Description
As per the transform's package-spec, the field definition is the same as for data stream fields. Reference: https://github.com/elastic/package-spec/blob/main/spec/integration/elasticsearch/transform/spec.yml#L55

But when fields are defined with `external: ecs`, the mapping in the destination index is incorrect.
Steps to reproduce the bug (found in v8.9.0 on Elastic Cloud):

- Define ECS fields under `packages/ti_anomali/elasticsearch/transform/latest_ioc/fields/fields.yml` as `external: ecs`, just like under `packages/ti_anomali/data_stream/threatstream/fields/ecs.yml`. Example:

  ```yaml
  - name: message
    external: ecs
  - name: error.message
    external: ecs
  ```

- Build the package using `elastic-package build`.
- Install the package by direct upload of the zip: https://www.elastic.co/guide/en/fleet/current/fleet-apis.html#installPackageByUpload
- Check the source data stream mapping and the destination index mapping by navigating in Kibana via:
  - Source: Stack Management -> Index Management -> Component Templates -> logs-ti_anomali.threatstream@package -> Mappings
  - Destination: Stack Management -> Index Management -> Component Templates -> logs-ti_anomali.latest_ioc-template@package -> Mappings
- Verify that the mapping is incorrect.
  - Source:

    ```json
    "message": { "type": "match_only_text" },
    "error": { "properties": { "message": { "type": "match_only_text" } } },
    ```

  - Destination:

    ```json
    "message": { "ignore_above": 1024, "type": "keyword" },
    "error": { "properties": { "message": { "ignore_above": 1024, "type": "keyword" } } },
    ```
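The last step compares the two component-template mappings by eye. The following is an added example, not code from this issue or from `elastic-package`, that does the same comparison programmatically: it flattens the nested `properties` blocks of a source and a destination mapping into dotted field paths and reports every field whose `type` differs. The two mapping dicts are constructed inline from the snippets above (plus one extra `threat.indicator.ip` field, added here only to show that a matching field is not flagged); in practice they would be loaded from the output of `GET _component_template/<name>` or `GET <index>/_mapping`.

```python
"""Compare field types between a source data stream mapping and a
transform destination mapping, flagging fields whose types diverge."""
import json
from typing import Dict, List, Tuple

# Constructed sample: the source mapping as reported in the issue for
# logs-ti_anomali.threatstream@package, plus one extra matching field
# (threat.indicator.ip) that is not in the issue text.
SOURCE_MAPPING = json.loads("""
{
  "properties": {
    "message": { "type": "match_only_text" },
    "error": { "properties": { "message": { "type": "match_only_text" } } },
    "threat": { "properties": { "indicator": { "properties": {
      "ip": { "type": "ip" } } } } }
  }
}
""")

# Constructed sample: the destination mapping as reported for
# logs-ti_anomali.latest_ioc-template@package, with the same extra field.
DEST_MAPPING = json.loads("""
{
  "properties": {
    "message": { "ignore_above": 1024, "type": "keyword" },
    "error": { "properties": { "message": { "ignore_above": 1024, "type": "keyword" } } },
    "threat": { "properties": { "indicator": { "properties": {
      "ip": { "type": "ip" } } } } }
  }
}
""")


def flatten_types(mapping: Dict, prefix: str = "") -> Dict[str, str]:
    """Walk a mapping's nested "properties" blocks and return
    {dotted.field.path: type}. Object fields that carry only "properties"
    and no explicit "type" are recursed into but not reported themselves."""
    out: Dict[str, str] = {}
    for name, spec in mapping.get("properties", {}).items():
        path = f"{prefix}{name}"
        if "type" in spec:
            out[path] = spec["type"]
        if "properties" in spec:
            out.update(flatten_types(spec, prefix=f"{path}."))
    return out


def mapping_mismatches(source: Dict, dest: Dict) -> List[Tuple[str, str, str]]:
    """Return (field, source_type, dest_type) for every field present in both
    mappings whose type differs, sorted by field path. Fields present in only
    one mapping are ignored, since a transform may legitimately add or drop
    fields; only type drift on shared fields is reported."""
    src_types = flatten_types(source)
    dst_types = flatten_types(dest)
    return sorted(
        (field, src_types[field], dst_types[field])
        for field in src_types.keys() & dst_types.keys()
        if src_types[field] != dst_types[field]
    )


if __name__ == "__main__":
    for field, src_t, dst_t in mapping_mismatches(SOURCE_MAPPING, DEST_MAPPING):
        print(f"{field}: source={src_t} destination={dst_t}")
```

Run against the constructed samples, the script lists `error.message` and `message` as `match_only_text` in the source but `keyword` in the destination, which is exactly the divergence the issue describes, while `threat.indicator.ip` is not reported because its type agrees on both sides.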