Adding custom mapper support to Observability Pipelines OCSF Mapper (DataDog#3692)

Co-authored-by: ci.datadog-api-spec <packages@datadoghq.com>

Author: api-clients-generation-pipeline[bot]

.generator/schemas/v2/openapi.yaml

@@ -41369,6 +41369,7 @@ components:
       example: CloudTrail Account Change
       oneOf:
       - $ref: '#/components/schemas/ObservabilityPipelineOcsfMappingLibrary'
+      - $ref: '#/components/schemas/ObservabilityPipelineOcsfMappingCustom'
     ObservabilityPipelineOcsfMapperProcessorType:
       default: ocsf_mapper
       description: The processor type. The value should always be `ocsf_mapper`.
@@ -41378,6 +41379,116 @@ components:
       type: string
       x-enum-varnames:
       - OCSF_MAPPER
+    ObservabilityPipelineOcsfMappingCustom:
+      description: Custom OCSF mapping configuration for transforming logs.
+      properties:
+        mapping:
+          description: A list of field mapping rules for transforming log fields to
+            OCSF schema fields.
+          items:
+            $ref: '#/components/schemas/ObservabilityPipelineOcsfMappingCustomFieldMapping'
+          type: array
+        metadata:
+          $ref: '#/components/schemas/ObservabilityPipelineOcsfMappingCustomMetadata'
+        version:
+          description: The version of the custom mapping configuration.
+          example: 1
+          format: int64
+          type: integer
+      required:
+      - mapping
+      - metadata
+      - version
+      type: object
+    ObservabilityPipelineOcsfMappingCustomFieldMapping:
+      description: Defines a single field mapping rule for transforming a source field
+        to an OCSF destination field.
+      properties:
+        default:
+          description: The default value to use if the source field is missing or
+            empty.
+          example: ''
+        dest:
+          description: The destination OCSF field path.
+          example: device.type
+          type: string
+        lookup:
+          $ref: '#/components/schemas/ObservabilityPipelineOcsfMappingCustomLookup'
+        source:
+          description: The source field path from the log event.
+          example: host.type
+        sources:
+          description: Multiple source field paths for combined mapping.
+          example:
+          - field1
+          - field2
+        value:
+          description: A static value to use for the destination field.
+          example: static_value
+      required:
+      - dest
+      type: object
+    ObservabilityPipelineOcsfMappingCustomLookup:
+      description: Lookup table configuration for mapping source values to destination
+        values.
+      properties:
+        default:
+          description: The default value to use if no lookup match is found.
+          example: unknown
+        table:
+          description: A list of lookup table entries for value transformation.
+          items:
+            $ref: '#/components/schemas/ObservabilityPipelineOcsfMappingCustomLookupTableEntry'
+          type: array
+      type: object
+    ObservabilityPipelineOcsfMappingCustomLookupTableEntry:
+      description: A single entry in a lookup table for value transformation.
+      properties:
+        contains:
+          description: The substring to match in the source value.
+          example: Desktop
+          type: string
+        equals:
+          description: The exact value to match in the source.
+          example: desktop
+        equals_source:
+          description: The source field to match against.
+          example: device_type
+          type: string
+        matches:
+          description: A regex pattern to match in the source value.
+          example: ^Desktop.*
+          type: string
+        not_matches:
+          description: A regex pattern that must not match the source value.
+          example: ^Mobile.*
+          type: string
+        value:
+          description: The value to use when a match is found.
+          example: desktop
+      type: object
+    ObservabilityPipelineOcsfMappingCustomMetadata:
+      description: Metadata for the custom OCSF mapping.
+      properties:
+        class:
+          description: The OCSF event class name.
+          example: Device Inventory Info
+          type: string
+        profiles:
+          description: A list of OCSF profiles to apply.
+          example:
+          - container
+          items:
+            type: string
+          type: array
+        version:
+          description: The OCSF schema version.
+          example: 1.3.0
+          type: string
+      required:
+      - class
+      - version
+      type: object
     ObservabilityPipelineOcsfMappingLibrary:
       description: Predefined library mappings for common log formats.
       enum:

api/datadogV2/model_observability_pipeline_ocsf_mapper_processor_mapping_mapping.go

