From e6525deefac463e551846b99be39407e5e0f0f44 Mon Sep 17 00:00:00 2001
From: Marc Lopez Rubio <marc5.12@outlook.com>
Date: Tue, 3 Sep 2024 11:38:13 -0700
Subject: [PATCH] logs-apm.error-*: define log.level field as keyword (#112440)

Defines `log.level` as a `keyword` for all apm error logs.

---------

Signed-off-by: Marc Lopez Rubio <marc5.12@outlook.com>
---
 docs/changelog/112440.yaml                    |  5 ++++
 .../logs-apm.error@mappings.yaml              |  3 ++
 .../src/main/resources/resources.yaml         |  2 +-
 .../rest-api-spec/test/20_error_logs.yml      | 28 +++++++++++++++++++
 4 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 docs/changelog/112440.yaml
 create mode 100644 x-pack/plugin/apm-data/src/yamlRestTest/resources/rest-api-spec/test/20_error_logs.yml

diff --git a/docs/changelog/112440.yaml b/docs/changelog/112440.yaml
new file mode 100644
index 0000000000000..f208474fa2686
--- /dev/null
+++ b/docs/changelog/112440.yaml
@@ -0,0 +1,5 @@
+pr: 112440
+summary: "logs-apm.error-*: define log.level field as keyword"
+area: Data streams
+type: bug
+issues: []
diff --git a/x-pack/plugin/apm-data/src/main/resources/component-templates/logs-apm.error@mappings.yaml b/x-pack/plugin/apm-data/src/main/resources/component-templates/logs-apm.error@mappings.yaml
index c1d004b4e7bf4..6c83f40252354 100644
--- a/x-pack/plugin/apm-data/src/main/resources/component-templates/logs-apm.error@mappings.yaml
+++ b/x-pack/plugin/apm-data/src/main/resources/component-templates/logs-apm.error@mappings.yaml
@@ -6,6 +6,9 @@ _meta:
 template:
   mappings:
     properties:
+      # log.*
+      log.level:
+        type: keyword
       # error.*
       error.custom:
         type: object
diff --git a/x-pack/plugin/apm-data/src/main/resources/resources.yaml b/x-pack/plugin/apm-data/src/main/resources/resources.yaml
index 3e66769d939ad..0502a8c559ff6 100644
--- a/x-pack/plugin/apm-data/src/main/resources/resources.yaml
+++ b/x-pack/plugin/apm-data/src/main/resources/resources.yaml
@@ -1,7 +1,7 @@
 # "version" holds the version of the templates and ingest pipelines installed
 # by xpack-plugin apm-data. This must be increased whenever an existing template or
 # pipeline is changed, in order for it to be updated on Elasticsearch upgrade.
-version: 8
+version: 9
 
 component-templates:
   # Data lifecycle.
diff --git a/x-pack/plugin/apm-data/src/yamlRestTest/resources/rest-api-spec/test/20_error_logs.yml b/x-pack/plugin/apm-data/src/yamlRestTest/resources/rest-api-spec/test/20_error_logs.yml
new file mode 100644
index 0000000000000..5d2a6ec29ff4c
--- /dev/null
+++ b/x-pack/plugin/apm-data/src/yamlRestTest/resources/rest-api-spec/test/20_error_logs.yml
@@ -0,0 +1,28 @@
+---
+setup:
+  - do:
+      cluster.health:
+        wait_for_events: languid
+---
+"Test logs-apm.error-* error log fields":
+  - do:
+      bulk:
+        index: logs-apm.error-log-level-testing
+        refresh: true
+        body:
+          - create: {}
+          - '{"@timestamp": "2017-06-22", "log": {"level": "error"}, "error": {"log": {"message": "loglevel"}, "exception": [{"message": "exception_used"}]}}'
+
+          - create: {}
+          - '{"@timestamp": "2017-06-22", "log": {"level": "warn"}, "error": {"log": {"message": "loglevel"}, "exception": [{"message": "exception_used"}]}}'
+
+  - is_false: errors
+
+  - do:
+      search:
+        index: logs-apm.error-log-level-testing
+        body:
+          fields: ["log.level"]
+  - length: { hits.hits: 2 }
+  - match: { hits.hits.0.fields: { "log.level": ["error"] } }
+  - match: { hits.hits.1.fields: { "log.level": ["warn"] } }