[DOCS] Network community ID processor for ingest pipelines #66592
danhermann merged 4 commits into elastic:master from
Pinging @elastic/es-docs (Team:Docs)

Pinging @elastic/es-core-features (Team:Core/Features)
| <titleabbrev>Community ID</titleabbrev> | ||
| ++++ | ||
| Computes the Community ID for flow data as defined in the |
WDYT about copying the first three paragraphs from Beats verbatim?
I'll defer to the ES Docs team reviewer on this one as I have no strong inclination either way.
I don't think we should copy the paragraphs verbatim. That text is pretty Beats-centric. However, we can include a brief sentence about how a community ID is used and the ECS defaults. I've included a related suggestion below.
| | `iana_number` | no | `network.iana_number` | Field containing the IANA number. | ||
| | `icmp_type` | no | `icmp.type` | Field containing the ICMP type. | ||
| | `icmp_code` | no | `icmp.code` | Field containing the ICMP code. | ||
| | `transport` | no | `network.transport` | Field containing the transport protocol. |
Should we mention that this field is only used when the iana_number field does not exist?
Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
jrodewig
left a comment
LGTM. I left a few suggestions but nothing I would consider blocking (except a minor typo).
Thanks, @danhermann!
| include::common-options.asciidoc[] | ||
| |====== | ||
| Here is an example definition of the URI parts processor: |
| Here is an example definition of the URI parts processor: | |
| Here is an example definition of the community ID processor: |
| Computes the Community ID for flow data as defined in the | ||
| https://github.com/corelight/community-id-spec[Community ID Specification]. |
Lowercases community ID. Also adds a few additional sentences as noted above.
| Computes the Community ID for flow data as defined in the | |
| https://github.com/corelight/community-id-spec[Community ID Specification]. | |
| Computes the community ID for network flow data as defined in the | |
| https://github.com/corelight/community-id-spec[Community ID Specification]. You | |
| can use a community ID to correlate network events related to a single flow. | |
| The community ID processor reads network flow data from related | |
| {ecs-ref}[Elastic Common Schema (ECS)] fields by default. If you use the ECS, no | |
| configuration is required. |
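Review bot: the added sentence "If you use the ECS, no configuration is required" in this hunk reads too strongly given the `seed` option documented further down, which this same file describes as preventing hash collisions between network domains; suggest qualifying it, e.g. "If you use the ECS, no field configuration is required; set `seed` when correlating flows across network domains."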
| Used only when the `iana_number` field is not present. | ||
| | `target_field` | no | `network.community_id` | Output field for the community ID. | ||
| | `seed` | no | `0` | Seed for the community ID hash. Must be between | ||
| 0 and 65535. This can be use to prevent hash collisions between network domains |
It's not clear if this range is inclusive or exclusive, though you can guess from the default. I'd just add a parenthetical afterward, e.g. (inclusive).
| 0 and 65535. This can be use to prevent hash collisions between network domains | |
| `0` and `65535` (inclusive). The seed prevents hash collisions between network domains, |
Depends on #66534.