Temporarily remove the http object...

CHANGELOG.md

@@ -27,6 +27,7 @@ All notable changes to this project will be documented in this file based on the
 * Rename `url.href` to `url.original`.
 * Remove `source.subdomain` and `destination.subdomain` fields.
 * Rename `event.version` to `ecs.version`. #169
+* Remove the `http` field set temporarily. #171
 
 ### Bugfixes
 

README.md

@@ -47,7 +47,6 @@ ECS defines these fields.
  * [File fields](#file)
  * [Geo fields](#geo)
  * [Host fields](#host)
- * [HTTP fields](#http)
  * [Log fields](#log)
  * [Network fields](#network)
  * [Organization fields](#organization)
@@ -255,20 +254,6 @@ Normally the host information is related to the machine on which the event was g
 | <a name="host.architecture"></a>host.architecture | Operating system architecture. | core | keyword | `x86_64` |
 
 
-## <a name="http"></a> HTTP fields
-
-Fields related to HTTP requests and responses.
-
-
-| Field  | Description  | Level  | Type  | Example  |
-|---|---|---|---|---|
-| <a name="http.request.method"></a>http.request.method | Http request method. | extended | keyword | `GET, POST, PUT` |
-| <a name="http.request.referrer"></a>http.request.referrer | Referrer for this HTTP request. | extended | keyword | `https://blog.example.com/` |
-| <a name="http.response.status_code"></a>http.response.status_code | Http response status code. | extended | long | `404` |
-| <a name="http.response.body"></a>http.response.body | The full http response body. | extended | keyword | `Hello world` |
-| <a name="http.version"></a>http.version | Http version. | extended | keyword | `1.1` |
-
-
 ## <a name="log"></a> Log fields
 
 Fields which are specific to log events.
@@ -445,6 +430,7 @@ Contributions of additional uses cases on top of ECS are welcome.
  * [Logging](https://github.com/elastic/ecs/blob/master/use-cases/logging.md)
  * [Metricbeat](https://github.com/elastic/ecs/blob/master/use-cases/metricbeat.md)
  * [TLS](https://github.com/elastic/ecs/blob/master/use-cases/tls.md)
+ * [Parsing web server logs](https://github.com/elastic/ecs/blob/master/use-cases/web-logs.md)
 
 
 

fields.yml

@@ -710,49 +710,6 @@
           description: >
             Operating system architecture.
 
-    - name: http
-      title: HTTP
-      group: 2
-      description: >
-        Fields related to HTTP requests and responses.
-      type: group
-      fields:
-
-        - name: request.method
-          level: extended
-          type: keyword
-          description: >
-            Http request method.
-          example: GET, POST, PUT
-
-        - name: request.referrer
-          level: extended
-          type: keyword
-          description: >
-            Referrer for this HTTP request.
-          example: https://blog.example.com/
-
-        - name: response.status_code
-          level: extended
-          type: long
-          description: >
-            Http response status code.
-          example: 404
-
-        - name: response.body
-          level: extended
-          type: keyword
-          description: >
-            The full http response body.
-          example: Hello world
-
-        - name: version
-          level: extended
-          type: keyword
-          description: >
-            Http version.
-          example: 1.1
-
     - name: log
       title: Log
       description: >

schema.csv

@@ -75,11 +75,6 @@ host.id,keyword,core,
 host.ip,ip,core,
 host.mac,keyword,core,
 host.type,keyword,core,
-http.request.method,keyword,extended,"GET, POST, PUT"
-http.request.referrer,keyword,extended,https://blog.example.com/
-http.response.body,keyword,extended,Hello world
-http.response.status_code,long,extended,404
-http.version,keyword,extended,1.1
 log.level,keyword,core,ERR
 log.original,keyword,core,Sep 19 08:26:10 localhost My log
 network.application,keyword,extended,AIM

