Add new validation rule to avoid rename processor without checking event.original

[mrodm]

Originally posted in elastic/integrations#3451 (comment)

Add a new validation rule to ensure that if there is a rename processor whose target_field is event.original and field is message, it needs also to check that if key is defined checking about the presence of event.original in the document.

Moreover this new validation rule needs to check that a remove processor is defined to remove the message field, to avoid duplication.

As an example, if there is that rename processor in the ingest pipeline, a remove processor should exist and that rename processor should be like :

    - rename:
        field: message
        target_field: event.original
        # ignore_missing: true 
        if: 'ctx.event?.original == null'
    - remove:
        field: message
        ignore_missing: true
        if: 'ctx.event?.original != null'

Similar to what it was done in elastic/integrations#7026

[ishleenk17]

@mrodm : The remove processor validation should not be limited to just the message field.
So I am not sure if we should add this to the validation here.
There should be a generic validation that any field if renamed and not being used again should be removed.

[jillguyonnet]

@ishleenk17 Apologies for not addressing your comment earlier. Renaming message to event.original is a common pattern (over 130 packages were affected in the test branch); it was straightforward enough to address through conditional schema, which also allowed stronger restrictions (such as the presence and value of the if property). Implementing a more general rule would probably open wider discussions and require a more involved approach. Please let us know if you have any concerns or feel free to open another issue to discuss this further.