Add OpenAPI documentation for keep_unmatched field in ocsf mapper processor (#3122)

api-clients-generation-pipeline[bot] · ci.datadog-api-spec · web-flow · commit 34f658fd80ea · 2026-03-18T10:53:26.000Z
Co-authored-by: ci.datadog-api-spec &lt;packages@datadoghq.com&gt;
diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml
@@ -44855,6 +44855,11 @@ components:
             targets.
           example: service:my-service
           type: string
+        keep_unmatched:
+          description: Whether to keep an event that does not match any of the mapping
+            filters.
+          example: false
+          type: boolean
         mappings:
           description: A list of mapping rules to convert events to the OCSF format.
           items:
diff --git a/cassettes/features/v2/observability_pipelines/Validate-an-observability-pipeline-with-OCSF-mapper-keep-unmatched-returns-OK-response.frozen b/cassettes/features/v2/observability_pipelines/Validate-an-observability-pipeline-with-OCSF-mapper-keep-unmatched-returns-OK-response.frozen
@@ -0,0 +1 @@
+2026-03-16T13:02:49.264Z
diff --git a/cassettes/features/v2/observability_pipelines/Validate-an-observability-pipeline-with-OCSF-mapper-keep-unmatched-returns-OK-response.yml b/cassettes/features/v2/observability_pipelines/Validate-an-observability-pipeline-with-OCSF-mapper-keep-unmatched-returns-OK-response.yml
diff --git a/examples/v2/observability-pipelines/ValidatePipeline_3067748504.rb b/examples/v2/observability-pipelines/ValidatePipeline_3067748504.rb
@@ -0,0 +1,56 @@
+# Validate an observability pipeline with OCSF mapper keep_unmatched returns "OK" response
+
+require "datadog_api_client"
+api_instance = DatadogAPIClient::V2::ObservabilityPipelinesAPI.new
+
+body = DatadogAPIClient::V2::ObservabilityPipelineSpec.new({
+  data: DatadogAPIClient::V2::ObservabilityPipelineSpecData.new({
+    attributes: DatadogAPIClient::V2::ObservabilityPipelineDataAttributes.new({
+      config: DatadogAPIClient::V2::ObservabilityPipelineConfig.new({
+        destinations: [
+          DatadogAPIClient::V2::ObservabilityPipelineDatadogLogsDestination.new({
+            id: "datadog-logs-destination",
+            inputs: [
+              "my-processor-group",
+            ],
+            type: DatadogAPIClient::V2::ObservabilityPipelineDatadogLogsDestinationType::DATADOG_LOGS,
+          }),
+        ],
+        processor_groups: [
+          DatadogAPIClient::V2::ObservabilityPipelineConfigProcessorGroup.new({
+            enabled: true,
+            id: "my-processor-group",
+            include: "service:my-service",
+            inputs: [
+              "datadog-agent-source",
+            ],
+            processors: [
+              DatadogAPIClient::V2::ObservabilityPipelineOcsfMapperProcessor.new({
+                enabled: true,
+                id: "ocsf-mapper-processor",
+                include: "service:my-service",
+                type: DatadogAPIClient::V2::ObservabilityPipelineOcsfMapperProcessorType::OCSF_MAPPER,
+                keep_unmatched: true,
+                mappings: [
+                  DatadogAPIClient::V2::ObservabilityPipelineOcsfMapperProcessorMapping.new({
+                    include: "source:cloudtrail",
+                    mapping: DatadogAPIClient::V2::ObservabilityPipelineOcsfMappingLibrary::CLOUDTRAIL_ACCOUNT_CHANGE,
+                  }),
+                ],
+              }),
+            ],
+          }),
+        ],
+        sources: [
+          DatadogAPIClient::V2::ObservabilityPipelineDatadogAgentSource.new({
+            id: "datadog-agent-source",
+            type: DatadogAPIClient::V2::ObservabilityPipelineDatadogAgentSourceType::DATADOG_AGENT,
+          }),
+        ],
+      }),
+      name: "OCSF Mapper Keep Unmatched Pipeline",
+    }),
+    type: "pipelines",
+  }),
+})
+p api_instance.validate_pipeline(body)
diff --git a/features/v2/observability_pipelines.feature b/features/v2/observability_pipelines.feature
@@ -191,6 +191,14 @@ Feature: Observability Pipelines
     When the request is sent
     Then the response status is 400 Bad Request
 
