We see a lot of variation in how different Fleet agent integrations report the hostname. Although we have configured our agent policies to report the FQDN, some integrations still just report the hostname instead of the FQDN, and some integrations don't even report a hostname at all, for example the RabbitMQ log integration, which only reports the agent.name.
Would be great to see some standardization in that field to increase data quality.
I completely agree on this. Lowercase fqdn is the best key imho, so we also configured our agent policies to report the FQDN. Otherwise your host names can get into conflict with identically named hosts from test domains or other networks. The original hostname should be in host.hostname.
ECS also recommends lowercase FQDN => Host Fields | Elastic Common Schema (ECS) Reference [8.17] | Elastic
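A way to measure the inconsistency discussed in this thread, as an added example that is not part of either post or of any Elastic tooling: it audits events for a lowercase FQDN in host.name and lists short names that would collide across domains. The sample events, the function names and the "contains a dot" test for an FQDN are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real data), shaped like ECS documents.
EVENTS = [
    {"agent": {"name": "web01"},
     "host": {"name": "web01.prod.example.com", "hostname": "WEB01"}},
    {"agent": {"name": "web01"}, "host": {"name": "web01"}},
    {"agent": {"name": "web01"},
     "host": {"name": "web01.test.example.com", "hostname": "web01"}},
    {"agent": {"name": "DB02"}, "host": {"name": "DB02.prod.example.com"}},
    {"agent": {"name": "mq03"}},  # no host object, only agent.name
]


def classify(event):
    """Classify host.name: missing, short_hostname, not_lowercase or ok."""
    name = event.get("host", {}).get("name")
    if not name:
        return "missing"
    # Assumption: a name with no interior dot is a bare hostname, not an FQDN.
    if "." not in name.strip("."):
        return "short_hostname"
    if name != name.lower():
        return "not_lowercase"
    return "ok"


def audit(events):
    """Map each finding to the indexes of the events that produced it."""
    findings = defaultdict(list)
    for index, event in enumerate(events):
        findings[classify(event)].append(index)
    return dict(findings)


def ambiguous_short_names(events):
    """Short names that belong to more than one FQDN, i.e. hosts that would
    be merged if an integration reported only the bare hostname."""
    fqdns = defaultdict(set)
    for event in events:
        if classify(event) in ("ok", "not_lowercase"):
            name = event["host"]["name"].lower()
            fqdns[name.split(".", 1)[0]].add(name)
    return {short: sorted(names) for short, names in fqdns.items()
            if len(names) > 1}


if __name__ == "__main__":
    print(audit(EVENTS))
    print(ambiguous_short_names(EVENTS))
```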