[aws_logs] Remove fixed value from event.dataset mapping by zmoog · Pull Request #15507 · elastic/integrations

zmoog · 2025-10-01T16:07:55Z

Proposed commit message

Remove the constant value logs-aws_logs.generic from the event.dataset mapping.

Context

The Custom AWS Logs integration is an integration package, so it doesn't automatically create a new index template for each installation, as input packages do.

To overcome this single index template limit, users manually clone the logs-aws_logs.generic index template (for more context, see the comment) and adapt it for a custom dataset.

Unfortunately, all index template clones reference the same logs-aws_logs.generic@package component template that maps event.dataset as constant_keyword with a constant value of logs-aws_logs.generic. This means data streams created from the cloned index templates reject documents with event.dataset values other than logs-aws_logs.generic.

Changes

In this PR I removed the fixed value, but we have at least two options:

We can keep the event.dataset mapping as constant_keyword without the fixed value to logs-aws_logs.generic.
Change the mapping to keyword to align with ECS https://www.elastic.co/docs/reference/ecs/ecs-event#field-event-dataset to give users more flexibility.

Checklist

I have reviewed tips for building integrations and this pull request is aligned with them.
I have verified that all data streams collect metrics or logs.
I have added an entry to my package's changelog.yml file.
I have verified that Kibana version constraints are current according to guidelines.
~~I have verified that any added dashboard complies with Kibana's Dashboard good practices~~

How to test this PR locally

Install the Custom AWS Logs integration using aws_logs.custom as custom dataset.
Clone the logs-aws_logs.generic index template as logs-aws_logs.custom, setting the new index pattern as logs-aws_logs.custom-*.
Try to index a document in the Dev Tools using the following request:

POST logs-aws_logs.custom-default/_doc
{
  "@timestamp": "2025-10-01T13:39:29+02:00",
  "whatever": "yeah",
  "event": {
    "dataset": "aws_logs.custom"
  }
}

ES should index the document successfully.

Related issues

Relates [Custom AWS Logs] The field event.dataset should not be mapped as constant_keyword. #13433 (see comment)

We can't assume event.dataset is always aws_logs.genericsince, users commonly clone the index template.

elasticmachine · 2025-10-01T18:40:32Z

💚 Build Succeeded

Buildkite Build
Commit: 30327ac

History

💚 Build #32150 succeeded f6b86ba

cc @zmoog

elastic-vault-github-plugin-prod · 2025-10-02T08:45:08Z

Package aws_logs - 1.8.3 containing this change is available at https://epr.elastic.co/package/aws_logs/1.8.3/

Remove the constant value `logs-aws_logs.generic` from the `event.dataset` mapping. **Context** The Custom AWS Logs integration is an integration package, so it doesn't automatically create a new index template for each installation, as input packages do. To overcome this single index template limit, users manually clone the `logs-aws_logs.generic` index template (for more context, see the [comment](elastic#13433 (comment))) and adapt it for a custom dataset. Unfortunately, all index template clones reference the same `logs-aws_logs.generic@package` component template that maps `event.dataset` as `constant_keyword` with a constant value of `logs-aws_logs.generic`. This means data streams created from the cloned index templates reject documents with `event.dataset` values other than `logs-aws_logs.generic`. **Changes** In this PR I removed the fixed value, but we have at least two options: - We can keep the `event.dataset` mapping as `constant_keyword` without the fixed value to `logs-aws_logs.generic`. - Change the mapping to `keyword` to align with ECS https://www.elastic.co/docs/reference/ecs/ecs-event#field-event-dataset to give users more flexibility.

Remove fixed event.dataset value

f6b86ba

We can't assume event.dataset is always aws_logs.genericsince, users commonly clone the index template.

zmoog self-assigned this Oct 1, 2025

zmoog added Integration:aws_logs Custom AWS Logs Team:obs-ds-hosted-services Observability Hosted Services team [elastic/obs-ds-hosted-services] bugfix Pull request that fixes a bug issue labels Oct 1, 2025

zmoog changed the title ~~[azure_logs] Remove fixed value from event.dataset mapping~~ [aws_logs] Remove fixed value from event.dataset mapping Oct 1, 2025

zmoog mentioned this pull request Oct 1, 2025

[Custom AWS Logs] The field event.dataset should not be mapped as constant_keyword. #13433

Closed

zmoog marked this pull request as ready for review October 1, 2025 18:11

zmoog requested a review from a team as a code owner October 1, 2025 18:11

Update changelog

30327ac

Kavindu-Dodan approved these changes Oct 1, 2025

View reviewed changes

zmoog merged commit 6b8adbf into main Oct 2, 2025
7 checks passed

zmoog deleted the zmoog/fix/aws-logs/event-dataset-mapping branch October 2, 2025 08:26

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[aws_logs] Remove fixed value from event.dataset mapping#15507

[aws_logs] Remove fixed value from event.dataset mapping#15507
zmoog merged 2 commits intomainfrom
zmoog/fix/aws-logs/event-dataset-mapping

zmoog commented Oct 1, 2025 •

edited

Loading

Uh oh!

elasticmachine commented Oct 1, 2025

Uh oh!

Uh oh!

elastic-vault-github-plugin-prod bot commented Oct 2, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

zmoog commented Oct 1, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Proposed commit message

Checklist

How to test this PR locally

Related issues

Uh oh!

elasticmachine commented Oct 1, 2025

💚 Build Succeeded

History

Uh oh!

Uh oh!

elastic-vault-github-plugin-prod bot commented Oct 2, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

zmoog commented Oct 1, 2025 •

edited

Loading