Adding custom mapper support to Observability Pipelines OCSF Mapper (#3456)

Co-authored-by: ci.datadog-api-spec <packages@datadoghq.com>

Author: api-clients-generation-pipeline[bot]

.generator/schemas/v2/openapi.yaml

@@ -41369,6 +41369,7 @@ components:
       example: CloudTrail Account Change
       oneOf:
       - $ref: '#/components/schemas/ObservabilityPipelineOcsfMappingLibrary'
+      - $ref: '#/components/schemas/ObservabilityPipelineOcsfMappingCustom'
     ObservabilityPipelineOcsfMapperProcessorType:
       default: ocsf_mapper
       description: The processor type. The value should always be `ocsf_mapper`.
@@ -41378,6 +41379,116 @@ components:
       type: string
       x-enum-varnames:
       - OCSF_MAPPER
+    ObservabilityPipelineOcsfMappingCustom:
+      description: Custom OCSF mapping configuration for transforming logs.
+      properties:
+        mapping:
+          description: A list of field mapping rules for transforming log fields to
+            OCSF schema fields.
+          items:
+            $ref: '#/components/schemas/ObservabilityPipelineOcsfMappingCustomFieldMapping'
+          type: array
+        metadata:
+          $ref: '#/components/schemas/ObservabilityPipelineOcsfMappingCustomMetadata'
+        version:
+          description: The version of the custom mapping configuration.
+          example: 1
+          format: int64
+          type: integer
+      required:
+      - mapping
+      - metadata
+      - version
+      type: object
+    ObservabilityPipelineOcsfMappingCustomFieldMapping:
+      description: Defines a single field mapping rule for transforming a source field
+        to an OCSF destination field.
+      properties:
+        default:
+          description: The default value to use if the source field is missing or
+            empty.
+          example: ''
+        dest:
+          description: The destination OCSF field path.
+          example: device.type
+          type: string
+        lookup:
+          $ref: '#/components/schemas/ObservabilityPipelineOcsfMappingCustomLookup'
+        source:
+          description: The source field path from the log event.
+          example: host.type
+        sources:
+          description: Multiple source field paths for combined mapping.
+          example:
+          - field1
+          - field2
+        value:
+          description: A static value to use for the destination field.
+          example: static_value
+      required:
+      - dest
+      type: object
+    ObservabilityPipelineOcsfMappingCustomLookup:
+      description: Lookup table configuration for mapping source values to destination
+        values.
+      properties:
+        default:
+          description: The default value to use if no lookup match is found.
+          example: unknown
+        table:
+          description: A list of lookup table entries for value transformation.
+          items:
+            $ref: '#/components/schemas/ObservabilityPipelineOcsfMappingCustomLookupTableEntry'
+          type: array
+      type: object
+    ObservabilityPipelineOcsfMappingCustomLookupTableEntry:
+      description: A single entry in a lookup table for value transformation.
+      properties:
+        contains:
+          description: The substring to match in the source value.
+          example: Desktop
+          type: string
+        equals:
+          description: The exact value to match in the source.
+          example: desktop
+        equals_source:
+          description: The source field to match against.
+          example: device_type
+          type: string
+        matches:
+          description: A regex pattern to match in the source value.
+          example: ^Desktop.*
+          type: string
+        not_matches:
+          description: A regex pattern that must not match the source value.
+          example: ^Mobile.*
+          type: string
+        value:
+          description: The value to use when a match is found.
+          example: desktop
+      type: object
+    ObservabilityPipelineOcsfMappingCustomMetadata:
+      description: Metadata for the custom OCSF mapping.
+      properties:
+        class:
+          description: The OCSF event class name.
+          example: Device Inventory Info
+          type: string
+        profiles:
+          description: A list of OCSF profiles to apply.
+          example:
+          - container
+          items:
+            type: string
+          type: array
+        version:
+          description: The OCSF schema version.
+          example: 1.3.0
+          type: string
+      required:
+      - class
+      - version
+      type: object
     ObservabilityPipelineOcsfMappingLibrary:
       description: Predefined library mappings for common log formats.
       enum:

cassettes/v2/Observability-Pipelines_4170000189/Validate-an-observability-pipeline-with-OCSF-mapper-custom-mapping-returns-OK-response_1216017604/frozen.json

@@ -0,0 +1 @@
+"2026-02-10T14:12:05.668Z"

cassettes/v2/Observability-Pipelines_4170000189/Validate-an-observability-pipeline-with-OCSF-mapper-custom-mapping-returns-OK-response_1216017604/recording.har

