Add non-indexed fields to ecs templates

[flash1293]

Some fields in ECS are specified to not get indexed. The existing default component template ecs@mappings isn't capturing this, so the fields will fall back to regular keyword mapping:
https://www.elastic.co/guide/en/ecs/current/ecs-event.html#field-event-original

Aligned with elastic/elastic-package#1733 - I'm not sure about the x509 fields, could you elaborate on these @jsoriano ?

This PR fixes the problem by adding dynamic templates for these fields.

[ruflin]

@eyalkoren Would be great to get your look at this one if you find some time. I wonder why this did not pop up in the tests and how we can adjust the tests to cover this use case.

[ruflin]

it seems this is a long according to ECS? https://www.elastic.co/guide/en/ecs/8.11/ecs-x509.html#field-x509-public-key-exponent I really wonder if we should cover this "edge" case.

[flash1293]

I think I agree. ECS doesn't mention whether it's indexed or not - so I guess indexing is fair game (and it's left to the user to overwrite this)?

[jsoriano]

I'm not sure about the x509 fields, could you elaborate on these @jsoriano ?

They are defined as non-indexed in ECS: https://github.com/elastic/ecs/blob/ee4e0979dbaa91c915a1b31a26e1ea814bfe75aa/schemas/x509.yml#L203

[eyalkoren]

@ruflin the tests currently ignore the index property of the ECS field definitions. Since they are defined in the schema, it should be easy to adjust them. I'll try to get to that this week, and bring into consideration the doc_values property as well.

[flash1293]

Thanks for the context @jsoriano - it threw me off that event.original is specifying this explicitly in the user-visible text in the docs.

[flash1293]

/ci

[flash1293]

@elasticsearchmachine run

[flash1293]

@elasticmachine run

[ruflin]

• @eyalkoren That would be great. Should we wait with this PR for the change as we might unconver other things?
• @eyalkoren @dakrone Do we need to increase the version of the template or anything if we update it?
• @flash1293 Try to merge in main, the failures seem to be unrelated

[elasticsearchmachine]

Pinging @elastic/es-data-management (Team:Data Management)

[elasticsearchmachine]

Hi @flash1293, I've created a changelog YAML for you.

[ruflin]

As usual, I pinged the wrong @leehinman , now added @dakrone .

[eyalkoren]

@eyalkoren That would be great. Should we wait with this PR for the change as we might unconver other things?

I don't think we need to wait with the test. My intention was to do it in a separate PR anyway to see it failing and then verify it gets fixed after merging this PR's fix. And I am not just saying that because my availability is non problematic 😬

@eyalkoren @dakrone Do we need to increase the version of the template or anything if we update it?

Since this template uses a version variable which is used by all other components managed by the stack registry, I believe we would need to update the registry version, unless it was already updated after the latest release.

[eyalkoren]

I ended up pushing the ECS test adjustment here and verified that it fails when removing the ecs@mappings fixes.
Since I also contributed, I hereby approve the mappings fix but will let other reviewers to "officially" approve the entire PR changes.

[felixbarny]

Please increment org.elasticsearch.xpack.stack.StackTemplateRegistry#REGISTRY_VERSION, otherwise LGTM

[dakrone]

LGTM