture": {
- "type": "keyword"
- },
- "hostname": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "id": {
- "type": "keyword"
- },
- "ip": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 64
- }
- }
- },
- "mac": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 17
- }
- }
- },
- "name": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- }
- }
- },
- "os": {
- "properties": {
- "family": {
- "type": "keyword"
- },
- "full": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 128
- }
- }
- },
- "kernel": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 128
- }
- }
- },
- "name": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "platform": {
- "type": "keyword"
- },
- "version": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 32
- }
- }
- }
- }
- }
- }
- },
- "packages": {
- "type": "keyword"
- },
- "policy_coordinator_idx": {
- "type": "integer"
- },
- "policy_id": {
- "type": "keyword"
- },
- "policy_output_permissions_hash": {
- "type": "keyword"
- },
- "policy_revision_idx": {
- "type": "integer"
- },
- "shared_id": {
- "type": "keyword"
- },
- "type": {
- "type": "keyword"
- },
- "unenrolled_at": {
- "type": "date"
- },
- "unenrolled_reason": {
- "type": "keyword"
- },
- "unenrollment_started_at": {
- "type": "date"
- },
- "updated_at": {
- "type": "date"
- },
- "upgrade_started_at": {
- "type": "date"
- },
- "upgraded_at": {
- "type": "date"
- },
- "user_provided_metadata": {
- "type": "object",
- "enabled": false
- },
- "components": {
- "type": "object",
- "enabled": false
- }
- }
- }
- }
- }
- }
- },
- "settings": {
- "index": {
- "codec": "best_compression",
- "refresh_interval": "5s",
- "number_of_shards": "1",
- "number_of_routing_shards": "30",
- "hidden": true
- }
- },
- "aliases": {}
- }
-}
\ No newline at end of file
diff --git a/package/endpoint/elasticsearch/transform/metadata_current/default.json b/package/endpoint/elasticsearch/transform/metadata_current/default.json
deleted file mode 100644
index fe4e5f7c3..000000000
--- a/package/endpoint/elasticsearch/transform/metadata_current/default.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "source": {
- "index": "metrics-endpoint.metadata-*",
- "query": {
- "range": {
- "@timestamp": {
- "gt": "now-90d/d"
- }
- }
- }
- },
- "dest": {
- "index": "metrics-endpoint.metadata_current_default"
- },
- "latest": {
- "unique_key": [
- "elastic.agent.id"
- ],
- "sort": "@timestamp"
- },
- "description": "Latest Endpoint metadata document per host",
- "_meta": {
- "managed": true
- },
- "frequency": "1s",
- "sync": {
- "time": {
- "field": "event.ingested",
- "delay": "1s"
- }
- }
-}
\ No newline at end of file
diff --git a/package/endpoint/elasticsearch/transform/metadata_current/fields/fields.yml b/package/endpoint/elasticsearch/transform/metadata_current/fields/fields.yml
new file mode 100644
index 000000000..8faab25b2
--- /dev/null
+++ b/package/endpoint/elasticsearch/transform/metadata_current/fields/fields.yml
@@ -0,0 +1,198 @@
+- name: "@timestamp"
+ type: date
+- name: updated_at
+ type: alias
+ path: event.ingested
+- name: Endpoint
+ type: group
+ fields:
+ - name: configuration
+ type: group
+ fields:
+ - name: isolation
+ type: boolean
+ null_value: false
+ - name: policy
+ type: group
+ fields:
+ - name: applied
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ ignore_above: 1024
+ - name: name
+ type: keyword
+ ignore_above: 1024
+ - name: status
+ type: keyword
+ ignore_above: 1024
+ - name: state
+ type: group
+ fields:
+ - name: isolation
+ type: boolean
+ null_value: false
+ - name: status
+ type: keyword
+ ignore_above: 1024
+ - name: capabilities
+ type: keyword
+ ignore_above: 128
+ doc_values: false
+- name: agent
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ ignore_above: 1024
+ - name: name
+ type: keyword
+ ignore_above: 1024
+ - name: type
+ type: keyword
+ ignore_above: 1024
+ - name: version
+ type: keyword
+ ignore_above: 1024
+- name: data_stream
+ type: group
+ fields:
+ - name: dataset
+ type: constant_keyword
+ value: endpoint.metadata
+ - name: namespace
+ type: keyword
+ - name: type
+ type: constant_keyword
+ value: metrics
+- name: ecs
+ type: group
+ fields:
+ - name: version
+ type: keyword
+ ignore_above: 1024
+- name: elastic
+ type: group
+ fields:
+ - name: agent
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ ignore_above: 1024
+- name: event
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ ignore_above: 1024
+ - name: category
+ type: keyword
+ ignore_above: 1024
+ - name: code
+ type: keyword
+ ignore_above: 1024
+ - name: created
+ type: date
+ - name: dataset
+ type: keyword
+ ignore_above: 1024
+ - name: hash
+ type: keyword
+ ignore_above: 1024
+ - name: id
+ type: keyword
+ ignore_above: 1024
+ - name: ingested
+ type: date
+ - name: kind
+ type: keyword
+ ignore_above: 1024
+ - name: module
+ type: keyword
+ ignore_above: 1024
+ - name: outcome
+ type: keyword
+ ignore_above: 1024
+ - name: provider
+ type: keyword
+ ignore_above: 1024
+ - name: sequence
+ type: long
+ - name: severity
+ type: long
+ - name: type
+ type: keyword
+ ignore_above: 1024
+- name: host
+ type: group
+ fields:
+ - name: architecture
+ type: keyword
+ ignore_above: 1024
+ - name: domain
+ type: keyword
+ ignore_above: 1024
+ - name: hostname
+ type: keyword
+ ignore_above: 1024
+ - name: id
+ type: keyword
+ ignore_above: 1024
+ - name: ip
+ type: ip
+ - name: mac
+ type: keyword
+ ignore_above: 1024
+ - name: name
+ type: keyword
+ ignore_above: 1024
+ - name: os
+ type: group
+ fields:
+ - name: Ext
+ type: group
+ fields:
+ - name: variant
+ type: keyword
+ ignore_above: 1024
+ - name: family
+ type: keyword
+ ignore_above: 1024
+ - name: full
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: caseless
+ type: keyword
+ normalizer: lowercase
+ ignore_above: 1024
+ - name: text
+ type: text
+ norms: false
+ - name: kernel
+ type: keyword
+ ignore_above: 1024
+ - name: name
+ fields:
+ - name: caseless
+ type: keyword
+ normalizer: lowercase
+ ignore_above: 1024
+ - name: text
+ type: text
+ norms: false
+ ignore_above: 1024
+ type: keyword
+ - name: platform
+ type: keyword
+ ignore_above: 1024
+ - name: version
+ type: keyword
+ ignore_above: 1024
+ - name: type
+ type: keyword
+ ignore_above: 1024
+ - name: uptime
+ type: long
diff --git a/package/endpoint/elasticsearch/transform/metadata_current/manifest.yml b/package/endpoint/elasticsearch/transform/metadata_current/manifest.yml
new file mode 100644
index 000000000..b7889baa5
--- /dev/null
+++ b/package/endpoint/elasticsearch/transform/metadata_current/manifest.yml
@@ -0,0 +1,13 @@
+destination_index_template:
+ settings:
+ index:
+ codec: best_compression
+ refresh_interval: 5s
+ number_of_shards: 1
+ number_of_routing_shards: 30
+ sort.field:
+ - "@timestamp"
+ - agent.id
+ sort.order:
+ - desc
+ - asc
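Review bot: The `host.os.name` entry near the end of this fields.yml declares its `caseless` and `text` sub-fields under `fields:` with `ignore_above: 1024` and `type: keyword` trailing after them, while the sibling `host.os.full` a few lines above and the same field in the metadata_united fields.yml of this commit use `multi_fields:`. The deleted index template declared both as `"fields"` on a keyword mapping, i.e. Elasticsearch multi-fields; in the package fields.yml format `fields:` denotes child fields of a group, so unless the build tooling tolerates it on a keyword, `host.os.name.caseless` and `host.os.name.text` would be emitted as nested properties or rejected rather than becoming multi-fields of `host.os.name`. Suggest rewriting the entry as `- name: name` / `type: keyword` / `ignore_above: 1024` followed by `multi_fields:` with the two sub-field definitions unchanged, matching `host.os.full`.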
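Review bot: The metadata_current manifest.yml carries only `settings`, while the deleted `metrics-metadata-current.json` template also set `"dynamic": "false"`, `"date_detection": false` and the `strings_as_keyword` dynamic template, and the metadata_united manifest in this same commit keeps all three under a `mappings:` block. Unless the package build injects them by default for transform destination templates, the `metrics-endpoint.metadata_current_*` index would fall back to dynamic mapping, so any field an endpoint metadata document carries beyond fields.yml gets mapped on ingest, with the usual mapping-growth and type-conflict risk for the transform's destination. Suggest adding a `mappings:` block mirroring the metadata_united manifest so the two destinations stay consistent.
```yaml
destination_index_template:
  # … unchanged: settings …
  mappings:
    dynamic: false
    _meta: {}
    dynamic_templates:
      - strings_as_keyword:
          match_mapping_type: string
          mapping:
            ignore_above: 1024
            type: keyword
    date_detection: false
```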
diff --git a/package/endpoint/elasticsearch/transform/metadata_current/transform.yml b/package/endpoint/elasticsearch/transform/metadata_current/transform.yml
new file mode 100644
index 000000000..cf697ec11
--- /dev/null
+++ b/package/endpoint/elasticsearch/transform/metadata_current/transform.yml
@@ -0,0 +1,20 @@
+source:
+ index: metrics-endpoint.metadata-*
+ query:
+ range:
+ "@timestamp":
+ gt: now-90d/d
+dest:
+ index: metrics-endpoint.metadata_current_default
+latest:
+ unique_key:
+ - elastic.agent.id
+ sort: "@timestamp"
+description: Latest Endpoint metadata document per host
+_meta:
+ managed: true
+frequency: 1s
+sync:
+ time:
+ field: event.ingested
+ delay: 1s
diff --git a/package/endpoint/elasticsearch/transform/metadata_united/default.json b/package/endpoint/elasticsearch/transform/metadata_united/default.json
deleted file mode 100644
index 38d565a0e..000000000
--- a/package/endpoint/elasticsearch/transform/metadata_united/default.json
+++ /dev/null
@@ -1,41 +0,0 @@
-{
- "source": {
- "index": [
- "metrics-endpoint.metadata_current_default*",
- ".fleet-agents*"
- ]
- },
- "dest": {
- "index": ".metrics-endpoint.metadata_united_default"
- },
- "frequency": "1s",
- "sync": {
- "time": {
- "delay": "4s",
- "field": "updated_at"
- }
- },
- "pivot": {
- "aggs": {
- "united": {
- "scripted_metric": {
- "init_script": "state.docs = []",
- "map_script": "state.docs.add(new HashMap(params['_source']))",
- "combine_script": "return state.docs",
- "reduce_script": "def ret = new HashMap(); for (s in states) { for (d in s) { if (d.containsKey('Endpoint')) { ret.endpoint = d } else { ret.agent = d } }} return ret"
- }
- }
- },
- "group_by": {
- "agent.id": {
- "terms": {
- "field": "agent.id"
- }
- }
- }
- },
- "description": "Merges latest Endpoint and Agent metadata documents",
- "_meta": {
- "managed": true
- }
-}
\ No newline at end of file
diff --git a/package/endpoint/elasticsearch/transform/metadata_united/fields/fields.yml b/package/endpoint/elasticsearch/transform/metadata_united/fields/fields.yml
new file mode 100644
index 000000000..666d01359
--- /dev/null
+++ b/package/endpoint/elasticsearch/transform/metadata_united/fields/fields.yml
@@ -0,0 +1,365 @@
+- name: agent
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ ignore_above: 1024
+- name: united
+ type: group
+ fields:
+ - name: endpoint
+ type: group
+ fields:
+ - name: "@timestamp"
+ type: date
+ - name: Endpoint
+ type: group
+ fields:
+ - name: configuration
+ type: group
+ fields:
+ - name: isolation
+ type: boolean
+ null_value: false
+ - name: policy
+ type: group
+ fields:
+ - name: applied
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ ignore_above: 1024
+ - name: name
+ type: keyword
+ ignore_above: 1024
+ - name: status
+ type: keyword
+ ignore_above: 1024
+ - name: state
+ type: group
+ fields:
+ - name: isolation
+ type: boolean
+ null_value: false
+ - name: status
+ type: keyword
+ ignore_above: 1024
+ - name: capabilities
+ type: keyword
+ ignore_above: 128
+ doc_values: false
+ - name: agent
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ ignore_above: 1024
+ - name: name
+ type: keyword
+ ignore_above: 1024
+ - name: type
+ type: keyword
+ ignore_above: 1024
+ - name: version
+ type: keyword
+ ignore_above: 1024
+ - name: data_stream
+ type: group
+ fields:
+ - name: dataset
+ type: constant_keyword
+ value: endpoint.metadata
+ - name: namespace
+ type: keyword
+ - name: type
+ type: constant_keyword
+ value: metrics
+ - name: ecs
+ type: group
+ fields:
+ - name: version
+ type: keyword
+ ignore_above: 1024
+ - name: elastic
+ type: group
+ fields:
+ - name: agent
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ ignore_above: 1024
+ - name: event
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ ignore_above: 1024
+ - name: category
+ type: keyword
+ ignore_above: 1024
+ - name: code
+ type: keyword
+ ignore_above: 1024
+ - name: created
+ type: date
+ - name: dataset
+ type: keyword
+ ignore_above: 1024
+ - name: hash
+ type: keyword
+ ignore_above: 1024
+ - name: id
+ type: keyword
+ ignore_above: 1024
+ - name: ingested
+ type: date
+ - name: kind
+ type: keyword
+ ignore_above: 1024
+ - name: module
+ type: keyword
+ ignore_above: 1024
+ - name: outcome
+ type: keyword
+ ignore_above: 1024
+ - name: provider
+ type: keyword
+ ignore_above: 1024
+ - name: sequence
+ type: long
+ - name: severity
+ type: long
+ - name: type
+ type: keyword
+ ignore_above: 1024
+ - name: host
+ type: group
+ fields:
+ - name: architecture
+ type: keyword
+ ignore_above: 1024
+ - name: domain
+ type: keyword
+ ignore_above: 1024
+ - name: hostname
+ type: keyword
+ ignore_above: 1024
+ - name: id
+ type: keyword
+ ignore_above: 1024
+ - name: ip
+ type: ip
+ - name: mac
+ type: keyword
+ ignore_above: 1024
+ - name: name
+ type: keyword
+ ignore_above: 1024
+ - name: os
+ type: group
+ fields:
+ - name: Ext
+ type: group
+ fields:
+ - name: variant
+ type: keyword
+ ignore_above: 1024
+ - name: family
+ type: keyword
+ ignore_above: 1024
+ - name: full
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: caseless
+ type: keyword
+ normalizer: lowercase
+ ignore_above: 1024
+ - name: text
+ type: text
+ norms: false
+ - name: kernel
+ type: keyword
+ ignore_above: 1024
+ - name: name
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: caseless
+ type: keyword
+ normalizer: lowercase
+ ignore_above: 1024
+ - name: text
+ type: text
+ norms: false
+ - name: platform
+ type: keyword
+ ignore_above: 1024
+ - name: version
+ type: keyword
+ ignore_above: 1024
+ - name: type
+ type: keyword
+ ignore_above: 1024
+ - name: uptime
+ type: long
+ - name: agent
+ type: group
+ fields:
+ - name: access_api_key_id
+ type: keyword
+ - name: action_seq_no
+ type: integer
+ index: false
+ - name: active
+ type: boolean
+ - name: agent
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ - name: version
+ type: keyword
+ - name: default_api_key
+ type: keyword
+ - name: default_api_key_id
+ type: keyword
+ - name: enrolled_at
+ type: date
+ - name: last_checkin
+ type: date
+ - name: last_checkin_status
+ type: keyword
+ - name: last_checkin_message
+ type: text
+ index: false
+ - name: last_updated
+ type: date
+ - name: local_metadata
+ type: group
+ fields:
+ - name: elastic
+ type: group
+ fields:
+ - name: agent
+ type: group
+ fields:
+ - name: build
+ type: group
+ fields:
+ - name: original
+ type: text
+ multi_fields:
+ - name: keyword
+ type: keyword
+ ignore_above: 256
+ - name: id
+ type: keyword
+ - name: log_level
+ type: keyword
+ - name: snapshot
+ type: boolean
+ - name: upgradeable
+ type: boolean
+ - name: version
+ type: text
+ multi_fields:
+ - name: keyword
+ type: keyword
+ ignore_above: 16
+ - name: host
+ type: group
+ fields:
+ - name: architecture
+ type: keyword
+ - name: hostname
+ type: text
+ multi_fields:
+ - name: keyword
+ type: keyword
+ ignore_above: 256
+ - name: id
+ type: keyword
+ - name: ip
+ type: text
+ multi_fields:
+ - name: keyword
+ type: keyword
+ ignore_above: 64
+ - name: mac
+ type: text
+ multi_fields:
+ - name: keyword
+ type: keyword
+ ignore_above: 17
+ - name: name
+ type: text
+ multi_fields:
+ - name: keyword
+ type: keyword
+ ignore_above: 256
+ - name: os
+ type: group
+ fields:
+ - name: family
+ type: keyword
+ - name: full
+ type: text
+ multi_fields:
+ - name: keyword
+ type: keyword
+ ignore_above: 128
+ - name: kernel
+ type: text
+ multi_fields:
+ - name: keyword
+ type: keyword
+ ignore_above: 128
+ - name: name
+ type: text
+ multi_fields:
+ - name: keyword
+ type: keyword
+ ignore_above: 256
+ - name: platform
+ type: keyword
+ - name: version
+ type: text
+ multi_fields:
+ - name: keyword
+ type: keyword
+ ignore_above: 32
+ - name: packages
+ type: keyword
+ - name: policy_coordinator_idx
+ type: integer
+ - name: policy_id
+ type: keyword
+ - name: policy_output_permissions_hash
+ type: keyword
+ - name: policy_revision_idx
+ type: integer
+ - name: shared_id
+ type: keyword
+ - name: type
+ type: keyword
+ - name: unenrolled_at
+ type: date
+ - name: unenrolled_reason
+ type: keyword
+ - name: unenrollment_started_at
+ type: date
+ - name: updated_at
+ type: date
+ - name: upgrade_started_at
+ type: date
+ - name: upgraded_at
+ type: date
+ - name: user_provided_metadata
+ type: object
+ enabled: false
+ - name: components
+ type: object
+ enabled: false
diff --git a/package/endpoint/elasticsearch/transform/metadata_united/manifest.yml b/package/endpoint/elasticsearch/transform/metadata_united/manifest.yml
new file mode 100644
index 000000000..0a3d5439a
--- /dev/null
+++ b/package/endpoint/elasticsearch/transform/metadata_united/manifest.yml
@@ -0,0 +1,18 @@
+destination_index_template:
+ settings:
+ index:
+ codec: best_compression
+ refresh_interval: 5s
+ number_of_shards: 1
+ number_of_routing_shards: 30
+ hidden: true
+ mappings:
+ dynamic: false
+ _meta: {}
+ dynamic_templates:
+ - strings_as_keyword:
+ match_mapping_type: string
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ date_detection: false
diff --git a/package/endpoint/elasticsearch/transform/metadata_united/transform.yml b/package/endpoint/elasticsearch/transform/metadata_united/transform.yml
new file mode 100644
index 000000000..6ee3c46cc
--- /dev/null
+++ b/package/endpoint/elasticsearch/transform/metadata_united/transform.yml
@@ -0,0 +1,26 @@
+source:
+ index:
+ - metrics-endpoint.metadata_current_default*
+ - ".fleet-agents*"
+dest:
+ index: .metrics-endpoint.metadata_united_default
+frequency: 1s
+sync:
+ time:
+ delay: 4s
+ field: updated_at
+pivot:
+ aggs:
+ united:
+ scripted_metric:
+ init_script: state.docs = []
+ map_script: state.docs.add(new HashMap(params['_source']))
+ combine_script: return state.docs
+ reduce_script: def ret = new HashMap(); for (s in states) { for (d in s) { if (d.containsKey('Endpoint')) { ret.endpoint = d } else { ret.agent = d } }} return ret
+ group_by:
+ agent.id:
+ terms:
+ field: agent.id
+description: Merges latest Endpoint and Agent metadata documents
+_meta:
+ managed: true
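Review bot: `united.agent.default_api_key` is mapped as an indexed `keyword` in this fields.yml, and the metadata_united transform.yml in the same commit copies every `.fleet-agents*` document into the destination unfiltered via `map_script: state.docs.add(new HashMap(params['_source']))`. If that field in `.fleet-agents` holds the agent's API key value rather than only its id (the id has its own `default_api_key_id` entry), the secret is replicated into `.metrics-endpoint.metadata_united_default`, which is `hidden: true` but not a system index, so it is readable by any role granted that pattern independently of the protections on `.fleet-agents`, and `dynamic: false` in the manifest does not help because `_source` is stored regardless of the mapping. Suggest dropping the `default_api_key` entry from this fields.yml and removing the key before it is collected, e.g. `map_script: def d = new HashMap(params['_source']); d.remove('default_api_key'); state.docs.add(d)`; `access_api_key_id` and `policy_output_permissions_hash` are identifiers/hashes and look fine to keep. Since Fleet may add other credential-bearing fields to agent documents later, an allow-list of the keys the script copies would be the more durable form of this fix.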