From da09f0c988de94f969a01b5972515d8e88429550 Mon Sep 17 00:00:00 2001
From: Vladimir-A <32281993+Vladimir-A@users.noreply.github.com>
Date: Sat, 18 May 2024 19:31:13 +0300
Subject: [PATCH] ecs: add args_count field

Signed-off-by: Anikeev Vladimir
---
 core/exporter/encoders/ecs.go | 36 +++++++++++++++++++++++-------------
 1 file changed, 23 insertions(+), 13 deletions(-)

diff --git a/core/exporter/encoders/ecs.go b/core/exporter/encoders/ecs.go
index d695aa0d..07244afa 100644
--- a/core/exporter/encoders/ecs.go
+++ b/core/exporter/encoders/ecs.go
@@ -470,23 +470,33 @@ func encodeUser(rec *flatrecord.Record) JSONData {
 // encodeProcess creates an ECS process field including the nested parent process.
 func encodeProcess(rec *flatrecord.Record) JSONData {
 exe := flatrecord.Mapper.MapStr(flatrecord.SF_PROC_EXE)(rec)
+ args_count := 0
+ if flatrecord.Mapper.MapStr(flatrecord.SF_PROC_ARGS)(rec) != "" {
+ args_count = len(strings.Split(flatrecord.Mapper.MapStr(flatrecord.SF_PROC_ARGS)(rec), " "))
+ }
 process := JSONData{
- ECS_PROC_EXE: exe,
- ECS_PROC_ARGS: flatrecord.Mapper.MapStr(flatrecord.SF_PROC_ARGS)(rec),
- ECS_PROC_CMDLINE: flatrecord.Mapper.MapStr(flatrecord.SF_PROC_CMDLINE)(rec),
- ECS_PROC_PID: flatrecord.Mapper.MapInt(flatrecord.SF_PROC_PID)(rec),
- ECS_PROC_START: utils.ToIsoTimeStr(flatrecord.Mapper.MapInt(flatrecord.SF_PROC_CREATETS)(rec)),
- ECS_PROC_NAME: path.Base(exe),
- ECS_PROC_THREAD: JSONData{ECS_PROC_TID: flatrecord.Mapper.MapInt(flatrecord.SF_PROC_TID)(rec)},
+ ECS_PROC_EXE: exe,
+ ECS_PROC_ARGS: flatrecord.Mapper.MapStr(flatrecord.SF_PROC_ARGS)(rec),
+ ECS_PROC_ARGS_COUNT: args_count,
+ ECS_PROC_CMDLINE: flatrecord.Mapper.MapStr(flatrecord.SF_PROC_CMDLINE)(rec),
+ ECS_PROC_PID: flatrecord.Mapper.MapInt(flatrecord.SF_PROC_PID)(rec),
+ ECS_PROC_START: utils.ToIsoTimeStr(flatrecord.Mapper.MapInt(flatrecord.SF_PROC_CREATETS)(rec)),
+ ECS_PROC_NAME: path.Base(exe),
+ ECS_PROC_THREAD: JSONData{ECS_PROC_TID: flatrecord.Mapper.MapInt(flatrecord.SF_PROC_TID)(rec)},
 }
 pexe := flatrecord.Mapper.MapStr(flatrecord.SF_PPROC_EXE)(rec)
+ pargs_count := 0
+ if flatrecord.Mapper.MapStr(flatrecord.SF_PPROC_ARGS)(rec) != "" {
+ pargs_count = len(strings.Split(flatrecord.Mapper.MapStr(flatrecord.SF_PPROC_ARGS)(rec), " "))
+ }
 parent := JSONData{
- ECS_PROC_EXE: pexe,
- ECS_PROC_ARGS: flatrecord.Mapper.MapStr(flatrecord.SF_PPROC_ARGS)(rec),
- ECS_PROC_CMDLINE: flatrecord.Mapper.MapStr(flatrecord.SF_PPROC_CMDLINE)(rec),
- ECS_PROC_PID: flatrecord.Mapper.MapInt(flatrecord.SF_PPROC_PID)(rec),
- ECS_PROC_START: utils.ToIsoTimeStr(flatrecord.Mapper.MapInt(flatrecord.SF_PPROC_CREATETS)(rec)),
- ECS_PROC_NAME: path.Base(pexe),
+ ECS_PROC_EXE: pexe,
+ ECS_PROC_ARGS: flatrecord.Mapper.MapStr(flatrecord.SF_PPROC_ARGS)(rec),
+ ECS_PROC_ARGS_COUNT: pargs_count,
+ ECS_PROC_CMDLINE: flatrecord.Mapper.MapStr(flatrecord.SF_PPROC_CMDLINE)(rec),
+ ECS_PROC_PID: flatrecord.Mapper.MapInt(flatrecord.SF_PPROC_PID)(rec),
+ ECS_PROC_START: utils.ToIsoTimeStr(flatrecord.Mapper.MapInt(flatrecord.SF_PPROC_CREATETS)(rec)),
+ ECS_PROC_NAME: path.Base(pexe),
 }
 process[ECS_PROC_PARENT] = parent
 return process
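Review bot: The count computed at `args_count = len(strings.Split(..., " "))` comes from splitting the flattened args string on single spaces, so an argument that itself contains a space, or a run of several spaces, changes the number even though the process received the same argv; `pargs_count` for the parent has the same problem. Detection rules or bucket analyses that threshold on the args_count field would then work from a value the monitored command line can skew. ECS defines the field as the length of the `process.args` array, whereas this encoder emits args as a string; whether that string includes the executable is not visible here and should be confirmed. If the original argv is not available at this point, `args := flatrecord.Mapper.MapStr(flatrecord.SF_PROC_ARGS)(rec)` followed by `argsCount := len(strings.Fields(args))` removes the empty-string special case, the second mapper call and the miscount on repeated whitespace, and a short comment should say the value is an approximation. The closing brace of encodeProcess lies outside the hunk.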