+  @team:DataDog/observability-pipelines
+  Scenario: Validate an observability pipeline with OCSF mapper keep_unmatched returns "OK" response
+    Given new "ValidatePipeline" request
+    And body with value {"data": {"attributes": {"config": {"destinations": [{"id": "datadog-logs-destination", "inputs": ["my-processor-group"], "type": "datadog_logs"}], "processor_groups": [{"enabled": true, "id": "my-processor-group", "include": "service:my-service", "inputs": ["datadog-agent-source"], "processors": [{"enabled": true, "id": "ocsf-mapper-processor", "include": "service:my-service", "type": "ocsf_mapper", "keep_unmatched": true, "mappings": [{"include": "source:cloudtrail", "mapping": "CloudTrail Account Change"}]}]}], "sources": [{"id": "datadog-agent-source", "type": "datadog_agent"}]}, "name": "OCSF Mapper Keep Unmatched Pipeline"}, "type": "pipelines"}}
+    When the request is sent
+    Then the response status is 200 OK
+    And the response "errors" has length 0
+
   @team:DataDog/observability-pipelines
   Scenario: Validate an observability pipeline with OCSF mapper library mapping returns "OK" response
     Given new "ValidatePipeline" request
diff --git a/lib/datadog_api_client/v2/models/observability_pipeline_ocsf_mapper_processor.rb b/lib/datadog_api_client/v2/models/observability_pipeline_ocsf_mapper_processor.rb
@@ -35,6 +35,9 @@ class ObservabilityPipelineOcsfMapperProcessor
     # A Datadog search query used to determine which logs this processor targets.
     attr_reader :include
 
+    # Whether to keep an event that does not match any of the mapping filters.
+    attr_accessor :keep_unmatched
+
     # A list of mapping rules to convert events to the OCSF format.
     attr_reader :mappings
 
@@ -51,6 +54,7 @@ def self.attribute_map
         :'enabled' => :'enabled',
         :'id' => :'id',
         :'include' => :'include',
+        :'keep_unmatched' => :'keep_unmatched',
         :'mappings' => :'mappings',
         :'type' => :'type'
       }
@@ -64,6 +68,7 @@ def self.openapi_types
         :'enabled' => :'Boolean',
         :'id' => :'String',
         :'include' => :'String',
+        :'keep_unmatched' => :'Boolean',
         :'mappings' => :'Array<ObservabilityPipelineOcsfMapperProcessorMapping>',
         :'type' => :'ObservabilityPipelineOcsfMapperProcessorType'
       }
@@ -103,6 +108,10 @@ def initialize(attributes = {})
         self.include = attributes[:'include']
       end
 
+      if attributes.key?(:'keep_unmatched')
+        self.keep_unmatched = attributes[:'keep_unmatched']
+      end
+
       if attributes.key?(:'mappings')
         if (value = attributes[:'mappings']).is_a?(Array)
           self.mappings = value
@@ -206,6 +215,7 @@ def ==(o)
           enabled == o.enabled &&
           id == o.id &&
           include == o.include &&
+          keep_unmatched == o.keep_unmatched &&
           mappings == o.mappings &&
           type == o.type &&
           additional_properties == o.additional_properties
@@ -215,7 +225,7 @@ def ==(o)
     # @return [Integer] Hash code
     # @!visibility private
     def hash
-      [display_name, enabled, id, include, mappings, type, additional_properties].hash
+      [display_name, enabled, id, include, keep_unmatched, mappings, type, additional_properties].hash
     end
   end
 end
