Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Explicit mapping for all osquery fields #902

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Apr 14, 2021
Merged

Explicit mapping for all osquery fields #902

merged 4 commits into from
Apr 14, 2021

Conversation

aleksmaus
Copy link
Contributor

What does this PR do?

Explicit mapping for all osquery fields.

Following this recommendation for mapping
https://www.elastic.co/guide/en/elasticsearch/reference/current/number.html

Consider mapping a numeric identifier as a keyword if:
You don’t plan to search for the identifier data using range queries.
Fast retrieval is important. term query searches on keyword fields are often faster than term searches on numeric fields.
If you’re unsure which to use, you can use a multi-field to map the data as both a keyword and a numeric data type.

The fields mapping is generated from the official osquery 4.7.0 schema. The numeric fields are mapped to keywords, the text fields had additional text multifield defined.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.

Author's Checklist

Related issues

Screenshots

osquery mapping:
Screen Shot 2021-04-10 at 4 27 22 PM

collected osquery data with types converted appropriately with osquerybeat
Screen Shot 2021-04-10 at 4 25 11 PM

@aleksmaus aleksmaus added the enhancement New feature or request label Apr 10, 2021
@elasticmachine
Copy link

elasticmachine commented Apr 10, 2021
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: Branch indexing

  • Start Time: 2021-04-13T22:28:13.006+0000

  • Duration: 37 min 33 sec

  • Commit: 41a86bc

Test stats 🧪

Test Results
Failed 0
Passed 1926
Skipped 3
Total 1929

Trends 🧪

Image of Build Times

Image of Tests

@aleksmaus aleksmaus mentioned this pull request Apr 10, 2021
Merged
6 tasks
@aleksmaus
Copy link
Contributor Author

Do not review/merge yet, will update the mapping more today.

patrykkopycinski
patrykkopycinski reviewed Apr 12, 2021
View reviewed changes
@patrykkopycinski patrykkopycinski mentioned this pull request Apr 12, 2021
Merged
1 task
@aleksmaus
Copy link
Contributor Author

the integration and kibana are updated to handle keyword/long keyword/double multifields correctly

Screen Shot 2021-04-13 at 11 40 37 AM

Screen Shot 2021-04-13 at 11 40 25 AM

Screen Shot 2021-04-13 at 11 42 15 AM

lykkin
lykkin approved these changes Apr 13, 2021
View reviewed changes
Copy link
Contributor

@lykkin lykkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

out of curiosity, what did you use to generate the osquery.yml file?

@aleksmaus aleksmaus merged commit ff5c237 into elastic:master Apr 14, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@patrykkopycinski patrykkopycinski patrykkopycinski left review comments

@james-elastic james-elastic james-elastic approved these changes

+1 more reviewer

@lykkin lykkin lykkin approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@aleksmaus @elasticmachine @lykkin @patrykkopycinski @james-elastic