Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

This issue is meant to collect breaking changes we want to do for ECS 8.0 #839

Closed
webmat opened this issue May 7, 2020 · 7 comments
Closed

Comments

@webmat
Copy link
Contributor

webmat commented May 7, 2020

Any suggestion for breaking changes should be submitted via their own github issue, not as a comment on this issue.

Decided

Schema

Tooling

Under consideration

Tooling

No longer under consideration for 8.0

Items previous listed as Under consideration but subsequently removed. May still have value in the future, so capturing below.

@rw-access
Copy link
Contributor

There was also talk about embedding file in more places, since several fieldsets use .file and .path. The names we get as a result are a little confusing. Maybe we can find better ways to accomplish reusability

The first ones that I remember:

  • process.file.*
  • dll.file.*
  • driver.file.* (haven't created driver yet)

@ebeahan
Copy link
Member

ebeahan commented Aug 5, 2020

#838 Remove guidance to lowercase http.request.method

This is going in for 1.6, right?

@webmat
Copy link
Contributor Author

webmat commented Aug 5, 2020

@ebeahan Yes it is

@djptek
Copy link
Contributor

djptek commented Mar 4, 2021

Do we need to change the type of http.response.status_code to keyword, in order to allow users to bucket HTTP traffic by status code? See #564

Prior to Lens, this might have been accomplished using e.g. ranges to bucket the 2xx, 3xx, 4xx, 5xx codes

This has been improved and simplified with Lens, which (tested 7.11.2) supports Break down by and other bucket strategies vs long out of the box, for example this one gives a full breakdown of status codes

lens_vs_http_response_status_code

Note: to get a count per value in Lens you may need to increase Number of Values in Break down by configuration. The max value of 100 is sufficient to exceed the 41 response codes listed in https://tools.ietf.org/html/rfc7231#section-6.1

Here is a data set if you'd like to try that, the field will map to long using dynamic mapping

POST test/_bulk
{ "index" : { "_id" : "1" } }
{ "http.response.status_code" : 200 }
{ "index" : { "_id" : "2" } }
{ "http.response.status_code" : 200 }
{ "index" : { "_id" : "3" } }
{ "http.response.status_code" : 200 }
{ "index" : { "_id" : "4" } }
{ "http.response.status_code" : 201 }
{ "index" : { "_id" : "5" } }
{ "http.response.status_code" : 201 }
{ "index" : { "_id" : "6" } }
{ "http.response.status_code" : 202 }
{ "index" : { "_id" : "7" } }
{ "http.response.status_code" : 300 }
{ "index" : { "_id" : "8" } }
{ "http.response.status_code" : 301 }
{ "index" : { "_id" : "9"} }
{ "http.response.status_code" : 404 }
{ "index" : { "_id" : "10"} }
{ "http.response.status_code" : 404 }

@ebeahan ebeahan self-assigned this Mar 31, 2021
@ebeahan
Copy link
Member

ebeahan commented Mar 31, 2021

@jamiehynds I believe you added this item?

Consider removal of host.os.full.caseless/text fields and host.os.name.caseless/text fields. Example where these fields can cause unnecessary duplication.

The *.caseless fields are actually not specified in ECS. I believe it's a custom multi-field added in the endpoint schema: https://github.com/elastic/endpoint-package/blob/master/custom_schemas/custom_os.yml

I'm removing it from consideration for now. Happy to re-add if I'm misunderstanding.

@jamiehynds
Copy link
Contributor

Good catch - thanks @ebeahan. I'll discuss further with the endpoint team, but fine to remove from our list of proposed breaking changes.

@ebeahan ebeahan changed the title This issue is meant to collect breaking changes we want to do for ECS 2.0 This issue is meant to collect breaking changes we want to do for ECS 8.0 Apr 15, 2021
@ebeahan ebeahan added the 8.0.0 label Aug 26, 2021
@ebeahan
Copy link
Member

ebeahan commented Oct 29, 2021

A release branch has been cut for ECS 8.0, and the information in the changelog supersedes what's included in this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

5 participants