Keep unparsed user agent information in user_agent.original #8537
kvch merged 5 commits into elastic:master from
Conversation
Change LGTM. I think it will need a Changelog entry. I have second thoughts about whether we should backport this to 6.x or not (not only raw to original, but the overall change).
Why? I think it can provide useful information in case of exotic user agents. I assume when someone investigates weird events happening in his/her network, it's possible that the person who might be lurking around leaves behind "unconventional" user agents.
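To illustrate the point made above about exotic user agents, here is an added example that is not code from the beats repository or from this PR: a small set of heuristics run over constructed sample events that carry `user_agent.original`. The event shape, the tool list in `KNOWN_TOOLS`, the regex and the function names `classify_user_agent` and `flag_events` are all assumptions for illustration. The parsed `name`/`version`/`os` fields collapse every odd case to "Other"; only the unparsed string lets the check see what was actually sent.

```python
"""Flag suspicious user agents from events that keep user_agent.original.

Added example, not code from the beats repository or this PR. The events
below are constructed sample data; the heuristics and function names are
assumptions for illustration.
"""
import re
from typing import Iterable, List, Tuple

# Constructed sample events, in the shape a user_agent processor would emit:
# parsed fields plus the unparsed string in user_agent.original.
SAMPLE_EVENTS = [
    {"user_agent": {"name": "Chrome", "version": "69.0.3497",
                    "os": {"name": "Windows"},
                    "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                                "AppleWebKit/537.36 (KHTML, like Gecko) "
                                "Chrome/69.0.3497.100 Safari/537.36"}},
    {"user_agent": {"name": "Other", "version": "", "os": {"name": "Other"},
                    "original": "sqlmap/1.2.9#stable (http://sqlmap.org)"}},
    {"user_agent": {"name": "Other", "version": "", "os": {"name": "Other"},
                    "original": "Mozilla/5.0 () { :;}; /bin/bash -c 'id'"}},
    {"user_agent": {"name": "Other", "version": "", "os": {"name": "Other"},
                    "original": "A" * 600}},
    {"user_agent": {"name": "curl", "version": "7.61.0", "os": {"name": "Other"},
                    "original": "curl/7.61.0"}},
]

# Substrings of well-known scanners and tooling (assumption: a starter list, not exhaustive).
KNOWN_TOOLS = ("sqlmap", "nikto", "masscan", "nmap", "zgrab", "python-requests")

# Shellshock-style "() {" prefix and shell metacharacters that do not belong in a UA.
SHELL_PATTERN = re.compile(r"\(\)\s*\{|;\s*/bin/|\$\(|`")

MAX_UA_LENGTH = 512  # assumption: anything longer is worth a look


def classify_user_agent(ua: str) -> List[str]:
    """Return the reasons a user agent string looks suspicious (empty list if none)."""
    reasons = []
    lowered = ua.lower()
    if not ua:
        reasons.append("empty")
    if any(tool in lowered for tool in KNOWN_TOOLS):
        reasons.append("known-tool")
    if SHELL_PATTERN.search(ua):
        reasons.append("shell-metacharacters")
    if len(ua) > MAX_UA_LENGTH:
        reasons.append("oversized")
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in ua):
        reasons.append("non-printable")
    return reasons


def flag_events(events: Iterable[dict]) -> List[Tuple[str, List[str]]]:
    """Run the heuristics over events, reading user_agent.original rather than
    the parsed name/version, and return (truncated UA, reasons) for each hit."""
    flagged = []
    for event in events:
        original = event.get("user_agent", {}).get("original", "")
        reasons = classify_user_agent(original)
        if reasons:
            flagged.append((original[:60], reasons))
    return flagged


if __name__ == "__main__":
    for ua, reasons in flag_events(SAMPLE_EVENTS):
        print(f"{reasons}: {ua}")
```

Run as a script it prints the three flagged events (the sqlmap banner, the Shellshock-style payload and the oversized string); the Chrome and curl events pass. The same heuristics could not be expressed against `user_agent.name` alone, since the parser reports "Other" for all three.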
bc1e9e9 to 3b450ed
Added changelog entry && rebased the branch
CHANGELOG.asciidoc
| - Add tag "multiline" to "log.flags" if event consists of multiple lines. {pull}7997[7997] | ||
| - Add haproxy module. {pull}8014[8014] | ||
| - Release `docker` input as GA. {pull}8328[8328] | ||
| - Rename user_agent.raw to user_ageint.original to follow ECS conventions. {pull}8537[8537] |
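Review bot: the new entry on the last line misspells the field as `user_ageint.original`; it should read `user_agent.original`, otherwise the changelog will not match the field name users search for. Since `user_agent.raw` has not been released, consider folding this rename into the entry that introduced the field rather than adding a second entry for the same change.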
If this hasn't been released yet, what about editing the previous entry instead of adding two for the same thing?
@kvch A few thoughts around this that recently came up:
@ruflin are you ok with merging this as is?
| The name of the operating system. | ||
| - name: raw | ||
| - name: original | ||
| type: text |
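Review bot: `type: text` on the renamed `original` field does not match ECS, which defines `user_agent.original` as `keyword`. With `index: false` on the field the type has no effect on indexing, but it is what ends up in the generated field docs, so consider `type: keyword` here to keep the docs consistent with ECS.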
As we set index: false it should not matter here what type is defined. In ECS it seems we put keyword. Only reason I mention this is we should check later what shows up in the docs for non indexed fields.
Got it. Thanks for the info.
@kvch LGTM. Did an additional commit to resolve a CHANGELOG conflict.
Failing tests are unrelated.
`user_agent.raw` has been renamed to `user_agent.original`. As this field is not yet released I am renaming it to follow conventions.