Remove src/dst.hostname, rename url.hostname to url.domain. (#175)
Also part of this PR:

* Bring `source` description in line with `destination`'s
* Add 'www.' to elastic.co in the URL examples.
* Remove ambiguous comment about reusing `url`. It hasn't been made into an official 'reusable' object, so this comment could be misleading.
webmat authored Nov 7, 2018
1 parent 1feb951 commit bf3271e
Showing 8 changed files with 26 additions and 62 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
@@ -29,6 +29,8 @@ All notable changes to this project will be documented in this file based on the
* Rename `event.version` to `ecs.version`. #169
* Remove the `http` field set temporarily. #171
* Remove the `user_agent` field set temporarily. #172
* Rename `url.hostname` to `url.domain`. #175
* Remove `source.hostname` and `destination.hostname`. #175

### Bugfixes

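Review bot: the two new entries record that `source.hostname` and `destination.hostname` are removed but not where a hostname value should now be stored; `source.domain` and `destination.domain` remain in the schema, so if those are the intended replacements the entry should say so, e.g. `* Remove \`source.hostname\` and \`destination.hostname\`; put the name in \`source.domain\` / \`destination.domain\` instead. #175`. The same applies to the `url.hostname` to `url.domain` rename: a one-line migration hint here saves every consumer of the schema from diffing the field tables.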
10 changes: 4 additions & 6 deletions README.md
@@ -129,7 +129,6 @@ Destination fields describe details about the destination of a packet/event.
| Field | Description | Level | Type | Example |
|---|---|---|---|---|
| <a name="destination.ip"></a>destination.ip | IP address of the destination.<br/>Can be one or multiple IPv4 or IPv6 addresses. | core | ip | |
| <a name="destination.hostname"></a>destination.hostname | Hostname of the destination. | core | keyword | |
| <a name="destination.port"></a>destination.port | Port of the destination. | core | long | |
| <a name="destination.mac"></a>destination.mac | MAC address of the destination. | core | keyword | |
| <a name="destination.domain"></a>destination.domain | Destination domain. | core | keyword | |
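Review bot: with `destination.hostname` removed, the only name-like field left in this table is `destination.domain`, whose description is just "Destination domain."; it no longer tells a reader whether a fully qualified hostname of the destination belongs there or should be dropped. Expand the description (here and in `schemas/destination.yml`, which carries the same text) to state what `destination.domain` holds now that `hostname` is gone.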
@@ -347,28 +346,27 @@ The service fields describe the service for or from which the data was collected

## <a name="source"></a> Source fields

Source fields describe details about the source of the event.
Source fields describe details about the destination of a packet/event.


| Field | Description | Level | Type | Example |
|---|---|---|---|---|
| <a name="source.ip"></a>source.ip | IP address of the source.<br/>Can be one or multiple IPv4 or IPv6 addresses. | core | ip | |
| <a name="source.hostname"></a>source.hostname | Hostname of the source. | core | keyword | |
| <a name="source.port"></a>source.port | Port of the source. | core | long | |
| <a name="source.mac"></a>source.mac | MAC address of the source. | core | keyword | |
| <a name="source.domain"></a>source.domain | Source domain. | core | keyword | |


## <a name="url"></a> URL fields

URL fields provide a complete URL, with scheme, host, and path. The URL object can be reused in other prefixes, such as `host.url.*` for example. Keep the structure consistent whenever you use URL fields.
URL fields provide a complete URL, with scheme, host, and path.


| Field | Description | Level | Type | Example |
|---|---|---|---|---|
| <a name="url.original"></a>url.original | Full original url. The field is stored as keyword. | extended | keyword | `https://elastic.co:443/search?q=elasticsearch#top` |
| <a name="url.original"></a>url.original | Full original url. The field is stored as keyword. | extended | keyword | `https://www.elastic.co:443/search?q=elasticsearch#top` |
| <a name="url.scheme"></a>url.scheme | Scheme of the request, such as "https".<br/>Note: The `:` is not part of the scheme. | extended | keyword | `https` |
| <a name="url.hostname"></a>url.hostname | Hostname of the request, such as "elastic.co".<br/>In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `hostname` field. | extended | keyword | `elastic.co` |
| <a name="url.domain"></a>url.domain | Domain of the request, such as "www.elastic.co".<br/>In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | extended | keyword | `www.elastic.co` |
| <a name="url.port"></a>url.port | Port of the request, such as 443. | extended | integer | `443` |
| <a name="url.path"></a>url.path | Path of the request, such as "/search". | extended | keyword | |
| <a name="url.query"></a>url.query | The query field describes the query string of the request, such as "q=elasticsearch".<br/>The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | extended | keyword | |
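Review bot: the new Source description in this hunk, "Source fields describe details about the destination of a packet/event.", is the Destination sentence copied verbatim; it should read "Source fields describe details about the source of a packet/event." The same wrong sentence is introduced in fields.yml and schemas/source.yml by this PR, so fix it in the schema file and bring this table back in line with it.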
29 changes: 8 additions & 21 deletions fields.yml
@@ -252,12 +252,6 @@
Can be one or multiple IPv4 or IPv6 addresses.

- name: hostname
level: core
type: keyword
description: >
Hostname of the destination.
- name: port
level: core
type: long
@@ -1069,7 +1063,8 @@
title: Source
group: 2
description: >
Source fields describe details about the source of the event.
Source fields describe details about the destination of a
packet/event.
type: group
fields:

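Review bot: the replacement description, "Source fields describe details about the destination of a packet/event.", still says "destination"; it should read "Source fields describe details about the source of a packet/event." The commit message says the intent is to align the wording with Destination's, not the subject, and as written the Source group now documents the wrong end of the connection.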
@@ -1081,12 +1076,6 @@
Can be one or multiple IPv4 or IPv6 addresses.

- name: hostname
level: core
type: keyword
description: >
Hostname of the source.
- name: port
level: core
type: long
@@ -1108,9 +1097,7 @@
- name: url
title: URL
description: >
URL fields provide a complete URL, with scheme, host, and path. The URL
object can be reused in other prefixes, such as `host.url.*` for
example. Keep the structure consistent whenever you use URL fields.
URL fields provide a complete URL, with scheme, host, and path.
type: group
fields:

@@ -1119,7 +1106,7 @@
type: keyword
description: >
Full original url. The field is stored as keyword.
example: https://elastic.co:443/search?q=elasticsearch#top
example: https://www.elastic.co:443/search?q=elasticsearch#top

- name: scheme
level: extended
@@ -1130,15 +1117,15 @@
Note: The `:` is not part of the scheme.
example: https

- name: hostname
- name: domain
level: extended
type: keyword
description: >
Hostname of the request, such as "elastic.co".
Domain of the request, such as "www.elastic.co".
In some cases a URL may refer to an IP and/or port directly, without a
domain name. In this case, the IP address would go to the `hostname` field.
example: elastic.co
domain name. In this case, the IP address would go to the `domain` field.
example: www.elastic.co

- name: port
level: extended
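Review bot: the replacement text says that when a URL has no hostname "the IP address would go to the `domain` field", but the field is `type: keyword`, so such values are stored as opaque strings and cannot be matched with IP or CIDR queries the way `source.ip`/`destination.ip` can. If that is acceptable, say so in the description; also specify whether an IPv6 literal is stored with or without its surrounding brackets (`[2001:db8::1]` as it appears in the URL, or `2001:db8::1`), because otherwise both forms will end up in the same field and will not match each other.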
6 changes: 2 additions & 4 deletions schema.csv
@@ -22,7 +22,6 @@ container.labels,object,extended,
container.name,keyword,extended,
container.runtime,keyword,extended,docker
destination.domain,keyword,core,
destination.hostname,keyword,core,
destination.ip,ip,core,
destination.mac,keyword,core,
destination.port,long,core,
@@ -110,13 +109,12 @@ service.state,keyword,core,
service.type,keyword,core,elasticsearch
service.version,keyword,core,3.2.4
source.domain,keyword,core,
source.hostname,keyword,core,
source.ip,ip,core,
source.mac,keyword,core,
source.port,long,core,
url.domain,keyword,extended,www.elastic.co
url.fragment,keyword,extended,
url.hostname,keyword,extended,elastic.co
url.original,keyword,extended,https://elastic.co:443/search?q=elasticsearch#top
url.original,keyword,extended,https://www.elastic.co:443/search?q=elasticsearch#top
url.password,keyword,extended,
url.path,keyword,extended,
url.port,integer,extended,443
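Review bot: this hunk puts `source.port,long,core,` and `url.port,integer,extended,443` a few lines apart, which makes the type mismatch for the same concept easy to see: `source.port`/`destination.port` are `long` while `url.port` is `integer`. Not introduced by this PR, but since it already reworks the `url` group, consider aligning `url.port` to `long` (or documenting why the types differ) in `schemas/url.yml` so the csv and the template agree.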
6 changes: 0 additions & 6 deletions schemas/destination.yml
@@ -16,12 +16,6 @@
Can be one or multiple IPv4 or IPv6 addresses.
- name: hostname
level: core
type: keyword
description: >
Hostname of the destination.
- name: port
level: core
type: long
9 changes: 2 additions & 7 deletions schemas/source.yml
@@ -3,7 +3,8 @@
title: Source
group: 2
description: >
Source fields describe details about the source of the event.
Source fields describe details about the destination of a
packet/event.
type: group
fields:

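Review bot: the new description text is wrong: "Source fields describe details about the destination of a packet/event." has been copied from schemas/destination.yml without changing "destination" to "source". Replace the two added lines with "Source fields describe details about the source of a" / "packet/event." and then update fields.yml and README.md, which carry the same sentence in this PR, from the corrected file.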
@@ -15,12 +16,6 @@
Can be one or multiple IPv4 or IPv6 addresses.
- name: hostname
level: core
type: keyword
description: >
Hostname of the source.
- name: port
level: core
type: long
14 changes: 6 additions & 8 deletions schemas/url.yml
@@ -2,9 +2,7 @@
- name: url
title: URL
description: >
URL fields provide a complete URL, with scheme, host, and path. The URL
object can be reused in other prefixes, such as `host.url.*` for
example. Keep the structure consistent whenever you use URL fields.
URL fields provide a complete URL, with scheme, host, and path.
type: group
fields:

@@ -13,7 +11,7 @@
type: keyword
description: >
Full original url. The field is stored as keyword.
example: https://elastic.co:443/search?q=elasticsearch#top
example: https://www.elastic.co:443/search?q=elasticsearch#top

- name: scheme
level: extended
@@ -24,15 +22,15 @@
Note: The `:` is not part of the scheme.
example: https

- name: hostname
- name: domain
level: extended
type: keyword
description: >
Hostname of the request, such as "elastic.co".
Domain of the request, such as "www.elastic.co".
In some cases a URL may refer to an IP and/or port directly, without a
domain name. In this case, the IP address would go to the `hostname` field.
example: elastic.co
domain name. In this case, the IP address would go to the `domain` field.
example: www.elastic.co

- name: port
level: extended
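Review bot: the renamed field's description, "Domain of the request, such as "www.elastic.co"", together with the example `www.elastic.co`, shows that the field stores the full host component of the URL, whereas many readers will take `domain` to mean the registrable domain (`elastic.co`). State explicitly that `url.domain` holds the entire host part of the URL as written, including `www.` or any other subdomain labels, so it is not mistaken for a registered-domain field; `source.domain`/`destination.domain`, which this PR leaves as the only name fields in those groups, should then be documented with the same meaning.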
12 changes: 2 additions & 10 deletions template.json
@@ -128,10 +128,6 @@
"ignore_above": 1024,
"type": "keyword"
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
@@ -537,10 +533,6 @@
"ignore_above": 1024,
"type": "keyword"
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
@@ -559,11 +551,11 @@
},
"url": {
"properties": {
"fragment": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"hostname": {
"fragment": {
"ignore_above": 1024,
"type": "keyword"
},
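Review bot: renaming the `hostname` property to `domain` under `url` (and dropping it under `source` and `destination` in the two hunks above) only affects indices created after the updated template is installed; indices already created from the previous template keep their `hostname` mappings, and events that still send `url.hostname`, `source.hostname` or `destination.hostname` will be dynamically mapped as new fields rather than rejected unless the template disables dynamic mapping, which is not visible in this hunk. The CHANGELOG entry should tell users to update their pipelines and reindex or roll over before relying on `url.domain`.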