@@ -0,0 +1,67 @@
+{
+  "log": {
+    "_recordingName": "Observability Pipelines/Validate an observability pipeline with OCSF mapper custom mapping returns \"OK\" response",
+    "creator": {
+      "comment": "persister:fs",
+      "name": "Polly.JS",
+      "version": "6.0.5"
+    },
+    "entries": [
+      {
+        "_id": "53ece09f7d78b3327b7edee4b1d3bc51",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 888,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "application/json"
+            },
+            {
+              "_fromType": "array",
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 583,
+          "httpVersion": "HTTP/1.1",
+          "method": "POST",
+          "postData": {
+            "mimeType": "application/json",
+            "params": [],
+            "text": "{\"data\":{\"attributes\":{\"config\":{\"destinations\":[{\"id\":\"datadog-logs-destination\",\"inputs\":[\"my-processor-group\"],\"type\":\"datadog_logs\"}],\"processor_groups\":[{\"enabled\":true,\"id\":\"my-processor-group\",\"include\":\"service:my-service\",\"inputs\":[\"datadog-agent-source\"],\"processors\":[{\"enabled\":true,\"id\":\"ocsf-mapper-processor\",\"include\":\"service:my-service\",\"mappings\":[{\"include\":\"source:custom\",\"mapping\":{\"mapping\":[{\"default\":\"\",\"dest\":\"time\",\"source\":\"timestamp\"},{\"default\":\"\",\"dest\":\"severity\",\"source\":\"level\"},{\"default\":\"\",\"dest\":\"device.type\",\"lookup\":{\"table\":[{\"contains\":\"Desktop\",\"value\":\"desktop\"}]},\"source\":\"host.type\"}],\"metadata\":{\"class\":\"Device Inventory Info\",\"profiles\":[\"container\"],\"version\":\"1.3.0\"},\"version\":1}}],\"type\":\"ocsf_mapper\"}]}],\"sources\":[{\"id\":\"datadog-agent-source\",\"type\":\"datadog_agent\"}]},\"name\":\"OCSF Custom Mapper Pipeline\"},\"type\":\"pipelines\"}}"
+          },
+          "queryString": [],
+          "url": "https://api.datadoghq.com/api/v2/obs-pipelines/pipelines/validate"
+        },
+        "response": {
+          "bodySize": 14,
+          "content": {
+            "mimeType": "application/vnd.api+json",
+            "size": 14,
+            "text": "{\"errors\":[]}\n"
+          },
+          "cookies": [],
+          "headers": [
+            {
+              "name": "content-type",
+              "value": "application/vnd.api+json"
+            }
+          ],
+          "headersSize": 370,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 200,
+          "statusText": "OK"
+        },
+        "startedDateTime": "2026-02-10T14:12:05.673Z",
+        "time": 381
+      }
+    ],
+    "pages": [],
+    "version": "1.2"
+  }
+}

cassettes/v2/Observability-Pipelines_4170000189/Validate-an-observability-pipeline-with-OCSF-mapper-invalid-custom-mapping-returns-Bad-Re_1912095981/frozen.json

@@ -0,0 +1 @@
+"2026-02-10T14:12:06.064Z"

cassettes/v2/Observability-Pipelines_4170000189/Validate-an-observability-pipeline-with-OCSF-mapper-invalid-custom-mapping-returns-Bad-Re_1912095981/recording.har

