Migrate add_docker_metadata to ECS

[ruflin]

Migrate the docker fields to ECS container fields.

• docker.container.id -> container.id
• docker.container.image -> container.image.name
• docker.container.name -> container.name
• docker.container.labels -> container.labels

[ruflin]

@graphaelli Have you found a good way to migrate such fields?

[webmat]

I don't think we can. I'm assuming this is user-populated, including key names? If that's the case, then the list of fields to migrate is unknowable.

Perhaps if some fields are often present by default, we can create aliases for those, though.

[graphaelli]

I have not found a good way. Can the migration assistant create those aliases dynamically? That is, iterate over the source labels and create aliases on the old indices for each one? Another option is to inform users to include both fields with an or clause in searches and aggregations.

APM has the same issue where context.tags are moving to labels. It may be possible there to introduce an APM UI-only concept of "tags" "labels" and make the context.tags.$key=$value or labels.$key=value query on behalf of the user - we have not discussed this possibility but I'd be curious what you think.

[ruflin]

@graphaelli Indeed that is something that the migration assistant could potentially do. I think in this case it's more important for apm-server as you probably need it for the 6.x compatiblity layer and in our case it's nice to have as we can also break it in 7 and inform the user about this one. If we can use then the same feature to, that is great.

[webmat]

Yeah I think the migration assistant will be our best bet.

[ruflin]

@graphaelli Can you take this up with the Kibana team working on the migration assistant to see what they think?

[graphaelli]

They've added it to their use cases for the migration assistant, there will be hooks for us to handle it there.

[ruflin]

Great news. Thanks for following up.

[ruflin]

Was not sure why here the constant was not used. @exekias ok to change this one or could this have other side effects?

[exekias]

uhm, probably they were introduced at different points in time, I don't see a reason for it to not use the constant

[ruflin]

ok, replaced it by the constant then.

[ruflin]

Remove this one as I felt it's not needed anymore when using Put with the DeepUpdate. Please double check if that is correct.

[exekias]

while that's true, I think that will create more unneeded allocations? this is the kind of code that runs lots of times

[ruflin]

Not sure I can fully follow here. You are mostly worried about the DeepUpdate part?

[ruflin]

Going to merge for now. @exekias Let's revisit this next year to make sure we have the correct optimisations in place.

[elasticmachine]

Pinging @elastic/infrastructure

[ruflin]

I suggest we move forward with this PR even though alias for docker.container.labels do not exist as it's not straight forward. I added a note about it to our ECS issue so we can track it there.

[webmat]

One small issue in ecs-migration.yml, and two comments that will help inform next steps.

[webmat]

I don't think we can. I'm assuming this is user-populated, including key names? If that's the case, then the list of fields to migrate is unknowable.

Perhaps if some fields are often present by default, we can create aliases for those, though.

[ruflin]

@webmat Could you take a look again to get this in?

[webmat]

LGTM

[ruflin]

@adriansr @cwurm This probably needs some fixing in the collection script. Will fix it in this PR manually.