@@ -292,8 +292,6 @@ def get_filtered_index_schema(
292292 # Custom and non-ecs mappings are filtered before being sent to this function in prepare mappings
293293 combined_mappings : dict [str , Any ] = {}
294294 utils .combine_dicts (combined_mappings , deepcopy (ecs_schema ))
295- utils .combine_dicts (combined_mappings , deepcopy (non_ecs_mapping ))
296- utils .combine_dicts (combined_mappings , deepcopy (custom_mapping ))
297295 for match in matches :
298296 utils .combine_dicts (combined_mappings , deepcopy (filtered_index_lookup .get (match , {})))
299297
@@ -461,20 +459,29 @@ def prepare_mappings( # noqa: PLR0913
461459 index_lookup .update (integration_index_lookup )
462460
463461 # Load non-ecs schema and convert to index mapping format (nested schema)
462+ # For non_ecs we need both a mapping and a schema as custom schemas can override non-ecs fields
463+ # In these cases we need to accept the overwrite keep the original non-ecs field in the schema
464+ non_ecs_schema : dict [str , Any ] = {}
464465 non_ecs_mapping : dict [str , Any ] = {}
465466 non_ecs = ecs .get_non_ecs_schema ()
466467 for index in indices :
467- non_ecs_mapping .update (non_ecs .get (index , {}))
468- non_ecs_mapping = ecs .flatten (non_ecs_mapping )
469- non_ecs_mapping = utils .convert_to_nested_schema (non_ecs_mapping )
468+ index_mapping = non_ecs .get (index , {})
469+ non_ecs_schema .update (index_mapping )
470+ index_mapping = ecs .flatten (index_mapping )
471+ index_mapping = utils .convert_to_nested_schema (index_mapping )
472+ non_ecs_mapping .update ({index : index_mapping })
473+
474+ non_ecs_schema = ecs .flatten (non_ecs_schema )
475+ non_ecs_schema = utils .convert_to_nested_schema (non_ecs_schema )
470476
471477 # Load custom schema and convert to index mapping format (nested schema)
472478 custom_mapping : dict [str , Any ] = {}
473479 custom_indices = ecs .get_custom_schemas ()
474480 for index in indices :
475- custom_mapping .update (custom_indices .get (index , {}))
476- custom_mapping = ecs .flatten (custom_mapping )
477- custom_mapping = utils .convert_to_nested_schema (custom_mapping )
481+ index_mapping = custom_indices .get (index , {})
482+ index_mapping = ecs .flatten (index_mapping )
483+ index_mapping = utils .convert_to_nested_schema (index_mapping )
484+ custom_mapping .update ({index : index_mapping })
478485
479486 # Load ECS in an index mapping format (nested schema)
480487 current_version = Version .parse (load_current_package_version (), optional_minor_and_patch = True )
@@ -487,8 +494,8 @@ def prepare_mappings( # noqa: PLR0913
487494
488495 index_lookup .update ({"rule-ecs-index" : ecs_schema })
489496
490- if (not integration_mappings or existing_mappings ) and not non_ecs_mapping and not ecs_schema :
497+ if (not integration_mappings or existing_mappings ) and not non_ecs_schema and not ecs_schema :
491498 raise ValueError ("No mappings found" )
492- index_lookup .update ({"rule-non-ecs-index" : non_ecs_mapping })
499+ index_lookup .update ({"rule-non-ecs-index" : non_ecs_schema })
493500
494501 return existing_mappings , index_lookup , combined_mappings
0 commit comments