Hi,
I have a question regarding the usage of the ECS fields event.id and event.code.
What is the intended difference between these two fields? Is there any guidance on how to use them?
The example for event.code references the Windows Event ID - which to me might be better put into event.id then?
Greetings!
This is my understanding of them.
event.id should be unique to the event instance (like the record ID in windows events).
event.code is identifier that indicates the type of event or message. Like if a log has a error code that you can lookup to learn more info then you could put that into event.code.
So you say that the windows event id should go into event.id. The documentation says otherwise and references event.code for this.
Is there a more practical example with an event that maybe uses both fields?
In Windows events, there's both a record ID and Event ID. Record ID is a unique number of the event in the event log, and Event ID describes the type of event, like 4624, 4625, etc.
Another example for event.code is MySQL error messages which have an assigned reference code for each error type.
Ok, I think I got it now. Thanks!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.