In ECS Elastic Common Schema...
Is there a field for indicating if a service (or anything) is active or passive?
I tried looking through the spec but was unable to find anything.
In ECS Elastic Common Schema...
Is there a field for indicating if a service (or anything) is active or passive?
I tried looking through the spec but was unable to find anything.
What about service.state
?
Oh. I missed that. Thanks very much for helping me find it.
I think it might be a good field for this.
It's very generic, as "state" could refer to so much. But I would imagine activeness/passiveness would be a major potential / common use.
I think if we adopted this field for this particular purpose, we'd want to internally override the schema. That is, since the schema is defined as names, types, and meanings, we'd have to override the meaning to indicate that service.state
specifically means "activeness or passiveness", not other potential meanings of "state", and even provide an enumeration of values (a fourth part of the schema that's rarely discussed).
We've designed a three-part master schema that's composed of ECS at the base, company-specific fields atop that, and service-specific fields atop that. While the company-specific fields have mostly been namespaced to avoid colliding, something like service.XYZ.state
, I'm only now realizing that some company-specific fields might need to be name-identical overrides of ECS. (That is, compliant with ECS, but with locally strict requirements.)
I think it could work.
Learning a lot about schema adoption and working with ECS. Thanks again for being so responsive and helpful.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.