DataDog · api-clients-generation-pipeline · Mar 17, 2026
@@ -44644,6 +44644,11 @@ components:
             targets.
           example: service:my-service
           type: string
+        keep_unmatched:
+          description: Whether to keep an event that does not match any of the mapping
+            filters.
+          example: false
+          type: boolean
         mappings:
           description: A list of mapping rules to convert events to the OCSF format.
           items:

@@ -0,0 +1,92 @@
+"""
+Validate an observability pipeline with OCSF mapper keep_unmatched returns "OK" response
+"""
+
+from datadog_api_client import ApiClient, Configuration
+from datadog_api_client.v2.api.observability_pipelines_api import ObservabilityPipelinesApi
+from datadog_api_client.v2.model.observability_pipeline_config import ObservabilityPipelineConfig
+from datadog_api_client.v2.model.observability_pipeline_config_processor_group import (
+    ObservabilityPipelineConfigProcessorGroup,
+)
+from datadog_api_client.v2.model.observability_pipeline_data_attributes import ObservabilityPipelineDataAttributes
+from datadog_api_client.v2.model.observability_pipeline_datadog_agent_source import (
+    ObservabilityPipelineDatadogAgentSource,
+)
+from datadog_api_client.v2.model.observability_pipeline_datadog_agent_source_type import (
+    ObservabilityPipelineDatadogAgentSourceType,
+)
+from datadog_api_client.v2.model.observability_pipeline_datadog_logs_destination import (
+    ObservabilityPipelineDatadogLogsDestination,
+)
+from datadog_api_client.v2.model.observability_pipeline_datadog_logs_destination_type import (
+    ObservabilityPipelineDatadogLogsDestinationType,
+)
+from datadog_api_client.v2.model.observability_pipeline_ocsf_mapper_processor import (
+    ObservabilityPipelineOcsfMapperProcessor,
+)
+from datadog_api_client.v2.model.observability_pipeline_ocsf_mapper_processor_mapping import (
+    ObservabilityPipelineOcsfMapperProcessorMapping,
+)
+from datadog_api_client.v2.model.observability_pipeline_ocsf_mapper_processor_type import (
+    ObservabilityPipelineOcsfMapperProcessorType,
+)
+from datadog_api_client.v2.model.observability_pipeline_spec import ObservabilityPipelineSpec
+from datadog_api_client.v2.model.observability_pipeline_spec_data import ObservabilityPipelineSpecData
+
+body = ObservabilityPipelineSpec(
+    data=ObservabilityPipelineSpecData(
+        attributes=ObservabilityPipelineDataAttributes(
+            config=ObservabilityPipelineConfig(
+                destinations=[
+                    ObservabilityPipelineDatadogLogsDestination(
+                        id="datadog-logs-destination",
+                        inputs=[
+                            "my-processor-group",
+                        ],
+                        type=ObservabilityPipelineDatadogLogsDestinationType.DATADOG_LOGS,
+                    ),
+                ],
+                processor_groups=[
+                    ObservabilityPipelineConfigProcessorGroup(
+                        enabled=True,
+                        id="my-processor-group",
+                        include="service:my-service",
+                        inputs=[
+                            "datadog-agent-source",
+                        ],
+                        processors=[
+                            ObservabilityPipelineOcsfMapperProcessor(
+                                enabled=True,
+                                id="ocsf-mapper-processor",
+                                include="service:my-service",
+                                type=ObservabilityPipelineOcsfMapperProcessorType.OCSF_MAPPER,
+                                keep_unmatched=True,
+                                mappings=[
+                                    ObservabilityPipelineOcsfMapperProcessorMapping(
+                                        include="source:cloudtrail",
+                                        mapping="CloudTrail Account Change",
+                                    ),
+                                ],
+                            ),
+                        ],
+                    ),
+                ],
+                sources=[
+                    ObservabilityPipelineDatadogAgentSource(
+                        id="datadog-agent-source",
+                        type=ObservabilityPipelineDatadogAgentSourceType.DATADOG_AGENT,
+                    ),
+                ],
+            ),
+            name="OCSF Mapper Keep Unmatched Pipeline",
+        ),
+        type="pipelines",
+    ),
+)
+
+configuration = Configuration()
+with ApiClient(configuration) as api_client:
+    api_instance = ObservabilityPipelinesApi(api_client)
+    response = api_instance.validate_pipeline(body=body)
+
+    print(response)
@@ -66,6 +66,9 @@ def __init__(self, **kwargs):
         :param metrics: Configuration for generating individual metrics.
         :type metrics: [ObservabilityPipelineGeneratedMetric], optional
 