template.json

@@ -359,37 +359,6 @@
             }
           }
         },
-        "http": {
-          "properties": {
-            "request": {
-              "properties": {
-                "method": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "referrer": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            },
-            "response": {
-              "properties": {
-                "body": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "status_code": {
-                  "type": "long"
-                }
-              }
-            },
-            "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            }
-          }
-        },
         "labels": {
           "type": "object"
         },

use-cases/filebeat-apache-access.md

@@ -16,7 +16,7 @@ ECS fields used in Filebeat for the apache module.
 | [user.name](https://github.com/elastic/ecs#user.name)  | User name in the request. Currently apache.access.user_name | core | keyword | `ruflin` |
 | <a name="http.method"></a>*http.method* | *Http method, currently apache.access.method* | (use case) | keyword | `GET` |
 | <a name="http.url"></a>*http.url* | *Http url, currently apache.access.url* | (use case) | keyword | `http://elastic.co/` |
-| [http.version](https://github.com/elastic/ecs#http.version)  | Http version, currently apache.access.http_version | extended | keyword | `1.1` |
+| <a name="http.version"></a>*http.version* | *Http version, currently apache.access.http_version* | (use case) | keyword | `1.1` |
 | <a name="http.response.code"></a>*http.response.code* | *Http response code, currently apache.access.response_code* | (use case) | keyword | `404` |
 | <a name="http.response.body_sent.bytes"></a>*http.response.body_sent.bytes* | *Http response body bytes sent, currently apache.access.body_sent.bytes* | (use case) | long | `117` |
 | <a name="http.referer"></a>*http.referer* | *Http referrer code, currently apache.access.referrer<br/>NOTE: In the RFC its misspell as referer and has become accepted standard* | (use case) | keyword | `http://elastic.co/` |

use-cases/web-logs.md

@@ -0,0 +1,19 @@
+## Parsing web server logs use case
+
+Represenging web server access logs in ECS
+
+### <a name="web-logs"></a> Parsing web server logs fields
+
+
+| Field  | Description  | Level  | Type  | Example  |
+|---|---|---|---|---|
+| [@timestamp](https://github.com/elastic/ecs#@timestamp)  | Time at which the response was sent, and the web server log created. | core | date | `2016-05-23T08:05:34.853Z` |
+| <a name="http.&ast;"></a>*http.&ast;* | *Fields related to HTTP requests and responses.<br/>* |  |  |  |
+| <a name="http.request.method"></a>*http.request.method* | *Http request method.* | (use case) | keyword | `GET, POST, PUT` |
+| <a name="http.request.referrer"></a>*http.request.referrer* | *Referrer for this HTTP request.* | (use case) | keyword | `https://blog.example.com/` |
+| <a name="http.response.status_code"></a>*http.response.status_code* | *Http response status code.* | (use case) | long | `404` |
+| <a name="http.response.body"></a>*http.response.body* | *The full http response body.* | (use case) | keyword | `Hello world` |
+| <a name="http.version"></a>*http.version* | *Http version.* | (use case) | keyword | `1.1` |
+
+
+

schemas/http.yml → use-cases/web-logs.yml

@@ -1,4 +1,18 @@
----
+title: Parsing web server logs
+name: web-logs
+description:
+  Represenging web server access logs in ECS
+fields:
+
+- name: base
+  fields:
+    - name: "@timestamp"
+      type: date
+      phase: 1
+      example: "2016-05-23T08:05:34.853Z"
+      description: >
+        Time at which the response was sent, and the web server log created.
+
 - name: http
   title: HTTP
   group: 2
@@ -8,35 +22,30 @@
   fields:
 
     - name: request.method
-      level: extended
       type: keyword
       description: >
         Http request method.
       example: GET, POST, PUT
 
     - name: request.referrer
-      level: extended
       type: keyword
       description: >
         Referrer for this HTTP request.
       example: https://blog.example.com/
 
     - name: response.status_code
-      level: extended
       type: long
       description: >
         Http response status code.
       example: 404
 
     - name: response.body
-      level: extended
       type: keyword
       description: >
         The full http response body.
       example: Hello world
 
     - name: version
-      level: extended
       type: keyword
       description: >
         Http version.