Rename .raw to .original fields #107
Conversation
schemas/user_agent.yml
Outdated
| - name: raw | ||
| type: text | ||
| - name: original | ||
| type: keyword |
There was a problem hiding this comment.
I would actually make this one multi-field.
Full text search will be useful for weird user agents that aren't recognized by the US parsers (various language HTTP libs, obscure crawlers, etc). Still useful to filter for everything that contains "Python", for example. So for this we need to retain full text search.
So I would go with FTS at the top + .keyword for the nested field.
There was a problem hiding this comment.
Or you can consider this out of scope for now, and wait for the full review of fields in #104 to go MF. In that case we should leave it at text indexing.
There was a problem hiding this comment.
I consider it out of scope for now :-)
There was a problem hiding this comment.
Agreed. So you'll revert back to text indexing?
There was a problem hiding this comment.
Can do. So far I was thinking it's a bug that it's text :-)
use-cases/filebeat-apache-access.md
Outdated
| @@ -21,7 +21,7 @@ ECS fields used in Filebeat for the apache module. | |||
| | <a name="http.response.body_sent.bytes"></a>*http.response.body_sent.bytes* | *Http response body bytes sent, currently apache.access.body_sent.bytes* | long | | `117` | | |||
| | <a name="http.referer"></a>*http.referer* | *Http referrer code, currently apache.access.referrer<br/>NOTE: In the RFC its misspell as referer and has become accepted standard* | keyword | | `http://elastic.co/` | | |||
| | <a name="user_agent.*"></a>*user_agent.** | *User agent fields as in schema. Currently under apache.access.user_agent.*<br/>* | | | | | |||
| | [user_agent.raw](https://github.com/elastic/ecs#user_agent.raw) | Raw user agent. Currently apache.access.agent | text | | `http://elastic.co/` | | |||
| | <a name="user_agent.raw"></a>*user_agent.raw* | *Raw user agent. Currently apache.access.agent* | text | | `http://elastic.co/` | | |||
There was a problem hiding this comment.
Ha, good catch. You've looked for event.raw in the examples as well, I assume?
There was a problem hiding this comment.
you mean the use cases? Hm, I didn't :-(
* Rename `user_agent.raw` to `user_agent.original` and make it a keyword. I think this always should have been a keyword. * Rename `event.raw` to `event.original`. Closes elastic#102
ruflin
force-pushed
the
raw-to-original
branch
from
e708361 to
b2a2fa4
Compare
|
@webmat New version pushed and use cases updated. |
user_agent.rawtouser_agent.originaland make it a keyword. I think this always should have been a keyword.event.rawtoevent.original.Closes #102