From d8f58a3d18401ce321a7234af8eb0b6049af1669 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Fri, 27 Oct 2023 22:38:00 +0000
Subject: [PATCH] Correct query schema for ELB mview generation (#1196)

(cherry picked from commit be978bf56f707f535dd6bd3304c44ac8432ca83b)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
---
 public/services/requests/sql.ts               |  1 -
 .../aws_elb/assets/create_mv-1.0.0.sql        | 79 ++++++++++---------
 2 files changed, 41 insertions(+), 39 deletions(-)

diff --git a/public/services/requests/sql.ts b/public/services/requests/sql.ts
index b28323f03..1ec3b3d2a 100644
--- a/public/services/requests/sql.ts
+++ b/public/services/requests/sql.ts
@@ -6,7 +6,6 @@
 import { CoreStart } from '../../../../../src/core/public';
 import { DirectQueryRequest } from '../../../common/types/explorer';
 
-
 export class SQLService {
   private http;
   constructor(http: CoreStart['http']) {
diff --git a/server/adaptors/integrations/__data__/repository/aws_elb/assets/create_mv-1.0.0.sql b/server/adaptors/integrations/__data__/repository/aws_elb/assets/create_mv-1.0.0.sql
index 8520ae8b7..ecb48c084 100644
--- a/server/adaptors/integrations/__data__/repository/aws_elb/assets/create_mv-1.0.0.sql
+++ b/server/adaptors/integrations/__data__/repository/aws_elb/assets/create_mv-1.0.0.sql
@@ -1,38 +1,41 @@
-CREATE MATERIALIZED VIEW
-  {table_name}_mview AS
-    SELECT
-        type as `aws.elb.elb_type`,
-        time as `@timestamp`,
-        elb as `aws.elb.elb_name`,
-        split_part(client_ip, ':', 1) as `aws.elb.client.ip`,
-        split_part(client_ip, ':', 2) as `aws.elb.client.port`,
-        split_part(target_ip, ':', 1) as `aws.elb.target.ip`,
-        split_part(target_ip, ':', 2) as `aws.elb.target.port`,
-        request_processing_time as `aws.elb.request_processing_time`,
-        target_processing_time as `aws.elb.target_processing_time`,
-        response_processing_time as `aws.elb.response_processing_time`,
-        elb_status_code as `aws.elb.elb_status_code`,
-        target_status_code as `aws.elb.target_status_code`,
-        received_bytes as `aws.elb.received_bytes`,
-        sent_bytes as `aws.elb.sent_bytes`,
-        split_part(request, ' ', 1) as `http.request.method`,
-        split_part(request, ' ', 2) as `url.full`,
-        split_part(request, ' ', 3) as `url.schema`,
-        user_agent as `http.user_agent.name`,
-        ssl_cipher as `aws.elb.ssl_cipher`,
-        ssl_protocol as `aws.elb.ssl_protocol`,
-        target_group_arn as `aws.elb.target_group_arn`,
-        trace_id as `traceId`,
-        domain_name as `url.domain`,
-        chosen_cert_arn as `aws.elb.chosen_cert_arn`,
-        matched_rule_priority as `aws.elb.matched_rule_priority`,
-        request_creation_time as `aws.elb.request_creation_time`,
-        actions_executed as `aws.elb.actions_executed`,
-        redirect_url as `aws.elb.redirect_url`,
-        lambda_error_reason as `aws.elb.lambda_error_reason`,
-        target_port_list as `aws.elb.target_port_list`,
-        target_status_code_list as `aws.elb.target_status_code_list`,
-        classification as `aws.elb.classification`,
-        classification_reason as `aws.elb.classification_reason`
-    FROM
-        {table_name};
+CREATE MATERIALIZED VIEW {table_name}_mview AS
+SELECT
+    type as `aws.elb.elb_type`,
+    time as `@timestamp`,
+    elb as `aws.elb.elb_name`,
+    split_part (client_ip, ':', 1) as `communication.source.ip`,
+    split_part (client_ip, ':', 2) as `communication.source.port`,
+    split_part (target_ip, ':', 1) as `communication.destination.ip`,
+    split_part (target_ip, ':', 2) as `communication.destination.port`,
+    request_processing_time as `aws.elb.request_processing_time`,
+    target_processing_time as `aws.elb.target_processing_time`,
+    response_processing_time as `aws.elb.response_processing_time`,
+    elb_status_code as `http.response.status_code`,
+    target_status_code as `aws.elb.target_status_code`,
+    received_bytes as `aws.elb.received_bytes`,
+    sent_bytes as `aws.elb.sent_bytes`,
+    split_part (request, ' ', 1) as `http.request.method`,
+    split_part (request, ' ', 2) as `url.full`,
+    parse_url (split_part (request, ' ', 2), 'HOST') as `url.domain`,
+    parse_url (split_part (request, ' ', 2), 'PATH') as `url.path`,
+    split_part (request, ' ', 3) as `url.schema`,
+    request AS `http.request.body.content`,
+    user_agent as `http.user_agent.original`,
+    user_agent as `http.user_agent.name`,
+    ssl_cipher as `aws.elb.ssl_cipher`,
+    ssl_protocol as `aws.elb.ssl_protocol`,
+    split_part (target_group_arn, ':', 4) as `cloud.region`,
+    split_part (target_group_arn, ':', 5) as `cloud.account.id`,
+    trace_id as `traceId`,
+    chosen_cert_arn as `aws.elb.chosen_cert_arn`,
+    matched_rule_priority as `aws.elb.matched_rule_priority`,
+    request_creation_time as `aws.elb.request_creation_time`,
+    actions_executed as `aws.elb.actions_executed`,
+    redirect_url as `aws.elb.redirect_url`,
+    lambda_error_reason as `aws.elb.lambda_error_reason`,
+    target_port_list as `aws.elb.target_port_list`,
+    target_status_code_list as `aws.elb.target_status_code_list`,
+    classification as `aws.elb.classification`,
+    classification_reason as `aws.elb.classification_reason`
+FROM
+    {table_name};