🌊 Streams: Normalized format for wired streams#205113
Merged
flash1293 merged 102 commits intoelastic:mainfrom May 28, 2025
Merged
🌊 Streams: Normalized format for wired streams#205113flash1293 merged 102 commits intoelastic:mainfrom
flash1293 merged 102 commits intoelastic:mainfrom
Conversation
…to use the new types
…bana into flash1293/streams/otel-mode
…bana into flash1293/streams/otel-mode
Contributor
💚 Build Succeeded
Metrics [docs]Module Count
Public APIs missing comments
Async chunks
Public APIs missing exports
History
|
Contributor
|
Starting backport for target branches: 8.19 https://github.com/elastic/kibana/actions/runs/15298591946 |
Contributor
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
Contributor
Author
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
flash1293
added a commit
to flash1293/kibana
that referenced
this pull request
May 28, 2025
This PR extends streams to allow mixed otel/ecs querying. Walkthrough (slightly outdated): https://github.com/user-attachments/assets/9d6280ff-57b2-43d8-9c81-dfbfabb64585 <img width="492" alt="Screenshot 2025-03-07 at 17 15 27" src="https://github.com/user-attachments/assets/792fbbc2-6cbe-42fe-96b3-eea2b6959fe5" /> # To test * Start up PR, enable streams via `POST kbn:/api/streams/_enable` * Redirect all incoming logs to streams: ``` PUT _ingest/pipeline/logs@custom { "processors": [ { "reroute": { "destination": "logs" } } ] } ``` * Send some logs * They will be trandslated to namespaced ECS and can be queried the same way Some demo actions: ``` # Make sure trial license is active (because of synthetic source) # Enable streams POST kbn:/api/streams/_enable # Fork some data to be able to edit mapping and stuff POST kbn:/api/streams/logs/_fork { "stream": { "name": "logs.child" }, "if": { "field": "attributes.custom_field", "operator": "exists" } } # Routing could have been done on "custom_field" as well # Send some ECS-formatted data POST logs/_doc { "message": "Hello world", "log.level": "warn", "host": { "name": "my-mbp", "ip": "1.2.3.4" }, "custom_field": "value2" } # Send some OTel-formatted data POST logs/_doc { "body": { "text": "Hello OTEL world" }, "severity_text": "warn", "resource": { "attributes": { "host.name": "my-mbp", "host.ip": "1.2.3.4" } }, "attributes": { "custom_field": "value" } } # See how it's stored as namespaced ECS (beware automatic aliasing) GET logs.child/_search # See the fields and their aliases GET kbn:/api/streams/logs.child # Nested data treatment (objects flattened, arrays kept) POST logs/_doc { "message": "Hello world", "log.level": "warn", "host": { "name": "my-mbp", "ip": "1.2.3.4" }, "custom_field": "value2", "nested_custom_field": { "deeply": { "deeply": { "nested": "value" } } }, "array_values": [ { "deeply": { "nested": 123 }}, { "deeply": { "nested": 456 }} ] } GET logs.child/_search # Map a field (show alias in app) PUT kbn:/api/streams/logs.child/_ingest { "ingest": { "lifecycle": { "inherit": {} }, "processing": [], "routing": [], "wired": { "fields": { "attributes.custom_value": { "type": "keyword" } } } } } # Trying to map "custom_value" will result in an error - only attributes.* and resource_attributes.* can be mapped # End experiment POST kbn:/api/streams/_disable ``` ## Do on separate PRs * More dedicated integration tests * Replace the painless implementation of normalization with an Elasticsearch processor (not shipped yet) * Remove the dot expander processors once Elasticsearch allows accessing flattened field names --------- Co-authored-by: Chris Cowan <chris@elastic.co> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit 440aeab) # Conflicts: # x-pack/test/api_integration/deployment_agnostic/apis/observability/streams/enrichment.ts
1 task
akowalska622
pushed a commit
to akowalska622/kibana
that referenced
this pull request
May 29, 2025