@@ -11,6 +11,7 @@ import (
 // ObservabilityPipelineOcsfMapperProcessorMappingMapping - Defines a single mapping rule for transforming logs into the OCSF schema.
 type ObservabilityPipelineOcsfMapperProcessorMappingMapping struct {
 	ObservabilityPipelineOcsfMappingLibrary *ObservabilityPipelineOcsfMappingLibrary
+	ObservabilityPipelineOcsfMappingCustom  *ObservabilityPipelineOcsfMappingCustom
 
 	// UnparsedObject contains the raw value of the object if there was an error when deserializing into the struct
 	UnparsedObject interface{}
@@ -21,6 +22,11 @@ func ObservabilityPipelineOcsfMappingLibraryAsObservabilityPipelineOcsfMapperPro
 	return ObservabilityPipelineOcsfMapperProcessorMappingMapping{ObservabilityPipelineOcsfMappingLibrary: v}
 }
 
+// ObservabilityPipelineOcsfMappingCustomAsObservabilityPipelineOcsfMapperProcessorMappingMapping is a convenience function that returns ObservabilityPipelineOcsfMappingCustom wrapped in ObservabilityPipelineOcsfMapperProcessorMappingMapping.
+func ObservabilityPipelineOcsfMappingCustomAsObservabilityPipelineOcsfMapperProcessorMappingMapping(v *ObservabilityPipelineOcsfMappingCustom) ObservabilityPipelineOcsfMapperProcessorMappingMapping {
+	return ObservabilityPipelineOcsfMapperProcessorMappingMapping{ObservabilityPipelineOcsfMappingCustom: v}
+}
+
 // UnmarshalJSON turns data into one of the pointers in the struct.
 func (obj *ObservabilityPipelineOcsfMapperProcessorMappingMapping) UnmarshalJSON(data []byte) error {
 	var err error
@@ -42,9 +48,27 @@ func (obj *ObservabilityPipelineOcsfMapperProcessorMappingMapping) UnmarshalJSON
 		obj.ObservabilityPipelineOcsfMappingLibrary = nil
 	}
 
+	// try to unmarshal data into ObservabilityPipelineOcsfMappingCustom
+	err = datadog.Unmarshal(data, &obj.ObservabilityPipelineOcsfMappingCustom)
+	if err == nil {
+		if obj.ObservabilityPipelineOcsfMappingCustom != nil && obj.ObservabilityPipelineOcsfMappingCustom.UnparsedObject == nil {
+			jsonObservabilityPipelineOcsfMappingCustom, _ := datadog.Marshal(obj.ObservabilityPipelineOcsfMappingCustom)
+			if string(jsonObservabilityPipelineOcsfMappingCustom) == "{}" { // empty struct
+				obj.ObservabilityPipelineOcsfMappingCustom = nil
+			} else {
+				match++
+			}
+		} else {
+			obj.ObservabilityPipelineOcsfMappingCustom = nil
+		}
+	} else {
+		obj.ObservabilityPipelineOcsfMappingCustom = nil
+	}
+
 	if match != 1 { // more than 1 match
 		// reset to nil
 		obj.ObservabilityPipelineOcsfMappingLibrary = nil
+		obj.ObservabilityPipelineOcsfMappingCustom = nil
 		return datadog.Unmarshal(data, &obj.UnparsedObject)
 	}
 	return nil // exactly one match
@@ -56,6 +80,10 @@ func (obj ObservabilityPipelineOcsfMapperProcessorMappingMapping) MarshalJSON()
 		return datadog.Marshal(&obj.ObservabilityPipelineOcsfMappingLibrary)
 	}
 
