Add process.working_directory and process.start.

elastic · Dec 4, 2018 · c557b0f · c557b0f
1 parent 3d1e7a7
commit c557b0f
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -356,6 +356,8 @@ These fields contain information about a process. These fields can help you corr
 | <a name="process.ppid"></a>process.ppid | Process parent id. | extended | long |  |
 | <a name="process.title"></a>process.title | Process title.<br/>The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | extended | keyword |  |
 | <a name="process.thread.id"></a>process.thread.id | Thread ID. | extended | long | `4242` |
+| <a name="process.start"></a>process.start | The time the process started. | extended | date | `2016-05-23T08:05:34.853Z` |
+| <a name="process.working_directory"></a>process.working_directory | The working directory of the process. | extended | keyword | `/home/alice` |
 
 
 ## <a name="related"></a> Related fields

diff --git a/fields.yml b/fields.yml
@@ -1032,6 +1032,20 @@
           description: >
             Thread ID.
     
+        - name: start
+          level: extended
+          type: date
+          example: "2016-05-23T08:05:34.853Z"
+          description: >
+            The time the process started.
+    
+        - name: working_directory
+          level: extended
+          type: keyword
+          example: /home/alice
+          description: >
+            The working directory of the process.
+    
     - name: related
       title: Related
       group: 2

diff --git a/schema.csv b/schema.csv
@@ -106,8 +106,10 @@ process.args,keyword,extended,"['-l', 'user', '10.0.0.16']"
 process.name,keyword,extended,ssh
 process.pid,long,core,4242
 process.ppid,long,extended,
+process.start,date,extended,2016-05-23T08:05:34.853Z
 process.thread.id,long,extended,4242
 process.title,keyword,extended,
+process.working_directory,keyword,extended,/home/alice
 related.ip,ip,extended,
 service.ephemeral_id,keyword,extended,8a4f500f
 service.id,keyword,core,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6

diff --git a/schemas/process.yml b/schemas/process.yml
@@ -56,3 +56,17 @@
       example: 4242
       description: >
         Thread ID.
+
+    - name: start
+      level: extended
+      type: date
+      example: "2016-05-23T08:05:34.853Z"
+      description: >
+        The time the process started.
+
+    - name: working_directory
+      level: extended
+      type: keyword
+      example: /home/alice
+      description: >
+        The working directory of the process.
diff --git a/template.json b/template.json
@@ -515,6 +515,9 @@
             "ppid": {
               "type": "long"
             },
+            "start": {
+              "type": "date"
+            },
             "thread": {
               "properties": {
                 "id": {
@@ -525,6 +528,10 @@
             "title": {
               "ignore_above": 1024,
               "type": "keyword"
+            },
+            "working_directory": {
+              "ignore_above": 1024,
+              "type": "keyword"
             }
           }
         },