From a6476b212d9ad5cb3a6b61e9ec401038872e8aed Mon Sep 17 00:00:00 2001
From: Fede Galland <99492720+f-galland@users.noreply.github.com>
Date: Wed, 11 Dec 2024 14:23:18 -0300
Subject: [PATCH] Fix process.command_line mapping (#589)

* Remove multi-fields and change type to match text only
* Update generate.sh to remove multifields from process and agent.host
* Fix jq command
* Change wildcard type to keyword
---
 ecs/generate.sh | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ecs/generate.sh b/ecs/generate.sh
index 7b860256f0936..e66cbb4c87d6d 100755
--- a/ecs/generate.sh
+++ b/ecs/generate.sh
@@ -19,8 +19,12 @@ remove_multi_fields() {
     local OUT_FILE="$2"
 
     jq 'del(
+        .mappings.properties.agent.properties.host.properties.os.properties.full.fields,
+        .mappings.properties.agent.properties.host.properties.os.properties.name.fields,
         .mappings.properties.host.properties.os.properties.full.fields,
         .mappings.properties.host.properties.os.properties.name.fields,
+        .mappings.properties.process.properties.command_line.fields,
+        .mappings.properties.process.properties.name.fields,
         .mappings.properties.vulnerability.properties.description.fields
     )' "$IN_FILE" > "$OUT_FILE"
 }
@@ -46,6 +50,10 @@ generate_mappings() {
     # Replace "constant_keyword" type (not supported by OpenSearch) with "keyword"
     echo "Replacing \"constant_keyword\" type with \"keyword\""
     find "$OUT_DIR" -type f -exec sed -i 's/constant_keyword/keyword/g' {} \;
+
+    # Replace "wildcard" type (showing as "unknown" on dashboard) with "keyword"
+    echo "Replacing \"wildcard\" type with \"keyword\""
+    find "$OUT_DIR" -type f -exec sed -i 's/wildcard/keyword/g' {} \;
 
     # Replace "flattened" type (not supported by OpenSearch) with "flat_object"
     echo "Replacing \"flattened\" type with \"flat_object\""
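Review bot: The added `sed -i 's/wildcard/keyword/g'` in generate_mappings rewrites every occurrence of the substring "wildcard" in every file under "$OUT_DIR", not just the type value, so any field name, description or enum value that happens to contain that word is silently altered too. Anchoring the substitution on the type key would limit it to what the comment describes, e.g. `sed -i 's/"type": "wildcard"/"type": "keyword"/g'` if the generated files are JSON with that spacing (the jq path `.mappings.properties` above suggests JSON, but the exact formatting is not visible here). A second point worth a comment in the hunk: moving process.command_line from "wildcard" to "keyword" changes search semantics for a field security rules commonly match with substrings, and if the mapping carries an `ignore_above` limit, long command lines would not be indexed at all, so that trade-off should be stated next to the replacement, e.g. `# NOTE: keyword is exact-match only; verify no ignore_above truncates long command lines`. The body of generate_mappings continues outside the hunk.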