Geo fields at root?

rsk0 · August 21, 2023, 11:41pm

ECS geo docs say:

The geo fields are expected to be nested at:
client.geo
destination.geo
host.geo
server.geo
...
Note also that the geo fields are not expected to be used directly at the root of the events.

I was thinking we might want to maintain orthogonality between events and any particular event aspect. That is, we should be able to just say an event happened at some geo.

This is a little theoretical, but should we not be able to log event location regardless of whether there was a client or server or even host involved?

I suppose it's reasonable to think of ECS as only addressing software events. That's the implied domain we're working in. I have to assume that ECS is not meant for recording things like earthquakes or police activity or news events.

stephenb · August 22, 2023, 12:58am

Not just SW, HW, IOT etc but yes mostly technology events.

For pure non technology events like news earthquake etc... ECS is not really contemplative of those domains.

You could use

source.geo

Or create your own geo the suggestion to not put it at the root is just a suggestion because there can be more than one geo.

You can add fields to your events. As long as they don't collide with ECS, you should be fine.

system · September 19, 2023, 12:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Problem when there is a field called "geo" Elasticsearch	4	292	July 6, 2017
Trying to query geo_distance Elasticsearch	7	452	July 6, 2017
Just Pushed: (breaking) Geo Overhaul Elasticsearch	1	258	July 6, 2017
Geoip's dotted fields and ES2.0 Logstash	3	650	July 6, 2017
Geoip creates everything but the geoip.location Logstash	10	4229	April 30, 2018

Geo fields at root?

Related topics