Skip to content

Adding IT suite for PPL-based dashboards in Neo for CloudWatch Lake #4695

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 18 commits into
base: main
Choose a base branch
from
Open

Adding IT suite for PPL-based dashboards in Neo for CloudWatch Lake #4695

wants to merge 18 commits into from

Conversation

@aalva500-prog
Copy link
Contributor

@aalva500-prog aalva500-prog commented Oct 29, 2025

Description

This PR adds integration tests and documentation for PPL based dashboards covering NFW, CloudTrail, WAF, and VPC logs in Neo for CloudWatch Lake.

Changes

New Integration Tests:

  • Added NFW (Network Firewall) PPL dashboard integration tests
  • Added CloudTrail PPL dashboard integration tests
  • Added VPC Flow Logs PPL dashboard integration tests
  • Added WAF PPL dashboard integration tests
  • Reorganized PPL dashboard tests into dedicated dashboard/ package

Test Infrastructure:

  • Added new index mappings and test data for NFW, CloudTrail, VPC, and WAF logs

Documentation:

  • Added documentation for NFW, CloudTrail, VPC, and WAF PPL based dashboards integration tests

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • New functionality has javadoc added.
  • New functionality has a user manual doc added.
  • New PPL command checklist all confirmed.
  • API changes companion pull request created.
  • Commits are signed per the DCO using --signoff or -s.
  • Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

aaarone90 and others added 8 commits October 20, 2025 13:48
@aaarone90
Adding IT for PPL Based Dashboarsd for VPC and WAF logs
0bcc4d6 
Signed-off-by: Aaron Alvarez <[email protected]>
@aaarone90
Fixing documentation for VPC and WAF Dashboards
6e8aec6 
Signed-off-by: Aaron Alvarez <[email protected]>
@aaarone90
Adding IT test suit for CloudTrail PPL CW Based Vended Dashboards
adec82b 
Signed-off-by: Aaron Alvarez <[email protected]>
@aaarone90
Adding IT suit for PPL based-dashboards in CW Lake
e2ab82c 
Signed-off-by: Aaron Alvarez <[email protected]>
@aalva500-prog
Merge branch 'opensearch-project:main' into neo-ppl-dashboards
93c3d40
@aaarone90
Changing PPLIntegTestCase back to original
281b45b 
Signed-off-by: Aaron Alvarez <[email protected]>
@aaarone90
Fixing IT tests and updating documentation
a40f431 
Signed-off-by: Aaron Alvarez <[email protected]>
@aaarone90
Fixing data to avoid security issues
5b2e714 
Signed-off-by: Aaron Alvarez <[email protected]>
@aalva500-prog aalva500-prog marked this pull request as ready for review October 29, 2025 16:45
Swiddis
Swiddis reviewed Oct 29, 2025
View reviewed changes
integ-test/src/test/resources/vpc_logs.json Outdated
Copy link
Collaborator

@Swiddis Swiddis Oct 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: Where exactly is this data from?

We had the issue with integrations that we committed a bunch of sample data and lost the source it was generated from. That would be a good thing to put in the docs.

Copy link
Collaborator

@RyanL1997 RyanL1997 Oct 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 We need to get some data from the actual real flow, like from the actual loggroup of VPC logs

Copy link
Collaborator

@RyanL1997 RyanL1997 Oct 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let me actually follow up on this. I do have some existing flow that I can export some sanitized data. Cuz even for the verification of query correctness, we may need some field with relatively high cardinality.

Copy link
Contributor Author

@aalva500-prog aalva500-prog Oct 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The data you see here is coming from my own S3 bucket, which I use during the integration creation workflow in OpenSearch Dashboards. However, this is not real data and it only has a few records, as the purpose of this exercise was to test query correctness specifically. I had to change the data to avoid exposing sensitive info also.

Copy link
Contributor Author

@aalva500-prog aalva500-prog Oct 30, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

During the new workflow in PPL based dashboards the data should come directly from CW log groups, though. Apart from the NFW, the rest of the queries have been already tested by DQS team connecting directly with CW log groups. However, for NFW the data has been retrieved directly from own CW log groups, so the schema is correct, but I can add some more data if needed.

