The useragent filter (https://www.elastic.co/guide/en/logstash/current/plugins-filters-useragent.html), when applied to the user agent that is produced by Apache access logs (through the built-in COMBINEDAPACHELOG pattern), appears to produce two fields that hold the exact same content: “os” and “os_name”. I am just testing in a development environment, but do these two fields ever differ? I tried accessing a site from various OSes (Windows/Linux) and both fields always contained the same information. I thought this may be a bug unless I am overlooking something that could cause these two fields to hold different information.
Yes, they occasionally differ. The most common case I've seen is for Mac OS X.
os field contains the name and version of the operating system while os.name contains the name only. In practice, the parser rarely extracts the version of the operating system in which case os falls back to os.name. Of course, in the Windows case the version number/name is included in os.name (Windows Vista, Windows 7, Windows 8, ...).
I've filed an issue for improving the documentation of this.
Thank you for clarifying. I'll look forward to the updated docs.