+	if obj.ObservabilityPipelineOcsfMappingCustom != nil {
+		return datadog.Marshal(&obj.ObservabilityPipelineOcsfMappingCustom)
+	}
+
 	if obj.UnparsedObject != nil {
 		return datadog.Marshal(obj.UnparsedObject)
 	}
@@ -68,6 +96,10 @@ func (obj *ObservabilityPipelineOcsfMapperProcessorMappingMapping) GetActualInst
 		return obj.ObservabilityPipelineOcsfMappingLibrary
 	}
 
+	if obj.ObservabilityPipelineOcsfMappingCustom != nil {
+		return obj.ObservabilityPipelineOcsfMappingCustom
+	}
+
 	// all schemas are nil
 	return nil
 }

api/datadogV2/model_observability_pipeline_ocsf_mapping_custom.go

@@ -0,0 +1,174 @@
+// Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2019-Present Datadog, Inc.
+
+package datadogV2
+
+import (
+	"fmt"
+
+	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
+)
+
+// ObservabilityPipelineOcsfMappingCustom Custom OCSF mapping configuration for transforming logs.
+type ObservabilityPipelineOcsfMappingCustom struct {
+	// A list of field mapping rules for transforming log fields to OCSF schema fields.
+	Mapping []ObservabilityPipelineOcsfMappingCustomFieldMapping `json:"mapping"`
+	// Metadata for the custom OCSF mapping.
+	Metadata ObservabilityPipelineOcsfMappingCustomMetadata `json:"metadata"`
+	// The version of the custom mapping configuration.
+	Version int64 `json:"version"`
+	// UnparsedObject contains the raw value of the object if there was an error when deserializing into the struct
+	UnparsedObject       map[string]interface{} `json:"-"`
+	AdditionalProperties map[string]interface{} `json:"-"`
+}
+
+// NewObservabilityPipelineOcsfMappingCustom instantiates a new ObservabilityPipelineOcsfMappingCustom object.
+// This constructor will assign default values to properties that have it defined,
+// and makes sure properties required by API are set, but the set of arguments
+// will change when the set of required properties is changed.
+func NewObservabilityPipelineOcsfMappingCustom(mapping []ObservabilityPipelineOcsfMappingCustomFieldMapping, metadata ObservabilityPipelineOcsfMappingCustomMetadata, version int64) *ObservabilityPipelineOcsfMappingCustom {
+	this := ObservabilityPipelineOcsfMappingCustom{}
+	this.Mapping = mapping
+	this.Metadata = metadata
+	this.Version = version
+	return &this
+}
+
+// NewObservabilityPipelineOcsfMappingCustomWithDefaults instantiates a new ObservabilityPipelineOcsfMappingCustom object.
+// This constructor will only assign default values to properties that have it defined,
+// but it doesn't guarantee that properties required by API are set.
+func NewObservabilityPipelineOcsfMappingCustomWithDefaults() *ObservabilityPipelineOcsfMappingCustom {
+	this := ObservabilityPipelineOcsfMappingCustom{}
+	return &this
+}
+
+// GetMapping returns the Mapping field value.
+func (o *ObservabilityPipelineOcsfMappingCustom) GetMapping() []ObservabilityPipelineOcsfMappingCustomFieldMapping {
+	if o == nil {
+		var ret []ObservabilityPipelineOcsfMappingCustomFieldMapping
+		return ret
+	}
+	return o.Mapping
+}
+
+// GetMappingOk returns a tuple with the Mapping field value
+// and a boolean to check if the value has been set.
+func (o *ObservabilityPipelineOcsfMappingCustom) GetMappingOk() (*[]ObservabilityPipelineOcsfMappingCustomFieldMapping, bool) {
+	if o == nil {
+		return nil, false
+	}
+	return &o.Mapping, true
+}
+
+// SetMapping sets field value.
