-
Notifications
You must be signed in to change notification settings - Fork 419
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Double reuse of a schema doesn't succeed #959
Comments
Thanks for opening with the detailed bug report and notes @jonathan-buttner! After a brief review, it looks like the |
Yeah no worries, thanks for taking a look @ebeahan! |
The fact that self-reuse doesn't get included in reuses to other field sets is intentional. It's been built like this in order to avoid having a self-referential loop: process.parent.parent.parent... and also to avoid having the upcoming new user fields ( If you need to reuse process and you also want expected:
- DoubleReuse
- { at: DoubleReuse, as: parent } Note that this new notation has only been used for self-nesting so far. It should also work when reusing to another field set. If not, please let us know. |
Ah thanks @webmat. I'll try the explicit notation and then close this ticket. |
Thanks @webmat for the detail. Makes sense why that approach was taken. I tinkered a bit and found the following YAML would generate the additional nesting of expected:
- DoubleReuse
- { at: DoubleReuse.process, as: parent } With a couple of adjustments in I'll open a PR to address. |
Description of the problem including expected versus actual behavior:
In ECS version 1.6
process
schema is reused on itself to create theparent
section. If a custom schema is used to reuseprocess
onto the custom schema, theparent
fields are not included.Steps to reproduce:
Create these files in a directory called
test_schema_reuse
:custom_process.yml
custom_double_reuse.yml
To make things a little easier you can short circuit the generator like so:
Run
python scripts/generator.py --include <path to test_schema_reuse> --ref v1.6.0
Examine the output of
ecs.yml
:DoubleReuse section of ecs.yml
Notice that the name
DoubleReuse-process-parent
does not exist in theecs.yml
file. The initial fieldDoubleReuse-process-test-base
does though.The endpoint team leverages the ability to reuse process and the parent fields in custom schema for malware: https://github.com/elastic/endpoint-package/blob/master/custom_schemas/custom_process.yml#L15
This works for ecs version 1.5 because the
parent
fields were defined manually.The text was updated successfully, but these errors were encountered: