From fa776c0a355a37ca258c5b4d2e5341d33f66d276 Mon Sep 17 00:00:00 2001
From: Chris Berkhout
Date: Wed, 21 May 2025 14:48:58 +0200
Subject: [PATCH 1/3] elaspsedTime is a duration not a date.
---
 .../am_access/elasticsearch/ingest_pipeline/default.yml | 5 ++++-
 .../data_stream/am_access/fields/forgerock-fields.yml | 2 +-
 .../idm_access/elasticsearch/ingest_pipeline/default.yml | 5 ++++-
 .../data_stream/idm_access/fields/forgerock-fields.yml | 2 +-
 packages/forgerock/docs/README.md | 4 ++--
 5 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/packages/forgerock/data_stream/am_access/elasticsearch/ingest_pipeline/default.yml b/packages/forgerock/data_stream/am_access/elasticsearch/ingest_pipeline/default.yml
index 33994afa12d..c4d04df5137 100644
--- a/packages/forgerock/data_stream/am_access/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/forgerock/data_stream/am_access/elasticsearch/ingest_pipeline/default.yml
@@ -95,9 +95,12 @@ processors:
 ignore_failure: true
 - convert:
 field: forgerock.response.elapsedTime
- target_field: event.duration
 type: long
 ignore_failure: true
+ - set:
+ field: event.duration
+ copy_from: forgerock.response.elapsedTime
+ ignore_empty_value: true
 - script:
 lang: painless
 if: ctx.event?.duration != null && ctx.forgerock?.response?.elapsedTimeUnits == 'MILLISECONDS'
diff --git a/packages/forgerock/data_stream/am_access/fields/forgerock-fields.yml b/packages/forgerock/data_stream/am_access/fields/forgerock-fields.yml
index 2eae6ba27c6..1921a75a851 100644
--- a/packages/forgerock/data_stream/am_access/fields/forgerock-fields.yml
+++ b/packages/forgerock/data_stream/am_access/fields/forgerock-fields.yml
@@ -66,7 +66,7 @@
 type: keyword
 description: The responses's username.
 - name: forgerock.response.elapsedTime
- type: date
+ type: long
 description: Time to execute event.
 - name: forgerock.response.elapsedTimeUnits
 type: keyword
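Review bot: In the am_access pipeline hunk (`@@ -95,9 +95,12 @@`), the new `set` copies `forgerock.response.elapsedTime` into `event.duration` even when the preceding `convert` failed, because `ignore_failure: true` leaves the unconverted value in place and `ignore_empty_value` only skips a missing or empty value. Before this change a failed conversion left `event.duration` unset; now a non-numeric value would reach the `script` processor that follows and a `long`-mapped field, which presumably rejects the document, so a malformed audit record could be dropped rather than indexed. Guarding the copy on the `set`, for example with `if: ctx.forgerock?.response?.elapsedTime instanceof Number`, keeps the old behaviour; the same applies to the identical idm_access hunk (`@@ -87,9 +87,12 @@`). The processor list starts and ends outside the hunk, so a pipeline-level `on_failure` handler may already cover this.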
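Review bot: Changing `forgerock.response.elapsedTime` from `date` to `long` (hunk `@@ -66,7 +66,7 @@`, and the same line in the idm_access fields file at `@@ -20,7 +20,7 @@`) only affects backing indices created after the upgrade, so indices written before it presumably keep the `date` mapping until rollover. Queries, aggregations or detection rules that span both would then see a type conflict on this field, which is worth stating in the changelog entry. The description could also name the unit, for example `description: Time to execute the event, in the unit given by forgerock.response.elapsedTimeUnits.` The field list continues outside the hunk.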
diff --git a/packages/forgerock/data_stream/idm_access/elasticsearch/ingest_pipeline/default.yml b/packages/forgerock/data_stream/idm_access/elasticsearch/ingest_pipeline/default.yml
index bab1917bfc1..f48ec70aa8f 100644
--- a/packages/forgerock/data_stream/idm_access/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/forgerock/data_stream/idm_access/elasticsearch/ingest_pipeline/default.yml
@@ -87,9 +87,12 @@ processors:
 ignore_failure: true
 - convert:
 field: forgerock.response.elapsedTime
- target_field: event.duration
 type: long
 ignore_failure: true
+ - set:
+ field: event.duration
+ copy_from: forgerock.response.elapsedTime
+ ignore_empty_value: true
 - script:
 lang: painless
 if: ctx.event?.duration != null && ctx.forgerock?.response?.elapsedTimeUnits == 'MILLISECONDS'
diff --git a/packages/forgerock/data_stream/idm_access/fields/forgerock-fields.yml b/packages/forgerock/data_stream/idm_access/fields/forgerock-fields.yml
index d524180227f..eb54d3d16d2 100644
--- a/packages/forgerock/data_stream/idm_access/fields/forgerock-fields.yml
+++ b/packages/forgerock/data_stream/idm_access/fields/forgerock-fields.yml
@@ -20,7 +20,7 @@
 type: keyword
 description: The protocol associated with the request; REST or PLL.
 - name: forgerock.response.elapsedTime
- type: date
+ type: long
 description: Time to execute event.
 - name: forgerock.response.elapsedTimeUnits
 type: keyword
diff --git a/packages/forgerock/docs/README.md b/packages/forgerock/docs/README.md
index ff92350398c..2cbf8945519 100644
--- a/packages/forgerock/docs/README.md
+++ b/packages/forgerock/docs/README.md
@@ -120,7 +120,7 @@ An example event for `am_access` looks as following:
 | forgerock.response.detail.scope | The responses's scope. | keyword |
 | forgerock.response.detail.token_type | The responses's token type. | keyword |
 | forgerock.response.detail.username | The responses's username. | keyword |
-| forgerock.response.elapsedTime | Time to execute event. | date |
+| forgerock.response.elapsedTime | Time to execute event. | long |
 | forgerock.response.elapsedTimeUnits | Units for response time. | keyword |
 | forgerock.response.status | Status indicator, usually SUCCESS/SUCCESSFUL or FAIL/FAILED. | keyword |
 | forgerock.roles | IDM roles associated with the request. | keyword |
@@ -618,7 +618,7 @@ An example event for `idm_access` looks as following:
 | forgerock.level | The log level. | keyword |
 | forgerock.request.operation | The request operation. | keyword |
 | forgerock.request.protocol | The protocol associated with the request; REST or PLL. | keyword |
-| forgerock.response.elapsedTime | Time to execute event. | date |
+| forgerock.response.elapsedTime | Time to execute event. | long |
 | forgerock.response.elapsedTimeUnits | Units for response time. | keyword |
 | forgerock.response.status | Status indicator, usually SUCCESS/SUCCESSFUL or FAIL/FAILED. | keyword |
 | forgerock.roles | IDM roles associated with the request. | keyword |
From 93b5de459d9acc4b8a2cb05c332a5e5036081d21 Mon Sep 17 00:00:00 2001
From: Chris Berkhout
Date: Wed, 21 May 2025 14:51:24 +0200
Subject: [PATCH 2/3] Version bump, changelog entry.
---
 packages/forgerock/changelog.yml | 5 +++++
 packages/forgerock/manifest.yml | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/packages/forgerock/changelog.yml b/packages/forgerock/changelog.yml
index dbc361ee581..81b3e64b7e2 100644
--- a/packages/forgerock/changelog.yml
+++ b/packages/forgerock/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.21.1"
+ changes:
+ - description: Map the duration elaspsedTime as a long not a date.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/13959
 - version: "1.21.0"
 changes:
 - description: Update Kibana constraint to support 9.0.0.
diff --git a/packages/forgerock/manifest.yml b/packages/forgerock/manifest.yml
index e9276819543..f910c0f57bb 100644
--- a/packages/forgerock/manifest.yml
+++ b/packages/forgerock/manifest.yml
@@ -1,6 +1,6 @@
 name: forgerock
 title: "ForgeRock"
-version: "1.21.0"
+version: "1.21.1"
 description: Collect audit logs from ForgeRock with Elastic Agent.
 type: integration
 format_version: "3.0.2"
From a98a8f54eadf18bc3f5735a82223b6b252b290cc Mon Sep 17 00:00:00 2001
From: Chris Berkhout
Date: Thu, 22 May 2025 09:20:41 +0200
Subject: [PATCH 3/3] Update packages/forgerock/changelog.yml
Co-authored-by: Dan Kortschak
---
 packages/forgerock/changelog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/forgerock/changelog.yml b/packages/forgerock/changelog.yml
index 81b3e64b7e2..1b85fb18720 100644
--- a/packages/forgerock/changelog.yml
+++ b/packages/forgerock/changelog.yml
@@ -1,7 +1,7 @@
 # newer versions go on top
 - version: "1.21.1"
 changes:
- - description: Map the duration elaspsedTime as a long not a date.
+ - description: Map the duration `forgerock.response.elapsedTime` as a long not a date.
 type: bugfix
 link: https://github.com/elastic/integrations/pull/13959
 - version: "1.21.0"