Add OpenAPI documentation for keep_unmatched field in ocsf mapper processor (#1376)

Co-authored-by: ci.datadog-api-spec <packages@datadoghq.com>

Author: api-clients-generation-pipeline[bot]

.generator/schemas/v2/openapi.yaml

@@ -44855,6 +44855,11 @@ components:
             targets.
           example: service:my-service
           type: string
+        keep_unmatched:
+          description: Whether to keep an event that does not match any of the mapping
+            filters.
+          example: false
+          type: boolean
         mappings:
           description: A list of mapping rules to convert events to the OCSF format.
           items:

examples/v2_observability-pipelines_ValidatePipeline_3067748504.rs

@@ -0,0 +1,98 @@
+// Validate an observability pipeline with OCSF mapper keep_unmatched returns "OK"
+// response
+use datadog_api_client::datadog;
+use datadog_api_client::datadogV2::api_observability_pipelines::ObservabilityPipelinesAPI;
+use datadog_api_client::datadogV2::model::ObservabilityPipelineConfig;
+use datadog_api_client::datadogV2::model::ObservabilityPipelineConfigDestinationItem;
+use datadog_api_client::datadogV2::model::ObservabilityPipelineConfigProcessorGroup;
+use datadog_api_client::datadogV2::model::ObservabilityPipelineConfigProcessorItem;
+use datadog_api_client::datadogV2::model::ObservabilityPipelineConfigSourceItem;
+use datadog_api_client::datadogV2::model::ObservabilityPipelineDataAttributes;
+use datadog_api_client::datadogV2::model::ObservabilityPipelineDatadogAgentSource;
+use datadog_api_client::datadogV2::model::ObservabilityPipelineDatadogAgentSourceType;
+use datadog_api_client::datadogV2::model::ObservabilityPipelineDatadogLogsDestination;
+use datadog_api_client::datadogV2::model::ObservabilityPipelineDatadogLogsDestinationType;
+use datadog_api_client::datadogV2::model::ObservabilityPipelineOcsfMapperProcessor;
+use datadog_api_client::datadogV2::model::ObservabilityPipelineOcsfMapperProcessorMapping;
+use datadog_api_client::datadogV2::model::ObservabilityPipelineOcsfMapperProcessorMappingMapping;
+use datadog_api_client::datadogV2::model::ObservabilityPipelineOcsfMapperProcessorType;
+use datadog_api_client::datadogV2::model::ObservabilityPipelineOcsfMappingLibrary;
+use datadog_api_client::datadogV2::model::ObservabilityPipelineSpec;
+use datadog_api_client::datadogV2::model::ObservabilityPipelineSpecData;
+
+#[tokio::main]
+async fn main() {
+    let body =
+        ObservabilityPipelineSpec::new(
+            ObservabilityPipelineSpecData::new(
+                ObservabilityPipelineDataAttributes::new(
+                    ObservabilityPipelineConfig::new(
+                        vec![
+                            ObservabilityPipelineConfigDestinationItem::ObservabilityPipelineDatadogLogsDestination(
+                                Box::new(
+                                    ObservabilityPipelineDatadogLogsDestination::new(
+                                        "datadog-logs-destination".to_string(),
+                                        vec!["my-processor-group".to_string()],
+                                        ObservabilityPipelineDatadogLogsDestinationType::DATADOG_LOGS,
+                                    ),
+                                ),
+                            )
+                        ],
+                        vec![
+                            ObservabilityPipelineConfigSourceItem::ObservabilityPipelineDatadogAgentSource(
+                                Box::new(
+                                    ObservabilityPipelineDatadogAgentSource::new(
+                                        "datadog-agent-source".to_string(),
+                                        ObservabilityPipelineDatadogAgentSourceType::DATADOG_AGENT,
+                                    ),
+                                ),
+                            )
+                        ],
+                    ).processor_groups(
+                        vec![
+                            ObservabilityPipelineConfigProcessorGroup::new(
+                                true,
+                                "my-processor-group".to_string(),
+                                "service:my-service".to_string(),
+                                vec!["datadog-agent-source".to_string()],
+                                vec![
+                                    ObservabilityPipelineConfigProcessorItem::ObservabilityPipelineOcsfMapperProcessor(
+                                        Box::new(
+                                            ObservabilityPipelineOcsfMapperProcessor::new(
+                                                true,
+                                                "ocsf-mapper-processor".to_string(),
+                                                "service:my-service".to_string(),
+                                                vec![
+                                                    ObservabilityPipelineOcsfMapperProcessorMapping::new(
+                                                        "source:cloudtrail".to_string(),
+                                                        ObservabilityPipelineOcsfMapperProcessorMappingMapping
+                                                        ::ObservabilityPipelineOcsfMappingLibrary(
+                                                            Box::new(
+                                                                ObservabilityPipelineOcsfMappingLibrary
+                                                                ::CLOUDTRAIL_ACCOUNT_CHANGE,
+                                                            ),
+                                                        ),
+                                                    )
+                                                ],
+                                                ObservabilityPipelineOcsfMapperProcessorType::OCSF_MAPPER,
+                                            ).keep_unmatched(true),
+                                        ),
+                                    )
+                                ],
+                            )
+                        ],
+                    ),
+                    "OCSF Mapper Keep Unmatched Pipeline".to_string(),
+                ),
+                "pipelines".to_string(),
+            ),
+        );
+    let configuration = datadog::Configuration::new();
+    let api = ObservabilityPipelinesAPI::with_config(configuration);
+    let resp = api.validate_pipeline(body).await;
+    if let Ok(value) = resp {
+        println!("{:#?}", value);
+    } else {
+        println!("{:#?}", resp.unwrap_err());
+    }
+}

