Use ecs definition of the 'event.dataset' field for container_logs

Signed-off-by: Tetiana Kravchenko <[email protected]>

packages/docker/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 2.12.0
+  changes:
+    - description: Use ecs definition of the 'event.dataset' field for container_logs.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/11196
 - version: 2.11.0
   changes:
     - description: Bump package-spec version to 3.2.2 to run on Serverless and stack version 9.0.

packages/docker/data_stream/container_logs/agent/stream/stream.yml.hbs

@@ -15,4 +15,6 @@ parsers:
 {{#if processors}}
 processors:
 {{processors}}
-{{/if}}
+{{/if}}
+data_stream:
+  dataset: {{data_stream.dataset}}

packages/docker/data_stream/container_logs/fields/base-fields.yml

@@ -14,10 +14,6 @@
   type: constant_keyword
   description: Event module
   value: docker
-- name: event.dataset
-  type: constant_keyword
-  description: Event dataset
-  value: docker.container_logs
 - name: log.offset
   type: long
   description: Offset of the entry in the log file.

packages/docker/data_stream/container_logs/fields/ecs.yml

@@ -36,3 +36,5 @@
   name: host.os.version
 - external: ecs
   name: host.type
+- external: ecs
+  name: event.dataset

packages/docker/data_stream/container_logs/manifest.yml

@@ -39,6 +39,14 @@ streams:
           #     pattern: '^\['
           #     negate: true
           #     match: after
+      - name: data_stream.dataset
+        type: text
+        title: 'Datasream Dataset name'
+        description: Name of Datastream dataset
+        multi: false
+        default: docker.container_logs
+        required: true
+        show_user: false
       - name: processors
         type: yaml
         title: Processors

packages/docker/docs/README.md

@@ -1132,7 +1132,7 @@ The Docker `container_logs` data stream collects container logs.
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.dataset | Event dataset | constant_keyword |
+| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
 | event.module | Event module | constant_keyword |
 | host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
 | host.architecture | Operating system architecture. | keyword |

packages/docker/manifest.yml

@@ -1,6 +1,6 @@
 name: docker
 title: Docker
-version: 2.11.0
+version: 2.12.0
 description: Collect metrics and logs from Docker instances with Elastic Agent.
 type: integration
 icons: