Skip to content

Latest commit

 

History

History
147 lines (100 loc) · 7.56 KB

0020-version-type-field-migration.md

File metadata and controls

147 lines (100 loc) · 7.56 KB
Raw

0020: Version Type Field Migration

  • Stage: X (abandoned)
  • Date: 2021-07-20

Abandoned

As the time this proposal was marked abandoned, adopting version is not a priority for the ECS team or other ECS stakeholders. The team may revisit reviewing how version could be beneficial later on.

Elasticsearch 7.10 introduced a new field data type specialized in handling software version values: version. The version type supports specialized precedence rules based on the rules outlined in Semantic Versioning (semver). A range query against a version field for values between 1.0.0 and 1.5.0 will include 1.2.3 but not 1.11.2. This differs from keyword fields where the range ordering is alphabetical.

Examples:

  • Return documents with .version greater-than or equal to 1.1.0 and less-than 2.0.0
  • Query across multiple versions without the need to know in advance ever possible versions in the index (e.g. ecs.version:(1.3.0 OR 1.4.0 OR 1.5.0)
  • Return all documents where minor version is 3 (x.3.y) or the major version is considered unstable (0.x.y).

The purpose of this proposal is to identify which fields may be good candidates for adopting the version data type and design considerations for that migration.

Fields

  • agent.version
  • ecs.version
  • os.version
  • package.version
  • rule.version
  • service.version

Usage

Source data

Scope of impact

Mapping conflicts

Changing the field type will result in a mapping conflict across indices mapping version fields using type: keyword and indices mapping version fields as type: version.

Concerns

Version fields containing non-semantic version values

Version string values that are not valid under the semver rules will still be indexed and retrieved as exact matches but will only appear after any valid semver value with regular alphabetical ordering.

Fields that expect version values but often contains values that do not align with semver rules are probably best to remain using keyword. The list of proposed fields will be assessed in a later stage to determine if each field's expected values make it a good candidate for version.

Kibana support

Support in Kibana for the version data for index patterns, aggregations, and Lens is still in-progress.

People

The following are the people that consulted on the contents of this RFC.

  • @ebeahan | author, sponsor

References

RFC Pull Requests