Revert "Add .caseless subfield to process.name & process.executable" (#2350)

This reverts commit 7815b3f from #2341.

This is being reverted due to storage concerns. The goal will be to advance the native querying capabilities (ES|QL, KQL) of the Elastic stack such that this extra normalized multi-field is not necessary. In the meantime, localized overrides of the ECS field definition will be used to add the additional multi-field where needed. The downside of localized overrides is that it creates inconsistency across usages of this field.
andrewkroh authored Jul 23, 2024
1 parent 7815b3f commit 146c96a
Showing 15 changed files with 0 additions and 570 deletions.
2 changes: 0 additions & 2 deletions CHANGELOG.next.md
Expand Up @@ -25,8 +25,6 @@ Thanks, you're awesome :-) -->

#### Improvements

* Added `.caseless` subfield to `process.name` and `process.executable`. #2341

#### Deprecated

### Tooling and Artifact Changes
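Review bot: Removing the #2341 bullet leaves `#### Improvements` empty and keeps no record that `.caseless` was added and then withdrawn. That is fine if 7815b3f never went out in a tagged release, which the `CHANGELOG.next.md` location suggests; please confirm, and if any release or published artifact already carried the subfield, add a line for the removal instead of deleting the entry.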
Expand Down
6 changes: 0 additions & 6 deletions docs/fields/field-details.asciidoc
Expand Up @@ -8128,9 +8128,6 @@ type: keyword

Multi-fields:

* process.executable.caseless (type: keyword)


* process.executable.text (type: match_only_text)


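Review bot: After this removal the field reference lists only `process.executable.text` under Multi-fields, and nothing tells a reader how to get case-insensitive matching or that a local override is the interim route described in the commit message. Consider a short sentence in the field description or the usage docs pointing to the override approach, so the rationale does not live only in the commit log.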
Expand Down Expand Up @@ -8346,9 +8343,6 @@ type: keyword

Multi-fields:

* process.name.caseless (type: keyword)


* process.name.text (type: match_only_text)


Expand Down
46 changes: 0 additions & 46 deletions experimental/generated/beats/fields.ecs.yml
Expand Up @@ -5175,10 +5175,6 @@
type: keyword
ignore_above: 1024
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
ignore_above: 1024
- name: text
type: match_only_text
description: Absolute path to the process executable.
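Review bot: Dropping the `caseless` entry (`type: keyword`, `normalizer: lowercase`) leaves this field with only the case-sensitive keyword and the `text` multi-field, so exact-match queries on the executable path are case-sensitive again, which matters for Windows process data where casing varies. Anything written against `process.executable.caseless` or `process.name.caseless` since #2341 (detection rules, saved queries, dashboards) would now reference an unmapped field and could return no hits or error, depending on the query language. Please search consumers for `.caseless` before merging, or confirm that none shipped.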
Expand Down Expand Up @@ -5217,10 +5213,6 @@
type: keyword
ignore_above: 1024
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
ignore_above: 1024
- name: text
type: match_only_text
description: 'Process name.
Expand Down Expand Up @@ -5490,11 +5482,6 @@
type: keyword
ignore_above: 1024
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
ignore_above: 1024
default_field: false
- name: text
type: match_only_text
default_field: false
Expand Down Expand Up @@ -5573,10 +5560,6 @@
type: keyword
ignore_above: 1024
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
ignore_above: 1024
- name: text
type: match_only_text
description: Absolute path to the process executable.
Expand Down Expand Up @@ -5615,10 +5598,6 @@
type: keyword
ignore_above: 1024
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
ignore_above: 1024
- name: text
type: match_only_text
description: 'Process name.
Expand Down Expand Up @@ -6033,11 +6012,6 @@
type: keyword
ignore_above: 1024
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
ignore_above: 1024
default_field: false
- name: text
type: match_only_text
default_field: false
Expand Down Expand Up @@ -6427,10 +6401,6 @@
type: keyword
ignore_above: 1024
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
ignore_above: 1024
- name: text
type: match_only_text
description: Absolute path to the process executable.
Expand Down Expand Up @@ -6674,10 +6644,6 @@
type: keyword
ignore_above: 1024
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
ignore_above: 1024
- name: text
type: match_only_text
description: 'Process name.
Expand Down Expand Up @@ -7264,10 +7230,6 @@
type: keyword
ignore_above: 1024
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
ignore_above: 1024
- name: text
type: match_only_text
description: Absolute path to the process executable.
Expand Down Expand Up @@ -7383,10 +7345,6 @@
type: keyword
ignore_above: 1024
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
ignore_above: 1024
- name: text
type: match_only_text
description: Absolute path to the process executable.
Expand Down Expand Up @@ -7425,10 +7383,6 @@
type: keyword
ignore_above: 1024
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
ignore_above: 1024
- name: text
type: match_only_text
description: 'Process name.
Expand Down
11 changes: 0 additions & 11 deletions experimental/generated/csv/fields.csv
Expand Up @@ -648,13 +648,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.12.0-dev+exp,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source.
8.12.0-dev+exp,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader.
8.12.0-dev+exp,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.entry_leader.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
8.12.0-dev+exp,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group.
8.12.0-dev+exp,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
8.12.0-dev+exp,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.entry_leader.name.caseless,keyword,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
8.12.0-dev+exp,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id.
Expand Down Expand Up @@ -690,7 +688,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.12.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
8.12.0-dev+exp,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings.
8.12.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process.
8.12.0-dev+exp,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
Expand All @@ -701,13 +698,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.12.0-dev+exp,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
8.12.0-dev+exp,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
8.12.0-dev+exp,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.group_leader.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
8.12.0-dev+exp,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group.
8.12.0-dev+exp,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
8.12.0-dev+exp,true,process,process.group_leader.name,keyword,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.group_leader.name.caseless,keyword,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.group_leader.pid,long,core,,4242,Process id.
8.12.0-dev+exp,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
Expand Down Expand Up @@ -767,7 +762,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.12.0-dev+exp,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`.
8.12.0-dev+exp,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file.
8.12.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.name.caseless,keyword,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
8.12.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
Expand Down Expand Up @@ -823,7 +817,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.12.0-dev+exp,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended.
8.12.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
8.12.0-dev+exp,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.parent.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
8.12.0-dev+exp,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
Expand Down Expand Up @@ -857,7 +850,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.12.0-dev+exp,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`.
8.12.0-dev+exp,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file.
8.12.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.parent.name.caseless,keyword,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
8.12.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
Expand Down Expand Up @@ -941,7 +933,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.12.0-dev+exp,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
8.12.0-dev+exp,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array.
8.12.0-dev+exp,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.previous.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
8.12.0-dev+exp,true,process,process.real_group.name,keyword,extended,,,Name of the group.
Expand All @@ -959,13 +950,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.12.0-dev+exp,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
8.12.0-dev+exp,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
8.12.0-dev+exp,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.session_leader.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
8.12.0-dev+exp,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group.
8.12.0-dev+exp,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
8.12.0-dev+exp,true,process,process.session_leader.name,keyword,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.session_leader.name.caseless,keyword,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
8.12.0-dev+exp,true,process,process.session_leader.parent.pid,long,core,,4242,Process id.
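Review bot: These rows live under `experimental/generated/`, so the removal should come from re-running the generator against the reverted schema rather than from hand edits; please confirm that is how this file was produced. The counts are consistent with that: 11 `.caseless` rows are removed here, matching the 11 five-line entries (55 deletions) removed from `ecs_flat.yml` and the 11 entries (46 deletions) removed from the Beats `fields.ecs.yml`.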
Expand Down
55 changes: 0 additions & 55 deletions experimental/generated/ecs/ecs_flat.yml
Expand Up @@ -8426,11 +8426,6 @@ process.entry_leader.executable:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.entry_leader.executable.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.entry_leader.executable.text
name: text
type: match_only_text
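Review bot: The commit message names inconsistency between local overrides as the downside of this revert, and the definition removed here is the one those overrides would need to copy: `name: caseless`, `type: keyword`, `normalizer: lowercase`, `ignore_above: 1024`. Recording that exact definition as the recommended override, for example in the docs or a custom-schema example, would keep the subfield name and normalizer the same wherever it is re-added.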
Expand Down Expand Up @@ -8492,11 +8487,6 @@ process.entry_leader.name:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.entry_leader.name.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.entry_leader.name.text
name: text
type: match_only_text
Expand Down Expand Up @@ -8920,11 +8910,6 @@ process.executable:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.executable.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.executable.text
name: text
type: match_only_text
Expand Down Expand Up @@ -9044,11 +9029,6 @@ process.group_leader.executable:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.group_leader.executable.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.group_leader.executable.text
name: text
type: match_only_text
Expand Down Expand Up @@ -9110,11 +9090,6 @@ process.group_leader.name:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.group_leader.name.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.group_leader.name.text
name: text
type: match_only_text
Expand Down Expand Up @@ -9804,11 +9779,6 @@ process.name:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.name.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.name.text
name: text
type: match_only_text
Expand Down Expand Up @@ -10470,11 +10440,6 @@ process.parent.executable:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.parent.executable.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.parent.executable.text
name: text
type: match_only_text
Expand Down Expand Up @@ -10884,11 +10849,6 @@ process.parent.name:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.parent.name.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.parent.name.text
name: text
type: match_only_text
Expand Down Expand Up @@ -11873,11 +11833,6 @@ process.previous.executable:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.previous.executable.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.previous.executable.text
name: text
type: match_only_text
Expand Down Expand Up @@ -12063,11 +12018,6 @@ process.session_leader.executable:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.session_leader.executable.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.session_leader.executable.text
name: text
type: match_only_text
Expand Down Expand Up @@ -12129,11 +12079,6 @@ process.session_leader.name:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.session_leader.name.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.session_leader.name.text
name: text
type: match_only_text
Expand Down