Mark which field set reuses expect arrays

[ebeahan]

Purpose

Indicate in the field definitions when a field set reuse expects an array.

Background

Reuses allowing arrays may benefit specific limited use. However, there's currently no way to declare this reuse type in the ECS tooling.

{
  "process": {
    "previous" : [
      {
        "name": "abc.exe"
      },
      {
        "name": "xyz.exe"
      }
    ]
  }
}

The above basic example presents an ECS mapped event using field set array reuse. The previous object is process.* field set reused at process.previous.

The normalize: [ 'array' ] setting controls when a particular field expects an array of values. There's no dedicated array type in Elasticsearch, and any field can contain zero or more values of the same type. So when the array attribute is specified, a note is added by the generator script to that field's description in the ECS docs.

Field def setting:

    - name: example
      normalize:
        - array

Results in this text added to field's description:

Proposed design

Implement a similar mechanism as leaf fields:

• specify an attribute on a field reuse
• have the asciidoc generator handle including that content in the field reuse description

Open question(s)

• Do we reuse the existing normalize attribute convention? Or a simple bool parameter (e.g., is_array)?