diff --git a/CHANGELOG.md b/CHANGELOG.md
index 27c5171ca3..2150e1c38f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ All notable changes to this project will be documented in this file based on the
 #### Bugfixes
 * The `protocol` allowed value under `event.type` should not have the `expected_event_types` defined. #964
+* Clarify the definition of `file.extension` (no dots). #1016
 #### Added
diff --git a/code/go/ecs/file.go b/code/go/ecs/file.go
index 1dc53d28b0..09713b7bf4 100644
--- a/code/go/ecs/file.go
+++ b/code/go/ecs/file.go
@@ -55,7 +55,9 @@ type File struct {
 // Target path for symlinks.
 TargetPath string `ecs:"target_path"`
- // File extension.
+ // File extension, excluding the leading dot.
+ // Note that when the file name has multiple extensions (example.tar.gz),
+ // only the last one should be captured ("gz", not "tar.gz").
 Extension string `ecs:"extension"`
 // File type (file, dir, or symlink).
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 9bd030d0af..f961b6fa89 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -2109,7 +2109,9 @@ example: `C`
 // ===============================================================
 | file.extension
-| File extension.
+| File extension, excluding the leading dot.
+
+Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
 type: keyword
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 35064b122e..981a6f217b 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -1568,7 +1568,10 @@
 level: extended
 type: keyword
 ignore_above: 1024
- description: File extension.
+ description: 'File extension, excluding the leading dot.
+
+ Note that when the file name has multiple extensions (example.tar.gz), only
+ the last one should be captured ("gz", not "tar.gz").'
 example: png
 - name: gid
 level: extended
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index 62979dd9b5..9dbed4737d 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -174,7 +174,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.7.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
 1.7.0-dev,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located.
 1.7.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
-1.7.0-dev,true,file,file.extension,keyword,extended,,png,File extension.
+1.7.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
 1.7.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
 1.7.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
 1.7.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 5f27925261..13a7c32325 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -2502,14 +2502,17 @@ file.drive_letter:
 type: keyword
 file.extension:
 dashed_name: file-extension
- description: File extension.
+ description: 'File extension, excluding the leading dot.
+
+ Note that when the file name has multiple extensions (example.tar.gz), only the
+ last one should be captured ("gz", not "tar.gz").'
 example: png
 flat_name: file.extension
 ignore_above: 1024
 level: extended
 name: extension
 normalize: []
- short: File extension.
+ short: File extension, excluding the leading dot.
 type: keyword
 file.gid:
 dashed_name: file-gid
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 1c40d63dfd..bfb2df366d 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -2925,14 +2925,17 @@ file:
 type: keyword
 file.extension:
 dashed_name: file-extension
- description: File extension.
+ description: 'File extension, excluding the leading dot.
+
+ Note that when the file name has multiple extensions (example.tar.gz), only
+ the last one should be captured ("gz", not "tar.gz").'
 example: png
 flat_name: file.extension
 ignore_above: 1024
 level: extended
 name: extension
 normalize: []
- short: File extension.
+ short: File extension, excluding the leading dot.
 type: keyword
 file.gid:
 dashed_name: file-gid
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 807ffd2115..413ab7a318 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -1604,7 +1604,10 @@
 level: extended
 type: keyword
 ignore_above: 1024
- description: File extension.
+ description: 'File extension, excluding the leading dot.
+
+ Note that when the file name has multiple extensions (example.tar.gz), only
+ the last one should be captured ("gz", not "tar.gz").'
 example: png
 - name: gid
 level: extended
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index baa380bfb8..90ca8601f7 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -175,7 +175,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.7.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
 1.7.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located.
 1.7.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
-1.7.0-dev,true,file,file.extension,keyword,extended,,png,File extension.
+1.7.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
 1.7.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
 1.7.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
 1.7.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 08277b4372..81a1ee4950 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -2544,14 +2544,17 @@ file.drive_letter:
 type: keyword
 file.extension:
 dashed_name: file-extension
- description: File extension.
+ description: 'File extension, excluding the leading dot.
+
+ Note that when the file name has multiple extensions (example.tar.gz), only the
+ last one should be captured ("gz", not "tar.gz").'
 example: png
 flat_name: file.extension
 ignore_above: 1024
 level: extended
 name: extension
 normalize: []
- short: File extension.
+ short: File extension, excluding the leading dot.
 type: keyword
 file.gid:
 dashed_name: file-gid
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index b4fecef933..1ca8779d5e 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -2968,14 +2968,17 @@ file:
 type: keyword
 file.extension:
 dashed_name: file-extension
- description: File extension.
+ description: 'File extension, excluding the leading dot.
+
+ Note that when the file name has multiple extensions (example.tar.gz), only
+ the last one should be captured ("gz", not "tar.gz").'
 example: png
 flat_name: file.extension
 ignore_above: 1024
 level: extended
 name: extension
 normalize: []
- short: File extension.
+ short: File extension, excluding the leading dot.
 type: keyword
 file.gid:
 dashed_name: file-gid
diff --git a/schemas/file.yml b/schemas/file.yml
index 4856f22648..545b4661fa 100644
--- a/schemas/file.yml
+++ b/schemas/file.yml
@@ -74,7 +74,12 @@
 - name: extension
 level: extended
 type: keyword
- description: File extension.
+ short: File extension, excluding the leading dot.
+ description: >
+ File extension, excluding the leading dot.
+
+ Note that when the file name has multiple extensions (example.tar.gz),
+ only the last one should be captured ("gz", not "tar.gz").
 example: png
 - name: type
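Review bot: The new `description` for `extension` in schemas/file.yml says the leading dot is dropped and only the last extension is kept, but it does not say whether the value's case is preserved; with `type: keyword` and `normalize: []` (as the ecs_flat.yml hunks show) `PNG` and `png` index as different terms, so an exact-match detection rule or filter on `file.extension` can silently miss events from a producer that reports upper-case names. Add one sentence to the folded block stating the intended handling, for example `Case is preserved as reported by the source; no lowercasing is applied.` if that is the intent, or instead state that producers should lowercase the value. The same wording is repeated in the code/go/ecs/file.go comment, docs/field-details.asciidoc and the generated yml/csv hunks; those appear to be regenerated from this schema, so the change belongs here. The field list continues past the end of the hunk.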