
Commit ec0cfed

committed
feat(visualization): add update for Linux visualizations to normalize field names and improve dataset consistency
1 parent b4466fa commit ec0cfed


2 files changed

+156
-0
lines changed

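--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20260220002_update_linux_visualizations.xml
@@ -0,0 +1,154 @@
+<?xml version="1.0" encoding="utf-8"?>
+<databaseChangeLog
+xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog
+http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd">
+
+<changeSet id="20260220002" author="Manuel Abascal">
+
+<sql dbms="postgresql" splitStatements="true" stripComments="true">
+<![CDATA[
+
+------------------------------------------------------------------
+-- Replace log.linux.fileset.name.keyword with action.keyword (SAFE)
+-- This field identifies the type of Linux log/dataset
+-------------------------------------------------------------------
+UPDATE utm_visualization
+SET filters = REPLACE(filters,
+'"field":"log.linux.fileset.name.keyword"',
+'"field":"action.keyword"')
+WHERE filters LIKE '%"field":"log.linux.fileset.name.keyword"%';
+
+UPDATE utm_visualization
+SET aggregation = REPLACE(aggregation,
+'"field":"log.linux.fileset.name.keyword"',
+'"field":"action.keyword"')
+WHERE aggregation LIKE '%"field":"log.linux.fileset.name.keyword"%';
+
+------------------------------------------------------------------
+-- Update filter value from "auth" to "system.auth" (SAFE)
+-- Reflects new dataset naming convention in systemd/journald
+-------------------------------------------------------------------
+UPDATE utm_visualization
+SET filters = REPLACE(filters,
+'"field":"action.keyword","value":"auth"',
+'"field":"action.keyword","value":"system.auth"')
+WHERE filters LIKE '%"field":"action.keyword","value":"auth"%';
+
+------------------------------------------------------------------
+-- Replace log.linux.host.name.keyword with origin.host.keyword (SAFE)
+-- Normalizes to standard event schema
+-------------------------------------------------------------------
+UPDATE utm_visualization
+SET filters = REPLACE(filters,
+'"field":"log.linux.host.name.keyword"',
+'"field":"origin.host.keyword"')
+WHERE filters LIKE '%"field":"log.linux.host.name.keyword"%';
+
+UPDATE utm_visualization
+SET aggregation = REPLACE(aggregation,
+'"field":"log.linux.host.name.keyword"',
+'"field":"origin.host.keyword"')
+WHERE aggregation LIKE '%"field":"log.linux.host.name.keyword"%';
+
+------------------------------------------------------------------
+-- Replace log.linux.host.ip.keyword with origin.ip.keyword (SAFE)
+-------------------------------------------------------------------
+UPDATE utm_visualization
+SET filters = REPLACE(filters,
+'"field":"log.linux.host.ip.keyword"',
+'"field":"origin.ip.keyword"')
+WHERE filters LIKE '%"field":"log.linux.host.ip.keyword"%';
+
+UPDATE utm_visualization
+SET aggregation = REPLACE(aggregation,
+'"field":"log.linux.host.ip.keyword"',
+'"field":"origin.ip.keyword"')
+WHERE aggregation LIKE '%"field":"log.linux.host.ip.keyword"%';
+
+------------------------------------------------------------------
+-- Replace log.linux.host.os.name.keyword with log.osType.keyword (SAFE)
+-------------------------------------------------------------------
+UPDATE utm_visualization
+SET filters = REPLACE(filters,
+'"field":"log.linux.host.os.name.keyword"',
+'"field":"log.osType.keyword"')
+WHERE filters LIKE '%"field":"log.linux.host.os.name.keyword"%';
+
+UPDATE utm_visualization
+SET aggregation = REPLACE(aggregation,
+'"field":"log.linux.host.os.name.keyword"',
+'"field":"log.osType.keyword"')
+WHERE aggregation LIKE '%"field":"log.linux.host.os.name.keyword"%';
+
+------------------------------------------------------------------
+-- Replace log.linux.message.keyword with log.message.keyword (SAFE)
+-------------------------------------------------------------------
+UPDATE utm_visualization
+SET filters = REPLACE(filters,
+'"field":"log.linux.message.keyword"',
+'"field":"log.message.keyword"')
+WHERE filters LIKE '%"field":"log.linux.message.keyword"%';
+
+UPDATE utm_visualization
+SET aggregation = REPLACE(aggregation,
+'"field":"log.linux.message.keyword"',
+'"field":"log.message.keyword"')
+WHERE aggregation LIKE '%"field":"log.linux.message.keyword"%';
+
+------------------------------------------------------------------
+-- Replace log.linux.agent.name.keyword with dataSource.keyword (SAFE)
+-------------------------------------------------------------------
+UPDATE utm_visualization
+SET filters = REPLACE(filters,
+'"field":"log.linux.agent.name.keyword"',
+'"field":"dataSource.keyword"')
+WHERE filters LIKE '%"field":"log.linux.agent.name.keyword"%';
+
+UPDATE utm_visualization
+SET aggregation = REPLACE(aggregation,
+'"field":"log.linux.agent.name.keyword"',
+'"field":"dataSource.keyword"')
+WHERE aggregation LIKE '%"field":"log.linux.agent.name.keyword"%';
+
+------------------------------------------------------------------
+-- Replace log.linux.agent.version.keyword with log.agentVersion.keyword (SAFE)
+-------------------------------------------------------------------
+UPDATE utm_visualization
+SET filters = REPLACE(filters,
+'"field":"log.linux.agent.version.keyword"',
+'"field":"log.agentVersion.keyword"')
+WHERE filters LIKE '%"field":"log.linux.agent.version.keyword"%';
+
+UPDATE utm_visualization
+SET aggregation = REPLACE(aggregation,
+'"field":"log.linux.agent.version.keyword"',
+'"field":"log.agentVersion.keyword"')
+WHERE aggregation LIKE '%"field":"log.linux.agent.version.keyword"%';
+
+------------------------------------------------------------------
+-- Replace log.linux.event.module.keyword with action.keyword (SAFE)
+-- In old structure: event.module = "system"
+-- In new structure: action = "system.syslog" (module + dataset)
+-------------------------------------------------------------------
+UPDATE utm_visualization
+SET filters = REPLACE(filters,
+'"field":"log.linux.event.module.keyword"',
+'"field":"action.keyword"')
+WHERE filters LIKE '%"field":"log.linux.event.module.keyword"%';
+
+UPDATE utm_visualization
+SET aggregation = REPLACE(aggregation,
+'"field":"log.linux.event.module.keyword"',
+'"field":"action.keyword"')
+WHERE aggregation LIKE '%"field":"log.linux.event.module.keyword"%';
+
+
+]]>
+</sql>
+
+</changeSet>
+
+</databaseChangeLog>
+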
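Review bot: The comment at file lines 132–133 states that the old `event.module = "system"` corresponds to `action = "system.syslog"`, but the two statements at lines 135–145 only rename the field, so a stored filter `"field":"log.linux.event.module.keyword","value":"system"` becomes `"field":"action.keyword","value":"system"`, which by the comment's own description matches nothing in the new schema; either add a value rewrite for that case or reword the comment to say only the field name is migrated. Every REPLACE/LIKE pair also assumes the JSON in `filters` and `aggregation` is stored compactly (`"field":"…"` with no whitespace after the colon, and at line 35 `value` immediately following `field`); if any row is pretty-printed or has a different key order the UPDATE silently matches zero rows, so comparing `LIKE '%log.linux.%'` counts before and after on a copy of the table would catch that. Because Liquibase `<sql>` change sets have no automatic rollback, and two distinct source fields (`log.linux.fileset.name.keyword` and `log.linux.event.module.keyword`) are both folded into `action.keyword`, this change set is not invertible; a `<rollback>` element, or at minimum a `<comment>` noting the change is forward-only, should be added to the changeSet.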

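--- a/backend/src/main/resources/config/liquibase/master.xml
+++ b/backend/src/main/resources/config/liquibase/master.xml
@@ -467,6 +467,8 @@
 
 <include file="/config/liquibase/changelog/20260220001_update_filter_linux.xml" relativeToChangelogFile="false"/>
 
+<include file="/config/liquibase/changelog/20260220002_update_linux_visualizations.xml" relativeToChangelogFile="false"/>
+
 
 
 </databaseChangeLog>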
