Find a better solution for address/ip/domain #37
Labels
feature
New feature or request
Comments
widhalmt
added a commit
that referenced
this issue
Sep 27, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We have all three fields for
clientandserver. ECS says,.addresshas to be set. If there's an IP address in that field, copy it into.ipand if it's a FQDN, copy it into.domain.The problem we have is that sometimes one is set but the other is not. Or both are set. Or one is set to a dummy value like
unkownor while the other has a valid value. The current implementation tries to always use the most meaningful information for.addressbut this ends up different values inaddressdepending on what log event it is.We could work around it in Kibana by never using
.addressbut I'm not sure if that's feasible. I'm opening this issue to search for a better solution to this problem.The text was updated successfully, but these errors were encountered: