schema:

- adding first draft for opensearch observability schema
  - client attributes
  - container attributes
  - destination attributes
  - host attributes
  - network attributes
  - observer attributes
  - os attributes
  - additional common fields attributes

experimental/schema/logs/base.graphql

@@ -2,6 +2,8 @@ scalar Time
 scalar Json
 scalar Long
 scalar URL
+scalar IP
+scalar GeoPoint
 
 # type of supported streams
 enum StreamType {
@@ -63,4 +65,57 @@ type LogRecord {
     event: Event!
     #    A list of top-level observations which describe 'things' that happened, where observed and reported
     observations: [BaseRecord]
-}
+}
+
+# geographic related fields container
+type Geo {
+    timezone:String
+    regionName:String
+    regionIsoCode:String
+    postalCode:String
+    #    User-defined description of a location, at the level of granularity
+    #        they care about
+    name:String
+    #    Longitude and latitude
+    location:GeoPoint
+    countryName:String
+    countryIsoCode:String
+    continentName:String
+    #    Two-letter code representing continent's name
+    continentCode:String
+    cityName:String
+}
+
+#An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.
+type AutonomousSystem {
+    #    Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+    number: Long
+    #    organization name such as amazon.com
+    organizationName:String
+}
+
+type Group {
+    #    Unique identifier for the group on the system/platform.
+    id:String!
+    #    Name of the directory the group is a member of
+    domain:String
+}
+
+type User {
+    #    Unique identifier of the user.
+    id:String!
+    #    Short name or login of the user
+    name:String
+    #    User full name
+    fullName:String
+    #   Name of the directory the user is a member of
+    domain:String
+    #    User email address
+    email:String
+    #  Array of user roles at the time of the event
+    roles:[String]
+    #    Unique user hash to correlate information for a user in anonymized form.
+    hash:String
+    #    the group in which the client is a member of
+    group:Group
+}

experimental/schema/logs/client.graphql

@@ -0,0 +1,49 @@
+#A client is defined as the initiator of a network connection for events
+#    regarding sessions, connections, or bidirectional flow records.
+#
+#    For TCP events, the client is the initiator of the TCP connection that sends the
+#    SYN packet(s). For other protocols, the client is generally the initiator or requestor
+#    in the network transaction. Some systems use the term "originator" to refer the
+#    client in TCP connections. The client fields describe details about the system
+#    acting as the client in the network event. Client fields are usually populated
+#    in conjunction with server fields. Client fields are generally not populated for
+#    packet-level events.
+#
+#    Client / server representations can add semantic context to an exchange, which
+#    is helpful to visualize the data in certain situations. If your context falls
+#    in that category, you should still ensure that source and destination are filled
+#    appropriately.
+type Client implements BaseRecord {
+    #    Client network address
+    address: String
+    #
+    as:AutonomousSystem
+    #    The domain name of the client system.
+    domain:String
+    #    Bytes sent from the client to the server
+    bytes:Long
+    #    geographic related fields deriving from client's location
+    geo:Geo
+    #    Translated IP of source based NAT sessions (e.g. internal client to internet)
+    natIpp:IP
+    #    IP address of the client (IPv4 or IPv6).
+    ip:IP
+    # mac address of the client
+    mac:String
+    # port of the client
+    port:Long
+    #    Translated port of source based NAT sessions
+    natPort:Long
+    #    Packets sent from the client to the server
+    packets:Long
+    #    The highest registered client domain, stripped of the subdomain.
+    registeredDomain:String
+    #    The subdomain portion of a fully qualified domain name includes
+    #        all of the names except the host name under the registered_domain
+    subdomain:String
+    #    he effective top level domain (eTLD), also known as the domain
+    #        suffix, is the last part of the domain name.
+    topLevelDomain:String
+    #    Fields about the client side of a network connection, used with server
+    user:User
+}

experimental/schema/logs/container.graphql

@@ -0,0 +1,32 @@
+type Container implements BaseRecord {
+    #    container's unique id
+    id:ID!
+    #    container's name
+    name:String
+    #Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1.
+    cpuUsage:Float
+    #The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.
+    diskReadBytes:Long
+    #The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.
+    diskWriteBytes:Long
+    #    An array of digests of the image the container was built on
+    imageHash:String
+    #    Name of the image the container was built on.
+    imageName:String
+    #    Container image tags.
+    imageTag:[String]
+    #    Container image labels.
+    labels:Json
+    #    Memory usage percentage and it ranges from 0 to 1
+    memoryUsage:Long
+    #    The number of bytes sent on all network interfaces
+    networkEgressBytes:Long
+    #    The number of packets (gauge) sent out on all network interfaces
+    networkIngressPackets:Long
+    #    The number of bytes received from all network interfaces
+    networkEgressBytes:Long
+    #    The number of packets (gauge) received  from all network interfaces
+    networkIngressPackets:Long
+    #    Runtime managing this container.
+    runtime:String
+}

experimental/schema/logs/destination.graphql

@@ -0,0 +1,38 @@
+#Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.
+#
+#Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
+type Destination implements BaseRecord {
+    #    Destination network address
+    address:String
+    #    Bytes sent from the destination to the source.
+    bytes:Long
+    #The domain name of the destination system.
+    domain:String
+    #The ip address of the destination system.
+    ip:IP
+    #The mac address  of the destination system.
+    mac:String
+    #    Translated IP of source based NAT sessions (e.g. internal client to internet)
+    natIpp:IP
+    # port of the client
+    port:Long
+    #    Translated port of source based NAT sessions
+    natPort:Long
+    #    Packets sent from the destination to the source.
+    packets:Long
+    #    The highest registered client domain, stripped of the subdomain.
+    registeredDomain:String
+    #    The subdomain portion of a fully qualified domain name includes
+    #        all of the names except the host name under the registered_domain
+    subdomain:String
+    #    he effective top level domain (eTLD), also known as the domain
+    #        suffix, is the last part of the domain name.
+    topLevelDomain:String
+
+    #Fields describing an Autonomous System (Internet routing prefix).
+    as:AutonomousSystem
+    #    Fields describing a location.
+    geo:Geo
+    #Fields to describe the user relevant to the event.
+    user:User
+}