+        :param keep_unmatched: Whether to keep an event that does not match any of the mapping filters.
+        :type keep_unmatched: bool, optional
+
         :param mappings: A list of mapping rules to convert events to the OCSF format.
         :type mappings: [ObservabilityPipelineOcsfMapperProcessorMapping]
 

@@ -37,6 +37,7 @@ def openapi_types(_):
             "enabled": (bool,),
             "id": (str,),
             "include": (str,),
+            "keep_unmatched": (bool,),
             "mappings": ([ObservabilityPipelineOcsfMapperProcessorMapping],),
             "type": (ObservabilityPipelineOcsfMapperProcessorType,),
         }
@@ -46,6 +47,7 @@ def openapi_types(_):
         "enabled": "enabled",
         "id": "id",
         "include": "include",
+        "keep_unmatched": "keep_unmatched",
         "mappings": "mappings",
         "type": "type",
     }
@@ -58,6 +60,7 @@ def __init__(
         mappings: List[ObservabilityPipelineOcsfMapperProcessorMapping],
         type: ObservabilityPipelineOcsfMapperProcessorType,
         display_name: Union[str, UnsetType] = unset,
+        keep_unmatched: Union[bool, UnsetType] = unset,
         **kwargs,
     ):
         """
@@ -77,6 +80,9 @@ def __init__(
         :param include: A Datadog search query used to determine which logs this processor targets.
         :type include: str
 
+        :param keep_unmatched: Whether to keep an event that does not match any of the mapping filters.
+        :type keep_unmatched: bool, optional
+
         :param mappings: A list of mapping rules to convert events to the OCSF format.
         :type mappings: [ObservabilityPipelineOcsfMapperProcessorMapping]
 
@@ -85,6 +91,8 @@ def __init__(
         """
         if display_name is not unset:
             kwargs["display_name"] = display_name
+        if keep_unmatched is not unset:
+            kwargs["keep_unmatched"] = keep_unmatched
         super().__init__(kwargs)
 
         self_.enabled = enabled

@@ -0,0 +1 @@
+2026-03-16T13:02:49.264Z
@@ -0,0 +1,24 @@
+interactions:
+- request:
+    body: '{"data":{"attributes":{"config":{"destinations":[{"id":"datadog-logs-destination","inputs":["my-processor-group"],"type":"datadog_logs"}],"processor_groups":[{"enabled":true,"id":"my-processor-group","include":"service:my-service","inputs":["datadog-agent-source"],"processors":[{"enabled":true,"id":"ocsf-mapper-processor","include":"service:my-service","keep_unmatched":true,"mappings":[{"include":"source:cloudtrail","mapping":"CloudTrail
+      Account Change"}],"type":"ocsf_mapper"}]}],"sources":[{"id":"datadog-agent-source","type":"datadog_agent"}]},"name":"OCSF
+      Mapper Keep Unmatched Pipeline"},"type":"pipelines"}}'
+    headers:
+      accept:
+      - application/json
+      content-type:
+      - application/json
+    method: POST
+    uri: https://api.datadoghq.com/api/v2/obs-pipelines/pipelines/validate
+  response:
+    body:
+      string: '{"errors":[]}
+
+        '
+    headers:
+      content-type:
+      - application/vnd.api+json
+    status:
+      code: 200
+      message: OK
+version: 1
@@ -191,6 +191,14 @@ Feature: Observability Pipelines
     When the request is sent
     Then the response status is 400 Bad Request
 
+  @team:DataDog/observability-pipelines
+  Scenario: Validate an observability pipeline with OCSF mapper keep_unmatched returns "OK" response
+    Given new "ValidatePipeline" request
+    And body with value {"data": {"attributes": {"config": {"destinations": [{"id": "datadog-logs-destination", "inputs": ["my-processor-group"], "type": "datadog_logs"}], "processor_groups": [{"enabled": true, "id": "my-processor-group", "include": "service:my-service", "inputs": ["datadog-agent-source"], "processors": [{"enabled": true, "id": "ocsf-mapper-processor", "include": "service:my-service", "type": "ocsf_mapper", "keep_unmatched": true, "mappings": [{"include": "source:cloudtrail", "mapping": "CloudTrail Account Change"}]}]}], "sources": [{"id": "datadog-agent-source", "type": "datadog_agent"}]}, "name": "OCSF Mapper Keep Unmatched Pipeline"}, "type": "pipelines"}}
+    When the request is sent
+    Then the response status is 200 OK
+    And the response "errors" has length 0
+
   @team:DataDog/observability-pipelines
   Scenario: Validate an observability pipeline with OCSF mapper library mapping returns "OK" response
     Given new "ValidatePipeline" request