Geo fields at root?

rsk0 · August 21, 2023, 11:41pm

ECS geo docs say:

The geo fields are expected to be nested at:
client.geo
destination.geo
host.geo
server.geo
...
Note also that the geo fields are not expected to be used directly at the root of the events.

I was thinking we might want to maintain orthogonality between events and any particular event aspect. That is, we should be able to just say an event happened at some geo.

This is a little theoretical, but should we not be able to log event location regardless of whether there was a client or server or even host involved?

I suppose it's reasonable to think of ECS as only addressing software events. That's the implied domain we're working in. I have to assume that ECS is not meant for recording things like earthquakes or police activity or news events.

stephenb · August 22, 2023, 12:58am

Not just SW, HW, IOT etc but yes mostly technology events.

For pure non technology events like news earthquake etc... ECS is not really contemplative of those domains.

You could use

source.geo

Or create your own geo the suggestion to not put it at the root is just a suggestion because there can be more than one geo.

You can add fields to your events. As long as they don't collide with ECS, you should be fine.

system · September 19, 2023, 12:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.