This PR extends streams to allow mixed otel/ecs querying. Walkthrough (slightly outdated): https://github.com/user-attachments/assets/9d6280ff-57b2-43d8-9c81-dfbfabb64585 <img width="492" alt="Screenshot 2025-03-07 at 17 15 27" src="https://github.com/user-attachments/assets/792fbbc2-6cbe-42fe-96b3-eea2b6959fe5" /> # To test * Start up PR, enable streams via `POST kbn:/api/streams/_enable` * Redirect all incoming logs to streams: ``` PUT _ingest/pipeline/logs@custom { "processors": [ { "reroute": { "destination": "logs" } } ] } ``` * Send some logs * They will be trandslated to namespaced ECS and can be queried the same way Some demo actions: ``` # Make sure trial license is active (because of synthetic source) # Enable streams POST kbn:/api/streams/_enable # Fork some data to be able to edit mapping and stuff POST kbn:/api/streams/logs/_fork { "stream": { "name": "logs.child" }, "if": { "field": "attributes.custom_field", "operator": "exists" } } # Routing could have been done on "custom_field" as well # Send some ECS-formatted data POST logs/_doc { "message": "Hello world", "log.level": "warn", "host": { "name": "my-mbp", "ip": "1.2.3.4" }, "custom_field": "value2" } # Send some OTel-formatted data POST logs/_doc { "body": { "text": "Hello OTEL world" }, "severity_text": "warn", "resource": { "attributes": { "host.name": "my-mbp", "host.ip": "1.2.3.4" } }, "attributes": { "custom_field": "value" } } # See how it's stored as namespaced ECS (beware automatic aliasing) GET logs.child/_search # See the fields and their aliases GET kbn:/api/streams/logs.child # Nested data treatment (objects flattened, arrays kept) POST logs/_doc { "message": "Hello world", "log.level": "warn", "host": { "name": "my-mbp", "ip": "1.2.3.4" }, "custom_field": "value2", "nested_custom_field": { "deeply": { "deeply": { "nested": "value" } } }, "array_values": [ { "deeply": { "nested": 123 }}, { "deeply": { "nested": 456 }} ] } GET logs.child/_search # Map a field (show alias in app) PUT kbn:/api/streams/logs.child/_ingest { "ingest": { "lifecycle": { "inherit": {} }, "processing": [], "routing": [], "wired": { "fields": { "attributes.custom_value": { "type": "keyword" } } } } } # Trying to map "custom_value" will result in an error - only attributes.* and resource_attributes.* can be mapped # End experiment POST kbn:/api/streams/_disable ``` ## Do on separate PRs * More dedicated integration tests * Replace the painless implementation of normalization with an Elasticsearch processor (not shipped yet) * Remove the dot expander processors once Elasticsearch allows accessing flattened field names --------- Co-authored-by: Chris Cowan <chris@elastic.co> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
1 task
kdelemme
added a commit
that referenced
this pull request
May 29, 2025
## Summary Update scout test according to latest change with normalized fields: #205113
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
May 29, 2025
## Summary Update scout test according to latest change with normalized fields: elastic#205113 (cherry picked from commit 567b4d5)
kibanamachine
added a commit
that referenced
this pull request
May 29, 2025
# Backport This will backport the following commits from `main` to `8.19`: - [fix(streams): wired scout test (#221838)](#221838) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Kevin Delemme","email":"kevin.delemme@elastic.co"},"sourceCommit":{"committedDate":"2025-05-29T14:45:35Z","message":"fix(streams): wired scout test (#221838)\n\n## Summary\n\nUpdate scout test according to latest change with normalized fields:\nhttps://github.com//pull/205113","sha":"567b4d5c6bd8e1c8916d606906054e9939d89935","branchLabelMapping":{"^v9.1.