[9.1](backport #46301) [docs] Replace placeholder URLs (#46772)

* [docs] Replace placeholder URLs (#46301)

* replace placeholder URLs

* replace more placeholder URLs

* use replaceable placeholders for requests

* update generated docs

* apply suggestions from code review

Co-authored-by: Brandon Morelli <bmorelli25@gmail.com>

* replace example dot co dot uk examples

* fix check-docs

---------

Co-authored-by: Brandon Morelli <bmorelli25@gmail.com>
(cherry picked from commit 3dc7203)

# Conflicts:
#	auditbeat/include/fields.go

* resolve conflicts

---------

Co-authored-by: Colleen McGinnis <colleen.mcginnis@elastic.co>

Author: mergify[bot]

auditbeat/include/fields.go

@@ -65,10 +65,10 @@ To use SSL mutual authentication:
 Before running Auditbeat, you should validate the Logstash server’s certificate. You can use `curl` to validate the certificate even though the protocol used to communicate with Logstash is not based on HTTP. For example:
 
 ```shell
-curl -v --cacert ca.crt https://logs.example.com:5044 
+curl -v --cacert ca.crt https://logs.example.com:5044
 ```
 
-If the test is successful, you’ll receive an empty response error:
+If the test is successful, you’ll receive an empty response error. Here's an example response assuming the `HOST_URL` was `logs.example.com` and `PORT` was `5044`:
 
 ```shell
 * Rebuilt URL to: https://logs.example.com:5044/

docs/reference/auditbeat/configuring-ssl-logstash.md

@@ -317,7 +317,7 @@ Client / server representations can add semantic context to an exchange, which i
 
 
 **`client.subdomain`**
-:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.example.com" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
 
     type: keyword
 
@@ -1044,7 +1044,7 @@ Destination fields are usually populated in conjunction with source fields. The
 
 
 **`destination.subdomain`**
-:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.example.com" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
 
     type: keyword
 
@@ -5510,7 +5510,7 @@ Client / server representations can add semantic context to an exchange, which i
 
 
 **`server.subdomain`**
-:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.example.com" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
 
     type: keyword
 
@@ -6006,7 +6006,7 @@ Source fields are usually populated in conjunction with destination fields. The
 
 
 **`source.subdomain`**
-:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.example.com" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
 
     type: keyword
 
@@ -7195,7 +7195,7 @@ Field is not indexed.
 
 
 **`threat.enrichments.indicator.url.subdomain`**
-:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.example.com" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
 
     type: keyword
 
@@ -7413,7 +7413,7 @@ Field is not indexed.
 
     type: keyword
 
-    example: bad-domain.com
+    example: example.com
 
 
 **`threat.enrichments.matched.field`**
@@ -8569,7 +8569,7 @@ Field is not indexed.
 
 
 **`threat.indicator.url.subdomain`**
-:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.example.com" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
 
     type: keyword
 
@@ -9645,7 +9645,7 @@ URL fields provide support for complete or partial URLs, and supports the breaki
 
 
 **`url.subdomain`**
-:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+:   The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.example.com" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
 
     type: keyword
 

docs/reference/auditbeat/exported-fields-ecs.md

@@ -42,7 +42,7 @@ Use internal collectors to send {{beats}} monitoring data directly to your monit
       enabled: true
       cluster_uuid: PRODUCTION_ES_CLUSTER_UUID <1>
       elasticsearch:
-        hosts: ["https://example.com:9200", "https://example2.com:9200"] <2>
+        hosts: ["<HOST_URL_1>:<PORT_1>", "<HOST_URL_2>:<PORT_2>"] <2>
         api_key:  id:api_key <3>
         username: beats_system
         password: somepassword
@@ -60,7 +60,7 @@ Use internal collectors to send {{beats}} monitoring data directly to your monit
       enabled: true
       cluster_uuid: PRODUCTION_ES_CLUSTER_UUID
       elasticsearch:
-        hosts: ["https://example.com:9200", "https://example2.com:9200"]
+        hosts: ["<HOST_URL_1>:<PORT_1>", "<HOST_URL_2>:<PORT_2>"]
         username: ""
         ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
         ssl.certificate: "/etc/pki/client/cert.pem"

docs/reference/auditbeat/monitoring-internal-collection.md

@@ -26,7 +26,7 @@ To use SSL mutual authentication:
 
         ```yaml
         output.logstash:
-          hosts: ["logs.mycompany.com:5044"]
+          hosts: ["<HOST_URL>:<PORT>"]
           ssl.certificate_authorities: ["/etc/ca.crt"]
           ssl.certificate: "/etc/client.crt"
           ssl.key: "/etc/client.key"
@@ -65,25 +65,25 @@ To use SSL mutual authentication:
 Before running Filebeat, you should validate the Logstash server’s certificate. You can use `curl` to validate the certificate even though the protocol used to communicate with Logstash is not based on HTTP. For example:
 
 ```shell
-curl -v --cacert ca.crt https://logs.mycompany.com:5044
+curl -v --cacert ca.crt <HOST_URL>:<PORT>
 ```
 
-If the test is successful, you’ll receive an empty response error:
+If the test is successful, you’ll receive an empty response error. Here's an example response assuming the `HOST_URL` was `logs.example.com` and `PORT` was `5044`:
 
 ```shell
-* Rebuilt URL to: https://logs.mycompany.com:5044/
+* Rebuilt URL to: https://logs.example.com:5044/
 *   Trying 192.168.99.100...
-* Connected to logs.mycompany.com (192.168.99.100) port 5044 (#0)
+* Connected to logs.example.com (192.168.99.100) port 5044 (#0)
 * TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
-* Server certificate: logs.mycompany.com
-* Server certificate: mycompany.com
+* Server certificate: logs.example.com
+* Server certificate: example.com
 > GET / HTTP/1.1
-> Host: logs.mycompany.com:5044
+> Host: logs.example.com:5044
 > User-Agent: curl/7.43.0
 > Accept: */*
 >
 * Empty reply from server
-* Connection #0 to host logs.mycompany.com left intact
+* Connection #0 to host logs.example.com left intact
 curl: (52) Empty reply from server
 ```
 
@@ -93,7 +93,7 @@ The following example uses the IP address rather than the hostname to validate t
 curl -v --cacert ca.crt https://192.168.99.100:5044
 ```
 
-Validation for this test fails because the certificate is not valid for the specified IP address. It’s only valid for the `logs.mycompany.com`, the hostname that appears in the Subject field of the certificate.
+Validation for this test fails because the certificate is not valid for the specified IP address. It’s only valid for the `logs.example.com`, the hostname that appears in the Subject field of the certificate.
 
 ```shell
 * Rebuilt URL to: https://192.168.99.100:5044/

docs/reference/filebeat/configuring-ssl-logstash.md

@@ -932,7 +932,7 @@ Collection of key-value pairs carried in the CEF extension field.
 
 
 **`cef.extensions.sourceHostName`**
-:   Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. Examples: 'host' or 'host.domain.com'.
+:   Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. Examples: 'host' or 'host.example.com'.
 
     type: keyword