Elastic Common Schema for website domain

What would be the ideal field name following the Elastic Common Schema for the domain name of a website?

For example, in a setup using nginx + apache, with multiple domains, I end up with different logs per domain, and I would like to distinguish those in Kibana.

I've read the ECS but I'm not able to decide which field is better for this purpose. Perhaps network.app?


By default, web server logs don't include the vhost. But yes, if you want to distinguish traffic from different vhosts, make sure to add it to your logs (or produce distinct logs per vhost).

Next I assume you're already breaking down your http traffic between the http and url field sets.

Trivial (and incomplete) example document:

{ "http": { "method": "get", "status_code": 200, ...},
  "url": { "path": "/assets/stylesheet.css", "domain": "www.example.com", ...}
}

So url.domain would be my recommendation.

Check this out as well: Parsing URL with Logstash (using ECS fields) nested!

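Worked example of what the answer describes, added here and not taken from the thread or from Elastic: a small parser that reads nginx access-log lines in which the vhost has been added to the log format, and emits one ECS-style document per line with the vhost in url.domain so Kibana can filter on it. It assumes a custom nginx log_format that prepends $host to the stock "combined" format (shown in the docstring), and uses the ECS field names as they appear in the ECS reference (http.request.method, http.response.status_code, url.domain, url.path, url.query), which are slightly longer than the shorthand in the reply above. The log lines are constructed sample data; the third one mimics the entry nginx writes when a client sends a TLS handshake to a plain-HTTP port, where no method or path can be extracted.

```python
"""Turn vhost-aware nginx access-log lines into ECS documents.

Assumed nginx log_format (the stock "combined" format with $host added
at the front so the virtual host survives into the log):

    log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                     '"$request" $status $body_bytes_sent '
                     '"$http_referer" "$http_user_agent"';
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample lines, not real traffic. The last one is the kind of
# entry nginx writes when a client speaks TLS to a plain-HTTP port: the
# request line is not "METHOD TARGET VERSION", so url.path cannot be filled.
SAMPLE_LOG = r"""
www.example.com 203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /assets/stylesheet.css?v=3 HTTP/1.1" 200 1532 "https://www.example.com/" "Mozilla/5.0"
shop.example.net 198.51.100.7 - alice [10/Oct/2023:13:55:37 +0000] "POST /checkout HTTP/2.0" 302 0 "-" "curl/8.1.2"
www.example.com 203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" 400 150 "-" "-"
""".strip()

# One access-log line in the assumed "vhost" log_format.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A well-formed request line; anything else is kept only in event.original.
REQUEST_RE = re.compile(
    r'^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<version>\d(?:\.\d)?)$'
)


def to_ecs(line: str) -> dict:
    """Map one access-log line to a (partial) ECS document."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"line does not match the vhost log_format: {line!r}")

    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    doc = {
        "@timestamp": ts.isoformat().replace("+00:00", "Z"),
        "event": {"kind": "event", "category": ["web"], "original": line},
        "source": {"ip": m["client"]},
        # url.domain carries the vhost; this is the field to filter on in Kibana.
        "url": {"domain": m["host"]},
        "http": {"response": {"status_code": int(m["status"]),
                              "body": {"bytes": int(m["bytes"])}}},
    }
    if m["user"] != "-":
        doc["user"] = {"name": m["user"]}
    if m["ua"] != "-":
        doc["user_agent"] = {"original": m["ua"]}

    request = {}
    if m["referrer"] != "-":
        request["referrer"] = m["referrer"]
    req = REQUEST_RE.match(m["request"])
    if req is not None:
        # Split "/path?query" into url.path and url.query; keep the raw target too.
        path, _, query = req["target"].partition("?")
        request["method"] = req["method"]
        doc["http"]["version"] = req["version"]
        doc["url"]["original"] = req["target"]
        doc["url"]["path"] = path
        if query:
            doc["url"]["query"] = query
    if request:
        doc["http"]["request"] = request
    return doc


def parse_log(text: str) -> list:
    """Parse every non-empty line of an access log into ECS documents."""
    return [to_ecs(line) for line in text.splitlines() if line.strip()]


def requests_per_domain(docs) -> dict:
    """The per-vhost breakdown the question asks for, keyed on url.domain."""
    counts = {}
    for d in docs:
        counts[d["url"]["domain"]] = counts.get(d["url"]["domain"], 0) + 1
    return counts


if __name__ == "__main__":
    docs = parse_log(SAMPLE_LOG)
    for doc in docs:
        print(json.dumps(doc, sort_keys=True))
    print(requests_per_domain(docs))
```

One caveat when relying on $host for url.domain: nginx fills $host from the request line or the client's Host header, and only falls back to the matching server_name when neither is present, so the value is client-supplied and may not be the vhost that actually served the request. If you need the server-side view as well, log $server_name alongside $host and map it to a separate field rather than overwriting url.domain.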