Skip to content

Commit

Permalink
Introduce the related. field set with only one field, to start. (#206)
Browse files Browse the repository at this point in the history
  • Loading branch information
webmat authored Dec 3, 2018
1 parent 6826277 commit e54400a
Show file tree
Hide file tree
Showing 6 changed files with 68 additions and 0 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,9 @@ All notable changes to this project will be documented in this file based on the
* Add `host.name` field and clarify usage of `host.hostname`. #187
* Add `event.start` and `event.end` date fields. #185
* Add `process.thread.id` field. #200
* Add `host.name` field and clarify usage of `host.hostname`.
* Add `event.start` and `event.end` date fields.
* Create new `related` field set with `related.ip`. #206

### Improvements

Expand Down
13 changes: 13 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,7 @@ ECS defines these fields.
* [Organization fields](#organization)
* [Operating System fields](#os)
* [Process fields](#process)
* [Related fields](#related)
* [Service fields](#service)
* [Source fields](#source)
* [URL fields](#url)
Expand Down Expand Up @@ -345,6 +346,18 @@ These fields contain information about a process. These fields can help you corr
| <a name="process.thread.id"></a>process.thread.id | Thread ID. | extended | long | `4242` |


## <a name="related"></a> Related fields

This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in ECS. To facilitate searching for them, append values to their corresponding field in `related.`.

A concrete example is IP addresses, which can be under host, device, source, destination, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`.


| Field | Description | Level | Type | Example |
|---|---|---|---|---|
| <a name="related.ip"></a>related.ip | All of the IPs seen on your event. | extended | ip | |


## <a name="service"></a> Service fields

The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version.
Expand Down
22 changes: 22 additions & 0 deletions fields.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1011,6 +1011,28 @@
description: >
Thread ID.
- name: related
title: Related
group: 2
description: >
This field set is meant to facilitate pivoting around a piece of data.
Some pieces of information can be seen in many places in ECS. To facilitate
searching for them, append values to their corresponding field in
`related.`.
A concrete example is IP addresses, which can be under host, device, source,
destination, and network.forwarded_ip. If you append all IPs to
`related.ip`, you can then search for a given IP trivially,
no matter where it appeared, by querying `related.ip:a.b.c.d`.
type: group
fields:

- name: ip
level: extended
type: ip
description: >
All of the IPs seen on your event.
- name: service
title: Service
group: 2
Expand Down
1 change: 1 addition & 0 deletions schema.csv
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,7 @@ process.pid,long,core,4242
process.ppid,long,extended,
process.thread.id,long,extended,4242
process.title,keyword,extended,
related.ip,ip,extended,
service.ephemeral_id,keyword,extended,8a4f500f
service.id,keyword,core,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
service.name,keyword,core,elasticsearch-metrics
Expand Down
22 changes: 22 additions & 0 deletions schemas/related.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
---
- name: related
title: Related
group: 2
description: >
This field set is meant to facilitate pivoting around a piece of data.
Some pieces of information can be seen in many places in ECS. To facilitate
searching for them, append values to their corresponding field in
`related.`.
A concrete example is IP addresses, which can be under host, device, source,
destination, and network.forwarded_ip. If you append all IPs to
`related.ip`, you can then search for a given IP trivially,
no matter where it appeared, by querying `related.ip:a.b.c.d`.
type: group
fields:

- name: ip
level: extended
type: ip
description: >
All of the IPs seen on your event.
7 changes: 7 additions & 0 deletions template.json
Original file line number Diff line number Diff line change
Expand Up @@ -516,6 +516,13 @@
}
}
},
"related": {
"properties": {
"ip": {
"type": "ip"
}
}
},
"service": {
"properties": {
"ephemeral_id": {
Expand Down

0 comments on commit e54400a

Please sign in to comment.