[netflow] Use wildcard type #1179

Merged 1 commit on Jun 23, 2021
5 changes: 5 additions & 0 deletions packages/netflow/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "0.4.1"
changes:
- description: Use `wildcard` field type for the relevant ECS fields.
type: enhancement
link: https://github.com/elastic/integrations/pull/1179
- version: "0.4.0"
changes:
- description: update to ECS 1.10.0
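Review bot: the description on the 0.4.1 entry says "relevant ECS fields" without naming them; because this is a change of mapping type on existing fields rather than a new field, users should be told which fields moved from `keyword` to `wildcard` (error.stack_trace, http.request.body.content, http.response.body.content, url.full, url.original, url.path) and that backing indices of the data stream created before the upgrade keep the old `keyword` mapping until the next rollover, so queries that rely on wildcard semantics only behave consistently on indices created afterwards. Suggest expanding the description to something like `Use the wildcard field type for error.stack_trace, http.*.body.content and url.full/original/path.`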
12 changes: 6 additions & 6 deletions packages/netflow/data_stream/log/fields/ecs.yml
@@ -762,7 +762,7 @@
description: Error message.
- name: stack_trace
level: extended
type: keyword
type: wildcard
ignore_above: 1024
description: The stack trace of this error in plain text.
- name: type
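Review bot: `ignore_above: 1024` is carried over unchanged onto the new `wildcard` mapping for stack_trace. The wildcard type does honour ignore_above, but with this value any stack trace longer than 1024 characters is not indexed at all (it survives only in `_source`), which undercuts the reason for moving to a type built for searching inside long strings; please confirm the 1024 cap is intentional for this field or raise it (or drop the parameter to use the type's default). The same cap is kept on every other field switched to wildcard in this file.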
@@ -1393,7 +1393,7 @@
example: 887
- name: request.body.content
level: extended
type: keyword
type: wildcard
ignore_above: 1024
description: The full HTTP request body.
example: Hello world
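Review bot: http.request.body.content becomes n-gram indexed under the `wildcard` type, which makes leading-wildcard and regexp searches over request bodies practical for detection content, but request bodies are the largest and most externally controlled values this mapping holds, so the index-size trade-off deserves a sentence in the PR description. Combined with the retained `ignore_above: 1024`, the resulting behaviour is that short bodies are fully searchable while anything over 1024 characters is silently not indexed; a brief comment on the field definition (or in the changelog entry) would make that visible to package users.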
@@ -1425,7 +1425,7 @@
example: 887
- name: response.body.content
level: extended
type: keyword
type: wildcard
ignore_above: 1024
description: The full HTTP response body.
example: Hello world
@@ -2585,13 +2585,13 @@
The `#` is not part of the fragment.'
- name: full
level: extended
type: keyword
type: wildcard
ignore_above: 1024
description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
example: https://www.elastic.co:443/search?q=elasticsearch#top
- name: original
level: extended
type: keyword
type: wildcard
ignore_above: 1024
description: 'Unmodified original url as seen in the event source.

@@ -2606,7 +2606,7 @@
description: Password of the request.
- name: path
level: extended
type: keyword
type: wildcard
ignore_above: 1024
description: Path of the request, such as "/search".
- name: port
12 changes: 6 additions & 6 deletions packages/netflow/docs/README.md
@@ -129,7 +129,7 @@ The `log` dataset collects netflow logs.
| error.code | Error code describing the error. | keyword |
| error.id | Unique identifier for the error. | keyword |
| error.message | Error message. | text |
| error.stack_trace | The stack trace of this error in plain text. | keyword |
| error.stack_trace | The stack trace of this error in plain text. | wildcard |
| error.type | The type of the error, for example the class name of the exception. | keyword |
| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
| event.category | Event category. This contains high-level information about the contents of the event. It is more generic than `event.action`, in the sense that typically a category contains multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. | keyword |
@@ -228,12 +228,12 @@ The `log` dataset collects netflow logs.
| host.user.id | One or multiple unique identifiers of the user. | keyword |
| host.user.name | Short name or login of the user. | keyword |
| http.request.body.bytes | Size in bytes of the request body. | long |
| http.request.body.content | The full HTTP request body. | keyword |
| http.request.body.content | The full HTTP request body. | wildcard |
| http.request.bytes | Total size in bytes of the request (body and headers). | long |
| http.request.method | HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
| http.request.referrer | Referrer for this HTTP request. | keyword |
| http.response.body.bytes | Size in bytes of the response body. | long |
| http.response.body.content | The full HTTP response body. | keyword |
| http.response.body.content | The full HTTP response body. | wildcard |
| http.response.bytes | Total size in bytes of the response (body and headers). | long |
| http.response.status_code | HTTP response status code. | long |
| http.version | HTTP version. | keyword |
@@ -1724,10 +1724,10 @@ The `log` dataset collects netflow logs.
| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword |
| url.extension | The field contains the file extension from the original request url. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". | keyword |
| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | keyword |
| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword |
| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
| url.password | Password of the request. | keyword |
| url.path | Path of the request, such as "/search". | keyword |
| url.path | Path of the request, such as "/search". | wildcard |
| url.port | Port of the request, such as 443. | long |
| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
2 changes: 1 addition & 1 deletion packages/netflow/manifest.yml
@@ -1,7 +1,7 @@
format_version: 1.0.0
name: netflow
title: NetFlow
version: 0.4.0
version: 0.4.1
license: basic
description: NetFlow Integration
type: integration
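Review bot: the bump to 0.4.1 matches the new changelog entry, but this hunk does not show the package's stack version constraint. The `wildcard` field type only exists in Elasticsearch 7.9 and later, so if the `conditions` block of this manifest still admits older stacks, installing the package there would fail when the mapping is created; please confirm the constraint is at least 7.9.0 or raise it as part of this PR.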