Add a 'how to populate ECS fields' section to readme... #345
Conversation
There was a problem hiding this comment.
I think the following text would help clarify the "How to populate ECS fields" section.
How to perform a logical mapping of your event fields to ECS fields
In order to maximize the level of interoperability of your data with future analysis content (e.g., saved searches, visualizations, dashboards, alerts, machine learning jobs, reports, apps, etc.), whether this content is provided by Elastic or shared by the community, please keep the following guidelines in mind.
- Start by populating ECS Core fields. These fields are the most common across all use cases. Your implementation should attempt to populate as many of the ECS Core fields as practical.
-
- …even if these fields or values are metadata that are not present in your original event. For example, a firewall event shipped to the Elastic Stack over syslog may not actually include a field with value ”syslog,” but the ECS
agent.typefield should still be set to “syslog."
- …even if these fields or values are metadata that are not present in your original event. For example, a firewall event shipped to the Elastic Stack over syslog may not actually include a field with value ”syslog,” but the ECS
-
- …even if the data has already been mapped to one ECS field. For example, if you’ve mapped your event’s client IP address to ECS
client.ip, you can also copy the same value to ECSsource.ipand even ECSrelated.ip.
- …even if the data has already been mapped to one ECS field. For example, if you’ve mapped your event’s client IP address to ECS
- Populate as many ECS Extended fields as apply to the subject and use case of your event. ECS Extended fields generally apply to more narrow use cases, so feel free to skip ECS Extended fields that are not applicable to your use case.
- You're free to choose whether to copy your event fields to ECS fields, leaving your original fields intact as custom fields, or to rename your existing event fields to ECS, essentially migrating them to the ECS field names. Future ECS content and applications will depend only upon the presence of the ECS fields, and will ignore any custom fields.
Trying to work Mike's points in, as mentioned [here](elastic#334 (comment)).
|
Love this preamble. What if we reordered it like this?
|
|
Incorporated your feedback with the tweak I mention above. Let me know what you think of this proposal. |
|
@webmat LGTM 👍 |
Trying to work Mike's points in, as mentioned here: #334 (comment)