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","backport:version","v9.1.0","v8.19.0","author:obs-ux-management"],"title":"fix(streams): wired scout test","number":221838,"url":"https://github.com/elastic/kibana/pull/221838","mergeCommit":{"message":"fix(streams): wired scout test (#221838)\n\n## Summary\n\nUpdate scout test according to latest change with normalized fields:\nhttps://github.com//pull/205113","sha":"567b4d5c6bd8e1c8916d606906054e9939d89935"}},"sourceBranch":"main","suggestedTargetBranches":["8.19"],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/221838","number":221838,"mergeCommit":{"message":"fix(streams): wired scout test (#221838)\n\n## Summary\n\nUpdate scout test according to latest change with normalized fields:\nhttps://github.com//pull/205113","sha":"567b4d5c6bd8e1c8916d606906054e9939d89935"}},{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Kevin Delemme <kevin.delemme@elastic.co>
kibanamachine
added
the
backport missing
Contributor
|
Looks like this PR has a backport PR but it still hasn't been merged. Please merge it ASAP to keep the branches relatively in sync. |
1 similar comment
Contributor
|
Looks like this PR has a backport PR but it still hasn't been merged. Please merge it ASAP to keep the branches relatively in sync. |
flash1293
added a commit
that referenced
this pull request
Jun 2, 2025
) # Backport This will backport the following commits from `main` to `8.19`: - [🌊 Streams: Normalized format for wired streams (#205113)](#205113) <!--- Backport version: 10.0.0 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Joe Reuter","email":"johannes.reuter@elastic.co"},"sourceCommit":{"committedDate":"2025-05-28T11:08:39Z","message":"🌊 Streams: Normalized format for wired streams (#205113)\n\nThis PR extends streams to allow mixed otel/ecs querying.\n\nWalkthrough (slightly outdated):\n\n\nhttps://github.com/user-attachments/assets/9d6280ff-57b2-43d8-9c81-dfbfabb64585\n\n\n<img width=\"492\" alt=\"Screenshot 2025-03-07 at 17 15 27\"\nsrc=\"https://github.com/user-attachments/assets/792fbbc2-6cbe-42fe-96b3-eea2b6959fe5\"\n/>\n\n# To test\n\n* Start up PR, enable streams via `POST kbn:/api/streams/_enable`\n* Redirect all incoming logs to streams:\n```\nPUT _ingest/pipeline/logs@custom\n{\n \"processors\": [\n {\n \"reroute\": {\n \"destination\": \"logs\"\n }\n }\n ]\n}\n```\n* Send some logs\n* They will be trandslated to namespaced ECS and can be queried the same\nway\n\nSome demo actions:\n```\n# Make sure trial license is active (because of synthetic source)\n\n# Enable streams\nPOST kbn:/api/streams/_enable\n\n# Fork some data to be able to edit mapping and stuff\nPOST kbn:/api/streams/logs/_fork\n{\n \"stream\": { \"name\": \"logs.child\" },\n \"if\": {\n \"field\": \"attributes.custom_field\",\n \"operator\": \"exists\"\n }\n}\n# Routing could have been done on \"custom_field\" as well\n\n# Send some ECS-formatted data\nPOST logs/_doc\n{\n \"message\": \"Hello world\",\n \"log.level\": \"warn\",\n \"host\": {\n \"name\": \"my-mbp\",\n \"ip\": \"1.2.3.4\"\n },\n \"custom_field\": \"value2\"\n}\n\n# Send some OTel-formatted data\nPOST logs/_doc\n{\n \"body\": {\n \"text\": \"Hello OTEL world\"\n },\n \"severity_text\": \"warn\",\n \"resource\": {\n \"attributes\": {\n \"host.name\": \"my-mbp\",\n \"host.ip\": \"1.2.3.4\"\n }\n },\n \"attributes\": {\n \"custom_field\": \"value\"\n }\n}\n\n# See how it's stored as namespaced ECS (beware automatic aliasing)\nGET logs.child/_search\n\n# See the fields and their aliases\nGET kbn:/api/streams/logs.child\n\n# Nested data treatment (objects flattened, arrays kept)\nPOST logs/_doc\n{\n \"message\": \"Hello world\",\n \"log.level\": \"warn\",\n \"host\": {\n \"name\": \"my-mbp\",\n \"ip\": \"1.2.3.4\"\n },\n \"custom_field\": \"value2\",\n \"nested_custom_field\": {\n \"deeply\": {\n \"deeply\": {\n \"nested\": \"value\"\n }\n }\n },\n \"array_values\": [\n { \"deeply\": { \"nested\": 123 }},\n { \"deeply\": { \"nested\": 456 }}\n ]\n}\n\nGET logs.child/_search\n\n# Map a field (show alias in app)\nPUT kbn:/api/streams/logs.child/_ingest\n{\n \"ingest\": {\n \"lifecycle\": {\n \"inherit\": {}\n },\n \"processing\": [],\n \"routing\": [],\n \"wired\": {\n \"fields\": {\n \"attributes.custom_value\": {\n \"type\": \"keyword\"\n }\n }\n }\n }\n}\n# Trying to map \"custom_value\" will result in an error - only attributes.