Add new logs dataset and example configs (#240334)

Adds a simple dataset for generating success and error log messages. The
dataset and configs are intended to generate data on which we can
generate active/recovered/flapping alerts using ES|QL rule.

### Run example configs

`node x-pack/scripts/data_forge.js --config
x-pack/platform/packages/shared/kbn-data-forge/example_config/esql_poc/esql_active_recovered_alert.yaml`

`node x-pack/scripts/data_forge.js --config
x-pack/platform/packages/shared/kbn-data-forge/example_config/esql_poc/esql_flapping_alert.yaml`

Co-authored-by: Justin Kambic <[email protected]>

Author: benakansara

x-pack/platform/packages/shared/kbn-data-forge/example_config/success_and_error_log_messages/esql_active_recovered_alert.yaml

@@ -0,0 +1,31 @@
+---
+elasticsearch:
+  installKibanaUser: false
+
+kibana:
+  installAssets: true
+
+indexing:
+  eventsPerCycle: 1
+  dataset: "database_logs"
+
+schedule:
+  - template: "bad"
+    start: "now-2m"
+    end: "now+2m"
+    eventsPerCycle: 15
+    randomness: 0.1
+  - template: "good"
+    start: "now+2m"
+    end: "now+5m"
+    randomness: 0.1
+  - template: "bad"
+    start: "now+5m"
+    end: "now+8m"
+    eventsPerCycle: 5
+    randomness: 0.1
+  - template: "good"
+    start: "now+8m"
+    end: "now+10m"
+    randomness: 0.1
+  

x-pack/platform/packages/shared/kbn-data-forge/example_config/success_and_error_log_messages/esql_flapping_alert.yaml

@@ -0,0 +1,54 @@
+---
+elasticsearch:
+  installKibanaUser: false
+
+kibana:
+  installAssets: true
+
+indexing:
+  eventsPerCycle: 1
+  dataset: "database_logs"
+
+schedule:
+  - template: "bad"
+    start: "now-2m"
+    end: "now+2m"
+    eventsPerCycle: 15
+    randomness: 0.1
+  - template: "good"
+    start: "now+2m"
+    end: "now+5m"
+    randomness: 0.1
+  - template: "bad"
+    start: "now+5m"
+    end: "now+8m"
+    eventsPerCycle: 5
+    randomness: 0.1
+  - template: "good"
+    start: "now+8m"
+    end: "now+10m"
+    randomness: 0.1
+  - template: "bad"
+    start: "now+10m"
+    end: "now+14m"
+    eventsPerCycle: 15
+    randomness: 0.1
+  - template: "good"
+    start: "now+14m"
+    end: "now+17m"
+    randomness: 0.1
+  - template: "bad"
+    start: "now+17m"
+    end: "now+20m"
+    eventsPerCycle: 10
+    randomness: 0.1
+  - template: "good"
+    start: "now+20m"
+    end: "now+25m"
+    randomness: 0.1
+  - template: "bad"
+    start: "now+25m"
+    end: "now+30m"
+    eventsPerCycle: 20
+    randomness: 0.1
+  

x-pack/platform/packages/shared/kbn-data-forge/src/constants.ts

@@ -9,6 +9,7 @@ export const FAKE_HOSTS = 'fake_hosts';
 export const FAKE_LOGS = 'fake_logs';
 export const FAKE_STACK = 'fake_stack';
 export const SERVICE_LOGS = 'service.logs';
+export const DATABASE_LOGS = 'database_logs';
 
 export const INDEX_PREFIX = 'kbn-data-forge';
 

x-pack/platform/packages/shared/kbn-data-forge/src/data_sources/database_logs/ecs/index.ts

@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import template from '../template.json';
+import type { IndexTemplateDef } from '../../../types';
+
+export const indexTemplate: IndexTemplateDef = {
+  name: 'logs-database_logs@template',
+  template,
+  components: [],
+};

x-pack/platform/packages/shared/kbn-data-forge/src/data_sources/database_logs/index.ts

