Introduce process.* field set reuse filtering
#1847
Conversation
| 8.3.0-dev+exp,true,process,process.parent.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. | ||
| 8.3.0-dev+exp,true,process,process.parent.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." | ||
| 8.3.0-dev+exp,true,process,process.parent.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. | ||
| 8.3.0-dev+exp,true,process,process.parent.env_vars,object,extended,,"{""USER"": ""elastic"",""LANG"": ""en_US.UTF-8"",""HOME"": ""/home/elastic""}",Environment variables set at the time of the event. |
There was a problem hiding this comment.
Another ? for process.parent.env_vars
I don't see any env_vars in https://github.com/elastic/endpoint-package/blob/49d9a9ac02762afa3ad158febe5edc164883d715/custom_subsets/elastic_endpoint/process/linux_event_model_event.yaml , but I know we added it for it, so just double checking
There was a problem hiding this comment.
I would say only top level process gets env_vars. I will submit another PR to endpoint-package.
There was a problem hiding this comment.
I added process.parent.env_vars to keep process.* and process.parent.* more symmetrical. Open to changing if there's any differing views.
|
endpoint-package updated to include mapping for process.env_vars |
* add location for subset filters * add --subset arg to make * artifact changes with new filterings * also need to account for experimental fields * correct experimental artifacts * experimental subset def * ignore subset artifacts * add env_vars * add interactive and parent.interactive * changelog (cherry picked from commit 40eab34) # Conflicts: # experimental/generated/csv/fields.csv # experimental/generated/elasticsearch/composable/template.json # generated/csv/fields.csv # generated/elasticsearch/composable/template.json
💚 All backports created successfully
Questions ?Please refer to the Backport tool documentation |
* add location for subset filters * add --subset arg to make * artifact changes with new filterings * also need to account for experimental fields * correct experimental artifacts * experimental subset def * ignore subset artifacts * add env_vars * add interactive and parent.interactive * changelog (cherry picked from commit 40eab34)
Follow-up to #1842
The Linux event model requires many reuses of the
process.*field set, but not all these reuses need the entire field set be reused.This change leverages the
--subsetfeature to limit the number of new fields introduced by these complex reuses. No existingprocess.*orprocess.parent.*fields are affected or removed by this change.