Add OpenAPI documentation for keep_unmatched field in ocsf mapper processor (#3718)

Co-authored-by: ci.datadog-api-spec <packages@datadoghq.com>

Author: api-clients-generation-pipeline[bot]

.generator/schemas/v2/openapi.yaml

@@ -44855,6 +44855,11 @@ components:
             targets.
           example: service:my-service
           type: string
+        keep_unmatched:
+          description: Whether to keep an event that does not match any of the mapping
+            filters.
+          example: false
+          type: boolean
         mappings:
           description: A list of mapping rules to convert events to the OCSF format.
           items:

cassettes/v2/Observability-Pipelines_4170000189/Validate-an-observability-pipeline-with-OCSF-mapper-keep_unmatched-returns-OK-response_1718208362/frozen.json

@@ -0,0 +1 @@
+"2026-03-16T13:02:49.264Z"

cassettes/v2/Observability-Pipelines_4170000189/Validate-an-observability-pipeline-with-OCSF-mapper-keep_unmatched-returns-OK-response_1718208362/recording.har

@@ -0,0 +1,67 @@
+{
+  "log": {
+    "_recordingName": "Observability Pipelines/Validate an observability pipeline with OCSF mapper keep_unmatched returns \"OK\" response",
+    "creator": {
+      "comment": "persister:fs",
+      "name": "Polly.JS",
+      "version": "6.0.5"
+    },
+    "entries": [
+      {
+        "_id": "f5433095b6695a37c1e8c7de43d95c58",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 617,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "application/json"
+            },
+            {
+              "_fromType": "array",
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 582,
+          "httpVersion": "HTTP/1.1",
+          "method": "POST",
+          "postData": {
+            "mimeType": "application/json",
+            "params": [],
+            "text": "{\"data\":{\"attributes\":{\"config\":{\"destinations\":[{\"id\":\"datadog-logs-destination\",\"inputs\":[\"my-processor-group\"],\"type\":\"datadog_logs\"}],\"processor_groups\":[{\"enabled\":true,\"id\":\"my-processor-group\",\"include\":\"service:my-service\",\"inputs\":[\"datadog-agent-source\"],\"processors\":[{\"enabled\":true,\"id\":\"ocsf-mapper-processor\",\"include\":\"service:my-service\",\"keep_unmatched\":true,\"mappings\":[{\"include\":\"source:cloudtrail\",\"mapping\":\"CloudTrail Account Change\"}],\"type\":\"ocsf_mapper\"}]}],\"sources\":[{\"id\":\"datadog-agent-source\",\"type\":\"datadog_agent\"}]},\"name\":\"OCSF Mapper Keep Unmatched Pipeline\"},\"type\":\"pipelines\"}}"
+          },
+          "queryString": [],
+          "url": "https://api.datadoghq.com/api/v2/obs-pipelines/pipelines/validate"
+        },
+        "response": {
+          "bodySize": 14,
+          "content": {
+            "mimeType": "application/vnd.api+json",
+            "size": 14,
+            "text": "{\"errors\":[]}\n"
+          },
+          "cookies": [],
+          "headers": [
+            {
+              "name": "content-type",
+              "value": "application/vnd.api+json"
+            }
+          ],
+          "headersSize": 370,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 200,
+          "statusText": "OK"
+        },
+        "startedDateTime": "2026-03-16T13:02:50.118Z",
+        "time": 99
+      }
+    ],
+    "pages": [],
+    "version": "1.2"
+  }
+}

examples/v2/observability-pipelines/ValidatePipeline_3067748504.ts

@@ -0,0 +1,66 @@
+/**
+ * Validate an observability pipeline with OCSF mapper keep_unmatched returns "OK" response
+ */
+
+import { client, v2 } from "@datadog/datadog-api-client";
+
+const configuration = client.createConfiguration();
+const apiInstance = new v2.ObservabilityPipelinesApi(configuration);
+
+const params: v2.ObservabilityPipelinesApiValidatePipelineRequest = {
+  body: {
+    data: {
+      attributes: {
+        config: {
+          destinations: [
+            {
+              id: "datadog-logs-destination",
+              inputs: ["my-processor-group"],
+              type: "datadog_logs",
+            },
+          ],
+          processorGroups: [
+            {
+              enabled: true,
+              id: "my-processor-group",
+              include: "service:my-service",
+              inputs: ["datadog-agent-source"],
+              processors: [
+                {
+                  enabled: true,
+                  id: "ocsf-mapper-processor",
+                  include: "service:my-service",
+                  type: "ocsf_mapper",
+                  keepUnmatched: true,
+                  mappings: [
+                    {
+                      include: "source:cloudtrail",
+                      mapping: "CloudTrail Account Change",
+                    },
+                  ],
+                },
+              ],
+            },
+          ],
+          sources: [
+            {
+              id: "datadog-agent-source",
+              type: "datadog_agent",
+            },
+          ],
+        },
+        name: "OCSF Mapper Keep Unmatched Pipeline",
+      },
+      type: "pipelines",
+    },
+  },
+};
+
+apiInstance
+  .validatePipeline(params)
+  .then((data: v2.ValidationResponse) => {
+    console.log(
+      "API called successfully. Returned data: " + JSON.stringify(data)
+    );
+  })
+  .catch((error: any) => console.error(error));

features/v2/observability_pipelines.feature

@@ -191,6 +191,14 @@ Feature: Observability Pipelines
     When the request is sent
     Then the response status is 400 Bad Request
 
+  @team:DataDog/observability-pipelines
+  Scenario: Validate an observability pipeline with OCSF mapper keep_unmatched returns "OK" response
+    Given new "ValidatePipeline" request
+    And body with value {"data": {"attributes": {"config": {"destinations": [{"id": "datadog-logs-destination", "inputs": ["my-processor-group"], "type": "datadog_logs"}], "processor_groups": [{"enabled": true, "id": "my-processor-group", "include": "service:my-service", "inputs": ["datadog-agent-source"], "processors": [{"enabled": true, "id": "ocsf-mapper-processor", "include": "service:my-service", "type": "ocsf_mapper", "keep_unmatched": true, "mappings": [{"include": "source:cloudtrail", "mapping": "CloudTrail Account Change"}]}]}], "sources": [{"id": "datadog-agent-source", "type": "datadog_agent"}]}, "name": "OCSF Mapper Keep Unmatched Pipeline"}, "type": "pipelines"}}
+    When the request is sent
+    Then the response status is 200 OK
+    And the response "errors" has length 0
+
   @team:DataDog/observability-pipelines
   Scenario: Validate an observability pipeline with OCSF mapper library mapping returns "OK" response
     Given new "ValidatePipeline" request

packages/datadog-api-client-v2/models/ObservabilityPipelineOcsfMapperProcessor.ts

@@ -30,6 +30,10 @@ export class ObservabilityPipelineOcsfMapperProcessor {
    * A Datadog search query used to determine which logs this processor targets.
    */
   "include": string;
+  /**
+   * Whether to keep an event that does not match any of the mapping filters.
+   */
+  "keepUnmatched"?: boolean;
   /**
    * A list of mapping rules to convert events to the OCSF format.
    */
@@ -74,6 +78,10 @@ export class ObservabilityPipelineOcsfMapperProcessor {
       type: "string",
       required: true,
     },
+    keepUnmatched: {
+      baseName: "keep_unmatched",
+      type: "boolean",
+    },
     mappings: {
       baseName: "mappings",
       type: "Array<ObservabilityPipelineOcsfMapperProcessorMapping>",