Background:
As we transitioned beats to ECS in 6.x and 7.0, we made breaking changes to change beat.hostname to agent.hostname. However, agent.hostname is not an ECS field, and is not expected to ever become an ECS field (see elastic/ecs#178 (comment))
ECS has two relevant fields host.name and host.hostname. host.name is populated for most beats, except for heartbeat (see #12107) and APM, even if add_host_metadata is not enabled.
host.hostname is added when add_host_metadata is enabled.
Generally, host.name and host.hostname will contain the same information.
Describe the enhancement:
Modify any dashboard, saved search, alert, ML job, or other module content or solution widget that uses agent.hostname to instead use ECS host.name.
** Strikethrough if not applicable
Note 1: If the module or solution expressly and by default enables add_host_metadata, and there is a specific need the capture the (uncommon) distinction of host.hostname vs. host.name, then host.hostname may be used. Otherwise, all use of agent.hostname should be changed to host.name.
Note 2: It is probably best to continue to populate agent.hostname in the events themselves since users have built content using it, and we don't want to make yet another breaking change for them.
Describe a specific use case for the enhancement or feature:
Users are confused as to which field they should be using in their dashboards, as there has been a number of changes starting with 6.3. They hoped that they'd need to make one set of changes to get to ECS. They see agent.hostname being used in our dashboards and think it is the default, and that they should use it, but it's not an ECS field.
Related Issues:
#11860
#11790
Background:
As we transitioned beats to ECS in 6.x and 7.0, we made breaking changes to change
beat.hostnametoagent.hostname. However,agent.hostnameis not an ECS field, and is not expected to ever become an ECS field (see elastic/ecs#178 (comment))ECS has two relevant fields
host.nameandhost.hostname.host.nameis populated for most beats, except for heartbeat (see #12107) and APM, even if add_host_metadata is not enabled.host.hostnameis added when add_host_metadata is enabled.Generally,
host.nameandhost.hostnamewill contain the same information.Describe the enhancement:
Modify any dashboard, saved search, alert, ML job, or other module content or solution widget that uses
agent.hostnameto instead use ECShost.name.SIEM App Widgets**
Strikethroughif not applicableNote 1: If the module or solution expressly and by default enables add_host_metadata, and there is a specific need the capture the (uncommon) distinction of
host.hostnamevs.host.name, thenhost.hostnamemay be used. Otherwise, all use ofagent.hostnameshould be changed tohost.name.Note 2: It is probably best to continue to populate
agent.hostnamein the events themselves since users have built content using it, and we don't want to make yet another breaking change for them.Describe a specific use case for the enhancement or feature:
Users are confused as to which field they should be using in their dashboards, as there has been a number of changes starting with 6.3. They hoped that they'd need to make one set of changes to get to ECS. They see agent.hostname being used in our dashboards and think it is the default, and that they should use it, but it's not an ECS field.
Related Issues:
#11860
#11790