Rename all nested fields mentioned in #103 to .keyword (#118)
Closes #103
webmat authored and ruflin committed Sep 25, 2018
1 parent 189b13a commit f33e5d6
Showing 7 changed files with 27 additions and 24 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
@@ -11,6 +11,9 @@ All notable changes to this project will be documented in this file based on the
* Rename log.message to log.original. #106
* Rename `event.raw` to `event.original`.
* Rename `user_agent.raw` to `user_agent.original` and make it a keyword.
* Rename `file.path.raw` to `file.path.keyword`, `file.target_path.raw` to `file.target_path.keyword`,
`url.href.raw` to `url.href.keyword`, `url.path.raw` to `url.path.keyword`,
`url.query.raw` to `url.query.keyword`, and `network.name.raw` to `network.name.keyword`.

### Bugfixes

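Review bot: the new entry (`* Rename \`file.path.raw\` to \`file.path.keyword\`, ...`) omits the issue or PR reference that the neighbouring entries carry (for example `#106` on the `log.message` line); append `#103` or `#118` so the rename can be traced. Because a multi-field cannot be renamed inside an existing mapping, indices created from the previous template keep `.raw` while indices created from the new template get `.keyword`, so it is worth saying explicitly that saved searches, visualizations and detection queries that aggregate or filter on the old subfield names must be updated, and that both names will coexist across index rollover.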
12 changes: 6 additions & 6 deletions README.md
@@ -198,9 +198,9 @@ File fields provide details about each file.
| Field | Description | Type | Multi Field | Example |
|---|---|---|---|---|
| <a name="file.path"></a>file.path | Path to the file. | text | | |
| <a name="file.path.raw"></a>file.path.raw | Path to the file. This is a non-analyzed field that is useful for aggregations. | keyword | 1 | |
| <a name="file.path.keyword"></a>file.path.keyword | Path to the file. This is a non-analyzed field that is useful for aggregations. | keyword | 1 | |
| <a name="file.target_path"></a>file.target_path | Target path for symlinks. | text | | |
| <a name="file.target_path.raw"></a>file.target_path.raw | Path to the file. This is a non-analyzed field that is useful for aggregations. | keyword | 1 | |
| <a name="file.target_path.keyword"></a>file.target_path.keyword | Path to the file. This is a non-analyzed field that is useful for aggregations. | keyword | 1 | |
| <a name="file.extension"></a>file.extension | File extension.<br/>This should allow easy filtering by file extensions. | keyword | | `png` |
| <a name="file.type"></a>file.type | File type (file, dir, or symlink). | keyword | | |
| <a name="file.device"></a>file.device | Device that is the source of the file. | keyword | | |
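Review bot: the description of the renamed `file.target_path.keyword` row still reads "Path to the file.", copied from `file.path`; it should read "Target path for symlinks. This is a non-analyzed field that is useful for aggregations." to match its parent row. Since README.md, fields.yml and template.json all change in lockstep with schemas/ in this commit, the wording fix belongs in schemas/file.yml if these files are generated from it, otherwise it needs to be applied in each copy.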
@@ -299,7 +299,7 @@ Fields related to network data.
| Field | Description | Type | Multi Field | Example |
|---|---|---|---|---|
| <a name="network.name"></a>network.name | Name given by operators to sections of their network. | text | | `Guest Wifi` |
| <a name="network.name.raw"></a>network.name.raw | Name given by operators to sections of their network. | keyword | 1 | |
| <a name="network.name.keyword"></a>network.name.keyword | Name given by operators to sections of their network. | keyword | 1 | |
| <a name="network.protocol"></a>network.protocol | Network protocol name. | keyword | | `http` |
| <a name="network.direction"></a>network.direction | Direction of the network traffic.<br/>Recommended values are:<br/> * inbound<br/> * outbound<br/> * unknown | keyword | | `inbound` |
| <a name="network.forwarded_ip"></a>network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | | `192.1.1.2` |
@@ -404,14 +404,14 @@ URL fields provide a complete URL, with scheme, host, and path. The URL object c
| Field | Description | Type | Multi Field | Example |
|---|---|---|---|---|
| <a name="url.href"></a>url.href | Full url. The field is stored as keyword.<br/>`url.href` is a [multi field](https://www.elastic.co/guide/en/ elasticsearch/reference/6.2/ multi-fields.html#_multi_fields_with_multiple_analyzers). The data is stored as keyword `url.href` and test `url.href.analyzed`. These fields enable you to run a query against part of the url still works splitting up the URL at ingest time.<br/>`href` is an analyzed field so the parsed information can be accessed through `href.analyzed` in queries. | text | | `https://elastic.co:443/search?q=elasticsearch#top` |
| <a name="url.href.raw"></a>url.href.raw | The full URL. This is a non-analyzed field that is useful for aggregations. | keyword | 1 | |
| <a name="url.href.keyword"></a>url.href.keyword | The full URL. This is a non-analyzed field that is useful for aggregations. | keyword | 1 | |
| <a name="url.scheme"></a>url.scheme | Scheme of the request, such as "https".<br/>Note: The `:` is not part of the scheme. | keyword | | `https` |
| <a name="url.host.name"></a>url.host.name | Hostname of the request, such as "example.com".<br/>For correlation the this field can be copied into the `host.name` field. | keyword | | `elastic.co` |
| <a name="url.port"></a>url.port | Port of the request, such as 443. | integer | | `443` |
| <a name="url.path"></a>url.path | Path of the request, such as "/search". | text | | |
| <a name="url.path.raw"></a>url.path.raw | URL path. A non-analyzed field that is useful for aggregations. | keyword | 1 | |
| <a name="url.path.keyword"></a>url.path.keyword | URL path. A non-analyzed field that is useful for aggregations. | keyword | 1 | |
| <a name="url.query"></a>url.query | The query field describes the query string of the request, such as "q=elasticsearch".<br/>The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | text | | |
| <a name="url.query.raw"></a>url.query.raw | URL query part. A non-analyzed field that is useful for aggregations. | keyword | 1 | |
| <a name="url.query.keyword"></a>url.query.keyword | URL query part. A non-analyzed field that is useful for aggregations. | keyword | 1 | |
| <a name="url.fragment"></a>url.fragment | Portion of the url after the `#`, such as "top".<br/>The `#` is not part of the fragment. | keyword | | |
| <a name="url.username"></a>url.username | Username of the request. | keyword | | |
| <a name="url.password"></a>url.password | Password of the request. | keyword | | |
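Review bot: the `url.href` row's description is now inconsistent with this rename: it says the data is stored "as keyword `url.href` and test `url.href.analyzed`" (typo for "text"), while the Type column says `text` and the only multi-field defined in this table is `url.href.keyword`; no `.analyzed` subfield exists here. Suggest rewriting that sentence to describe `url.href` (text, for full-text queries) and `url.href.keyword` (keyword, for aggregations and exact matches), and dropping the `href.analyzed` reference. Two smaller points in the same hunk: "For correlation the this field" on the `url.host.name` row has a stray "the", and, unrelated to the rename but visible in the trailing context, `url.password` is indexed as a keyword, so a note that ingest pipelines should strip or redact credentials before indexing would help users avoid persisting secrets in searchable logs.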
12 changes: 6 additions & 6 deletions fields.yml
@@ -454,7 +454,7 @@
type: text
description: Path to the file.
multi_fields:
- name: raw
- name: keyword
type: keyword
description: >
Path to the file. This is a non-analyzed field that is useful
@@ -464,7 +464,7 @@
type: text
description: Target path for symlinks.
multi_fields:
- name: raw
- name: keyword
type: keyword
description: >
Path to the file. This is a non-analyzed field that is useful
@@ -764,7 +764,7 @@
Name given by operators to sections of their network.
example: Guest Wifi
multi_fields:
- name: raw
- name: keyword
type: keyword
description: >
Name given by operators to sections of their network.
@@ -1083,7 +1083,7 @@
through `href.analyzed` in queries.

multi_fields:
- name: raw
- name: keyword
type: keyword
description: >
The full URL. This is a non-analyzed field that is useful
@@ -1114,7 +1114,7 @@
description: >
Path of the request, such as "/search".
multi_fields:
- name: raw
- name: keyword
type: keyword
description: >
URL path. A non-analyzed field that is useful
@@ -1130,7 +1130,7 @@
the query field exists with an empty string. The `exists`
query can be used to differentiate between the two cases.
multi_fields:
- name: raw
- name: keyword
type: keyword
description: >
URL query part. A non-analyzed field that is useful
4 changes: 2 additions & 2 deletions schemas/file.yml
@@ -10,7 +10,7 @@
type: text
description: Path to the file.
multi_fields:
- name: raw
- name: keyword
type: keyword
description: >
Path to the file. This is a non-analyzed field that is useful
@@ -20,7 +20,7 @@
type: text
description: Target path for symlinks.
multi_fields:
- name: raw
- name: keyword
type: keyword
description: >
Path to the file. This is a non-analyzed field that is useful
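Review bot: the multi-field description under `target_path` ("Path to the file. This is a non-analyzed field that is useful ...") is copied from `path`; make it "Target path for symlinks. This is a non-analyzed field that is useful for aggregations." This hunk only renames the subfield from `raw` to `keyword`, so it is the right moment to fix the copy-paste at the source before it is carried into fields.yml and README.md again.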
2 changes: 1 addition & 1 deletion schemas/network.yml
@@ -12,7 +12,7 @@
Name given by operators to sections of their network.
example: Guest Wifi
multi_fields:
- name: raw
- name: keyword
type: keyword
description: >
Name given by operators to sections of their network.
6 changes: 3 additions & 3 deletions schemas/url.yml
@@ -24,7 +24,7 @@
through `href.analyzed` in queries.
multi_fields:
- name: raw
- name: keyword
type: keyword
description: >
The full URL. This is a non-analyzed field that is useful
@@ -55,7 +55,7 @@
description: >
Path of the request, such as "/search".
multi_fields:
- name: raw
- name: keyword
type: keyword
description: >
URL path. A non-analyzed field that is useful
@@ -71,7 +71,7 @@
the query field exists with an empty string. The `exists`
query can be used to differentiate between the two cases.
multi_fields:
- name: raw
- name: keyword
type: keyword
description: >
URL query part. A non-analyzed field that is useful
12 changes: 6 additions & 6 deletions template.json
@@ -297,7 +297,7 @@
},
"path": {
"fields": {
"raw": {
"keyword": {
"ignore_above": 1024,
"type": "keyword"
}
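Review bot: the renamed `keyword` subfield keeps `"ignore_above": 1024`, and the same setting applies to every subfield renamed in this file (`path`, `target_path`, `name`, `href`, `path`, `query`). Any value longer than 1024 characters is not indexed in the keyword subfield, so it silently disappears from terms aggregations and exact-match filters even though it is still present in `_source`; long URLs, query strings and deep file paths are exactly where log analysis hits this limit. The README's "useful for aggregations" wording should mention the cutoff, and it is worth deciding whether `url.href.keyword` and `url.query.keyword` need a higher limit or a documented truncation step at ingest.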
@@ -310,7 +310,7 @@
},
"target_path": {
"fields": {
"raw": {
"keyword": {
"ignore_above": 1024,
"type": "keyword"
}
@@ -514,7 +514,7 @@
},
"name": {
"fields": {
"raw": {
"keyword": {
"ignore_above": 1024,
"type": "keyword"
}
@@ -700,7 +700,7 @@
},
"href": {
"fields": {
"raw": {
"keyword": {
"ignore_above": 1024,
"type": "keyword"
}
@@ -714,7 +714,7 @@
},
"path": {
"fields": {
"raw": {
"keyword": {
"ignore_above": 1024,
"type": "keyword"
}
@@ -727,7 +727,7 @@
},
"query": {
"fields": {
"raw": {
"keyword": {
"ignore_above": 1024,
"type": "keyword"
}
