From fb0e31424f719a72cfae2ec110bebf0a06f7d335 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Wed, 7 Oct 2020 10:08:15 -0400 Subject: [PATCH 1/5] Clarify that file extension should exclude the dot. It was only implicit via the example --- code/go/ecs/file.go | 2 +- docs/field-details.asciidoc | 2 +- generated/beats/fields.ecs.yml | 2 +- generated/csv/fields.csv | 2 +- generated/ecs/ecs_flat.yml | 4 ++-- generated/ecs/ecs_nested.yml | 4 ++-- schemas/file.yml | 2 +- 7 files changed, 9 insertions(+), 9 deletions(-) diff --git a/code/go/ecs/file.go b/code/go/ecs/file.go index 1dc53d28b..edef1f73a 100644 --- a/code/go/ecs/file.go +++ b/code/go/ecs/file.go @@ -55,7 +55,7 @@ type File struct { // Target path for symlinks. TargetPath string `ecs:"target_path"` - // File extension. + // File extension, excluding the dot. Extension string `ecs:"extension"` // File type (file, dir, or symlink). diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 9bd030d0a..416128593 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -2109,7 +2109,7 @@ example: `C` // =============================================================== | file.extension -| File extension. +| File extension, excluding the dot. type: keyword diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 8b9cca49b..c0bfa5ec4 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1604,7 +1604,7 @@ level: extended type: keyword ignore_above: 1024 - description: File extension. + description: File extension, excluding the dot. example: png - name: gid level: extended diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 2e023a323..f2e380640 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -175,7 +175,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. 2.0.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. 2.0.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -2.0.0-dev,true,file,file.extension,keyword,extended,,png,File extension. +2.0.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the dot." 2.0.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 2.0.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. 2.0.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 08277b437..c4bf14dfb 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -2544,14 +2544,14 @@ file.drive_letter: type: keyword file.extension: dashed_name: file-extension - description: File extension. + description: File extension, excluding the dot. example: png flat_name: file.extension ignore_above: 1024 level: extended name: extension normalize: [] - short: File extension. + short: File extension, excluding the dot. type: keyword file.gid: dashed_name: file-gid diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index b4fecef93..0d69183ec 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -2968,14 +2968,14 @@ file: type: keyword file.extension: dashed_name: file-extension - description: File extension. + description: File extension, excluding the dot. example: png flat_name: file.extension ignore_above: 1024 level: extended name: extension normalize: [] - short: File extension. + short: File extension, excluding the dot. type: keyword file.gid: dashed_name: file-gid 
diff --git a/schemas/file.yml b/schemas/file.yml index 4856f2264..485aad185 100644 --- a/schemas/file.yml +++ b/schemas/file.yml @@ -74,7 +74,7 @@ - name: extension level: extended type: keyword - description: File extension. + description: File extension, excluding the dot. example: png - name: type From 9ab98562ee98941a39fb750a10b2261d75b627e5 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Wed, 7 Oct 2020 10:39:32 -0400 Subject: [PATCH 2/5] Address multiple extensions explicitly --- code/go/ecs/file.go | 4 +++- docs/field-details.asciidoc | 4 +++- generated/beats/fields.ecs.yml | 5 ++++- generated/csv/fields.csv | 2 +- generated/ecs/ecs_flat.yml | 7 +++++-- generated/ecs/ecs_nested.yml | 7 +++++-- schemas/file.yml | 7 ++++++- 7 files changed, 27 insertions(+), 9 deletions(-) diff --git a/code/go/ecs/file.go b/code/go/ecs/file.go index edef1f73a..be598987e 100644 --- a/code/go/ecs/file.go +++ b/code/go/ecs/file.go @@ -55,7 +55,9 @@ type File struct { // Target path for symlinks. TargetPath string `ecs:"target_path"` - // File extension, excluding the dot. + // File extension, excluding the leading dot. + // If the file name has multime extensions (example.tar.gz), this field + // should contain all extensions without the leading dot (tar.gz). Extension string `ecs:"extension"` // File type (file, dir, or symlink). diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 416128593..da031db59 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -2109,7 +2109,9 @@ example: `C` // =============================================================== | file.extension -| File extension, excluding the dot. +| File extension, excluding the leading dot. + +If the file name has multime extensions (example.tar.gz), this field should contain all extensions without the leading dot (tar.gz). type: keyword diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index c0bfa5ec4..971fc5bcc 100644 
--- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1604,7 +1604,10 @@ level: extended type: keyword ignore_above: 1024 - description: File extension, excluding the dot. + description: 'File extension, excluding the leading dot. + + If the file name has multime extensions (example.tar.gz), this field should + contain all extensions without the leading dot (tar.gz).' example: png - name: gid level: extended diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index f2e380640..2a8688c22 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -175,7 +175,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. 2.0.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. 2.0.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -2.0.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the dot." +2.0.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." 2.0.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 2.0.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. 2.0.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index c4bf14dfb..a0ca658f8 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -2544,14 +2544,17 @@ file.drive_letter: type: keyword file.extension: dashed_name: file-extension - description: File extension, excluding the dot. + description: 'File extension, excluding the leading dot. + + If the file name has multime extensions (example.tar.gz), this field should contain + all extensions without the leading dot (tar.gz).' example: png flat_name: file.extension ignore_above: 1024 level: extended name: extension normalize: [] - short: File extension, excluding the dot. + short: File extension, excluding the leading dot. type: keyword file.gid: dashed_name: file-gid diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 0d69183ec..086487e99 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -2968,14 +2968,17 @@ file: type: keyword file.extension: dashed_name: file-extension - description: File extension, excluding the dot. + description: 'File extension, excluding the leading dot. + + If the file name has multime extensions (example.tar.gz), this field should + contain all extensions without the leading dot (tar.gz).' example: png flat_name: file.extension ignore_above: 1024 level: extended name: extension normalize: [] - short: File extension, excluding the dot. + short: File extension, excluding the leading dot. type: keyword file.gid: dashed_name: file-gid diff --git a/schemas/file.yml b/schemas/file.yml index 485aad185..3780e35f0 100644 --- a/schemas/file.yml +++ b/schemas/file.yml @@ -74,7 +74,12 @@ - name: extension level: extended type: keyword - description: File extension, excluding the dot. + short: File extension, excluding the leading dot. + description: > + File extension, excluding the leading dot. + + If the file name has multime extensions (example.tar.gz), + this field should contain all extensions without the leading dot (tar.gz). example: png - name: type From bfa20b87d3f7061a1b92495708194330d1cf51fe Mon Sep 17 00:00:00 2001 
From: Mathieu Martin Date: Wed, 7 Oct 2020 10:51:07 -0400 Subject: [PATCH 3/5] Build experimental artifacts. --- experimental/generated/beats/fields.ecs.yml | 5 ++++- experimental/generated/csv/fields.csv | 2 +- experimental/generated/ecs/ecs_flat.yml | 7 +++++-- experimental/generated/ecs/ecs_nested.yml | 7 +++++-- 4 files changed, 15 insertions(+), 6 deletions(-) diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 0ee843e80..179fbffd2 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1568,7 +1568,10 @@ level: extended type: keyword ignore_above: 1024 - description: File extension. + description: 'File extension, excluding the leading dot. + + If the file name has multime extensions (example.tar.gz), this field should + contain all extensions without the leading dot (tar.gz).' example: png - name: gid level: extended diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index c7fc56ab2..964fa9acc 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv @@ -174,7 +174,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. 2.0.0-dev,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located. 2.0.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -2.0.0-dev,true,file,file.extension,keyword,extended,,png,File extension. +2.0.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." 2.0.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 2.0.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. 2.0.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. 
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 5f2792526..f00e77ffa 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -2502,14 +2502,17 @@ file.drive_letter: type: keyword file.extension: dashed_name: file-extension - description: File extension. + description: 'File extension, excluding the leading dot. + + If the file name has multime extensions (example.tar.gz), this field should contain + all extensions without the leading dot (tar.gz).' example: png flat_name: file.extension ignore_above: 1024 level: extended name: extension normalize: [] - short: File extension. + short: File extension, excluding the leading dot. type: keyword file.gid: dashed_name: file-gid diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 1c40d63df..62f441394 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -2925,14 +2925,17 @@ file: type: keyword file.extension: dashed_name: file-extension - description: File extension. + description: 'File extension, excluding the leading dot. + + If the file name has multime extensions (example.tar.gz), this field should + contain all extensions without the leading dot (tar.gz).' example: png flat_name: file.extension ignore_above: 1024 level: extended name: extension normalize: [] - short: File extension. + short: File extension, excluding the leading dot. type: keyword file.gid: dashed_name: file-gid From 3948b5503915d6c0de675526fcf1a3a143865978 Mon Sep 17 00:00:00 2001 
From: Mathieu Martin Date: Wed, 7 Oct 2020 14:34:34 -0400 Subject: [PATCH 4/5] Multiple extensions are either: - not a thing - or a pandora's box (to parse) Your pick. --- code/go/ecs/file.go | 4 ++-- docs/field-details.asciidoc | 2 +- experimental/generated/beats/fields.ecs.yml | 4 ++-- experimental/generated/ecs/ecs_flat.yml | 4 ++-- experimental/generated/ecs/ecs_nested.yml | 4 ++-- generated/beats/fields.ecs.yml | 4 ++-- generated/ecs/ecs_flat.yml | 4 ++-- generated/ecs/ecs_nested.yml | 4 ++-- schemas/file.yml | 4 ++-- 9 files changed, 17 insertions(+), 17 deletions(-) diff --git a/code/go/ecs/file.go b/code/go/ecs/file.go index be598987e..09713b7bf 100644 --- a/code/go/ecs/file.go +++ b/code/go/ecs/file.go @@ -56,8 +56,8 @@ type File struct { TargetPath string `ecs:"target_path"` // File extension, excluding the leading dot. - // If the file name has multime extensions (example.tar.gz), this field - // should contain all extensions without the leading dot (tar.gz). + // Note that when the file name has multiple extensions (example.tar.gz), + // only the last one should be captured ("gz", not "tar.gz"). Extension string `ecs:"extension"` // File type (file, dir, or symlink). diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index da031db59..f961b6fa8 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -2111,7 +2111,7 @@ example: `C` | file.extension | File extension, excluding the leading dot. -If the file name has multime extensions (example.tar.gz), this field should contain all extensions without the leading dot (tar.gz). +Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). type: keyword diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 179fbffd2..be3a96763 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -1570,8 +1570,8 @@ ignore_above: 1024 description: 'File extension, excluding the leading dot. - If the file name has multime extensions (example.tar.gz), this field should - contain all extensions without the leading dot (tar.gz).' + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' example: png - name: gid level: extended diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index f00e77ffa..13a7c3232 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -2504,8 +2504,8 @@ file.extension: dashed_name: file-extension description: 'File extension, excluding the leading dot. - If the file name has multime extensions (example.tar.gz), this field should contain - all extensions without the leading dot (tar.gz).' + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' example: png flat_name: file.extension ignore_above: 1024 diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 62f441394..bfb2df366 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -2927,8 +2927,8 @@ file: dashed_name: file-extension description: 'File extension, excluding the leading dot. - If the file name has multime extensions (example.tar.gz), this field should - contain all extensions without the leading dot (tar.gz).' + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' example: png flat_name: file.extension ignore_above: 1024 diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 971fc5bcc..b2d3e4ef5 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -1606,8 +1606,8 @@ ignore_above: 1024 description: 'File extension, excluding the leading dot. - If the file name has multime extensions (example.tar.gz), this field should - contain all extensions without the leading dot (tar.gz).' + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' example: png - name: gid level: extended diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index a0ca658f8..81a1ee495 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -2546,8 +2546,8 @@ file.extension: dashed_name: file-extension description: 'File extension, excluding the leading dot. - If the file name has multime extensions (example.tar.gz), this field should contain - all extensions without the leading dot (tar.gz).' + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' example: png flat_name: file.extension ignore_above: 1024 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 086487e99..1ca8779d5 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -2970,8 +2970,8 @@ file: dashed_name: file-extension description: 'File extension, excluding the leading dot. - If the file name has multime extensions (example.tar.gz), this field should - contain all extensions without the leading dot (tar.gz).' + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' example: png flat_name: file.extension ignore_above: 1024 diff --git a/schemas/file.yml b/schemas/file.yml index 3780e35f0..545b4661f 100644 --- a/schemas/file.yml +++ b/schemas/file.yml 
@@ -78,8 +78,8 @@ description: > File extension, excluding the leading dot. - If the file name has multime extensions (example.tar.gz), - this field should contain all extensions without the leading dot (tar.gz). + Note that when the file name has multiple extensions (example.tar.gz), + only the last one should be captured ("gz", not "tar.gz"). example: png - name: type From a2c20a3bde20c6da55ebe93e54b1df81bd090e29 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Wed, 7 Oct 2020 14:36:29 -0400 Subject: [PATCH 5/5] Changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 27c5171ca..2150e1c38 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ All notable changes to this project will be documented in this file based on the #### Bugfixes * The `protocol` allowed value under `event.type` should not have the `expected_event_types` defined. #964 +* Clarify the definition of `file.extension` (no dots). #1016 #### Added
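Review bot: The final `description` in the `schemas/file.yml` hunk of patch 4/5 still leaves three cases undefined that producers will populate differently: a name with no dot, a name whose only dot is the first character (`.bashrc`), and letter case (`PNG` vs `png`). The same text is repeated in `code/go/ecs/file.go`, `docs/field-details.asciidoc` and the generated artifacts, which appear to be derived from this schema. The field is a `keyword`, which is matched exactly by default, so detection rules keyed on `file.extension` can miss silently when shippers disagree; Go's `filepath.Ext`, for instance, keeps the leading dot and returns `.bashrc` for `.bashrc`. I would append a sentence such as `Leave the field unset when the file name has no extension; a name like ".bashrc" has none.` and state whether the value is expected to be lowercased. Because only the last extension is kept, a constructed name like `invoice.pdf.exe` yields `exe`, so the description could also note that checks for double extensions need `file.name`.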