New network fields #43
Conversation
| - name: session_id | ||
| type: keyword | ||
| description: > | ||
| This is the session ID or connection ID, |
There was a problem hiding this comment.
Reading in this field and the next one about connection, I wonder if we should introduce `connection.* as mentioned in an other thread instead of uptting it under network.
There was a problem hiding this comment.
Sorry @ruflin I forgot to reply before closing this PR out for splitting. Are you just talking about a name change i.e. s/network/connection? The network.* field set is intended to pick up flow and connection-based fields, and also network events that are not flow/connection related. I think this requires a bit more thought before making a decision.
There was a problem hiding this comment.
I'm actually thinking if we could use a network and a connection prefix. I think a big chunk of the info we have right now in network is in the right place, but there a things like forwarded_ip which probably fit better into connection and also these fields here.
Definitively needs more discussions, just an idea.
| type: long | ||
| description: > | ||
| Network Total packets: Usually sum (inbound.packets, outbound.packets) | ||
| example: 24 |
There was a problem hiding this comment.
I would phrase both of these more directly, e.g. "The sum of inbound.packets + outbound.packets", same for bytes.
|
Closing this out to split into two PR's as requested. |
Added total.packets and total.bytes per discussion in PR #2
Added session_id and virtual_ip per discussion in Issue #37
Total of 4 new fields added.