Make user.group a nesting of the group field set (#308)
Breaking change.

Field set name "group" was being used as a leaf field at `user.group`. It had different semantics than the field set: it was a keyword field, instead of being a nesting of the field set. This goes against a driving principle of ECS, and has been corrected.

We removed the `user.group` `keyword` field (introduced in #204), and made the `group` field set nestable at `user.group`.
webmat authored Jan 23, 2019
1 parent d81f63a commit 337ddd4
Showing 9 changed files with 25 additions and 36 deletions.
7 changes: 7 additions & 0 deletions CHANGELOG.md
Expand Up @@ -6,8 +6,15 @@ All notable changes to this project will be documented in this file based on the

### Breaking changes

* Remove the `user.group` `keyword` field, introduced in #204. Instead,
the `group` field set can be nested at `user.group`. #308

### Bugfixes

* Field set name "group" was being used as a leaf field at `user.group`, instead
of being a nesting of the field set. This goes against a driving principle of ECS,
and has been corrected. #308

### Added

### Improvements
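
Review bot: The breaking-change entry says the `user.group` keyword field is removed but not where its value should go now. Name the replacement under the nested field set (the README table lists `group.id`, so `user.group.id`) so that someone reading only the changelog knows how to migrate. The same change also appears under Bugfixes; having one entry refer to the other would keep readers from counting it as two separate changes.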
5 changes: 4 additions & 1 deletion README.md
Expand Up @@ -271,6 +271,10 @@ Note also that the `geo` fields are not expected to be used directly at the top
The group fields are meant to represent groups that are relevant to the event.


The `group` fields are expected to be nested at: `user.group`.

Note also that the `group` fields may be used directly at the top level.

| Field | Description | Level | Type | Example |
|---|---|---|---|---|
| <a name="group.id"></a>group.id | Unique identifier for the group on the system/platform. | extended | keyword | |
Expand Down Expand Up @@ -501,7 +505,6 @@ Note also that the `user` fields may be used directly at the top level.
| <a name="user.full_name"></a>user.full_name | User's full name, if available. | extended | keyword | `Albert Einstein` |
| <a name="user.email"></a>user.email | User email address. | extended | keyword | |
| <a name="user.hash"></a>user.hash | Unique user hash to correlate information for a user in anonymized form.<br/>Useful if `user.id` or `user.name` contain confidential information and cannot be used. | extended | keyword | |
| <a name="user.group"></a>user.group | Group the user is a part of. This field can contain a list of groups, if necessary. | extended | keyword | |


## <a name="user_agent"></a> User agent fields
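
Review bot: The removed `user.group` row was the only place stating that "This field can contain a list of groups". With the field set now nested at `user.group`, the README no longer says how a user who belongs to several groups should be represented. Carry that sentence over to the group section or to the nesting note, and say whether an array of group objects is expected.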
4 changes: 0 additions & 4 deletions code/go/ecs/user.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

15 changes: 7 additions & 8 deletions fields.yml
Expand Up @@ -770,10 +770,16 @@
- name: group
title: Group
group: 2
type: group
description: >
The group fields are meant to represent groups that are relevant to the
event.
type: group
reusable:
top_level: true
expected:
- user

fields:

- name: id
Expand Down Expand Up @@ -1669,13 +1675,6 @@
Useful if `user.id` or `user.name` contain confidential information and
cannot be used.

- name: group
level: extended
type: keyword
description: >
Group the user is a part of. This field can contain a list of groups, if
necessary.
- name: user_agent
title: User agent
group: 2
1 change: 0 additions & 1 deletion schema.csv
Expand Up @@ -168,7 +168,6 @@ url.scheme,keyword,extended,https
url.username,keyword,extended,
user.email,keyword,extended,
user.full_name,keyword,extended,Albert Einstein
user.group,keyword,extended,
user.hash,keyword,extended,
user.id,keyword,core,
user.name,keyword,core,albert
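
Review bot: The `user.group` row is deleted and nothing replaces it (0 additions in this file), so the CSV lists no `user.group.*` fields even though the README now says the `group` fields are expected to be nested there. Either add the nested rows or document that reused field sets are not expanded in schema.csv, so consumers of this file do not conclude that users have no group fields at all.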
10 changes: 0 additions & 10 deletions schema.json
Expand Up @@ -1917,16 +1917,6 @@
"required": false,
"type": "keyword"
},
"user.group": {
"description": "Group the user is a part of. This field can contain a list of groups, if necessary.",
"example": "",
"footnote": "",
"group": 2,
"level": "extended",
"name": "user.group",
"required": false,
"type": "keyword"
},
"user.hash": {
"description": "Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.",
"example": "",
8 changes: 7 additions & 1 deletion schemas/group.yml
Expand Up @@ -2,10 +2,16 @@
- name: group
title: Group
group: 2
type: group
description: >
The group fields are meant to represent groups that are relevant to the
event.
type: group
reusable:
top_level: true
expected:
- user

fields:

- name: id
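
Review bot: With `top_level: true` and `expected: user` both set in the new `reusable` block, the `description` still only says the fields represent groups "relevant to the event" and gives no guidance on when to populate top-level `group.*` versus `user.group.*`. A sentence on the intended use of each location would keep producers from filling them inconsistently. Moving `type: group` below `description` is an unrelated reorder and would be easier to review on its own.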
7 changes: 0 additions & 7 deletions schemas/user.yml
Expand Up @@ -52,10 +52,3 @@
Useful if `user.id` or `user.name` contain confidential information and
cannot be used.
- name: group
level: extended
type: keyword
description: >
Group the user is a part of. This field can contain a list of groups, if
necessary.
4 changes: 0 additions & 4 deletions template.json
Expand Up @@ -788,10 +788,6 @@
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
Expand Down
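
Review bot: The `group` keyword mapping beside `hash` is removed with no object mapping added in its place (0 additions in this file), so the template carries no explicit mappings for the nested group fields. Add them here, or state how they are expected to be mapped. The changelog should also mention that an index which already has `user.group` mapped as `keyword` cannot accept object values at that path, so existing indices need a rollover or reindex before sending the nested form.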

0 comments on commit 337ddd4
