Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

event fields confuse what "event" refers to #1059

Closed
rsk0 opened this issue Oct 28, 2020 · 4 comments
Closed

event fields confuse what "event" refers to #1059

rsk0 opened this issue Oct 28, 2020 · 4 comments
Labels
review

Comments

@rsk0
Copy link

rsk0 commented Oct 28, 2020

Description of the issue:
There are two different senses of the term "event" being used in this field set.

  • an “event” is something that happened, like a client requesting a URL or a process starting on a host
  • an “event” is a record of something that happened

The most natural common expectation for what "event" means is the first item here. An event is something that happens, and we can talk about that particular happening: when it occurred, how long it lasted, what exactly happened, etc. Most event fields are for this sense. I say it's a "common" expectation because it depends on context. Sometimes instead...

There is another useful sense, talking about "event" as the record of the happening. We care about this sense in certain contexts, like when we're dealing with the record of the event moving through our event capturing/recording pipeline. For this, fields like ingested and created help us know about movement through the pipeline of the record of the event. But note that we're not talking about "event" in the sense of the original thing that happened now. created is not talking about how or when the original process activation got "created". It's talking about this record.

Any additional context or examples:
This is maybe something of a small issue, or at least subtle and maybe inconvenient or awkward to try to resolve. I found myself temporarily boggling when trying to figure out the specific meanings of the various time-related fields until I realized we were talking about two different things. (My context here is trying to add pipeline processing timing metadata to event records.)

This is not a pipe.
@rsk0 rsk0 added the bug Something isn't working label Oct 28, 2020
@rsk0
Copy link
Author

rsk0 commented Oct 28, 2020

Additional discussion context in the Elastic community Slack channel for ECS

@rsk0
Copy link
Author

rsk0 commented Oct 28, 2020

Pardon me, is there a way to link additional relevant issues (outside of commenting)?

  • [meta] Add support for pipeline details in ECS (#940)

@webmat webmat removed the bug Something isn't working label Nov 3, 2020
@ebeahan ebeahan added the review label Nov 17, 2020
@webmat webmat mentioned this issue Dec 1, 2020
Open
@webmat
Copy link
Contributor

webmat commented Dec 1, 2020

Thanks for capturing your thoughts here @rsk0!

I agree that these two timestamps don't currently have the best names. They indeed stand out as very Elastic-centric amidst a lot of fields that are centered on actual event details.

This is indeed related to #940: when fleshing out how to capture pipeline information (including timings), we should find better names for these two fields. When those are available, we can deprecate the timestamp fields you're bringing up above.

I've added a reference to this issue in #940 to make sure we consider the points you're raised here, when we work on the pipeline details.

Are you ok if we close this issue?

@ebeahan
Copy link
Member

ebeahan commented Dec 15, 2020

Will continue pursuing in #940

@ebeahan ebeahan closed this as completed Dec 15, 2020
@rsk0 rsk0 mentioned this issue Aug 20, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
review
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@webmat @ebeahan @rsk0