* and resource_attributes.* can be mapped\n\n# End experiment\nPOST kbn:/api/streams/_disable\n```\n\n## Do on separate PRs\n\n* More dedicated integration tests\n* Replace the painless implementation of normalization with an\nElasticsearch processor (not shipped yet)\n* Remove the dot expander processors once Elasticsearch allows accessing\nflattened field names\n\n---------\n\nCo-authored-by: Chris Cowan <chris@elastic.co>\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>","sha":"440aeabd398d3ca29e578f076a3292f5a61ec217","branchLabelMapping":{"^v9.1.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:obs-ux-logs","backport:version","Feature:Streams","v9.1.0","v8.19.0"],"title":"🌊 Streams: Normalized format for wired streams","number":205113,"url":"https://github.com/elastic/kibana/pull/205113","mergeCommit":{"message":"🌊 Streams: Normalized format for wired streams (#205113)\n\nThis PR extends streams to allow mixed otel/ecs querying.\n\nWalkthrough (slightly outdated):\n\n\nhttps://github.com/user-attachments/assets/9d6280ff-57b2-43d8-9c81-dfbfabb64585\n\n\n<img width=\"492\" alt=\"Screenshot 2025-03-07 at 17 15 27\"\nsrc=\"https://github.com/user-attachments/assets/792fbbc2-6cbe-42fe-96b3-eea2b6959fe5\"\n/>\n\n# To test\n\n* Start up PR, enable streams via `POST kbn:/api/streams/_enable`\n* Redirect all incoming logs to streams:\n```\nPUT _ingest/pipeline/logs@custom\n{\n \"processors\": [\n {\n \"reroute\": {\n \"destination\": \"logs\"\n }\n }\n ]\n}\n```\n* Send some logs\n* They will be trandslated to namespaced ECS and can be queried the same\nway\n\nSome demo actions:\n```\n# Make sure trial license is active (because of synthetic source)\n\n# Enable streams\nPOST kbn:/api/streams/_enable\n\n# Fork some data to be able to edit mapping and stuff\nPOST kbn:/api/streams/logs/_fork\n{\n \"stream\": { \"name\": \"logs.child\" },\n \"if\": {\n \"field\": \"attributes.custom_field\",\n \"operator\": \"exists\"\n }\n}\n# Routing could have been done on \"custom_field\" as well\n\n# Send some ECS-formatted data\nPOST logs/_doc\n{\n \"message\": \"Hello world\",\n \"log.level\": \"warn\",\n \"host\": {\n \"name\": \"my-mbp\",\n \"ip\": \"1.2.3.4\"\n },\n \"custom_field\": \"value2\"\n}\n\n# Send some OTel-formatted data\nPOST logs/_doc\n{\n \"body\": {\n \"text\": \"Hello OTEL world\"\n },\n \"severity_text\": \"warn\",\n \"resource\": {\n \"attributes\": {\n \"host.name\": \"my-mbp\",\n \"host.ip\": \"1.2.3.4\"\n }\n },\n \"attributes\": {\n \"custom_field\": \"value\"\n }\n}\n\n# See how it's stored as namespaced ECS (beware automatic aliasing)\nGET logs.child/_search\n\n# See the fields and their aliases\nGET kbn:/api/streams/logs.child\n\n# Nested data treatment (objects flattened, arrays kept)\nPOST logs/_doc\n{\n \"message\": \"Hello world\",\n \"log.level\": \"warn\",\n \"host\": {\n \"name\": \"my-mbp\",\n \"ip\": \"1.2.3.4\"\n },\n \"custom_field\": \"value2\",\n \"nested_custom_field\": {\n \"deeply\": {\n \"deeply\": {\n \"nested\": \"value\"\n }\n }\n },\n \"array_values\": [\n { \"deeply\": { \"nested\": 123 }},\n { \"deeply\": { \"nested\": 456 }}\n ]\n}\n\nGET logs.child/_search\n\n# Map a field (show alias in app)\nPUT kbn:/api/streams/logs.child/_ingest\n{\n \"ingest\": {\n \"lifecycle\": {\n \"inherit\": {}\n },\n \"processing\": [],\n \"routing\": [],\n \"wired\": {\n \"fields\": {\n \"attributes.custom_value\": {\n \"type\": \"keyword\"\n }\n }\n }\n }\n}\n# Trying to map \"custom_value\" will result in an error - only attributes.