Adopting Wildcard Fields #1163
Assignees
Comments
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
|
While working on the elastic/package-spec#63 I introduced a simple dependency management to import ECS field definitions (name, type, description) directly from ECS repository. I will try to enable this feature for some packages in elastic/integrations. For reference: https://github.com/elastic/elastic-package/blob/master/test/packages/nginx/data_stream/access/fields/ecs.yml#L6 Sample PR: #1171 Is it something that will be useful here? |
7 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Wildcard is a data type for Elasticsearch string fields introduced in Elasticsearch 7.9. Wildcard optimizes performance for queries using wildcards (*) and regex, allowing users to perform grep-like searches without the limitations of the existing text and keyword types.
ECS is supporting wildcards (RFC here) for the following fields:
errorerror.stack_tracehttphttp.request.body.contenthttp.response.body.contentprocessprocess.command_lineregistryregistry.data.stringsurlurl.fullurl.originalurl.pathThere is an impact on indexing throughput (5% decrease on average) and storage (5% increase on average) based on our performance testing of wildcard fields.
With a set of security integrations GA'ing in 7.14, we will update these integrations to change keyword fields to wildcard in 7.14. Beats modules will not be updated to ensure existing Beats users are not impacted.
Integrations to be updated for 7.14
- [ ] auditd- [ ] OktaThe text was updated successfully, but these errors were encountered: