Add dynamic mappings for non-indexed ECS fields (#1733)

Some fields like `event.original` are documented and defined ECS as non-indexed, with `index: false` and `doc_values: false`. Honor this in the dynamic template.
elastic · Mar 26, 2024 · a44250e · a44250e
1 parent 6d9206a
commit a44250e
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/internal/builder/_static/ecs_mappings.yaml b/internal/builder/_static/ecs_mappings.yaml
@@ -23,6 +23,12 @@ mappings:
                 type: ip
             match: ip
             match_mapping_type: string
+        - x509_public_key_exponent_non_indexed_long:
+            mapping:
+                type: long
+                index: false
+                doc_values: false
+            path_match: '*.x509.public_key_exponent'
         - port_to_long:
             mapping:
                 type: long
@@ -198,6 +204,12 @@ mappings:
             mapping:
                 type: match_only_text
             path_match: message
+        - event_original_non_indexed_keyword:
+            mapping:
+                type: keyword
+                index: false
+                doc_values: false
+            path_match: 'event.original'
         - agent_name_to_keyword:
             mapping:
                 type: keyword