Convert Filebeat mongodb.log to ECS (#10009)

- Convert fields under `mongodb.log.*` to ECS. Previous field names are field aliases towards the new corresponding ECS field: - mongodb.log.message => message - mongodb.log.severity => log.level - read_timestamp => event.created (not aliased, still used elsewhere)
elastic · Jan 11, 2019 · f384ba3 · f384ba3
1 parent 27f7b15
commit f384ba3
Show file tree

Hide file tree

Showing 6 changed files with 134 additions and 133 deletions.
diff --git a/dev-tools/ecs-migration.yml b/dev-tools/ecs-migration.yml
@@ -456,6 +456,16 @@
   to: event.duration
   alias: true
 
+## MongoDB module
+
+- from: mongodb.log.severity
+  to: log.level
+  alias: true
+
+- from: mongodb.log.message
+  to: message
+  alias: true
+
 ## NGINX module
 
 - from: nginx.access.user_name

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -6265,18 +6265,6 @@ Contains fields from MongoDB logs.
 
 
 
-*`mongodb.log.severity`*::
-+
---
-type: keyword
-
-example: I
-
-Severity level of message
-
-
---
-
 *`mongodb.log.component`*::
 +
 --
@@ -6301,13 +6289,21 @@ Context of message
 
 --
 
-*`mongodb.log.message`*::
+*`mongodb.log.severity`*::
 +
 --
-type: text
+type: alias
+
+alias to: log.level
 
-The message in the log line.
+--
 
+*`mongodb.log.message`*::
++
+--
+type: alias
+
+alias to: message
 
 --
 

diff --git a/filebeat/module/mongodb/fields.go b/filebeat/module/mongodb/fields.go
diff --git a/filebeat/module/mongodb/log/_meta/fields.yml b/filebeat/module/mongodb/log/_meta/fields.yml
@@ -3,11 +3,6 @@
   description: >
       Contains fields from MongoDB logs.
   fields:
-  - name: severity
-    description: >
-        Severity level of message
-    example: I
-    type: keyword
   - name: component
     description: >
         Functional categorization of message
@@ -18,7 +13,12 @@
         Context of message
     example: initandlisten
     type: keyword
+
+  - name: severity
+    type: alias
+    path: log.level
+    migration: true
   - name: message
-    description: >
-        The message in the log line.
-    type: text
+    type: alias
+    path: message
+    migration: true
diff --git a/filebeat/module/mongodb/log/ingest/pipeline.json b/filebeat/module/mongodb/log/ingest/pipeline.json
@@ -4,20 +4,15 @@
     "grok": {
       "field": "message",
       "patterns":[
-        "%{TIMESTAMP_ISO8601:mongodb.log.timestamp} %{WORD:mongodb.log.severity} %{WORD:mongodb.log.component} \\s*\\[%{WORD:mongodb.log.context}\\] %{GREEDYDATA:mongodb.log.message}"
+        "%{TIMESTAMP_ISO8601:mongodb.log.timestamp} %{WORD:log.level} %{WORD:mongodb.log.component} \\s*\\[%{WORD:mongodb.log.context}\\] %{GREEDYDATA:message}"
       ],
       "ignore_missing": true
     }
   },
-  {
-    "remove": {
-      "field": "message"
-    }
-  },
   {
     "rename": {
       "field": "@timestamp",
-      "target_field": "read_timestamp"
+      "target_field": "event.created"
     }
   },
   {