Use wildcard type
marc-gr committed Jun 23, 2021
1 parent 594efec commit 119b40f
Showing 2 changed files with 12 additions and 12 deletions.
12 changes: 6 additions & 6 deletions packages/netflow/data_stream/log/fields/ecs.yml
Expand Up @@ -762,7 +762,7 @@
description: Error message.
- name: stack_trace
level: extended
type: keyword
type: wildcard
ignore_above: 1024
description: The stack trace of this error in plain text.
- name: type
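Review bot: changing `type: keyword` to `type: wildcard` on `stack_trace` is a mapping type change, not an in-place update, so the existing backing indices of the `logs-netflow.log-*` data stream keep the keyword mapping until the next rollover and only new indices pick up wildcard; it would help to say so in the package changelog. The commit touches only the two files shown (ecs.yml and README.md), so the package version bump and changelog entry that normally accompany a mapping change are not visible here; please confirm they are covered elsewhere or add them to this change.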
Expand Down Expand Up @@ -1393,7 +1393,7 @@
example: 887
- name: request.body.content
level: extended
type: keyword
type: wildcard
ignore_above: 1024
description: The full HTTP request body.
example: Hello world
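Review bot: `ignore_above: 1024` is kept on `request.body.content` after the switch to wildcard, so any body longer than 1024 characters is still stored in `_source` but not indexed and will not match wildcard or regexp queries, which is exactly the grep-style search the wildcard type is meant to enable on long free-form values. If the goal is to track ECS, keeping the limit is consistent with the upstream field definition; if the goal is searchable full bodies for this integration, the limit needs to be raised deliberately (wildcard accepts a larger `ignore_above`). The same consideration applies to `response.body.content` in the next hunk.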
Expand Down Expand Up @@ -1425,7 +1425,7 @@
example: 887
- name: response.body.content
level: extended
type: keyword
type: wildcard
ignore_above: 1024
description: The full HTTP response body.
example: Hello world
Expand Down Expand Up @@ -2585,13 +2585,13 @@
The `#` is not part of the fragment.'
- name: full
level: extended
type: keyword
type: wildcard
ignore_above: 1024
description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
example: https://www.elastic.co:443/search?q=elasticsearch#top
- name: original
level: extended
type: keyword
type: wildcard
ignore_above: 1024
description: 'Unmodified original url as seen in the event source.
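Review bot: `url.full` and `url.original` are the two fields here most likely to carry long, externally controlled strings, and both keep `ignore_above: 1024`; a URL over that length is retained in `_source` but not indexed, so a detection rule or saved search that uses a wildcard or regexp pattern on `url.original` silently misses over-length values. Exact-match term queries and existing filters on these fields continue to work with the wildcard type, so this is only a note for the docs or a reason to raise the limit for these two fields, not a blocker.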
Expand All @@ -2606,7 +2606,7 @@
description: Password of the request.
- name: path
level: extended
type: keyword
type: wildcard
ignore_above: 1024
description: Path of the request, such as "/search".
- name: port
12 changes: 6 additions & 6 deletions packages/netflow/docs/README.md
Expand Up @@ -129,7 +129,7 @@ The `log` dataset collects netflow logs.
| error.code | Error code describing the error. | keyword |
| error.id | Unique identifier for the error. | keyword |
| error.message | Error message. | text |
| error.stack_trace | The stack trace of this error in plain text. | keyword |
| error.stack_trace | The stack trace of this error in plain text. | wildcard |
| error.type | The type of the error, for example the class name of the exception. | keyword |
| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
| event.category | Event category. This contains high-level information about the contents of the event. It is more generic than `event.action`, in the sense that typically a category contains multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. | keyword |
Expand Down Expand Up @@ -228,12 +228,12 @@ The `log` dataset collects netflow logs.
| host.user.id | One or multiple unique identifiers of the user. | keyword |
| host.user.name | Short name or login of the user. | keyword |
| http.request.body.bytes | Size in bytes of the request body. | long |
| http.request.body.content | The full HTTP request body. | keyword |
| http.request.body.content | The full HTTP request body. | wildcard |
| http.request.bytes | Total size in bytes of the request (body and headers). | long |
| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
| http.request.referrer | Referrer for this HTTP request. | keyword |
| http.response.body.bytes | Size in bytes of the response body. | long |
| http.response.body.content | The full HTTP response body. | keyword |
| http.response.body.content | The full HTTP response body. | wildcard |
| http.response.bytes | Total size in bytes of the response (body and headers). | long |
| http.response.status_code | HTTP response status code. | long |
| http.version | HTTP version. | keyword |
Expand Down Expand Up @@ -1724,10 +1724,10 @@ The `log` dataset collects netflow logs.
| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword |
| url.extension | The field contains the file extension from the original request url. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". | keyword |
| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | keyword |
| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword |
| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
| url.password | Password of the request. | keyword |
| url.path | Path of the request, such as "/search". | keyword |
| url.path | Path of the request, such as "/search". | wildcard |
| url.port | Port of the request, such as 443. | long |
| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
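Review bot: the six README rows changed to `wildcard` (error.stack_trace, http.request.body.content, http.response.body.content, url.full, url.original, url.path) match the six type changes in ecs.yml one for one, and no other rows changed. If this README is generated from the field definitions, regenerate it as part of the build rather than editing the table by hand, so the two files cannot drift on the next fields update.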

0 comments on commit 119b40f