RFC-Stage-0: Proposal to add a "ticket" schema / field definition to ECS #1383
Conversation
|
💚 CLA has been signed |
|
Not sure why it is saying I haven't sign the Contributor Agreement, I completed one yesterday and my company has a Contributor License Agreement with Elastic. Guessing I signed the wrong one yesterday since I selected the company option, just signed the individual as well. |
|
Hi @kc-comcast ! It appears the check is failing because you signed the CLA with a different email address than is associated with your commit. I think you should be able to just add the email you committed with to your GitHub profile. |
Should all be from my same work email. |
They are both your work domain, but the one you signed with follows first_last, and your commit appears more like a username (ends in 00). |
Didn't realize it used an email alias on me. I signed the agreement with that email as well, and have linked that alias to my GitHub account. |
|
Thanks, @kc-comcast; the CLA check is ✅ now! Sorry for the delay in providing an initial review. We're taking a look and will have some feedback for you shortly. |
|
Hey @kc-comcast! There are some big picture concepts here that would definitely benefit ECS, like metadata for Enterprise Search. However, I have some concerns about how broad the fieldset would be if we try to cover all the potentially different types (change requests, incidents, etc) that you mention. Also, the name Do you happen to have a high level example of how you would utilize this proposed fieldset? |
|
Agree there is a broad scope here for various types of tickets. I had first thought about handling this on smaller scale focusing on the types of tickets, but the field duplication would be huge. As I thought more about it, I came to the realization we are talking about any type of ticket in a general scope, and almost all have some of the same basic characteristics/properties for the object. There are a great many ticketing tools out there (Jira, ServiceNow, Remedy, Trello, Rally, etc.). Customization on these platforms is extensive to allow users to add their own personalized fields to fit their business case. However, one thing all platforms have in common, is they predominantly all rely on the same core fields being available "out of the box". Those core fields are the things a user are most likely to search on. ticket.number --> Ticket number The sample schema I created in my repo has some more, but the above are fairly constant properties of a ticket which would likely be heavily used. The In terms of my use case, my team develops our ITSM ticketing platform. We are working on the observability aspect of our platform by centralizing our logs within Elasticsearch. As I worked to defined the schema for our logging, one key thing came up, which is most troubleshooting or queries we will perform will be based on the ticket entered into our platform. Also, to better understand the success / failure of our platform processing the ticket, we need to understand the details and attributes assigned to it. I proposed, and implemented this light weight schema for us to enable that use. As I was developing the mapping, it occurred to me there is a much larger application for this, especially with Enterprise Search, thus I sought approval for making the OS contribution. In the Enterprise Search aspect, these same properties of tickets generally exist through all of the various ticketing platforms mentioned above. Additionally, many companies employ multiple ticketing platforms. Trying to know which platform to search to find the ticket to account for an action can be difficult, especially if a company is transitioning ticketing platforms, or isn't standardized on a single one for things like Incidents and Change requests. Depending upon the company, different business policies can be implemented. It is not uncommon to say every change requires a |
There was a problem hiding this comment.
I think capturing certain ticket management details might make sense in ECS for some use cases.
Like @kgeller, I'm unsure about using ticket.* for the naming, but we can continue to discuss as the RFC advances 😃 .
I do think it'd be preferred if we can leverage other ECS fields where possible versus replicating fields underneath a new field set, like ticket.*. For example, thinking of how to leverage the existing, top-level user.* fields or relying on @timestamp over ticket.created. However, for stage 0 we don't have to get into details about specific fields.
* master: Stage 2 changes for RFC 0018 - extending the `threat.*` field set (elastic#1438) Remove deprecated `host.user.*` fields (elastic#1439) Explicitly include user identifiers in `related.user` field description (elastic#1420) Set the merge date on RFC 0018 stage 2 (elastic#1429) [RFC] Extend Threat Fieldset - Stage 2 Proposal (elastic#1395) [Tooling] Add --exclude flag to Generator to support field removal testing (elastic#1411) Add `host.user.*` deprecation notice in field reuse description (elastic#1422) Stage 2 changes for RFC 0015 - `elf` header (elastic#1410) Stage 3 changes for RFC 0012 - `orchestrator` field set (elastic#1417) Support `match_only_text` in Go code generator (elastic#1418) Stage 3 Orchestrator RFC (elastic#1343) moving into folder (elastic#1416) removing use-cases (elastic#1405) removing --oss (elastic#1404) Set the merge date on RFC 0015 stage 2 (elastic#1409) Consolidate `Breaking changes` sections in `CHANGELOG.next` (elastic#1408) RFC-Stage-0: Proposal to add a "ticket" schema / field definition to ECS (elastic#1383) [RFC] `match_only_text` type migration - Stage 0 (elastic#1396) Client port is wrongly documented (elastic#1402) (elastic#1406)
RFC Stage 0: Strawperson use case for creation of a ticket schema within ECS.
make test? N/Amakeand committed those changes? N/A for now