Add process.working_directory and process.start. (elastic#215)

MikePaquette · Dec 4, 2018 · 80fa71a · 80fa71a
1 parent 468e8a4
commit 80fa71a
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -21,6 +21,7 @@ All notable changes to this project will be documented in this file based on the
 * Create new `group` field set with `group.id` and `group.name`. #203
 * Add `url.full` field. #207
 * Add `process.executable` field. #209
+* Add `process.working_directory` and `process.start`. #215
 
 ### Improvements
 * Improve and clarify the definition of Device fields #192

diff --git a/README.md b/README.md
@@ -357,6 +357,8 @@ These fields contain information about a process. These fields can help you corr
 | <a name="process.executable"></a>process.executable | Absolute path to the process executable. | extended | keyword | `/usr/bin/ssh` |
 | <a name="process.title"></a>process.title | Process title.<br/>The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | extended | keyword |  |
 | <a name="process.thread.id"></a>process.thread.id | Thread ID. | extended | long | `4242` |
+| <a name="process.start"></a>process.start | The time the process started. | extended | date | `2016-05-23T08:05:34.853Z` |
+| <a name="process.working_directory"></a>process.working_directory | The working directory of the process. | extended | keyword | `/home/alice` |
 
 
 ## <a name="related"></a> Related fields

diff --git a/fields.yml b/fields.yml
@@ -1038,6 +1038,20 @@
           description: >
             Thread ID.
     
+        - name: start
+          level: extended
+          type: date
+          example: "2016-05-23T08:05:34.853Z"
+          description: >
+            The time the process started.
+    
+        - name: working_directory
+          level: extended
+          type: keyword
+          example: /home/alice
+          description: >
+            The working directory of the process.
+    
     - name: related
       title: Related
       group: 2

diff --git a/schema.csv b/schema.csv
@@ -107,8 +107,10 @@ process.executable,keyword,extended,/usr/bin/ssh
 process.name,keyword,extended,ssh
 process.pid,long,core,
 process.ppid,long,extended,
+process.start,date,extended,2016-05-23T08:05:34.853Z
 process.thread.id,long,extended,4242
 process.title,keyword,extended,
+process.working_directory,keyword,extended,/home/alice
 related.ip,ip,extended,
 service.ephemeral_id,keyword,extended,8a4f500f
 service.id,keyword,core,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6

diff --git a/schemas/process.yml b/schemas/process.yml
@@ -63,3 +63,17 @@
       example: 4242
       description: >
         Thread ID.
+
+    - name: start
+      level: extended
+      type: date
+      example: "2016-05-23T08:05:34.853Z"
+      description: >
+        The time the process started.
+
+    - name: working_directory
+      level: extended
+      type: keyword
+      example: /home/alice
+      description: >
+        The working directory of the process.
diff --git a/template.json b/template.json
@@ -519,6 +519,9 @@
             "ppid": {
               "type": "long"
             },
+            "start": {
+              "type": "date"
+            },
             "thread": {
               "properties": {
                 "id": {
@@ -529,6 +532,10 @@
             "title": {
               "ignore_above": 1024,
               "type": "keyword"
+            },
+            "working_directory": {
+              "ignore_above": 1024,
+              "type": "keyword"
             }
           }
         },