Update HTTP protocol to use ECS fields #9976
Conversation
andrewkroh
force-pushed
the
feature/pb/http-ecs
branch
3 times, most recently
from
0873437
to
a085e44
Compare
| @@ -10,10 +10,6 @@ | |||
| description: HTTP request | |||
| type: group | |||
| fields: | |||
| - name: params | |||
There was a problem hiding this comment.
Should this become an alias type with migration: true? Same for the other fields which were removed.
There was a problem hiding this comment.
I thought this is what the ecs-migration's alias: true was going to be used for. So for any aliases that I want I should put them in fields.yml?
There was a problem hiding this comment.
Yes, you need to put them in both places.
There was a problem hiding this comment.
I added aliases for the HTTP fields where possible.
| "enabled": true, | ||
| "id": "1", | ||
| "params": { | ||
| "field": "responsetime", |
There was a problem hiding this comment.
shouldn't this be event.duration?
There was a problem hiding this comment.
It should. Despite the huge diff I only changed the "Web Transactions" visualization of the overview dashboard. I will cycle back towards the end of this effort and do all of the general parts of the overview dashboard.
There was a problem hiding this comment.
I would hope this PR does it automatically for you: #9998
andrewkroh
force-pushed
the
feature/pb/http-ecs
branch
3 times, most recently
from
4212936
to
d6f1045
Compare
Here's a summary of what fields changed. Part of elastic#7968 Changed - bytes_in -> source.bytes - bytes_out -> destination.bytes - http.request.body -> http.request.body.content - http.response.body -> http.response.body.content - http.response.code -> http.response.status_code - http.response.phrase -> http.response.status_phrase - method -> http.request.method (lowercased) - notes -> error.message - params -> url.query - path -> url.path - real_ip -> network.forwarded_ip - responsetime -> event.duration (unit are now nanoseconds) - transport -> network.transport Added - event.dataset = http - event.end - event.start - http.request.referrer (always added if Referer header is present) - http.version - network.bytes - network.community_id - network.protocol = http - network.type - source.domain (added if Host header is present and not an IP address) - url.domain - set with the Host header value - url.full (synthesized from data in the request/response) - url.port (when port is != 80) - user_agent.original - (always added if User-Agent header is present) Unchanged Packetbeat Fields - query = {{ http.request.method }} {{ url.path }} - request - text representation of the entire request - response - text representation of the entire response - status - type = http (we might remove this since we have event.dataset) The HTTP dashboard was updated too.
andrewkroh
force-pushed
the
feature/pb/http-ecs
branch
from
d6f1045
to
983c752
Compare
|
Rebased to resolve an ecs-migration.yml conflict. |
NOTE: This is based on #9941 so ignore the first two commits. They will be removed after that PR merges.
Here's a summary of what fields changed.
Changed
Added
Unchanged Packetbeat Fields