+func (o *ObservabilityPipelineOcsfMappingCustom) SetMapping(v []ObservabilityPipelineOcsfMappingCustomFieldMapping) {
+	o.Mapping = v
+}
+
+// GetMetadata returns the Metadata field value.
+func (o *ObservabilityPipelineOcsfMappingCustom) GetMetadata() ObservabilityPipelineOcsfMappingCustomMetadata {
+	if o == nil {
+		var ret ObservabilityPipelineOcsfMappingCustomMetadata
+		return ret
+	}
+	return o.Metadata
+}
+
+// GetMetadataOk returns a tuple with the Metadata field value
+// and a boolean to check if the value has been set.
+func (o *ObservabilityPipelineOcsfMappingCustom) GetMetadataOk() (*ObservabilityPipelineOcsfMappingCustomMetadata, bool) {
+	if o == nil {
+		return nil, false
+	}
+	return &o.Metadata, true
+}
+
+// SetMetadata sets field value.
+func (o *ObservabilityPipelineOcsfMappingCustom) SetMetadata(v ObservabilityPipelineOcsfMappingCustomMetadata) {
+	o.Metadata = v
+}
+
+// GetVersion returns the Version field value.
+func (o *ObservabilityPipelineOcsfMappingCustom) GetVersion() int64 {
+	if o == nil {
+		var ret int64
+		return ret
+	}
+	return o.Version
+}
+
+// GetVersionOk returns a tuple with the Version field value
+// and a boolean to check if the value has been set.
+func (o *ObservabilityPipelineOcsfMappingCustom) GetVersionOk() (*int64, bool) {
+	if o == nil {
+		return nil, false
+	}
+	return &o.Version, true
+}
+
+// SetVersion sets field value.
+func (o *ObservabilityPipelineOcsfMappingCustom) SetVersion(v int64) {
+	o.Version = v
+}
+
+// MarshalJSON serializes the struct using spec logic.
+func (o ObservabilityPipelineOcsfMappingCustom) MarshalJSON() ([]byte, error) {
+	toSerialize := map[string]interface{}{}
+	if o.UnparsedObject != nil {
+		return datadog.Marshal(o.UnparsedObject)
+	}
+	toSerialize["mapping"] = o.Mapping
+	toSerialize["metadata"] = o.Metadata
+	toSerialize["version"] = o.Version
+
+	for key, value := range o.AdditionalProperties {
+		toSerialize[key] = value
+	}
+	return datadog.Marshal(toSerialize)
+}
+
+// UnmarshalJSON deserializes the given payload.
+func (o *ObservabilityPipelineOcsfMappingCustom) UnmarshalJSON(bytes []byte) (err error) {
+	all := struct {
+		Mapping  *[]ObservabilityPipelineOcsfMappingCustomFieldMapping `json:"mapping"`
+		Metadata *ObservabilityPipelineOcsfMappingCustomMetadata       `json:"metadata"`
+		Version  *int64                                                `json:"version"`
+	}{}
+	if err = datadog.Unmarshal(bytes, &all); err != nil {
+		return datadog.Unmarshal(bytes, &o.UnparsedObject)
+	}
+	if all.Mapping == nil {
+		return fmt.Errorf("required field mapping missing")
+	}
+	if all.Metadata == nil {
+		return fmt.Errorf("required field metadata missing")
+	}
+	if all.Version == nil {
+		return fmt.Errorf("required field version missing")
+	}
+	additionalProperties := make(map[string]interface{})
+	if err = datadog.Unmarshal(bytes, &additionalProperties); err == nil {
+		datadog.DeleteKeys(additionalProperties, &[]string{"mapping", "metadata", "version"})
+	} else {
+		return err
+	}
+
+	hasInvalidField := false
+	o.Mapping = *all.Mapping
+	if all.Metadata.UnparsedObject != nil && o.UnparsedObject == nil {
+		hasInvalidField = true
+	}
+	o.Metadata = *all.Metadata
+	o.Version = *all.Version
+
+	if len(additionalProperties) > 0 {
+		o.AdditionalProperties = additionalProperties
+	}
+
+	if hasInvalidField {
+		return datadog.Unmarshal(bytes, &o.UnparsedObject)
+	}
+
+	return nil
+}