Change structure of URL #7
Conversation
README.md
Outdated
| | <a name="url.port"></a>`url.port` | The port of the request, e.g. 443. | long | | `443` | | ||
| | <a name="url.path"></a>`url.path` | The path of the request, e.g. "/search". | text | | | | ||
| | <a name="url.path.raw"></a>`url.path.raw` | The url path. This is a non-analyzed field that is useful for aggregations. | keyword | 1 | | | ||
| | <a name="url.query"></a>`url.query` | The search describes the query string of the request, e.g. "q=elasticsearch".<br/>The `?` is excluded from the query string. In case an URL contains no `?` it is expected that the query field is left out. In case there is a `?` but no query, the query field is expected to exist with an empty string. Like this the `exists` query can be used to differentiate between the two cases. | text | | | |
There was a problem hiding this comment.
“The search” still references the old field name.
README.md
Outdated
| | <a name="url.hash"></a>`url.hash` | The hash of the request URL, e.g. "top". | keyword | | | | ||
| | <a name="url.scheme"></a>`url.scheme` | The scheme of the request, e.g. "https".<br/>Note: The `:` is not part of the scheme. | keyword | | `https` | | ||
| | <a name="url.hostname"></a>`url.hostname` | The hostname of the request, e.g. "example.com".<br/>For correlation the this field can be copied into the `host.name` field. | keyword | | `elastic.co` | | ||
| | <a name="url.port"></a>`url.port` | The port of the request, e.g. 443. | long | | `443` | |
There was a problem hiding this comment.
The integer type should be large enough, is there any reason for going with long instead?
There was a problem hiding this comment.
In ES it does not really matter from a compression perspective if it is set as integer or long so we default to long. Agree that it is not needed here but it also does not make a difference.
There was a problem hiding this comment.
Still makes sense IMO to go with integer to signal to anyone implementing ECS the appropriate type to use in their implementation.
There was a problem hiding this comment.
@Mpdreamz The template example Elasticsearch template still has long inside because I reuse the code from Beats and there it automatically converts all integer to long for the template generation. Please ignore that for now.
schemas/url.yml
Outdated
| - name: port | ||
| type: keyword | ||
| type: long |
There was a problem hiding this comment.
integer since port numbers are unsigned 16-bit integers? Nitpicking :)
There was a problem hiding this comment.
And again already covered in a previous comment, I'll see myself out :)
So far the url structure was heavily inspired by whatwg/url#337. I initially only wanted to make some tweaks to it to improve querying but I realised I never fully felt comfortable with the field names used here. So I started to look at the url parser of different languages like Go, Ruby, Python and the output they provide are surprisingly similar but not consistent with whatwg. The change made here brings the field names closer to what most url parsers output.
So far the url structure was heavily inspired by whatwg/url#337. I initially only wanted to make some tweaks to it to improve querying but I realised I never fully felt comfortable with the field names used here. So I started to look at the url parser of different languages like Go, Ruby, Python and the output they provide are surprisingly similar but not consistent with whatwg. The change made here brings the field names closer to what most url parsers output.