@@ -0,0 +1,99 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { random, sample } from 'lodash';
+import type { GeneratorFunction } from '../../types';
+export { indexTemplate } from './ecs';
+
+const createGroupIndex = (index: number) => Math.floor(index / 1000) * 1000;
+
+const DATABASE_ERROR_MESSAGES = [
+  'Connection timeout: database error occurred while connecting to primary server',
+  'Query failed: database error in SELECT statement execution',
+  'Transaction rollback: database error detected, rolling back changes',
+  'Deadlock detected: database error in concurrent transaction processing',
+  'Connection pool exhausted: database error - no available connections',
+  'Constraint violation: database error in data integrity check',
+  'Replication lag: database error in master-slave synchronization',
+  'Index corruption: database error detected in table indexes',
+  'Lock timeout: database error waiting for resource lock',
+  'Authentication failed: database error in user credential verification',
+];
+
+const SUCCESS_MESSAGES = [
+  'Database connection established successfully',
+  'Query executed successfully: SELECT * FROM users WHERE active = true',
+  'Transaction committed successfully',
+  'Data backup completed successfully',
+  'Index optimization completed successfully',
+  'Replication sync completed successfully',
+  'Database health check passed',
+  'Connection pool initialized successfully',
+  'User authentication successful',
+  'Cache refresh completed successfully',
+];
+
+const DATABASE_HOSTS = [
+  'db-primary-01',
+  'db-primary-02',
+  'db-replica-01',
+  'db-replica-02',
+  'db-analytics-01',
+  'db-cache-01',
+  'db-warehouse-01',
+];
+
+export const generateEvent: GeneratorFunction = (config, schedule, index, timestamp) => {
+  const groupIndex = createGroupIndex(index);
+  const latency = random(50, 2000);
+  const interval = schedule.interval ?? config.indexing.interval;
+  const isError = schedule.template === 'error' || schedule.template === 'bad';
+  const hostName = sample(DATABASE_HOSTS) || 'db-primary-01';
+
+  return [
+    {
+      namespace: 'database_logs',
+      '@timestamp': timestamp.toISOString(),
+      event: {
+        module: 'database',
+        dataset: 'database.logs',
+        duration: latency,
+        code: isError ? random(400, 599) : 200,
+        category: isError ? 'database_error' : 'database_success',
+        type: isError ? 'error' : 'info',
+      },
+      log: {
+        level: isError ? 'error' : 'info',
+        logger: 'database_logs',
+      },
+      host: {
+        name: hostName,
+      },
+      service: {
+        name: 'database-service',
+        type: 'database',
+      },
+      labels: {
+        groupId: `group-${groupIndex}`,
+        eventId: `event-${index}`,
+        scenario: schedule.template,
+        database_type: sample(['postgresql', 'mysql', 'mongodb', 'elasticsearch']) || 'postgresql',
+      },
+      metricset: {
+        period: interval,
+      },
+      message: isError
+        ? sample(DATABASE_ERROR_MESSAGES) || 'Unknown database error occurred'
+        : sample(SUCCESS_MESSAGES) || 'Database operation completed successfully',
+      database: {
+        query_time: latency,
+        connection_id: `conn_${random(1000, 9999)}`,
+        query_type: sample(['SELECT', 'INSERT', 'UPDATE', 'DELETE']) || 'SELECT',
+      },
+    },
+  ];
+};

x-pack/platform/packages/shared/kbn-data-forge/src/data_sources/database_logs/template.json

@@ -0,0 +1,155 @@
+{
+  "_meta": {
+    "description": "Database logs composable template for ES|QL testing",
+    "version": "1.0.0"
+  },
+  "index_patterns": [
+    "kbn-data-forge-database_logs.database_logs-*"
+  ],
+  "priority": 1,
+  "template": {
+    "mappings": {
+      "_meta": {
+        "version": "1.0.0"
+      },
+      "date_detection": false,
+      "dynamic_templates": [
+        {
+          "labels": {
+            "path_match": "labels.*",
+            "mapping": {
+              "type": "keyword"
+            },
+            "match_mapping_type": "string"
+          }
+        },
+        {
+          "strings_as_keyword": {
+            "mapping": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "match_mapping_type": "string"
+          }
+        }
+      ],
+      "properties": {
+        "@timestamp": {
+          "type": "date"
+        },
+        "metricset": {
+          "properties": {
+            "period": {
+              "type": "long"
+            }
+          }
+        },
+        "host": {
+          "properties": {
+            "name": {
+              "type": "keyword",
+              "ignore_above": 256
+            }
+          }
+        },
+        "service": {
+          "properties": {
+            "name": {
+              "type": "keyword",
+              "ignore_above": 256
+            },
+            "type": {
+              "type": "keyword",
+              "ignore_above": 256
+            }
+          }
+        },
+        "event": {
+          "properties": {
+            "dataset": {
+              "type": "keyword",
+              "ignore_above": 256
+            },
+            "module": {
+              "type": "keyword",
+              "ignore_above": 256
+            },
+            "category": {
+              "type": "keyword",
+              "ignore_above": 256
+            },
+            "type": {
+              "type": "keyword",
+              "ignore_above": 256
+            },
+            "code": {
+              "type": "long"
+            },
+            "duration": {
+              "type": "long"
+            }
+          }
+        },
+        "log": {
+          "properties": {
+            "level": {
+              "type": "keyword",
+              "ignore_above": 256
+            },
+            "logger": {
+              "type": "keyword",
+              "ignore_above": 256
+            }
+          }
+        },
+        "message": {
+          "type": "text",
+          "fields": {
+            "keyword": {
+              "type": "keyword",
+              "ignore_above": 256
+            }
+          }
+        },
+        "database": {
+          "properties": {
+            "query_time": {
+              "type": "long"
+            },
+            "connection_id": {
+              "type": "keyword",
+              "ignore_above": 256
+            },
+            "query_type": {
+              "type": "keyword",
+              "ignore_above": 256
+            }
+          }
+        }
+      }
+    },
+    "settings": {
+      "index": {
+        "mapping": {
+          "total_fields": {
+            "limit": "2000"
+          }
+        },
+        "number_of_shards": "1",
+        "number_of_replicas": "0",
+        "query": {
+          "default_field": [
+            "message",
+            "labels.*",
+            "event.*",
+            "host.name",
+            "service.*"
+          ]
+        }
+      }
+    },
+    "aliases": {
+      "logs-database_logs": {}
+    }
+  }
+}