Add dns.question.subdomain field

CHANGELOG.next.md

@@ -13,6 +13,7 @@ Thanks, you're awesome :-) -->
 
 * Added fields in `log.*` to allow for full Syslog mapping. #525
 * Add group.domain field #547
+* Added `dns.question.subdomain` field. #561, #574
 * Added `error.stack_trace` field. #562
 * Added `log.origin.file.name`, `log.origin.function` and `log.origin.file.line` fields. #563
 * Added `service.node.name` to allow distinction between different nodes of the same service running on the same host. #565

docs/field-details.asciidoc

@@ -890,6 +890,19 @@ example: `google.com`
 
 // ===============================================================
 
+| dns.question.subdomain
+| The subdomain is all of the labels under the registered_domain.
+
+If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+
+type: keyword
+
+example: `www`
+
+| extended
+
+// ===============================================================
+
 | dns.question.type
 | The type of record being queried.
 

generated/beats/fields.ecs.yml

@@ -749,6 +749,15 @@
         list (http://publicsuffix.org). Trying to approximate this by simply taking
         the last two labels will not work well for TLDs such as "co.uk".'
       example: google.com
+    - name: question.subdomain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The subdomain is all of the labels under the registered_domain.
+
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: www
     - name: question.type
       level: extended
       type: keyword

generated/csv/fields.csv

@@ -93,6 +93,7 @@ dns.op_code,keyword,extended,QUERY,1.2.0-dev
 dns.question.class,keyword,extended,IN,1.2.0-dev
 dns.question.name,keyword,extended,www.google.com,1.2.0-dev
 dns.question.registered_domain,keyword,extended,google.com,1.2.0-dev
+dns.question.subdomain,keyword,extended,www,1.2.0-dev
 dns.question.type,keyword,extended,AAAA,1.2.0-dev
 dns.resolved_ip,ip,extended,"['10.10.10.10', '10.10.10.11']",1.2.0-dev
 dns.response_code,keyword,extended,NOERROR,1.2.0-dev

generated/ecs/ecs_flat.yml

@@ -893,7 +893,7 @@ dns.answers:
   level: extended
   name: answers
   object_type: keyword
-  order: 9
+  order: 10
   short: Array of DNS answers.
   type: object
 dns.answers.class:
@@ -903,7 +903,7 @@ dns.answers.class:
   ignore_above: 1024
   level: extended
   name: answers.class
-  order: 12
+  order: 13
   short: The class of DNS data contained in this resource record.
   type: keyword
 dns.answers.data:
@@ -915,7 +915,7 @@ dns.answers.data:
   ignore_above: 1024
   level: extended
   name: answers.data
-  order: 14
+  order: 15
   short: The data describing the resource.
   type: keyword
 dns.answers.name:
@@ -929,7 +929,7 @@ dns.answers.name:
   ignore_above: 1024
   level: extended
   name: answers.name
-  order: 10
+  order: 11
   short: The domain name to which this resource record pertains.
   type: keyword
 dns.answers.ttl:
@@ -939,7 +939,7 @@ dns.answers.ttl:
   flat_name: dns.answers.ttl
   level: extended
   name: answers.ttl
-  order: 13
+  order: 14
   short: The time interval in seconds that this resource record may be cached before
     it should be discarded. Zero values mean that the data should not be cached.
   type: long
@@ -950,7 +950,7 @@ dns.answers.type:
   ignore_above: 1024
   level: extended
   name: answers.type
-  order: 11
+  order: 12
   short: The type of data contained in this resource record.
   type: keyword
 dns.header_flags:
@@ -1032,6 +1032,19 @@ dns.question.registered_domain:
   order: 8
   short: The highest registered domain, stripped of the subdomain.
   type: keyword
+dns.question.subdomain:
+  description: 'The subdomain is all of the labels under the registered_domain.
+
+    If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+    the subdomain field should contain "sub2.sub1", with no trailing period.'
+  example: www
+  flat_name: dns.question.subdomain
+  ignore_above: 1024
+  level: extended
+  name: question.subdomain
+  order: 9
+  short: The subdomain of the domain.
+  type: keyword
 dns.question.type:
   description: The type of record being queried.
   example: AAAA
@@ -1055,7 +1068,7 @@ dns.resolved_ip:
   flat_name: dns.resolved_ip
   level: extended
   name: resolved_ip
-  order: 15
+  order: 16
   short: Array containing all IPs seen in answers.data
   type: ip
 dns.response_code:

