Re-introduce a simplified version of user_agent. (#240)

elastic · Dec 7, 2018 · 23ce673 · 23ce673
1 parent d741600
commit 23ce673
Show file tree

Hide file tree

Showing 8 changed files with 118 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -35,6 +35,7 @@ All notable changes to this project will be documented in this file based on the
 * Add fields `geo.country_name` and `geo.region_iso_code`. #214
 * Add `event.kind` and `event.outcome`. #242
 * Add `client` and `server` objects and fields. #236
+* Reintroduce a streamlined `user_agent` field set. #240
 
 ### Improvements
 * Improved the definition of the file fields #196

diff --git a/README.md b/README.md
@@ -73,6 +73,7 @@ ECS defines these fields.
  * [Source fields](#source)
  * [URL fields](#url)
  * [User fields](#user)
+ * [User agent fields](#user_agent)
 
 ## <a name="base"></a> Base fields
 
@@ -489,6 +490,19 @@ Note also that the `user` fields may be used directly at the top level.
 | <a name="user.group"></a>user.group | Group the user is a part of. This field can contain a list of groups, if necessary. | extended | keyword |  |
 
 
+## <a name="user_agent"></a> User agent fields
+
+The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.
+
+
+| Field  | Description  | Level  | Type  | Example  |
+|---|---|---|---|---|
+| <a name="user_agent.original"></a>user_agent.original | Unparsed version of the user_agent. | extended | keyword |  |
+| <a name="user_agent.name"></a>user_agent.name | Name of the user agent. | extended | keyword | `Chrome` |
+| <a name="user_agent.version"></a>user_agent.version | Version of the user agent. | extended | keyword |  |
+| <a name="user_agent.device.name"></a>user_agent.device.name | Name of the device. | extended | keyword | `Chrome` |
+
+
 
 
 

diff --git a/fields.yml b/fields.yml
@@ -1549,3 +1549,38 @@
           description: >
             Group the user is a part of. This field can contain a list of groups, if
             necessary.
+    
+    - name: user_agent
+      title: User agent
+      group: 2
+      description: >
+        The user_agent fields normally come from a browser request. They often
+        show up in web service logs coming from the parsed user agent string.
+      type: group
+      fields:
+
+        - name: original
+          level: extended
+          type: keyword
+          index: false
+          description: >
+            Unparsed version of the user_agent.
+    
+        - name: name
+          level: extended
+          type: keyword
+          example: Chrome
+          description: >
+            Name of the user agent.
+        - name: version
+          level: extended
+          type: keyword
+          description: >
+            Version of the user agent.
+    
+        - name: device.name
+          level: extended
+          type: keyword
+          example: Chrome
+          description: >
+            Name of the device.
diff --git a/schema.csv b/schema.csv
@@ -162,3 +162,7 @@ user.group,keyword,extended,
 user.hash,keyword,extended,
 user.id,keyword,core,
 user.name,keyword,core,albert
+user_agent.device.name,keyword,extended,Chrome
+user_agent.name,keyword,extended,Chrome
+user_agent.original,keyword,extended,
+user_agent.version,keyword,extended,
diff --git a/schemas/user_agent.yml b/schemas/user_agent.yml
@@ -0,0 +1,35 @@
+---
+- name: user_agent
+  title: User agent
+  group: 2
+  description: >
+    The user_agent fields normally come from a browser request. They often
+    show up in web service logs coming from the parsed user agent string.
+  type: group
+  fields:
+
+    - name: original
+      level: extended
+      type: keyword
+      index: false
+      description: >
+        Unparsed version of the user_agent.
+
+    - name: name
+      level: extended
+      type: keyword
+      example: Chrome
+      description: >
+        Name of the user agent.
+    - name: version
+      level: extended
+      type: keyword
+      description: >
+        Version of the user agent.
+
+    - name: device.name
+      level: extended
+      type: keyword
+      example: Chrome
+      description: >
+        Name of the device.
diff --git a/template.json b/template.json
@@ -753,6 +753,31 @@
               "type": "keyword"
             }
           }
+        },
+        "user_agent": {
+          "properties": {
+            "device": {
+              "properties": {
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "original": {
+              "ignore_above": 1024,
+              "index": false,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
         }
       }
     }

diff --git a/use-cases/filebeat-apache-access.md b/use-cases/filebeat-apache-access.md
@@ -21,7 +21,7 @@ ECS fields used in Filebeat for the apache module.
 | <a name="http.response.body_sent.bytes"></a>*http.response.body_sent.bytes* | *Http response body bytes sent, currently apache.access.body_sent.bytes* | (use case) | long | `117` |
 | <a name="http.referer"></a>*http.referer* | *Http referrer code, currently apache.access.referrer<br/>NOTE: In the RFC its misspell as referer and has become accepted standard* | (use case) | keyword | `http://elastic.co/` |
 | <a name="user_agent.&ast;"></a>*user_agent.&ast;* | *User agent fields as in schema. Currently under apache.access.user_agent.*<br/>* |  |  |  |
-| <a name="user_agent.original"></a>*user_agent.original* | *Original user agent. Currently apache.access.agent* | (use case) | keyword | `http://elastic.co/` |
+| [user_agent.original](../README.md#user_agent.original)  | Original user agent. Currently apache.access.agent | extended | keyword | `http://elastic.co/` |
 | <a name="geoip.&ast;"></a>*geoip.&ast;* | *User agent fields as in schema. Currently under apache.access.geoip.*<br/>These are extracted from source.ip<br/>Should they be under source.geoip?<br/>* |  |  |  |
 | <a name="geoip...."></a>*geoip....* | *All geoip fields.* | (use case) | keyword |  |
 

diff --git a/use-cases/web-logs.md b/use-cases/web-logs.md
@@ -17,13 +17,13 @@ Using the fields as represented here is not expected to conflict with ECS, but m
 | [http.response.body](../README.md#http.response.body)  | The full http response body. | extended | keyword | `Hello world` |
 | [http.version](../README.md#http.version)  | Http version. | extended | keyword | `1.1` |
 | <a name="user_agent.&ast;"></a>*user_agent.&ast;* | *The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.<br/>* |  |  |  |
-| <a name="user_agent.original"></a>*user_agent.original* | *Unparsed version of the user_agent.* | (use case) | keyword |  |
+| [user_agent.original](../README.md#user_agent.original)  | Unparsed version of the user_agent. | extended | keyword |  |
 | <a name="user_agent.device"></a>*user_agent.device* | *Name of the physical device.* | (use case) | keyword |  |
-| <a name="user_agent.version"></a>*user_agent.version* | *Version of the physical device.* | (use case) | keyword |  |
+| [user_agent.version](../README.md#user_agent.version)  | Version of the physical device. | extended | keyword |  |
 | <a name="user_agent.major"></a>*user_agent.major* | *Major version of the user agent.* | (use case) | long |  |
 | <a name="user_agent.minor"></a>*user_agent.minor* | *Minor version of the user agent.* | (use case) | long |  |
 | <a name="user_agent.patch"></a>*user_agent.patch* | *Patch version of the user agent.* | (use case) | keyword |  |
-| <a name="user_agent.name"></a>*user_agent.name* | *Name of the user agent.* | (use case) | keyword | `Chrome` |
+| [user_agent.name](../README.md#user_agent.name)  | Name of the user agent. | extended | keyword | `Chrome` |