* and resource_attributes.* can be mapped\n\n# End experiment\nPOST kbn:/api/streams/_disable\n```\n\n## Do on separate PRs\n\n* More dedicated integration tests\n* Replace the painless implementation of normalization with an\nElasticsearch processor (not shipped yet)\n* Remove the dot expander processors once Elasticsearch allows accessing\nflattened field names\n\n---------\n\nCo-authored-by: Chris Cowan <chris@elastic.co>\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>","sha":"440aeabd398d3ca29e578f076a3292f5a61ec217"}},"sourceBranch":"main","suggestedTargetBranches":["8.19"],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/205113","number":205113,"mergeCommit":{"message":"🌊 Streams: Normalized format for wired streams (#205113)\n\nThis PR extends streams to allow mixed otel/ecs querying.\n\nWalkthrough (slightly outdated):\n\n\nhttps://github.com/user-attachments/assets/9d6280ff-57b2-43d8-9c81-dfbfabb64585\n\n\n<img width=\"492\" alt=\"Screenshot 2025-03-07 at 17 15 27\"\nsrc=\"https://github.com/user-attachments/assets/792fbbc2-6cbe-42fe-96b3-eea2b6959fe5\"\n/>\n\n# To test\n\n* Start up PR, enable streams via `POST kbn:/api/streams/_enable`\n* Redirect all incoming logs to streams:\n```\nPUT _ingest/pipeline/logs@custom\n{\n \"processors\": [\n {\n \"reroute\": {\n \"destination\": \"logs\"\n }\n }\n ]\n}\n```\n* Send some logs\n* They will be trandslated to namespaced ECS and can be queried the same\nway\n\nSome demo actions:\n```\n# Make sure trial license is active (because of synthetic source)\n\n# Enable streams\nPOST kbn:/api/streams/_enable\n\n# Fork some data to be able to edit mapping and stuff\nPOST kbn:/api/streams/logs/_fork\n{\n \"stream\": { \"name\": \"logs.child\" },\n \"if\": {\n \"field\": \"attributes.custom_field\",\n \"operator\": \"exists\"\n }\n}\n# Routing could have been done on \"custom_field\" as well\n\n# Send some ECS-formatted data\nPOST logs/_doc\n{\n \"message\": \"Hello world\",\n \"log.level\": \"warn\",\n \"host\": {\n \"name\": \"my-mbp\",\n \"ip\": \"1.2.3.4\"\n },\n \"custom_field\": \"value2\"\n}\n\n# Send some OTel-formatted data\nPOST logs/_doc\n{\n \"body\": {\n \"text\": \"Hello OTEL world\"\n },\n \"severity_text\": \"warn\",\n \"resource\": {\n \"attributes\": {\n \"host.name\": \"my-mbp\",\n \"host.ip\": \"1.2.3.4\"\n }\n },\n \"attributes\": {\n \"custom_field\": \"value\"\n }\n}\n\n# See how it's stored as namespaced ECS (beware automatic aliasing)\nGET logs.child/_search\n\n# See the fields and their aliases\nGET kbn:/api/streams/logs.child\n\n# Nested data treatment (objects flattened, arrays kept)\nPOST logs/_doc\n{\n \"message\": \"Hello world\",\n \"log.level\": \"warn\",\n \"host\": {\n \"name\": \"my-mbp\",\n \"ip\": \"1.2.3.4\"\n },\n \"custom_field\": \"value2\",\n \"nested_custom_field\": {\n \"deeply\": {\n \"deeply\": {\n \"nested\": \"value\"\n }\n }\n },\n \"array_values\": [\n { \"deeply\": { \"nested\": 123 }},\n { \"deeply\": { \"nested\": 456 }}\n ]\n}\n\nGET logs.child/_search\n\n# Map a field (show alias in app)\nPUT kbn:/api/streams/logs.child/_ingest\n{\n \"ingest\": {\n \"lifecycle\": {\n \"inherit\": {}\n },\n \"processing\": [],\n \"routing\": [],\n \"wired\": {\n \"fields\": {\n \"attributes.custom_value\": {\n \"type\": \"keyword\"\n }\n }\n }\n }\n}\n# Trying to map \"custom_value\" will result in an error - only attributes.* and resource_attributes.* can be mapped\n\n# End experiment\nPOST kbn:/api/streams/_disable\n```\n\n## Do on separate PRs\n\n* More dedicated integration tests\n* Replace the painless implementation of normalization with an\nElasticsearch processor (not shipped yet)\n* Remove the dot expander processors once Elasticsearch allows accessing\nflattened field names\n\n---------\n\nCo-authored-by: Chris Cowan <chris@elastic.co>\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>","sha":"440aeabd398d3ca29e578f076a3292f5a61ec217"}},{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