generated/ecs/ecs_nested.yml

@@ -1061,7 +1061,7 @@ dns:
       level: extended
       name: answers
       object_type: keyword
-      order: 9
+      order: 10
       short: Array of DNS answers.
       type: object
     answers.class:
@@ -1071,7 +1071,7 @@ dns:
       ignore_above: 1024
       level: extended
       name: answers.class
-      order: 12
+      order: 13
       short: The class of DNS data contained in this resource record.
       type: keyword
     answers.data:
@@ -1083,7 +1083,7 @@ dns:
       ignore_above: 1024
       level: extended
       name: answers.data
-      order: 14
+      order: 15
       short: The data describing the resource.
       type: keyword
     answers.name:
@@ -1097,7 +1097,7 @@ dns:
       ignore_above: 1024
       level: extended
       name: answers.name
-      order: 10
+      order: 11
       short: The domain name to which this resource record pertains.
       type: keyword
     answers.ttl:
@@ -1108,7 +1108,7 @@ dns:
       flat_name: dns.answers.ttl
       level: extended
       name: answers.ttl
-      order: 13
+      order: 14
       short: The time interval in seconds that this resource record may be cached
         before it should be discarded. Zero values mean that the data should not be
         cached.
@@ -1120,7 +1120,7 @@ dns:
       ignore_above: 1024
       level: extended
       name: answers.type
-      order: 11
+      order: 12
       short: The type of data contained in this resource record.
       type: keyword
     header_flags:
@@ -1203,6 +1203,19 @@ dns:
       order: 8
       short: The highest registered domain, stripped of the subdomain.
       type: keyword
+    question.subdomain:
+      description: 'The subdomain is all of the labels under the registered_domain.
+
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.'
+      example: www
+      flat_name: dns.question.subdomain
+      ignore_above: 1024
+      level: extended
+      name: question.subdomain
+      order: 9
+      short: The subdomain of the domain.
+      type: keyword
     question.type:
       description: The type of record being queried.
       example: AAAA
@@ -1226,7 +1239,7 @@ dns:
       flat_name: dns.resolved_ip
       level: extended
       name: resolved_ip
-      order: 15
+      order: 16
       short: Array containing all IPs seen in answers.data
       type: ip
     response_code:

generated/elasticsearch/6/template.json

@@ -460,6 +460,10 @@
                   "ignore_above": 1024, 
                   "type": "keyword"
                 }, 
+                "subdomain": {
+                  "ignore_above": 1024, 
+                  "type": "keyword"
+                }, 
                 "type": {
                   "ignore_above": 1024, 
                   "type": "keyword"

generated/elasticsearch/7/template.json

@@ -459,6 +459,10 @@
                 "ignore_above": 1024, 
                 "type": "keyword"
               }, 
+              "subdomain": {
+                "ignore_above": 1024, 
+                "type": "keyword"
+              }, 
               "type": {
                 "ignore_above": 1024, 
                 "type": "keyword"

generated/legacy/template.json

@@ -273,6 +273,10 @@
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
+                "subdomain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
                 "type": {
                   "ignore_above": 1024,
                   "type": "keyword"

schema.json

@@ -625,6 +625,16 @@
         "required": false, 
         "type": "keyword"
       }, 
+      "dns.question.subdomain": {
+        "description": "The subdomain is all of the labels under the registered_domain.\nIf the domain has multiple levels of subdomain, such as \"sub2.sub1.example.com\", the subdomain field should contain \"sub2.sub1\", with no trailing period.", 
+        "example": "www", 
+        "footnote": "", 
+        "group": 2, 
+        "level": "extended", 
+        "name": "dns.question.subdomain", 
+        "required": false, 
+        "type": "keyword"
+      }, 
       "dns.question.type": {
         "description": "The type of record being queried.", 
         "example": "AAAA", 

schemas/dns.yml

@@ -101,6 +101,17 @@
         simply taking the last two labels will not work well for TLDs such as "co.uk".
       example: google.com
 
+    - name: question.subdomain
+      level: extended
+      type: keyword
+      short: The subdomain of the domain.
+      description: >
+        The subdomain is all of the labels under the registered_domain.
+
+        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+        the subdomain field should contain "sub2.sub1", with no trailing period.
+      example: www
+
     - name: answers
       level: extended
       type: object