@@ -0,0 +1,67 @@
+{
+  "log": {
+    "_recordingName": "Observability Pipelines/Validate an observability pipeline with OCSF mapper invalid custom mapping returns \"Bad Request\" response",
+    "creator": {
+      "comment": "persister:fs",
+      "name": "Polly.JS",
+      "version": "6.0.5"
+    },
+    "entries": [
+      {
+        "_id": "61f1236430793b647e3deccb484f7786",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 699,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "application/json"
+            },
+            {
+              "_fromType": "array",
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 583,
+          "httpVersion": "HTTP/1.1",
+          "method": "POST",
+          "postData": {
+            "mimeType": "application/json",
+            "params": [],
+            "text": "{\"data\":{\"attributes\":{\"config\":{\"destinations\":[{\"id\":\"datadog-logs-destination\",\"inputs\":[\"my-processor-group\"],\"type\":\"datadog_logs\"}],\"processor_groups\":[{\"enabled\":true,\"id\":\"my-processor-group\",\"include\":\"service:my-service\",\"inputs\":[\"datadog-agent-source\"],\"processors\":[{\"enabled\":true,\"id\":\"ocsf-mapper-processor\",\"include\":\"service:my-service\",\"mappings\":[{\"include\":\"source:custom\",\"mapping\":{\"mapping\":[{\"dest\":\"time\",\"source\":\"timestamp\"}],\"metadata\":{\"class\":\"Invalid Class\",\"profiles\":[\"container\"],\"version\":\"1.3.0\"},\"version\":0}}],\"type\":\"ocsf_mapper\"}]}],\"sources\":[{\"id\":\"datadog-agent-source\",\"type\":\"datadog_agent\"}]},\"name\":\"OCSF Invalid Mapper Pipeline\"},\"type\":\"pipelines\"}}"
+          },
+          "queryString": [],
+          "url": "https://api.datadoghq.com/api/v2/obs-pipelines/pipelines/validate"
+        },
+        "response": {
+          "bodySize": 344,
+          "content": {
+            "mimeType": "application/json",
+            "size": 344,
+            "text": "{\"errors\":[{\"title\":\"Schema version must be a positive integer\",\"meta\":{\"field\":\"mappings.0.version\",\"id\":\"ocsf-mapper-processor\",\"message\":\"Schema version must be a positive integer\"}},{\"title\":\"Invalid custom mapping class\",\"meta\":{\"field\":\"mappings.0.metadata.class\",\"id\":\"ocsf-mapper-processor\",\"message\":\"Invalid custom mapping class\"}}]}\n"
+          },
+          "cookies": [],
+          "headers": [
+            {
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 363,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 400,
+          "statusText": "Bad Request"
+        },
+        "startedDateTime": "2026-02-10T14:12:06.069Z",
+        "time": 372
+      }
+    ],
+    "pages": [],
+    "version": "1.2"
+  }
+}

cassettes/v2/Observability-Pipelines_4170000189/Validate-an-observability-pipeline-with-OCSF-mapper-library-mapping-returns-OK-response_935798470/frozen.json

@@ -0,0 +1 @@
+"2026-02-10T14:12:05.285Z"

cassettes/v2/Observability-Pipelines_4170000189/Validate-an-observability-pipeline-with-OCSF-mapper-library-mapping-returns-OK-response_935798470/recording.har

@@ -0,0 +1,67 @@
+{
+  "log": {
+    "_recordingName": "Observability Pipelines/Validate an observability pipeline with OCSF mapper library mapping returns \"OK\" response",
+    "creator": {
+      "comment": "persister:fs",
+      "name": "Polly.JS",
+      "version": "6.0.5"
+    },
+    "entries": [
+      {
+        "_id": "5e3a17b9b10ff8463285d7e228eca707",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 580,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "application/json"
+            },
+            {
+              "_fromType": "array",
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 583,
+          "httpVersion": "HTTP/1.1",
+          "method": "POST",
+          "postData": {
+            "mimeType": "application/json",
+            "params": [],
+            "text": "{\"data\":{\"attributes\":{\"config\":{\"destinations\":[{\"id\":\"datadog-logs-destination\",\"inputs\":[\"my-processor-group\"],\"type\":\"datadog_logs\"}],\"processor_groups\":[{\"enabled\":true,\"id\":\"my-processor-group\",\"include\":\"service:my-service\",\"inputs\":[\"datadog-agent-source\"],\"processors\":[{\"enabled\":true,\"id\":\"ocsf-mapper-processor\",\"include\":\"service:my-service\",\"mappings\":[{\"include\":\"source:cloudtrail\",\"mapping\":\"CloudTrail Account Change\"}],\"type\":\"ocsf_mapper\"}]}],\"sources\":[{\"id\":\"datadog-agent-source\",\"type\":\"datadog_agent\"}]},\"name\":\"OCSF Mapper Pipeline\"},\"type\":\"pipelines\"}}"
+          },
+          "queryString": [],
+          "url": "https://api.datadoghq.com/api/v2/obs-pipelines/pipelines/validate"
+        },
+        "response": {
+          "bodySize": 14,
+          "content": {
+            "mimeType": "application/vnd.api+json",
+            "size": 14,
+            "text": "{\"errors\":[]}\n"
+          },
+          "cookies": [],
+          "headers": [
+            {
+              "name": "content-type",
+              "value": "application/vnd.api+json"
+            }
+          ],
+          "headersSize": 370,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 200,
+          "statusText": "OK"
+        },
+        "startedDateTime": "2026-02-10T14:12:05.289Z",
+        "time": 372
+      }
+    ],
+    "pages": [],
+    "version": "1.2"
+  }
+}