src/datadogV2/model/model_observability_pipeline_ocsf_mapper_processor.rs

@@ -25,6 +25,9 @@ pub struct ObservabilityPipelineOcsfMapperProcessor {
     /// A Datadog search query used to determine which logs this processor targets.
     #[serde(rename = "include")]
     pub include: String,
+    /// Whether to keep an event that does not match any of the mapping filters.
+    #[serde(rename = "keep_unmatched")]
+    pub keep_unmatched: Option<bool>,
     /// A list of mapping rules to convert events to the OCSF format.
     #[serde(rename = "mappings")]
     pub mappings: Vec<crate::datadogV2::model::ObservabilityPipelineOcsfMapperProcessorMapping>,
@@ -51,6 +54,7 @@ impl ObservabilityPipelineOcsfMapperProcessor {
             enabled,
             id,
             include,
+            keep_unmatched: None,
             mappings,
             type_,
             additional_properties: std::collections::BTreeMap::new(),
@@ -63,6 +67,11 @@ impl ObservabilityPipelineOcsfMapperProcessor {
         self
     }
 
+    pub fn keep_unmatched(mut self, value: bool) -> Self {
+        self.keep_unmatched = Some(value);
+        self
+    }
+
     pub fn additional_properties(
         mut self,
         value: std::collections::BTreeMap<String, serde_json::Value>,
@@ -93,6 +102,7 @@ impl<'de> Deserialize<'de> for ObservabilityPipelineOcsfMapperProcessor {
                 let mut enabled: Option<bool> = None;
                 let mut id: Option<String> = None;
                 let mut include: Option<String> = None;
+                let mut keep_unmatched: Option<bool> = None;
                 let mut mappings: Option<
                     Vec<crate::datadogV2::model::ObservabilityPipelineOcsfMapperProcessorMapping>,
                 > = None;
@@ -123,6 +133,13 @@ impl<'de> Deserialize<'de> for ObservabilityPipelineOcsfMapperProcessor {
                         "include" => {
                             include = Some(serde_json::from_value(v).map_err(M::Error::custom)?);
                         }
+                        "keep_unmatched" => {
+                            if v.is_null() {
+                                continue;
+                            }
+                            keep_unmatched =
+                                Some(serde_json::from_value(v).map_err(M::Error::custom)?);
+                        }
                         "mappings" => {
                             mappings = Some(serde_json::from_value(v).map_err(M::Error::custom)?);
                         }
@@ -155,6 +172,7 @@ impl<'de> Deserialize<'de> for ObservabilityPipelineOcsfMapperProcessor {
                     enabled,
                     id,
                     include,
+                    keep_unmatched,
                     mappings,
                     type_,
                     additional_properties,

tests/scenarios/cassettes/v2/observability_pipelines/Validate-an-observability-pipeline-with-OCSF-mapper-keep-unmatched-returns-OK-response.frozen

