
Commit fdc7f71

api-clients-generation-pipeline[bot]ci.datadog-api-spec
andauthored
Add support for Schema Processor in Logs Pipelines (#32246)
Co-authored-by: ci.datadog-api-spec <[email protected]>
1 parent adeaf72 commit fdc7f71


8 files changed

+8468
-6
lines changed


content/en/api/v1/logs-pipelines/examples.json

Lines changed: 6 additions & 6 deletions
Large diffs are not rendered by default.
Lines changed: 243 additions & 0 deletions
@@ -0,0 +1,243 @@
1+
{
2+
"filter": {
3+
"query": "source:python"
4+
},
5+
"name": "testSchemaProcessor",
6+
"processors": [
7+
{
8+
"type": "schema-processor",
9+
"is_enabled": true,
10+
"name": "Apply OCSF schema for 3001",
11+
"schema": {
12+
"schema_type": "ocsf",
13+
"version": "1.5.0",
14+
"class_uid": 3001,
15+
"class_name": "Account Change",
16+
"profiles": [
17+
"cloud",
18+
"datetime"
19+
]
20+
},
21+
"mappers": [
22+
{
23+
"type": "schema-category-mapper",
24+
"name": "activity_id and activity_name",
25+
"categories": [
26+
{
27+
"filter": {
28+
"query": "@eventName:(*Create*)"
29+
},
30+
"name": "Create",
31+
"id": 1
32+
},
33+
{
34+
"filter": {
35+
"query": "@eventName:(ChangePassword OR PasswordUpdated)"
36+
},
37+
"name": "Password Change",
38+
"id": 3
39+
},
40+
{
41+
"filter": {
42+
"query": "@eventName:(*Attach*)"
43+
},
44+
"name": "Attach Policy",
45+
"id": 7
46+
},
47+
{
48+
"filter": {
49+
"query": "@eventName:(*Detach* OR *Remove*)"
50+
},
51+
"name": "Detach Policy",
52+
"id": 8
53+
},
54+
{
55+
"filter": {
56+
"query": "@eventName:(*Delete*)"
57+
},
58+
"name": "Delete",
59+
"id": 6
60+
},
61+
{
62+
"filter": {
63+
"query": "@eventName:*"
64+
},
65+
"name": "Other",
66+
"id": 99
67+
}
68+
],
69+
"targets": {
70+
"name": "ocsf.activity_name",
71+
"id": "ocsf.activity_id"
72+
},
73+
"fallback": {
74+
"values": {
75+
"ocsf.activity_id": "99",
76+
"ocsf.activity_name": "Other"
77+
},
78+
"sources": {
79+
"ocsf.activity_name": [
80+
"eventName"
81+
]
82+
}
83+
}
84+
},
85+
{
86+
"type": "schema-category-mapper",
87+
"name": "status",
88+
"categories": [
89+
{
90+
"filter": {
91+
"query": "-@errorCode:*"
92+
},
93+
"id": 1,
94+
"name": "Success"
95+
},
96+
{
97+
"filter": {
98+
"query": "@errorCode:*"
99+
},
100+
"id": 2,
101+
"name": "Failure"
102+
}
103+
],
104+
"targets": {
105+
"id": "ocsf.status_id",
106+
"name": "ocsf.status"
107+
}
108+
},
109+
{
110+
"type": "schema-category-mapper",
111+
"name": "Set default severity",
112+
"categories": [
113+
{
114+
"filter": {
115+
"query": "@eventName:*"
116+
},
117+
"name": "Informational",
118+
"id": 1
119+
}
120+
],
121+
"targets": {
122+
"name": "ocsf.severity",
123+
"id": "ocsf.severity_id"
124+
}
125+
},
126+
{
127+
"type": "schema-remapper",
128+
"name": "Map userIdentity to ocsf.user.uid",
129+
"sources": [
130+
"userIdentity.principalId",
131+
"responseElements.role.roleId",
132+
"responseElements.user.userId"
133+
],
134+
"target": "ocsf.user.uid",
135+
"preserve_source": true
136+
},
137+
{
138+
"type": "schema-remapper",
139+
"name": "Map userName to ocsf.user.name",
140+
"sources": [
141+
"requestParameters.userName",
142+
"responseElements.role.roleName",
143+
"requestParameters.roleName",
144+
"responseElements.user.userName"
145+
],
146+
"target": "ocsf.user.name",
147+
"preserve_source": true
148+
},
149+
{
150+
"type": "schema-remapper",
151+
"name": "Map api to ocsf.api",
152+
"sources": [
153+
"api"
154+
],
155+
"target": "ocsf.api",
156+
"preserve_source": true
157+
},
158+
{
159+
"type": "schema-remapper",
160+
"name": "Map user to ocsf.user",
161+
"sources": [
162+
"user"
163+
],
164+
"target": "ocsf.user",
165+
"preserve_source": true
166+
},
167+
{
168+
"type": "schema-remapper",
169+
"name": "Map actor to ocsf.actor",
170+
"sources": [
171+
"actor"
172+
],
173+
"target": "ocsf.actor",
174+
"preserve_source": true
175+
},
176+
{
177+
"type": "schema-remapper",
178+
"name": "Map cloud to ocsf.cloud",
179+
"sources": [
180+
"cloud"
181+
],
182+
"target": "ocsf.cloud",
183+
"preserve_source": true
184+
},
185+
{
186+
"type": "schema-remapper",
187+
"name": "Map http_request to ocsf.http_request",
188+
"sources": [
189+
"http_request"
190+
],
191+
"target": "ocsf.http_request",
192+
"preserve_source": true
193+
},
194+
{
195+
"type": "schema-remapper",
196+
"name": "Map metadata to ocsf.metadata",
197+
"sources": [
198+
"metadata"
199+
],
200+
"target": "ocsf.metadata",
201+
"preserve_source": true
202+
},
203+
{
204+
"type": "schema-remapper",
205+
"name": "Map time to ocsf.time",
206+
"sources": [
207+
"time"
208+
],
209+
"target": "ocsf.time",
210+
"preserve_source": true
211+
},
212+
{
213+
"type": "schema-remapper",
214+
"name": "Map src_endpoint to ocsf.src_endpoint",
215+
"sources": [
216+
"src_endpoint"
217+
],
218+
"target": "ocsf.src_endpoint",
219+
"preserve_source": true
220+
},
221+
{
222+
"type": "schema-remapper",
223+
"name": "Map severity to ocsf.severity",
224+
"sources": [
225+
"severity"
226+
],
227+
"target": "ocsf.severity",
228+
"preserve_source": true
229+
},
230+
{
231+
"type": "schema-remapper",
232+
"name": "Map severity_id to ocsf.severity_id",
233+
"sources": [
234+
"severity_id"
235+
],
236+
"target": "ocsf.severity_id",
237+
"preserve_source": true
238+
}
239+
]
240+
}
241+
],
242+
"tags": []
243+
}
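Review bot: In the "activity_id and activity_name" mapper, the last category (`"query": "@eventName:*"`, `"id": 99`) matches every log that carries an eventName, so the `fallback` block under it looks reachable only when eventName is missing, and then its `"sources": {"ocsf.activity_name": ["eventName"]}` has nothing to copy. If unclassified account changes are meant to keep their original event name, which is what an analyst needs when triaging an "Other" activity, the catch-all category should be dropped so the fallback handles them; this assumes categories are tried in order and the fallback applies only when none matches, which the page does not show. The fallback also writes `"ocsf.activity_id": "99"` as a string while every category `id` is an integer, so unless the API requires string fallback values it should read `"ocsf.activity_id": 99` to keep the field single-typed for downstream detection queries. Separately, the "Set default severity" mapper and the later "Map severity to ocsf.severity" and "Map severity_id to ocsf.severity_id" remappers write the same targets, and the example does not say which write wins.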
