Filebeat Apache module cannot assume browser patch version to be a number

[cwurm]

Version: Filebeat 5.3.0

In https://github.com/elastic/beats/blob/master/filebeat/module/apache2/access/_meta/fields.yml, we assume the browser patch version is a number:

        - name: patch
          type: long
          description: >
            The patch version of the user agent.

That is not a safe assumption, e.g. Firefox beta versions had a patch versions such as "b12". A full user agent string then looks like this:

Mozilla/5.0 (X11; Linux x86_64; rv:2.0b12) Gecko/20110222 Firefox/4.0b12

There are a bunch of them, see for example http://www.useragentstring.com/pages/useragentstring.php?name=Firefox

I'm not 100% sure if the other components of the user agent version string - major, minor and build - are never not numbers. However, I've just ingested 300K log lines successfully and no error came up.

[cwurm]

This then also affects the nginx module, specifically https://github.com/elastic/beats/blob/master/filebeat/module/nginx/access/_meta/fields.yml

[ruflin]

I would suggest we switch the type here to a keyword. It would be great to have support for "version strings" in Lucene directly so someone could search for > 1.x but as far as I know this is not possible.

[cwurm]

I agree, keyword should do the trick.

[ruflin]

@tsg Could you see any potential issues with switching this to keyword?

[tsg]

No, i think we can change that.