Copy link
Contributor Author

@aalva500-prog aalva500-prog Oct 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That would be good, thanks @RyanL1997

Let me actually follow up on this. I do have some existing flow that I can export some sanitized data. Cuz even for the verification of query correctness, we may need some field with relatively high cardinality.

RyanL1997 and others added 9 commits October 30, 2025 16:09
@RyanL1997
update sample data for waf ct and vpc
0ca8f8b 
Signed-off-by: Jialiang Liang <[email protected]>
@aalva500-prog
Merge branch 'opensearch-project:main' into neo-ppl-dashboards
283be40
@aaarone90
Fixed VPC integration tests
9adb4a2 
Signed-off-by: Aaron Alvarez <[email protected]>
@aaarone90
Fixed CloudTrail Integration tests
158dcf6 
Signed-off-by: Aaron Alvarez <[email protected]>
@aaarone90
Fixing WAF test suite
5431f11 
Signed-off-by: Aaron Alvarez <[email protected]>
@aaarone90
Fixing documentation and NFW test suite
724924b 
Signed-off-by: Aaron Alvarez <[email protected]>
@aaarone90
Deleting duplicate files
84c8f16 
Signed-off-by: Aaron Alvarez <[email protected]>
@aaarone90
Deleting duplicated files
365b248 
Signed-off-by: Aaron Alvarez <[email protected]>
@aaarone90
Addressing licensing issues
a791c22 
Signed-off-by: Aaron Alvarez <[email protected]>
@aalva500-prog aalva500-prog requested a review from Swiddis November 4, 2025 18:48
@aaarone90
Retrigger CI
abec8fb 
Signed-off-by: Aaron Alvarez <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Swiddis Swiddis Swiddis approved these changes

@ps48 ps48 Awaiting requested review from ps48 ps48 is a code owner

@kavithacm kavithacm Awaiting requested review from kavithacm kavithacm is a code owner

@derek-ho derek-ho Awaiting requested review from derek-ho derek-ho is a code owner

@joshuali925 joshuali925 Awaiting requested review from joshuali925 joshuali925 is a code owner

@dai-chen dai-chen Awaiting requested review from dai-chen dai-chen is a code owner

@YANG-DB YANG-DB Awaiting requested review from YANG-DB YANG-DB is a code owner

@mengweieric mengweieric Awaiting requested review from mengweieric mengweieric is a code owner

@vamsimanohar vamsimanohar Awaiting requested review from vamsimanohar vamsimanohar is a code owner

@penghuo penghuo Awaiting requested review from penghuo penghuo is a code owner

@seankao-az seankao-az Awaiting requested review from seankao-az seankao-az is a code owner

@MaxKsyunz MaxKsyunz Awaiting requested review from MaxKsyunz MaxKsyunz is a code owner

@Yury-Fridlyand Yury-Fridlyand Awaiting requested review from Yury-Fridlyand Yury-Fridlyand is a code owner

@anirudha anirudha Awaiting requested review from anirudha anirudha is a code owner

@forestmvey forestmvey Awaiting requested review from forestmvey forestmvey is a code owner

@acarbonetto acarbonetto Awaiting requested review from acarbonetto acarbonetto is a code owner

@GumpacG GumpacG Awaiting requested review from GumpacG GumpacG is a code owner

@ykmr1224 ykmr1224 Awaiting requested review from ykmr1224 ykmr1224 is a code owner

@LantaoJin LantaoJin Awaiting requested review from LantaoJin LantaoJin is a code owner

@noCharger noCharger Awaiting requested review from noCharger noCharger is a code owner

@qianheng-aws qianheng-aws Awaiting requested review from qianheng-aws qianheng-aws is a code owner

@yuancu yuancu Awaiting requested review from yuancu yuancu is a code owner

@RyanL1997 RyanL1997 Awaiting requested review from RyanL1997 RyanL1997 is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@aalva500-prog @Swiddis @RyanL1997 @aaarone90