Skip to content

[aws_logs] Remove fixed value from event.dataset mapping #15507

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 2, 2025
Merged

[aws_logs] Remove fixed value from event.dataset mapping #15507

merged 2 commits into from
Oct 2, 2025

Conversation

zmoog
Copy link
Contributor

@zmoog zmoog commented Oct 1, 2025
edited
Loading

Proposed commit message

Remove the constant value logs-aws_logs.generic from the event.dataset mapping.

Context

The Custom AWS Logs integration is an integration package, so it doesn't automatically create a new index template for each installation, as input packages do.

To overcome this single index template limit, users manually clone the logs-aws_logs.generic index template (for more context, see the comment) and adapt it for a custom dataset.

Unfortunately, all index template clones reference the same logs-aws_logs.generic@package component template that maps event.dataset as constant_keyword with a constant value of logs-aws_logs.generic. This means data streams created from the cloned index templates reject documents with event.dataset values other than logs-aws_logs.generic.

Changes

In this PR I removed the fixed value, but we have at least two options:

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Install the Custom AWS Logs integration using aws_logs.custom as custom dataset.
  • Clone the logs-aws_logs.generic index template as logs-aws_logs.custom, setting the new index pattern as logs-aws_logs.custom-*.
  • Try to index a document in the Dev Tools using the following request:
POST logs-aws_logs.custom-default/_doc
{
  "@timestamp": "2025-10-01T13:39:29+02:00",
  "whatever": "yeah",
  "event": {
    "dataset": "aws_logs.custom"
  }
}

ES should index the document successfully.

Related issues

@zmoog
Remove fixed event.dataset value
f6b86ba 
We can't assume event.dataset is always aws_logs.genericsince, users
commonly clone the index template.
@zmoog zmoog self-assigned this Oct 1, 2025
@zmoog zmoog added Integration:aws_logs Custom AWS Logs Team:obs-ds-hosted-services Observability Hosted Services team [elastic/obs-ds-hosted-services] bugfix Pull request that fixes a bug issue labels Oct 1, 2025
@zmoog zmoog changed the title [azure_logs] Remove fixed value from event.dataset mapping [aws_logs] Remove fixed value from event.dataset mapping Oct 1, 2025
@zmoog zmoog mentioned this pull request Oct 1, 2025
Closed
@zmoog zmoog marked this pull request as ready for review October 1, 2025 18:11
@zmoog zmoog requested a review from a team as a code owner October 1, 2025 18:11
@elasticmachine
Copy link

💚 Build Succeeded

History

cc @zmoog

@zmoog zmoog merged commit 6b8adbf into main Oct 2, 2025
7 checks passed
@zmoog zmoog deleted the zmoog/fix/aws-logs/event-dataset-mapping branch October 2, 2025 08:26
@elastic-vault-github-plugin-prod
Copy link

Package aws_logs - 1.8.3 containing this change is available at https://epr.elastic.co/package/aws_logs/1.8.3/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Kavindu-Dodan Kavindu-Dodan Kavindu-Dodan approved these changes

Assignees

@zmoog zmoog

Labels

bugfix Pull request that fixes a bug issue Integration:aws_logs Custom AWS Logs Team:obs-ds-hosted-services Observability Hosted Services team [elastic/obs-ds-hosted-services]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@zmoog @elasticmachine @Kavindu-Dodan