Update ECS version to 1.12 (#1693)

Author: marc-gr

packages/haproxy/_dev/build/build.yml

@@ -1,3 +1,3 @@
 dependencies:
  ecs:
- reference: git@1.11
+ reference: git@1.12

packages/haproxy/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.6.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1693
 - version: "0.5.3"
  changes:
  - description: Convert to generated ECS fields

packages/haproxy/data_stream/info/fields/ecs.yml

@@ -1,16 +1,8 @@
-- fields:
- - description: Process id.
- format: string
- level: core
- name: pid
- type: long
- group: 2
+- external: ecs
  name: process
- title: Process
- type: group
-- description: Service address
+- external: ecs
+ name: process.pid
+- external: ecs
  name: service.address
- type: keyword
-- description: Service type
+- external: ecs
  name: service.type
- type: keyword

packages/haproxy/data_stream/log/_dev/test/pipeline/test-default.log-expected.json

@@ -7,7 +7,7 @@
  },
  "@timestamp": "2021-09-20T15:42:59.000Z",
  "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
  },
  "related": {
  "ip": [

packages/haproxy/data_stream/log/_dev/test/pipeline/test-haproxy.log-expected.json

@@ -33,7 +33,7 @@
  ],
  "@timestamp": "2018-07-30T09:03:52.726Z",
  "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
  },
  "related": {
  "ip": [
@@ -115,7 +115,7 @@
  ],
  "@timestamp": "2021-05-22T02:22:22.222Z",
  "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
  },
  "haproxy": {
  "server_name": "node2",

packages/haproxy/data_stream/log/_dev/test/pipeline/test-httplog-no-headers.log-expected.json

@@ -20,7 +20,7 @@
  ],
  "@timestamp": "2018-12-10T12:01:46.395Z",
  "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
  },
  "related": {
  "ip": [
@@ -97,7 +97,7 @@
  ],
  "@timestamp": "2018-12-10T15:46:49.497Z",
  "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
  },
  "related": {
  "ip": [
@@ -174,7 +174,7 @@
  ],
  "@timestamp": "2018-12-10T15:48:56.017Z",
  "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
  },
  "related": {
  "ip": [

packages/haproxy/data_stream/log/_dev/test/pipeline/test-tcplog.log-expected.json

@@ -8,7 +8,7 @@
  },
  "@timestamp": "2018-09-20T15:44:23.285Z",
  "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
  },
  "related": {
  "ip": [

packages/haproxy/data_stream/log/elasticsearch/ingest_pipeline/default.yml

@@ -7,7 +7,7 @@ processors:
  value: "{{ _ingest.timestamp }}"
  - set:
  field: ecs.version
- value: '1.11.0'
+ value: '1.12.0'
  - rename:
  field: message
  target_field: event.original

packages/haproxy/data_stream/stat/fields/ecs.yml

@@ -1,16 +1,8 @@
-- fields:
- - description: Process id.
- format: string
- level: core
- name: pid
- type: long
- group: 2
+- external: ecs
  name: process
- title: Process
- type: group
-- description: Service address
+- external: ecs
+ name: process.pid
+- external: ecs
  name: service.address
- type: keyword
-- description: Service type
+- external: ecs
  name: service.type
- type: keyword

packages/haproxy/docs/README.md

@@ -86,12 +86,12 @@ The `log` dataset collects the HAProxy application logs.
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | http.request.body.bytes | Size in bytes of the request body. | long |
-| http.request.body.content | The full HTTP request body. | keyword |
+| http.request.body.content | The full HTTP request body. | wildcard |
 | http.request.bytes | Total size in bytes of the request (body and headers). | long |
 | http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword |
 | http.request.referrer | Referrer for this HTTP request. | keyword |
 | http.response.body.bytes | Size in bytes of the response body. | long |
-| http.response.body.content | The full HTTP response body. | keyword |
+| http.response.body.content | The full HTTP response body. | wildcard |
 | http.response.bytes | Total size in bytes of the response (body and headers). | long |
 | http.response.status_code | HTTP response status code. | long |
 | http.version | HTTP version. | keyword |
@@ -115,10 +115,10 @@ The `log` dataset collects the HAProxy application logs.
 | url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
 | url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
 | url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
-| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword |
+| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
 | url.password | Password of the request. | keyword |
-| url.path | Path of the request, such as "/search". | keyword |
+| url.path | Path of the request, such as "/search". | wildcard |
 | url.port | Port of the request, such as 443. | long |
 | url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
 | url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
@@ -348,9 +348,10 @@ The fields reported are:
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group |
 | process.pid | Process id. | long |
-| service.address | Service address | keyword |
-| service.type | Service type | keyword |
+| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
 
 
 ### stat
@@ -575,7 +576,8 @@ The fields reported are:
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group |
 | process.pid | Process id. | long |
-| service.address | Service address | keyword |
-| service.type | Service type | keyword |
+| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |