Clarify the difference between @timestamp and event.created #329
Conversation
schemas/base.yml
Outdated
| @@ -14,8 +14,11 @@ | |||
| description: > | |||
| Date/time when the event originated. | |||
|
|
|||
| For log events this is the date/time when the event was generated, and | |||
| not when it was read. | |||
| This is the date/time extracted from the event, representing when the | |||
There was a problem hiding this comment.
should probably say "This is the date/time extracted from the event, typically representing when the"
schemas/base.yml
Outdated
| This is the date/time extracted from the event, representing when the | ||
| event was generated by the source. | ||
|
|
||
| If the event source has no original timestamp, this value must be |
There was a problem hiding this comment.
"this value must be" seems too restrictive. We've previously defined must and should semantics to indicate whether ECS will break or will cause unexpected results. I suggest changing this to "this value is typically"
schemas/event.yml
Outdated
| The same could apply to package capturing where @timestamp contains the | ||
| timestamp extracted from the network package and event.created when the | ||
| event was created. | ||
| event.created contains the time when the event was first read by an |
There was a problem hiding this comment.
"event.created contains the time when the event was first read by an" should be
"event.created typically contains the date/time when the event was first read by an"
schemas/event.yml
Outdated
| event.created contains the time when the event was first read by an | ||
| agent, or by your pipeline. | ||
|
|
||
| This field is distinct from @timestamp in that @timestamp should contain |
There was a problem hiding this comment.
"This field is distinct from @timestamp in that @timestamp should contain" should be
"This field is distinct from @timestamp in that @timestamp typically contains"
schemas/event.yml
Outdated
| the time extracted from the original event. | ||
|
|
||
| In most situations, these two timestamps will be slightly different. | ||
| The difference will represent the delay between your source |
There was a problem hiding this comment.
"The difference will represent the delay between your source" could be
"The difference can be used to calculate the delay between your source"
schemas/event.yml
Outdated
|
|
||
| In most situations, these two timestamps will be slightly different. | ||
| The difference will represent the delay between your source | ||
| generating it, when your agent first processed it. This can be used to |
There was a problem hiding this comment.
"generating it, when your agent first processed it. This can be used to" should be
"generating an event, and the time when your agent first processed it. This can be used to"
schemas/event.yml
Outdated
| In most situations, these two timestamps will be slightly different. | ||
| The difference will represent the delay between your source | ||
| generating it, when your agent first processed it. This can be used to | ||
| monitor your agent's ability to keep up with your event source. |
There was a problem hiding this comment.
"monitor your agent's ability to keep up with your event source." should be
"monitor your agent's or pipeline's ability to keep up with your event source."
f8634b5
to
f2b66cd
Compare
a204120
to
7de764b
Compare
76bf9ed
to
812280c
Compare
Latter to try to avoid further conflicts with other PRs
Closes #326