diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 07872e22dd..1dba260c89 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -22,6 +22,8 @@ Thanks, you're awesome :-) --> #### Improvements +* Note `[` and `]` bracket characters may enclose a literal IPv6 address when populating `url.domain`. #1131 + #### Deprecated ### Tooling and Artifact Changes diff --git a/code/go/ecs/url.go b/code/go/ecs/url.go index 6c1ac3be75..5aaf22d0d1 100644 --- a/code/go/ecs/url.go +++ b/code/go/ecs/url.go @@ -42,6 +42,9 @@ type Url struct { // In some cases a URL may refer to an IP and/or port directly, without a // domain name. In this case, the IP address would go to the `domain` // field. + // If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF + // RFC 2732), the `[` and `]` characters should also be captured in the + // `domain` field. Domain string `ecs:"domain"` // The highest registered url domain, stripped of the subdomain. diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index ae14752657..d85690758e 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -6236,6 +6236,8 @@ URL fields provide support for complete or partial URLs, and supports the breaki In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + type: keyword diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 3ee89c2a22..90e68410ac 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -5262,7 +5262,11 @@ description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' example: www.elastic.co - name: extension level: extended diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 5aefba80d3..1b6d2129a3 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -8027,7 +8027,10 @@ url.domain: description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), + the `[` and `]` characters should also be captured in the `domain` field.' example: www.elastic.co flat_name: url.domain level: extended diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 977a5c2232..e96e30c132 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -9291,7 +9291,11 @@ url: description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' example: www.elastic.co flat_name: url.domain level: extended diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 0361f97cdf..db2ffdf35a 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -5350,7 +5350,11 @@ description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' example: www.elastic.co - name: extension level: extended diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 78ef1eaec8..8168a9bf92 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -8110,7 +8110,10 @@ url.domain: description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), + the `[` and `]` characters should also be captured in the `domain` field.' example: www.elastic.co flat_name: url.domain ignore_above: 1024 
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 1352e844e5..a937ce34fd 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -9379,7 +9379,11 @@ url: description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' example: www.elastic.co flat_name: url.domain ignore_above: 1024 diff --git a/schemas/url.yml b/schemas/url.yml index 8a523fbc8d..4e0829e626 100644 --- a/schemas/url.yml +++ b/schemas/url.yml @@ -58,6 +58,9 @@ In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), + the `[` and `]` characters should also be captured in the `domain` field. example: www.elastic.co - name: registered_domain
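Review bot: The sentence added to the `url.domain` description in `schemas/url.yml` cites RFC 2732, which RFC 3986 obsoleted; the bracketed IP-literal host form is now defined in RFC 3986 section 3.2.2, so the parenthetical would be better as `(IETF RFC 3986, section 3.2.2)`. The same wording appears in the `code/go/ecs/url.go` comment, in `docs/field-details.asciidoc` and in the generated YAML files in this diff, which look derived from this schema, so correcting it here should carry through. The description could also note that the bracketed value in `url.domain` will not string-match the bare address held in IP-typed fields such as `destination.ip`. Because `url.domain` is a keyword compared as an exact string, detection rules and indicator lookups need to strip the brackets and normalise the IPv6 text (case, zero compression) before comparing. The `example:` line still shows only `www.elastic.co`, so the description could also give a bracketed sample built from the documentation prefix, such as `[2001:db8::1]`.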