As part of elastic/integrations#10135 the entityanalytics_entra_id package has its ECS field definitions removed, to be replaced at runtime by ecs@mappings. One of the field groups that is removed is user.group. Apart from other changes that the automation makes that work as expected for other packages that do not include this group, the change is
diff --git a/packages/entityanalytics_entra_id/data_stream/entity/fields/ecs.yml b/packages/entityanalytics_entra_id/data_stream/entity/fields/ecs.yml index 98c1adf9b1..367fa9f275 100644 --- a/packages/entityanalytics_entra_id/data_stream/entity/fields/ecs.yml +++ b/packages/entityanalytics_entra_id/data_stream/entity/fields/ecs.yml @@ -100,13 +100,6 @@ type: boolean - name: first_name type: keyword - - name: group - type: group - fields: - - name: id - type: keyword - - name: name - type: keyword - name: job_title type: keyword - name: last_name
With this change the package tests now fail.
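Review bot: the `group` entry removed in the @@ -100,13 +100,6 @@ hunk of data_stream/entity/fields/ecs.yml declares the object itself (`type: group`) as well as its `id` and `name` keyword leaves, and the test failure reported for test-users.json names `user.group` rather than either leaf. Nothing else in the visible lines defines that object, so I would keep this block in ecs.yml until the pipeline test passes without it, or note in the change which runtime mapping is expected to cover `user.group`, since sibling entries such as `first_name` and `job_title` are plain keywords and do not exercise the same path.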
--- Test results for package: entityanalytics_entra_id - START ---
FAILURE DETAILS:
entityanalytics_entra_id/entity test-users.json:
[0] field "user.group" is undefined
╭──────────────────────────┬─────────────┬───────────┬────────────────────────────┬─────────────────────────────────────────────────────────────────────────────┬──────────────╮
│ PACKAGE                  │ DATA STREAM │ TEST TYPE │ TEST NAME                  │ RESULT                                                                      │ TIME ELAPSED │
├──────────────────────────┼─────────────┼───────────┼────────────────────────────┼─────────────────────────────────────────────────────────────────────────────┼──────────────┤
│ entityanalytics_entra_id │ entity      │ pipeline  │ test-device.json           │ PASS                                                                        │ 7.023865ms   │
│ entityanalytics_entra_id │ entity      │ pipeline  │ test-users.json            │ FAIL: test case failed: one or more problems with fields found in documents │ 4.555814ms   │
│ entityanalytics_entra_id │ entity      │ pipeline  │ (ingest pipeline warnings) │ PASS                                                                        │ 391.471107ms │
╰──────────────────────────┴─────────────┴───────────┴────────────────────────────┴─────────────────────────────────────────────────────────────────────────────┴──────────────╯
--- Test results for package: entityanalytics_entra_id - END ---
It is not clear why this is from the error message in the test output.
The state of entityanalytics_entra_id used to demonstrate this can be reconstructed by running
Migration performed using ecs-update.
go run github.com/andrewkroh/go-examples/ecs-update@014b35dfe4c9832b51e7c909a39a48257d6a005d \
  -ecs-version=8.11.0 \
  -ecs-git-ref=v8.11.0 \
  -fields-yml-drop-ecs \
  -kibana-version=^8.13.0 \
  -drop-import-mappings \
  -pr=1 \
  -owner=elastic/security-service-integrations \
  packages/entityanalytics_entra_id