From 08a2ea543fdd47b4128cabd26a9968bcf9d609d3 Mon Sep 17 00:00:00 2001
From: Mathieu Martin
Date: Fri, 7 Dec 2018 15:15:25 -0500
Subject: [PATCH 1/2] Index `user_agent.original`, after all.

---
 README.md | 2 +-
 fields.yml | 1 -
 schema.csv | 2 +-
 schemas/user_agent.yml | 1 -
 template.json | 1 -
 use-cases/filebeat-apache-access.md | 2 +-
 use-cases/web-logs.md | 2 +-
 7 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index 1247885d5a..b74131e32f 100644
--- a/README.md
+++ b/README.md
@@ -497,7 +497,7 @@ The user_agent fields normally come from a browser request. They often show up i
 | Field | Description | Level | Type | Example |
 |---|---|---|---|---|
-| user_agent.original | Unparsed version of the user_agent. | extended | (not indexed) | `Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1` |
+| user_agent.original | Unparsed version of the user_agent. | extended | keyword | `Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1` |
 | user_agent.name | Name of the user agent. | extended | keyword | `Safari` |
 | user_agent.version | Version of the user agent. | extended | keyword | `12.0` |
 | user_agent.device.name | Name of the device. | extended | keyword | `iPhone` |
diff --git a/fields.yml b/fields.yml
index 3c1fa093ac..f45936fdf1 100644
--- a/fields.yml
+++ b/fields.yml
@@ -1581,7 +1581,6 @@
 - name: original
 level: extended
 type: keyword
- index: false
 description: >
 Unparsed version of the user_agent.
 example: "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1"
diff --git a/schema.csv b/schema.csv
index 99e5a80437..1ea057f025 100644
--- a/schema.csv
+++ b/schema.csv
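Review bot: Dropping `index: false` on `user_agent.original` turns a verbatim, client-supplied header value into a searchable keyword, but the description line `Unparsed version of the user_agent.` still says nothing about that; consider extending it to `Unparsed version of the user_agent, exactly as supplied by the client (untrusted input).` so consumers know it is raw request data rather than a parsed value. The template.json hunk further down keeps `"ignore_above": 1024`, so now that the field is indexed, values longer than 1024 characters are kept in `_source` but not indexed, and queries on `user_agent.original` will silently miss oversized user-agent strings — worth a sentence in the description as well. The identical removal appears in the schemas/user_agent.yml hunk; since fields.yml, schema.csv and template.json appear to be generated from schemas/, the wording change belongs in schemas/user_agent.yml and should be regenerated from there.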
@@ -164,5 +164,5 @@ user.id,keyword,core,
 user.name,keyword,core,albert
 user_agent.device.name,keyword,extended,iPhone
 user_agent.name,keyword,extended,Safari
-user_agent.original,(not indexed),extended,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1"
+user_agent.original,keyword,extended,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1"
 user_agent.version,keyword,extended,12.0
diff --git a/schemas/user_agent.yml b/schemas/user_agent.yml
index 7f102c6e6f..015824a9fa 100644
--- a/schemas/user_agent.yml
+++ b/schemas/user_agent.yml
@@ -11,7 +11,6 @@
 - name: original
 level: extended
 type: keyword
- index: false
 description: >
 Unparsed version of the user_agent.
 example: "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1"
diff --git a/template.json b/template.json
index 49361ff668..6e19e02521 100644
--- a/template.json
+++ b/template.json
@@ -778,7 +778,6 @@
 },
 "original": {
 "ignore_above": 1024,
- "index": false,
 "type": "keyword"
 },
 "version": {
diff --git a/use-cases/filebeat-apache-access.md b/use-cases/filebeat-apache-access.md
index b0f96e3659..a9ef41840f 100644
--- a/use-cases/filebeat-apache-access.md
+++ b/use-cases/filebeat-apache-access.md
@@ -21,7 +21,7 @@ ECS fields used in Filebeat for the apache module.
 | *http.response.body_sent.bytes* | *Http response body bytes sent, currently apache.access.body_sent.bytes* | (use case) | long | `117` |
 | *http.referer* | *Http referrer code, currently apache.access.referrer
NOTE: In the RFC its misspell as referer and has become accepted standard* | (use case) | keyword | `http://elastic.co/` | | *user_agent.** | *User agent fields as in schema. Currently under apache.access.user_agent.*
* | | | | -| [user_agent.original](../README.md#user_agent.original) | Original user agent. Currently apache.access.agent | extended | (not indexed) | `http://elastic.co/` | +| [user_agent.original](../README.md#user_agent.original) | Original user agent. Currently apache.access.agent | extended | keyword | `http://elastic.co/` | | *geoip.** | *User agent fields as in schema. Currently under apache.access.geoip.*
These are extracted from source.ip
Should they be under source.geoip?
* | | | |
 | *geoip....* | *All geoip fields.* | (use case) | keyword | |
diff --git a/use-cases/web-logs.md b/use-cases/web-logs.md
index 34208237c9..2d0920d4e0 100644
--- a/use-cases/web-logs.md
+++ b/use-cases/web-logs.md
@@ -17,7 +17,7 @@ Using the fields as represented here is not expected to conflict with ECS, but m
 | [http.response.body](../README.md#http.response.body) | The full http response body. | extended | keyword | `Hello world` |
 | [http.version](../README.md#http.version) | Http version. | extended | keyword | `1.1` |
 | *user_agent.** | *The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.
* | | | |
-| [user_agent.original](../README.md#user_agent.original) | Unparsed version of the user_agent. | extended | (not indexed) | `Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1` |
+| [user_agent.original](../README.md#user_agent.original) | Unparsed version of the user_agent. | extended | keyword | `Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1` |
 | *user_agent.device* | *Name of the physical device.* | (use case) | keyword | |
 | [user_agent.version](../README.md#user_agent.version) | Version of the physical device. | extended | keyword | `12.0` |
 | *user_agent.major* | *Major version of the user agent.* | (use case) | long | |
From 0e7c38dfb1a01435a4df1c985055f02d27990d9e Mon Sep 17 00:00:00 2001
From: Mathieu Martin
Date: Fri, 7 Dec 2018 15:17:47 -0500
Subject: [PATCH 2/2] Changelog

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7ed5dfd6de..609cf68dd0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -35,7 +35,7 @@ All notable changes to this project will be documented in this file based on the
 * Add fields `geo.country_name` and `geo.region_iso_code`. #214
 * Add `event.kind` and `event.outcome`. #242
 * Add `client` and `server` objects and fields. #236
-* Reintroduce a streamlined `user_agent` field set. #240
+* Reintroduce a streamlined `user_agent` field set. #240, #262
 * Add `geo.name` for ad hoc location names. #248
 * Add `event.timezone` to allow for proper interpretation of incomplete timestamps. #258