How Elastic Common Schema names are defined for the log fields

Hi Elastic Team,

I have certain fields which we use in Linux logs. Can you please let me know what the Elastic Common Schema (ECS) name would be for those fields, and how you define the ECS name for those fields?

Fields: timestamp, ppid, msg, address, hostname, terminal, algo, comm, success, server, etc.

Example: we had src_ip defined in one of our logs, and Elastic Common Schema accepts source.ip. How is this defined?


Please look into the section "Example 2: Search" from the above link, where you can find the details of the src_ip example I mentioned!

Hey @Mani2451, thanks for dropping by. All of the ECS fields are documented extensively in our documentation here: https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html

Most of the fields you mention here you'll find right away, either in the Base fields, or under the field sets event, process, host.

Some of the fields you mention aren't obvious in what they mean. So it depends on what's in there. If after looking at the docs, you're not sure where to map some of them, please ping me again here.

Final note: if ECS really doesn't cover a few of your fields, you're free to add them as custom fields. ECS is an inclusive schema. You map to ECS what you can, and you add your additional fields under a custom field set, e.g. myapp.algo.

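The approach described in the reply (map what you can to ECS names, put the rest under a custom field set) can be made concrete in a small renaming step before indexing. The script below is an added example, not code from Elastic or from the poster: the ECS field names it uses (`@timestamp`, `message`, `host.name`, `source.ip`, `source.address`, `process.parent.pid`, `process.name`, `event.outcome`) come from the ECS field reference, but which raw field maps to which ECS field, the `myapp` namespace, and the sample record are all assumptions for illustration. It also shows the one edge case worth handling: a raw field named `server` would shadow the ECS `server.*` field set if it were written at the top level, so unmapped fields always go under the custom namespace.

```python
"""Rename flat Linux log fields to ECS names and nest them into a document.

Added example, not Elastic's code. ECS field names are from the ECS field
reference; the raw-to-ECS assignments below are assumptions for this example.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Assumed mapping from raw field names (as in the question) to ECS field names.
RAW_TO_ECS = {
    "timestamp": "@timestamp",
    "msg": "message",
    "hostname": "host.name",
    "src_ip": "source.ip",
    "address": "source.address",
    "ppid": "process.parent.pid",
    "comm": "process.name",
    "success": "event.outcome",
}

# A subset of ECS top-level names that a custom namespace must not reuse.
ECS_TOP_LEVEL = {"@timestamp", "message", "event", "host", "process", "source",
                 "destination", "server", "client", "user", "file", "network"}


def _set_path(doc, dotted, value):
    """Store value at a dotted path, creating nested objects (a.b.c -> {a:{b:{c:v}}})."""
    parts = dotted.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
        if not isinstance(cur, dict):
            raise ValueError(f"{dotted}: '{part}' already holds a scalar value")
    cur[parts[-1]] = value


def _normalize(ecs_name, value):
    """Coerce a few values into the shape ECS expects for that field."""
    if ecs_name == "@timestamp" and isinstance(value, (int, float)):
        # epoch seconds -> ISO 8601 in UTC, which the date type accepts
        return datetime.fromtimestamp(value, tz=timezone.utc).isoformat()
    if ecs_name == "source.ip":
        ipaddress.ip_address(value)  # reject garbage instead of indexing a bad ip
        return value
    if ecs_name == "event.outcome":
        # ECS restricts event.outcome to success, failure or unknown
        if value in ("yes", "true", "1", "success", True, 1):
            return "success"
        if value in ("no", "false", "0", "failure", False, 0):
            return "failure"
        return "unknown"
    if ecs_name == "process.parent.pid":
        return int(value)
    return value


def to_ecs(raw, custom_namespace="myapp"):
    """Convert a flat raw log record into a nested ECS-style document.

    Fields listed in RAW_TO_ECS are renamed; every other field is placed under
    custom_namespace so it cannot collide with an ECS field set.
    """
    if custom_namespace in ECS_TOP_LEVEL:
        raise ValueError(f"custom namespace '{custom_namespace}' collides with ECS")
    doc = {}
    for name, value in raw.items():
        if name in RAW_TO_ECS:
            ecs_name = RAW_TO_ECS[name]
            _set_path(doc, ecs_name, _normalize(ecs_name, value))
        else:
            # e.g. a raw 'server' field goes to myapp.server, not the ECS server.* set
            _set_path(doc, f"{custom_namespace}.{name}", value)
    return doc


if __name__ == "__main__":
    # Constructed sample record for illustration, not a real log line.
    sample = {"timestamp": 1700000000, "hostname": "web01", "src_ip": "10.0.0.5",
              "ppid": "412", "comm": "sshd", "success": "yes", "msg": "login ok",
              "terminal": "pts/0", "algo": "sha256", "server": "auth-1"}
    print(json.dumps(to_ecs(sample), indent=2))
```

The same mapping table can be expressed as `rename` processors in an Elasticsearch ingest pipeline once the field assignments are settled; keeping it in one place, as here, makes it easy to review which raw fields ended up in the custom namespace and whether any of them deserve a proper ECS home.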
