Geo fields at root?

rsk0 · August 21, 2023, 11:41pm

ECS geo docs say:

The geo fields are expected to be nested at:
client.geo
destination.geo
host.geo
server.geo
...
Note also that the geo fields are not expected to be used directly at the root of the events.

I was thinking we might want to maintain orthogonality between events and any particular event aspect. That is, we should be able to just say an event happened at some geo.

This is a little theoretical, but should we not be able to log event location regardless of whether there was a client or server or even host involved?

I suppose it's reasonable to think of ECS as only addressing software events. That's the implied domain we're working in. I have to assume that ECS is not meant for recording things like earthquakes or police activity or news events.

stephenb · August 22, 2023, 12:58am

Not just SW, HW, IOT etc but yes mostly technology events.

For pure non technology events like news earthquake etc... ECS is not really contemplative of those domains.

You could use

source.geo

Or create your own geo the suggestion to not put it at the root is just a suggestion because there can be more than one geo.

You can add fields to your events. As long as they don't collide with ECS, you should be fine.

system · September 19, 2023, 12:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elastic Common Schema and Logstash and Ingest node processing tagging Logstash ecs-elastic-common-schema	3	458	November 29, 2019
Emerging standards for ECS customization Elasticsearch ecs-elastic-common-schema	2	586	May 28, 2020
ECS - Squid proxy log normalization Elasticsearch ecs-elastic-common-schema	4	1692	August 14, 2019
ECS mappings for asset tracking and port scanning output Elasticsearch ecs-elastic-common-schema	2	448	December 21, 2020
Geo point for new ECS mapped Geo fields using JDBC Logstash	7	387	May 31, 2021

Geo fields at root?

Related topics