-
Notifications
You must be signed in to change notification settings - Fork 117
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
using ecs@mappings with entityanalytics_entra_id fails tests with 'field "user.group" is undefined' #1921
Comments
From what I can see, there are a couple of reasons that make this case special:
I would recommend to set a currently supported definition for
For our side I think we should add a more explicit error for this case (adding it in #1923). We could assume that in the cases of fields imported from ECS the user doesn't want to use nested, but I would prefer to be on the safe side on this, and keep this requirement. |
Closing this by now after improving the error message in #1923. Please reopen if you consider something else should be done. |
This behaviour is very surprising. As developer I would expect that this would just work. |
I agree, but this comes from the lack of support for arrays of objects in our data layer, what can be also surprising. After several iterations on this, I think we are in a situation where it is more difficult to create situations in packages that the developer didn't plan about. Not ideal, but in my opinion better than defaulting to something that would be surprising for users.
The problem is with the ambiguity when arrays of objects are used. Would you expect this to work as an array of objects or as nested objects? Arrays of objects are not properly supported by ES, and are stored in unexpected ways (as arrays of their member fields, disconnected between them). Nested objects are stored in a more natural way, probably what a newcomer would expect, but require more storage and specific support. So I think the developer needs to make a conscious decision here: using plain arrays of objects, using nested objects, denormalizing documents, or looking for some other different data structure that doesn't require arrays of objects. I am open to proposals about how to improve this, but I still think that we should not rely on a default behavior for arrays of objects, given the trade-offs of every option. I also prefer to be in a situation that discourages the use of arrays of objects, given their problems. |
As part of elastic/integrations#10135 the entityanalytics_entra_id package has its ECS field definitions removed, to be replaced at runtime by
ecs@mappings
. One of the field groups that is removed isuser.group
. Apart from other changes that the automation makes that work as expected for other packages that do not include this group, the change isWith this change the package tests now fail.
It is not clear why this is from the error message in the test output.
The state of entityanalytics_entra_id used to demonstrate this can be reconstructed by running
The text was updated successfully, but these errors were encountered: