
Commit 5e35f88

Use list comprehension
1 parent 799836a commit 5e35f88


1 file changed

+14
-11
lines changed


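--- a/detection_rules/index_mappings.py
+++ b/detection_rules/index_mappings.py
@@ -160,25 +160,30 @@ def get_simulated_index_template_mappings(elastic_client: Elasticsearch, name: s
 
 
 def prune_mappings_of_unsupported_types(
-integration: str, stream: str, stream_mappings: dict[str, Any], log: Callable[[str], None]
+integration: str | None, index: str | None, stream_mappings: dict[str, Any], log: Callable[[str], None]
 ) -> dict[str, Any]:
 """Prune fields with unsupported types (ES|QL) from the provided mappings."""
+debug_str = integration if integration is not None else index
 nested_multifields = find_nested_multifields(stream_mappings)
 for field in nested_multifields:
-field_name = str(field).split(".fields.")[0].replace(".", ".properties.") + ".fields"
+parts = str(field).split(".fields.")[0].split(".")
+base_name = ".properties.".join(parts)
+field_name = f"{base_name}.fields"
 log(
-f"Warning: Nested multi-field `{field}` found in `{integration}-{stream}`. "
+f"Warning: Nested multi-field `{field}` found in `{debug_str}`. "
 f"Removing parent field from schema for ES|QL validation."
 )
 delete_nested_key_from_dict(stream_mappings, field_name)
 nested_flattened_fields = find_flattened_fields_with_subfields(stream_mappings)
 for field in nested_flattened_fields:
 # Remove both .fields and .properties entries for flattened fields
 # .properties entries can occur when being merged with non-ecs or custom schemas
-field_name = str(field).split(".fields.")[0].replace(".", ".properties.") + ".fields"
-property_name = str(field).split(".fields.")[0].replace(".", ".properties.") + ".properties"
+parts = str(field).split(".fields.")[0].split(".")
+base_name = ".properties.".join(parts)
+field_name = f"{base_name}.fields"
+property_name = f"{base_name}.properties"
 log(
-f"Warning: flattened field `{field}` found in `{integration}-{stream}` with sub fields. "
+f"Warning: flattened field `{field}` found in `{debug_str}` with sub fields. "
 f"Removing parent field from schema for ES|QL validation."
 )
 delete_nested_key_from_dict(stream_mappings, field_name)
@@ -226,7 +231,7 @@ def prepare_integration_mappings( # noqa: PLR0913
 for stream in package_schema:
 flat_schema = package_schema[stream]
 stream_mappings = flat_schema_to_index_mapping(flat_schema)
-stream_mappings = prune_mappings_of_unsupported_types(integration, stream, stream_mappings, log)
+stream_mappings = prune_mappings_of_unsupported_types(f"{integration}-{stream}", None, stream_mappings, log)
 utils.combine_dicts(integration_mappings, deepcopy(stream_mappings))
 index_lookup[f"{integration}-{stream}"] = stream_mappings
 
@@ -309,7 +314,7 @@ def get_filtered_index_schema( # noqa: PLR0913
 # Need to use a merge here to not overwrite existing fields
 utils.combine_dicts(base, deepcopy(non_ecs_mapping.get(match, {})))
 utils.combine_dicts(base, deepcopy(custom_mapping.get(match, {})))
-filtered_index_lookup[match] = prune_mappings_of_unsupported_types("index", match, base, log)
+filtered_index_lookup[match] = prune_mappings_of_unsupported_types(None, match, base, log)
 utils.combine_dicts(combined_mappings, deepcopy(base))
 
 # Reduce the index lookup to only the matched indices (remote/Kibana schema validation source of truth)
@@ -495,8 +500,7 @@ def prepare_mappings( # noqa: PLR0913
 # and also at a per index level as custom schemas can override non-ecs fields and/or indices
 non_ecs_schema = ecs.flatten(non_ecs_schema)
 non_ecs_schema = utils.convert_to_nested_schema(non_ecs_schema)
-non_ecs_schema = prune_mappings_of_unsupported_types("non-ecs", "non-ecs", non_ecs_schema, log)
-non_ecs_mapping = prune_mappings_of_unsupported_types("non-ecs", "non-ecs", non_ecs_mapping, log)
+non_ecs_schema = prune_mappings_of_unsupported_types(None, "non-ecs", non_ecs_schema, log)
 
 # Load custom schema and convert to index mapping format (nested schema)
 custom_mapping: dict[str, Any] = {}
@@ -506,7 +510,6 @@ def prepare_mappings( # noqa: PLR0913
 index_mapping = ecs.flatten(index_mapping)
 index_mapping = utils.convert_to_nested_schema(index_mapping)
 custom_mapping.update({index: index_mapping})
-custom_mapping = prune_mappings_of_unsupported_types("custom", "custom", custom_mapping, log)
 
 # Load ECS in an index mapping format (nested schema)
 current_version = Version.parse(load_current_package_version(), optional_minor_and_patch=True)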
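Review bot: `prune_mappings_of_unsupported_types` now takes two nullable arguments, `integration` and `index`, that are used only to build `debug_str` for the warning text, and nothing rejects the case where both are `None`, so the warning would then name its source as None. The call in `prepare_integration_mappings` already passes the combined `f"{integration}-{stream}"` as `integration`, so the parameter name no longer describes the value it carries. A single required label such as `source: str` would be simpler, or at minimum a guard right after the assignment: `if debug_str is None: raise ValueError("integration or index must be provided")`. The one-line docstring should also state that these two arguments only label the log output and that `stream_mappings` appears to be modified in place through `delete_nested_key_from_dict`. The function body continues past the end of the first hunk, so the return path is not visible here.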
