diff --git a/packages/system/data_stream/diskio/fields/agent.yml b/packages/system/data_stream/diskio/fields/agent.yml
index 1f0fadedb76..5e2fd81c445 100644
--- a/packages/system/data_stream/diskio/fields/agent.yml
+++ b/packages/system/data_stream/diskio/fields/agent.yml
@@ -156,17 +156,6 @@
 ignore_above: 1024
 description: Operating system kernel version as a raw string.
 example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
 - name: os.platform
 level: extended
 type: keyword
diff --git a/packages/system/data_stream/load/fields/agent.yml b/packages/system/data_stream/load/fields/agent.yml
index a23b0b76729..f7fba4ae7f1 100644
--- a/packages/system/data_stream/load/fields/agent.yml
+++ b/packages/system/data_stream/load/fields/agent.yml
@@ -156,17 +156,6 @@
 ignore_above: 1024
 description: Operating system kernel version as a raw string.
 example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
 - name: os.platform
 level: extended
 type: keyword
diff --git a/packages/system/data_stream/process/fields/agent.yml b/packages/system/data_stream/process/fields/agent.yml
index ff081deb945..f82d68cd83f 100644
--- a/packages/system/data_stream/process/fields/agent.yml
+++ b/packages/system/data_stream/process/fields/agent.yml
@@ -131,11 +131,6 @@
 level: core
 type: ip
 description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
 - name: name
 level: core
 type: keyword
@@ -156,17 +151,6 @@
 ignore_above: 1024
 description: Operating system kernel version as a raw string.
 example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
 - name: os.platform
 level: extended
 type: keyword
diff --git a/packages/system/data_stream/socket_summary/fields/base-fields.yml b/packages/system/data_stream/socket_summary/fields/base-fields.yml
index 1ed72ba281e..0e1c056093a 100644
--- a/packages/system/data_stream/socket_summary/fields/base-fields.yml
+++ b/packages/system/data_stream/socket_summary/fields/base-fields.yml
@@ -7,9 +7,6 @@
 - name: data_stream.namespace
 type: constant_keyword
 description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
 - name: event.module
 type: constant_keyword
 description: Event module
diff --git a/packages/system/docs/README.md b/packages/system/docs/README.md
index 5a90cdf0381..8f1c5f0c0b5 100644
--- a/packages/system/docs/README.md
+++ b/packages/system/docs/README.md
@@ -1349,7 +1349,7 @@ This data should be available without elevated permissions.
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
 | host.ip | Host ip addresses. | ip | | |
-| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | |
+| host.mac | Host mac addresses. | keyword | | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
 | host.os.build | OS build information. | keyword | | |
 | host.os.codename | OS codename, if any. | keyword | | |
@@ -1358,7 +1358,7 @@ This data should be available without elevated permissions.
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword | | |
 | host.os.name | Operating system name, without the version. | keyword | | |
-| host.os.name.text | Multi-field of `host.os.name`. | text | | |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
 | host.os.version | Operating system version as a raw string. | keyword | | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
@@ -1827,7 +1827,7 @@ If running as less privileged user, it may not be able to read process data belo
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
 | host.ip | Host ip addresses. | ip | | |
-| host.mac | Host mac addresses. | keyword | | |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
 | host.os.build | OS build information. | keyword | | |
 | host.os.codename | OS codename, if any. | keyword | | |
@@ -2108,7 +2108,7 @@ This data should be available without elevated permissions.
 | Field | Description | Type | Unit | Metric Type |
 |---|---|---|---|---|
-| @timestamp | Event timestamp. | date | | |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | |
 | agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
 | cloud.availability_zone | Availability zone in which this host is running. | keyword | | |