Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add event.start and event.end #185

Merged
merged 1 commit into from
Nov 28, 2018
Merged

Add event.start and event.end #185

merged 1 commit into from
Nov 28, 2018

Conversation

andrewkroh
Copy link
Member

@andrewkroh andrewkroh commented Nov 21, 2018
edited
Loading

event.start and event.end are date fields that demarcate the beginning and end, respectively,
of an activity. For example in a network flow the event.start is the time of the first packet in the
flow and event.end time the time of the last observed packet in the flow.

The event.duration value is then computed as the difference between end and start times.

ruflin
ruflin requested changes Nov 23, 2018
View reviewed changes
Copy link
Contributor

@ruflin ruflin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a changelog entry?

fields.yml Outdated
@@ -491,6 +494,20 @@

In case the two timestamps are identical, @timestamp should be used.

- name: start
level: core
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would suggest to put both these values in extended for now

webmat
webmat approved these changes Nov 23, 2018
View reviewed changes
Copy link
Contributor

@webmat webmat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, but agree that they should be introduced as extended first.

@andrewkroh
Add event.start and event.end
614dd7b 
`event.start` and `event.end` are date fields that demarcate the beginning and end, respectively,
of an activity. For example in a network flow the event.start is time time of the first packet in the
flow and `event.end` time the time of the last observed packet in the flow.

The `event.duration` value is then computed as the difference between end and start times.
@andrewkroh andrewkroh force-pushed the feature-event-start-end branch from 30627c1 to 614dd7b Compare November 28, 2018 03:33
@andrewkroh
Copy link
Member Author

Updated with:

  • Fields are now extended.
  • CHANGELOG entry added.

@ruflin ruflin merged commit 394a8cc into elastic:master Nov 28, 2018
@webmat webmat mentioned this pull request Nov 30, 2018
Closed
MikePaquette pushed a commit to MikePaquette/ecs-1 that referenced this pull request Dec 4, 2018
@andrewkroh @MikePaquette
Add event.start and event.end (elastic#185)
e20dc12 
`event.start` and `event.end` are date fields that demarcate the beginning and end, respectively,
of an activity. For example in a network flow the event.start is time time of the first packet in the
flow and `event.end` time the time of the last observed packet in the flow.

The `event.duration` value is then computed as the difference between end and start times.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ruflin ruflin ruflin requested changes

@webmat webmat webmat approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@andrewkroh @webmat @ruflin