From a44250eda089f89cc820c0ba5492bef71857aeb1 Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor <jaime.soriano@elastic.co>
Date: Tue, 26 Mar 2024 20:37:03 +0100
Subject: [PATCH] Add dynamic mappings for non-indexed ECS fields (#1733)

Some fields like `event.original` are documented and defined ECS as non-indexed,
with `index: false` and `doc_values: false`. Honor this in the dynamic template.
---
 internal/builder/_static/ecs_mappings.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/internal/builder/_static/ecs_mappings.yaml b/internal/builder/_static/ecs_mappings.yaml
index d42da2819..aa2034f53 100644
--- a/internal/builder/_static/ecs_mappings.yaml
+++ b/internal/builder/_static/ecs_mappings.yaml
@@ -23,6 +23,12 @@ mappings:
                 type: ip
             match: ip
             match_mapping_type: string
+        - x509_public_key_exponent_non_indexed_long:
+            mapping:
+                type: long
+                index: false
+                doc_values: false
+            path_match: '*.x509.public_key_exponent'
         - port_to_long:
             mapping:
                 type: long
@@ -198,6 +204,12 @@ mappings:
             mapping:
                 type: match_only_text
             path_match: message
+        - event_original_non_indexed_keyword:
+            mapping:
+                type: keyword
+                index: false
+                doc_values: false
+            path_match: 'event.original'
         - agent_name_to_keyword:
             mapping:
                 type: keyword