Metricbeat: Collect accumulated docker network metrics

[jsoriano]

Collect accumulated docker network metrics and mark previous metrics as deprecated.

Fixes #7240

[ruflin]

Needs rebase

[ruflin]

To follow ECS, should it be on the root level? Meaning having it under network.inbound.bytes ?

[jsoriano]

Umm, you are right, I was misinterpreting ECS for this case, would it be ok to have this without the docker preffix?

[ruflin]

If the content of the field matches ECS I would say yes.

[jsoriano]

@ruflin I have done the changes for more proper ECS, this would probably require its own PR, but lets discuss all together before.

[jsoriano]

I have added this for common fields that are not (yet) in ECS, but they could be in the future. Changes here should be followed by discussions/PRs in ECS repo.
We could also use the commons file for that, but I think that it's fine to leave the common file for things needed by beats but that don't make sense in ECS.

[jsoriano]

This file should probably be automatically generated from https://github.com/elastic/ecs/tree/master/schemas

[ruflin]

Agree. Let's keep it manual for now to not add fields we don't use at the moment.

[jsoriano]

Three events would be created now:

• Incoming traffic
• Outgoing traffic
• Legacy event

[jsoriano]

This event contains only inbound data, there would be another one with outbound data.

[ruflin]

In general I like the addition of ECS on the top level. The part I worry about is that for example winlogbeat template contains now more unused fields then before but I think it's a worthy tradeoff. Perhaps we could let each beat configure which ECS prefixes he wants to use.

Left a few comments / questions.

[ruflin]

Agree. Let's keep it manual for now to not add fields we don't use at the moment.

[ruflin]

We should start making use of this flag in the docs.

[ruflin]

I would still expect that 1 event is sent out with all the stats inside. It seems now we send out 3 events? Why not combine inbound and outbound?

[jsoriano]

I did that initially, but then I saw that we have a network.direction field in ECS, then I though that according to ECS we'd have different events for inbound and outbound traffic. Not sure what would be the use case for this field if not used for something like this.

[ruflin]

Not sure I would mix the container to the root level into this PR.

[jsoriano]

The idea is to move the container fields to ECS structure too.

[ruflin]

yay, v2 reporter.

[jsoriano]

Essential for migration to ECS 😄

[ruflin]

As discussed yesterday, lets move the ECS part to an other PR and continue at the moment with just adding the new fields. I still would like to see the change to v2 reporter ;-)

[jsoriano]

I have reverted the changes for ECS, but kept the change to v2 reporter, I opened #7301 to continue discussion on ECS. I think we should backport this for 6.3.1.

[ruflin]

Should this be long?

[jsoriano]

Yes, all these fields should be long, I'll change it.

[ruflin]

Long?

[ruflin]

@jsoriano Do you want to backport it to 6.3?

[jsoriano]

I have opened backport (#7363), but this is not a fix. In any case all related changes are already in 6.3, so I think it can make sense to merge this too.