kibanamachine
removed
the
backport missing
zacharyparikh
pushed a commit
to zacharyparikh/kibana
that referenced
this pull request
Jun 4, 2025
This PR extends streams to allow mixed otel/ecs querying. Walkthrough (slightly outdated): https://github.com/user-attachments/assets/9d6280ff-57b2-43d8-9c81-dfbfabb64585 <img width="492" alt="Screenshot 2025-03-07 at 17 15 27" src="https://github.com/user-attachments/assets/792fbbc2-6cbe-42fe-96b3-eea2b6959fe5" /> # To test * Start up PR, enable streams via `POST kbn:/api/streams/_enable` * Redirect all incoming logs to streams: ``` PUT _ingest/pipeline/logs@custom { "processors": [ { "reroute": { "destination": "logs" } } ] } ``` * Send some logs * They will be trandslated to namespaced ECS and can be queried the same way Some demo actions: ``` # Make sure trial license is active (because of synthetic source) # Enable streams POST kbn:/api/streams/_enable # Fork some data to be able to edit mapping and stuff POST kbn:/api/streams/logs/_fork { "stream": { "name": "logs.child" }, "if": { "field": "attributes.custom_field", "operator": "exists" } } # Routing could have been done on "custom_field" as well # Send some ECS-formatted data POST logs/_doc { "message": "Hello world", "log.level": "warn", "host": { "name": "my-mbp", "ip": "1.2.3.4" }, "custom_field": "value2" } # Send some OTel-formatted data POST logs/_doc { "body": { "text": "Hello OTEL world" }, "severity_text": "warn", "resource": { "attributes": { "host.name": "my-mbp", "host.ip": "1.2.3.4" } }, "attributes": { "custom_field": "value" } } # See how it's stored as namespaced ECS (beware automatic aliasing) GET logs.child/_search # See the fields and their aliases GET kbn:/api/streams/logs.child # Nested data treatment (objects flattened, arrays kept) POST logs/_doc { "message": "Hello world", "log.level": "warn", "host": { "name": "my-mbp", "ip": "1.2.3.4" }, "custom_field": "value2", "nested_custom_field": { "deeply": { "deeply": { "nested": "value" } } }, "array_values": [ { "deeply": { "nested": 123 }}, { "deeply": { "nested": 456 }} ] } GET logs.child/_search # Map a field (show alias in app) PUT kbn:/api/streams/logs.child/_ingest { "ingest": { "lifecycle": { "inherit": {} }, "processing": [], "routing": [], "wired": { "fields": { "attributes.custom_value": { "type": "keyword" } } } } } # Trying to map "custom_value" will result in an error - only attributes.* and resource_attributes.* can be mapped # End experiment POST kbn:/api/streams/_disable ``` ## Do on separate PRs * More dedicated integration tests * Replace the painless implementation of normalization with an Elasticsearch processor (not shipped yet) * Remove the dot expander processors once Elasticsearch allows accessing flattened field names --------- Co-authored-by: Chris Cowan <chris@elastic.co> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
zacharyparikh
pushed a commit
to zacharyparikh/kibana
that referenced
this pull request
Jun 4, 2025
## Summary Update scout test according to latest change with normalized fields: elastic#205113
nickpeihl
pushed a commit
to nickpeihl/kibana
that referenced
this pull request
Jun 12, 2025
## Summary Update scout test according to latest change with normalized fields: elastic#205113
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
9 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR extends streams to allow mixed otel/ecs querying.
Walkthrough (slightly outdated):
otel_streams.mov
To test
POST kbn:/api/streams/_enableSome demo actions:
Do on separate PRs