In #84, there was a good conversation about what source.domain and destination.domain mean. However, today, the documentation for destination.domain reads:
Destination domain.
This field (and source.domain) is not documented sufficiently. If someone can explain to me what it is supposed to be (is it just FQDN?), I can add an example to the documentation.
The [source|destination].domain should be populated with the domain name system address of the source/destination, if present in the event or known through some sort of event enrichment. As the docs describe, the .address field is populated first, and then the value duplicated to .ip or .domain.
I agree that the current descriptions for destination.domain and source.domain need improvement. These field descriptions were part of the original ECS 0.1.0 spec and were never revisited when [destination|source].hostname was later removed (as you linked). There's also a section in the docs that describes mapping network events, in which we could also include examples that populate the .domain fields.
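The population order described in the reply above (raw value into `.address`, then duplicated to `.ip` or `.domain`), sketched as an added example that is not part of the original thread or of the ECS project's code. The function names, the bracket and zone-id handling, and the sample addresses are assumptions made for illustration.

```python
import ipaddress


def populate_endpoint(address):
    """Return the ECS fields for one side (source or destination) of an event.

    The raw value always goes to 'address'. It is then duplicated to 'ip' when
    it parses as an IPv4/IPv6 address, otherwise to 'domain'.
    """
    candidate = address.strip()
    if not candidate:
        return {}  # nothing in the event, so no fields are set
    fields = {"address": address}
    # Assumption: some log sources bracket IPv6 literals, e.g. "[2001:db8::1]".
    if candidate.startswith("[") and candidate.endswith("]"):
        candidate = candidate[1:-1]
    # Assumption: an IPv6 zone id ("fe80::1%eth0") is dropped before parsing.
    ip_part = candidate.split("%", 1)[0]
    try:
        fields["ip"] = str(ipaddress.ip_address(ip_part))
    except ValueError:
        # Not an IP address: treat the value as a DNS name.
        fields["domain"] = candidate
    return fields


def map_network_event(src_address, dst_address):
    """Build the source/destination part of an ECS document."""
    doc = {}
    for side, raw in (("source", src_address), ("destination", dst_address)):
        fields = populate_endpoint(raw)
        if fields:
            doc[side] = fields
    return doc


if __name__ == "__main__":
    # Constructed sample values (documentation ranges and example.com).
    print(map_network_event("192.0.2.10", "www.example.com"))
    print(map_network_event("[2001:db8::1]", "198.51.100.7"))
```
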