@@ -0,0 +1 @@
+2026-03-16T13:02:49.264Z

tests/scenarios/cassettes/v2/observability_pipelines/Validate-an-observability-pipeline-with-OCSF-mapper-keep-unmatched-returns-OK-response.json

@@ -0,0 +1,39 @@
+{
+  "http_interactions": [
+    {
+      "request": {
+        "body": {
+          "string": "{\"data\":{\"attributes\":{\"config\":{\"destinations\":[{\"id\":\"datadog-logs-destination\",\"inputs\":[\"my-processor-group\"],\"type\":\"datadog_logs\"}],\"processor_groups\":[{\"enabled\":true,\"id\":\"my-processor-group\",\"include\":\"service:my-service\",\"inputs\":[\"datadog-agent-source\"],\"processors\":[{\"enabled\":true,\"id\":\"ocsf-mapper-processor\",\"include\":\"service:my-service\",\"keep_unmatched\":true,\"mappings\":[{\"include\":\"source:cloudtrail\",\"mapping\":\"CloudTrail Account Change\"}],\"type\":\"ocsf_mapper\"}]}],\"sources\":[{\"id\":\"datadog-agent-source\",\"type\":\"datadog_agent\"}]},\"name\":\"OCSF Mapper Keep Unmatched Pipeline\"},\"type\":\"pipelines\"}}",
+          "encoding": null
+        },
+        "headers": {
+          "Accept": [
+            "application/json"
+          ],
+          "Content-Type": [
+            "application/json"
+          ]
+        },
+        "method": "post",
+        "uri": "https://api.datadoghq.com/api/v2/obs-pipelines/pipelines/validate"
+      },
+      "response": {
+        "body": {
+          "string": "{\"errors\":[]}\n",
+          "encoding": null
+        },
+        "headers": {
+          "Content-Type": [
+            "application/vnd.api+json"
+          ]
+        },
+        "status": {
+          "code": 200,
+          "message": "OK"
+        }
+      },
+      "recorded_at": "Mon, 16 Mar 2026 13:02:49 GMT"
+    }
+  ],
+  "recorded_with": "VCR 6.0.0"
+}

tests/scenarios/features/v2/observability_pipelines.feature

@@ -191,6 +191,14 @@ Feature: Observability Pipelines
     When the request is sent
     Then the response status is 400 Bad Request
 
+  @team:DataDog/observability-pipelines
+  Scenario: Validate an observability pipeline with OCSF mapper keep_unmatched returns "OK" response
+    Given new "ValidatePipeline" request
+    And body with value {"data": {"attributes": {"config": {"destinations": [{"id": "datadog-logs-destination", "inputs": ["my-processor-group"], "type": "datadog_logs"}], "processor_groups": [{"enabled": true, "id": "my-processor-group", "include": "service:my-service", "inputs": ["datadog-agent-source"], "processors": [{"enabled": true, "id": "ocsf-mapper-processor", "include": "service:my-service", "type": "ocsf_mapper", "keep_unmatched": true, "mappings": [{"include": "source:cloudtrail", "mapping": "CloudTrail Account Change"}]}]}], "sources": [{"id": "datadog-agent-source", "type": "datadog_agent"}]}, "name": "OCSF Mapper Keep Unmatched Pipeline"}, "type": "pipelines"}}
+    When the request is sent
+    Then the response status is 200 OK
+    And the response "errors" has length 0
+
   @team:DataDog/observability-pipelines
   Scenario: Validate an observability pipeline with OCSF mapper library mapping returns "OK" response
     Given new "ValidatePipeline" request