diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6888be6628..27ab7050c1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -29,6 +29,8 @@ All notable changes to this project will be documented in this file based on the
* Rename `event.version` to `ecs.version`. #169
* Remove the `http` field set temporarily. #171
* Remove the `user_agent` field set temporarily. #172
+* Rename `url.hostname` to `url.domain`. #175
+* Remove `source.hostname` and `destination.hostname`. #175
### Bugfixes
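Review bot: The entry for removing `source.hostname` and `destination.hostname` names no replacement, so someone upgrading an ingest pipeline cannot tell where the value should go now. The tables in this patch keep `source.domain` and `destination.domain`; if those are the intended targets, say so in the entry, the way the `url.hostname` line names `url.domain`.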
diff --git a/README.md b/README.md
index d58a9d78da..70364a3290 100644
--- a/README.md
+++ b/README.md
@@ -129,7 +129,6 @@ Destination fields describe details about the destination of a packet/event.
| Field | Description | Level | Type | Example |
|---|---|---|---|---|
| destination.ip | IP address of the destination.
Can be one or multiple IPv4 or IPv6 addresses. | core | ip | |
-| destination.hostname | Hostname of the destination. | core | keyword | |
| destination.port | Port of the destination. | core | long | |
| destination.mac | MAC address of the destination. | core | keyword | |
| destination.domain | Destination domain. | core | keyword | |
@@ -347,13 +346,12 @@ The service fields describe the service for or from which the data was collected
## Source fields
-Source fields describe details about the source of the event.
+Source fields describe details about the destination of a packet/event.
| Field | Description | Level | Type | Example |
|---|---|---|---|---|
| source.ip | IP address of the source.
Can be one or multiple IPv4 or IPv6 addresses. | core | ip | |
-| source.hostname | Hostname of the source. | core | keyword | |
| source.port | Port of the source. | core | long | |
| source.mac | MAC address of the source. | core | keyword | |
| source.domain | Source domain. | core | keyword | |
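Review bot: The new Source description reads "Source fields describe details about the destination of a packet/event.", which looks copied from the Destination section and inverts the meaning. It should say "the source of a packet/event". The same sentence is introduced in the `fields.yml` and `schemas/source.yml` hunks of this patch and needs the same correction there.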
@@ -361,14 +359,14 @@ Source fields describe details about the source of the event.
## URL fields
-URL fields provide a complete URL, with scheme, host, and path. The URL object can be reused in other prefixes, such as `host.url.*` for example. Keep the structure consistent whenever you use URL fields.
+URL fields provide a complete URL, with scheme, host, and path.
| Field | Description | Level | Type | Example |
|---|---|---|---|---|
-| url.original | Full original url. The field is stored as keyword. | extended | keyword | `https://elastic.co:443/search?q=elasticsearch#top` |
+| url.original | Full original url. The field is stored as keyword. | extended | keyword | `https://www.elastic.co:443/search?q=elasticsearch#top` |
| url.scheme | Scheme of the request, such as "https".
Note: The `:` is not part of the scheme. | extended | keyword | `https` |
-| url.hostname | Hostname of the request, such as "elastic.co".
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `hostname` field. | extended | keyword | `elastic.co` |
+| url.domain | Domain of the request, such as "www.elastic.co".
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | extended | keyword | `www.elastic.co` |
| url.port | Port of the request, such as 443. | extended | integer | `443` |
| url.path | Path of the request, such as "/search". | extended | keyword | |
| url.query | The query field describes the query string of the request, such as "q=elasticsearch".
The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | extended | keyword | |
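Review bot: In the `url.domain` row the example moves from `elastic.co` to `www.elastic.co`, so the field evidently holds the full host part of the URL, subdomain included, but the description only says "Domain of the request". Please state that explicitly, and say whether `source.domain` and `destination.domain` (described elsewhere in this README only as "Source domain." and "Destination domain.") follow the same convention. Anyone aggregating or alerting on these fields needs to know whether they are comparing full host names or registered domains.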
diff --git a/fields.yml b/fields.yml
index 9c8e09b42e..cb23f0eb4b 100644
--- a/fields.yml
+++ b/fields.yml
@@ -252,12 +252,6 @@
Can be one or multiple IPv4 or IPv6 addresses.
- - name: hostname
- level: core
- type: keyword
- description: >
- Hostname of the destination.
-
- name: port
level: core
type: long
@@ -1069,7 +1063,8 @@
title: Source
group: 2
description: >
- Source fields describe details about the source of the event.
+ Source fields describe details about the destination of a
+ packet/event.
type: group
fields:
@@ -1081,12 +1076,6 @@
Can be one or multiple IPv4 or IPv6 addresses.
- - name: hostname
- level: core
- type: keyword
- description: >
- Hostname of the source.
-
- name: port
level: core
type: long
@@ -1108,9 +1097,7 @@
- name: url
title: URL
description: >
- URL fields provide a complete URL, with scheme, host, and path. The URL
- object can be reused in other prefixes, such as `host.url.*` for
- example. Keep the structure consistent whenever you use URL fields.
+ URL fields provide a complete URL, with scheme, host, and path.
type: group
fields:
@@ -1119,7 +1106,7 @@
type: keyword
description: >
Full original url. The field is stored as keyword.
- example: https://elastic.co:443/search?q=elasticsearch#top
+ example: https://www.elastic.co:443/search?q=elasticsearch#top
- name: scheme
level: extended
@@ -1130,15 +1117,15 @@
Note: The `:` is not part of the scheme.
example: https
- - name: hostname
+ - name: domain
level: extended
type: keyword
description: >
- Hostname of the request, such as "elastic.co".
+ Domain of the request, such as "www.elastic.co".
In some cases a URL may refer to an IP and/or port directly, without a
- domain name. In this case, the IP address would go to the `hostname` field.
- example: elastic.co
+ domain name. In this case, the IP address would go to the `domain` field.
+ example: www.elastic.co
- name: port
level: extended
diff --git a/schema.csv b/schema.csv
index f9c62f663e..7589eca1dd 100644
--- a/schema.csv
+++ b/schema.csv
@@ -22,7 +22,6 @@ container.labels,object,extended,
container.name,keyword,extended,
container.runtime,keyword,extended,docker
destination.domain,keyword,core,
-destination.hostname,keyword,core,
destination.ip,ip,core,
destination.mac,keyword,core,
destination.port,long,core,
@@ -110,13 +109,12 @@ service.state,keyword,core,
service.type,keyword,core,elasticsearch
service.version,keyword,core,3.2.4
source.domain,keyword,core,
-source.hostname,keyword,core,
source.ip,ip,core,
source.mac,keyword,core,
source.port,long,core,
+url.domain,keyword,extended,www.elastic.co
url.fragment,keyword,extended,
-url.hostname,keyword,extended,elastic.co
-url.original,keyword,extended,https://elastic.co:443/search?q=elasticsearch#top
+url.original,keyword,extended,https://www.elastic.co:443/search?q=elasticsearch#top
url.password,keyword,extended,
url.path,keyword,extended,
url.port,integer,extended,443
diff --git a/schemas/destination.yml b/schemas/destination.yml
index 777c435ef7..cde74dc6c3 100644
--- a/schemas/destination.yml
+++ b/schemas/destination.yml
@@ -16,12 +16,6 @@
Can be one or multiple IPv4 or IPv6 addresses.
- - name: hostname
- level: core
- type: keyword
- description: >
- Hostname of the destination.
-
- name: port
level: core
type: long
diff --git a/schemas/source.yml b/schemas/source.yml
index 86e9ef8eb5..0465a95376 100644
--- a/schemas/source.yml
+++ b/schemas/source.yml
@@ -3,7 +3,8 @@
title: Source
group: 2
description: >
- Source fields describe details about the source of the event.
+ Source fields describe details about the destination of a
+ packet/event.
type: group
fields:
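Review bot: The replacement description says Source fields describe "the destination of a packet/event"; that should read "source". If `README.md` and `fields.yml` are produced from this file, correcting it here and regenerating fixes all three copies.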
@@ -15,12 +16,6 @@
Can be one or multiple IPv4 or IPv6 addresses.
- - name: hostname
- level: core
- type: keyword
- description: >
- Hostname of the source.
-
- name: port
level: core
type: long
diff --git a/schemas/url.yml b/schemas/url.yml
index 7f87c8f16d..32a6b7d848 100644
--- a/schemas/url.yml
+++ b/schemas/url.yml
@@ -2,9 +2,7 @@
- name: url
title: URL
description: >
- URL fields provide a complete URL, with scheme, host, and path. The URL
- object can be reused in other prefixes, such as `host.url.*` for
- example. Keep the structure consistent whenever you use URL fields.
+ URL fields provide a complete URL, with scheme, host, and path.
type: group
fields:
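Review bot: The description drops the guidance that the URL object can be reused under other prefixes (`host.url.*`), but the CHANGELOG hunk in this patch lists only the rename and the hostname removals. If reuse under other prefixes is no longer supported, add a changelog entry for it; if it still is, keep the sentence.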
@@ -13,7 +11,7 @@
type: keyword
description: >
Full original url. The field is stored as keyword.
- example: https://elastic.co:443/search?q=elasticsearch#top
+ example: https://www.elastic.co:443/search?q=elasticsearch#top
- name: scheme
level: extended
@@ -24,15 +22,15 @@
Note: The `:` is not part of the scheme.
example: https
- - name: hostname
+ - name: domain
level: extended
type: keyword
description: >
- Hostname of the request, such as "elastic.co".
+ Domain of the request, such as "www.elastic.co".
In some cases a URL may refer to an IP and/or port directly, without a
- domain name. In this case, the IP address would go to the `hostname` field.
- example: elastic.co
+ domain name. In this case, the IP address would go to the `domain` field.
+ example: www.elastic.co
- name: port
level: extended
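Review bot: The `domain` description still routes IP literals into this field, which stays `type: keyword`. An IP-only URL therefore cannot be matched with `ip`-type range or CIDR queries on `url.domain`, and every consumer has to tell names from addresses itself. Either spell that limitation out in the description or say where the parsed address should additionally be stored.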
diff --git a/template.json b/template.json
index f3072d694b..f6628e4bf1 100644
--- a/template.json
+++ b/template.json
@@ -128,10 +128,6 @@
"ignore_above": 1024,
"type": "keyword"
},
- "hostname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
"ip": {
"type": "ip"
},
@@ -537,10 +533,6 @@
"ignore_above": 1024,
"type": "keyword"
},
- "hostname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
"ip": {
"type": "ip"
},
@@ -559,11 +551,11 @@
},
"url": {
"properties": {
- "fragment": {
+ "domain": {
"ignore_above": 1024,
"type": "keyword"
},
- "hostname": {
+ "fragment": {
"ignore_above": 1024,
"type": "keyword"
},
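Review bot: `url.hostname` is dropped from the mapping and `url.domain` added with nothing bridging the two, and the two hunks above remove `hostname` without any replacement mapping at all. Saved searches, dashboards and detection rules that still reference the old names will silently stop matching new data rather than fail. Consider adding a migration note for all three fields, or an `alias`-type mapping from `url.hostname` to `url.domain` for a transition period.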