Migration of system network metricset to ECS

[jsoriano]

@ruflin @webmat current network metricset creates an event with all data, but ECS is intended to have different events for inbound and outbound flows (there is an only network.bytes field).

I try here the approach of splitting events in two, one for inbound and another one for outbound traffic.

Some questions:

• What to do with fields not present in ECS (dropped and errors), should I leave them in some module-specific field like system.network.dropped? This would be confusing as we'd have related data in different places.
• What field should be used for the network interface name? I have used network.name by now but seems intended for network names, not for network devices.
• Is this approach ok or I should migrate only the fields that could help in corelation (the interface name in this case), and leave the rest of fields where they are?

[webmat]

In ECS, network.direction is really meant for packets and connections. You should not split the network state metrics in two. In short, here's how I see it:

• Don't populate network.direction, as this is a state you're sending.
• Keep all the metrics in.*, out.*, errors, dropped etc exactly as they are.
• You are correct about network.name, it's not for devices, there's nothing for network devices yet in ECS, so leave as is.

[webmat]

Note that for socket it's different. Since there's a direct relation between the metricbeat event and one socket, network.[direction|transport|bytes|packets] all make sense there

[jsoriano]

Ok, so I leave then everything as is for this metricset, easy 😉