ECS field for application data and payloads

Hello Dan,

In our team, we try to align our fields with the ECS format (as far as possible) and try to avoid custom namespaces. We name our fields according to the following priority list:

  • field is defined in ECS: use ECS aligned field name (e.g. service.name)
  • field exists in Beats/APM: use Beats/APM aligned name (e.g. service.environment is used in APM but not in ECS)
  • similar fields/groups exist in ECS: align with these naming conventions (e.g. there is a field called http.request.body.content which stores the HTTP request body, so we added our custom field as http.request.body.raw)
  • no similar field/group exists and it is a single value: put it directly into root
  • no similar field/group exists and it is a group of values: create a custom namespace

We started with Elastic 6.5 where the ECS schema did not exist so we got the main application developers together and developed our shared schema which is stored on a wiki page. All applications align on this schema. After migration to 7.x we updated our schema to align with ECS and we update it whenever we require new fields or a new ECS version is released.

For field names, I found the following documentation from the ECS helpful:

Best regards
Wolfram

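The priority list above, turned into a small schema-review script as an added example (this is not code from Wolfram's post or from Elastic). It assumes a constructed subset of ECS field names and a constructed subset of Beats/APM-only names; in practice you would load the real lists from the ECS and Beats field definitions. It also adds the one check a team maintaining such a shared schema usually wants: a path must not be both a leaf field and a parent object, because Elasticsearch will reject a mapping that uses the same path for both.

```python
"""Classify application log field names against an ECS-style priority list.

Added example, not code from the original post or from Elastic. ECS_FIELDS and
BEATS_APM_FIELDS are constructed subsets for illustration only.
"""
from typing import Dict, List, Set

# Constructed subset of ECS leaf fields (assumption: enough for the demo).
ECS_FIELDS: Set[str] = {
    "@timestamp", "message", "event.action", "event.outcome",
    "service.name", "service.version",
    "http.request.method", "http.request.body.content", "http.request.body.bytes",
    "source.ip", "user.name",
}

# Constructed subset of fields that Beats/APM use but ECS does not define.
BEATS_APM_FIELDS: Set[str] = {"service.environment", "transaction.id", "span.id"}


def parent_groups(name: str) -> List[str]:
    """All dotted prefixes of a field name: 'a.b.c' -> ['a', 'a.b']."""
    parts = name.split(".")
    return [".".join(parts[:i]) for i in range(1, len(parts))]


def known_groups(fields: Set[str]) -> Set[str]:
    """Every object path implied by a set of leaf field names."""
    groups: Set[str] = set()
    for field in fields:
        groups.update(parent_groups(field))
    return groups


ECS_GROUPS = known_groups(ECS_FIELDS)


def classify(name: str) -> str:
    """Apply the priority list from the post to one candidate field name.

    Returns one of:
      'ecs'          defined in ECS: use as-is
      'beats_apm'    defined by Beats/APM but not by ECS
      'ecs_group'    custom leaf placed inside an existing ECS group
      'root_single'  single top-level value with no ECS relative
      'custom_ns'    dotted name outside any ECS group: a custom namespace
    """
    if name in ECS_FIELDS:
        return "ecs"
    if name in BEATS_APM_FIELDS:
        return "beats_apm"
    if any(group in ECS_GROUPS for group in parent_groups(name)):
        return "ecs_group"
    return "custom_ns" if "." in name else "root_single"


def review_schema(schema: List[str]) -> Dict[str, str]:
    """Classify every field of a team schema (e.g. the list kept on the wiki)."""
    return {field: classify(field) for field in schema}


def mapping_conflicts(fields: Set[str]) -> List[str]:
    """Paths used both as a leaf field and as a parent object.

    Elasticsearch cannot map one path as both a concrete field and an object,
    so a schema containing 'http.request.body' next to 'http.request.body.raw'
    would be rejected at index time.
    """
    return sorted(set(fields) & known_groups(fields))


def nest(flat: Dict[str, object]) -> Dict[str, object]:
    """Shape a flat dotted-key event into the nested document form ECS uses."""
    doc: Dict[str, object] = {}
    for key, value in flat.items():
        node = doc
        parts = key.split(".")
        for part in parts[:-1]:
            child = node.setdefault(part, {})
            if not isinstance(child, dict):
                raise ValueError(f"{part!r} in {key!r} is already a leaf value")
            node = child
        node[parts[-1]] = value
    return doc


if __name__ == "__main__":
    # Constructed team schema mixing ECS, APM and custom fields.
    team_schema = ["service.name", "service.environment",
                   "http.request.body.raw", "correlation_id", "myapp.cache.hits"]
    for field, decision in review_schema(team_schema).items():
        print(f"{field:28s} -> {decision}")
    print("conflicts:", mapping_conflicts(ECS_FIELDS | set(team_schema)))
```

Run it against the fields you plan to add before changing the index template; a non-empty `mapping_conflicts` result means the new name collides with a path that already exists as a leaf (or turns an existing leaf into an object), which the wiki review would otherwise miss.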