Switch most fields to keyword as the type #137
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
We started to use multi fields in ECS and if we used a multi field, the base field was text as is the default in Elasticsearch. The problem with this is we decide in the future to make a field multi field, it would be breaking change as what was before a keyword now becomes text. To prevent this all fields except `message` are by default a keyword. Making a multifield out of a field is then a non breaking change. On the ECS side we still need to figure out what our recommendation is for naming multiple fields like `.analyzed, .text` or others. This change has also an affect on Beats as in ttps://github.com/elastic/beats/pull/8313 the fields.yml from ECS was added to Beats. There was even a breaking change I think we missed when switch to ECS there as the `http.response.body` in packetbeat was text and in Metricbeat keyword. The following fields were changed to keyword and multifield removed for now. We can add it later again when we figure out the convention: * device.vendor * file.path * file.target_path * http.response.body * network.name * organization.name * url.href * url.path * url.query * user_agent.original
|
@adriansr After this is merged we should update the ECS fields.yml in Beats again and mention the breaking change that happened in Packetbeat. |
ruflin
changed the title
webmat
approved these changes
Oct 19, 2018
webmat
pushed a commit
to webmat/ecs
that referenced
this pull request
Oct 19, 2018
webmat
pushed a commit
to webmat/ecs
that referenced
this pull request
Oct 23, 2018
webmat
pushed a commit
to webmat/ecs
that referenced
this pull request
Oct 23, 2018
webmat
pushed a commit
to webmat/ecs
that referenced
this pull request
Oct 24, 2018
1 task
5 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We started to use multi fields in ECS and if we used a multi field, the base field was text as is the default in Elasticsearch. The problem with this is we decide in the future to make a field multi field, it would be breaking change as what was before a keyword now becomes text. To prevent this all fields except
messageare by default a keyword. Making a multifield out of a field is then a non breaking change.On the ECS side we still need to figure out what our recommendation is for naming multiple fields like
.analyzed, .textor others.This change has also an affect on Beats as in ttps://github.com/elastic/beats/pull/8313 the fields.yml from ECS was added to Beats. There was even a breaking change I think we missed when switch to ECS there as the
http.response.bodyin packetbeat was text and in Metricbeat keyword.The following fields were changed to keyword and multifield removed for now. We can add it later again when we figure out the convention: