Phase 2 in conversion to asciidoc #334
Conversation
| feedback on the general structure, missing fields, or existing fields is appreciated. | ||
| For contributions please read the https://github.com/elastic/ecs/blob/master/CONTRIBUTING.md[Contribution Guidelines]. | ||
| feedback on the general structure, missing fields, or existing fields is | ||
| appreciated. For contributions please read the |
There was a problem hiding this comment.
I think for 1.0, we should change the message here.
Here's what we're now shooting for:
- We are following Semantic Versioning, meaning:
- Backwards compatibility during the 1.x lifetime
- Possibility of breaking changes only at major versions
- Related: We will align ECS major version with Elastic Stack major versions
At least that's how I think we should approach it. This stability will be a big decision factor for people deciding whether or not to adopt ECS.
WDYT @MikePaquette?
cc @ruflin
There was a problem hiding this comment.
Also while not technically a beta anymore, perhaps we should still guard and say "this is the first official version, so consider accordingly".
There was a problem hiding this comment.
@webmat I like the message you propose. I would make sure to position these as goals, as there may be unforeseen situations that cause us to change these plans.
I would skip the "first official version" note - I the 1.0.0 version already makes that clear.
| * *Extended fields.* Any fields that are not a core field. | ||
| Extended fields may apply to more narrow use cases, or may be more open | ||
| to interpretation depending on the use case. Extended fields are more likely to | ||
| change over time. |
There was a problem hiding this comment.
Love the very direct and straightforward mention of what core and extended mean, right in the ECS index page ❤️
There was a problem hiding this comment.
@MarkSettleES let me know that "core" and "custom" have been proposed instead of "core" and "extended".
WDYT @webmat? @MikePaquette? @MarkSettleES? Others?
There was a problem hiding this comment.
Core and extended are absolutely both the main levels we use to define ECS fields.
However Mark makes a good point. I have seen some of Mike's content list the 3 together, and I think that's a great idea. I think it could reinforce the idea that ECS is a standard that still embraces the custom that people need around it.
I agree we should add it as a third bullet point in there.
There was a problem hiding this comment.
@karenzone @MarkSettleES to close the loop here, "Custom" can be included as a third level, but is not an alternative to "extended".
So I agree with @webmat let's go with three levels:
- Core
- Extended
- Custom
docs/glossary.asciidoc
Outdated
| Describes an implementation with all existing fields mapped to ECS fields. | ||
|
|
||
| ECS compliant:: Describes an implementation with all existing fields mapped to | ||
| ECS fields, and with as many ECS core fields populated as is practical. |
There was a problem hiding this comment.
I think we wanted to remove these two distinctions, right @MikePaquette?
These concepts haven't been fully fleshed out, I would remove for now, and only introduce when we're ready to have these kinds of discussions.
There was a problem hiding this comment.
@webmat @karenzone
I agree to remove these definitions for now, but I want to make sure we include guidance like: "In order to increase the level of interoperability of your data with future analysis content, your implementation should attempt to populate as many of the Core fields as practical, even if these fields or values are metadata that are not present in your original event, or are already populated in another ECS field"
I think this guidance is fundamental to the success of a common schema, and one I've not been very successful at articulating.
Simple example: when converting a syslog firewall log event to ECS, there maybe no field in the event with the value "syslog" , but a good ECS implementation will still populate agent.type: syslog so that future ECS-aware analysis content that filters events by agent.type will work properly.
There was a problem hiding this comment.
I've taken an additional note to reinforce the docs this way, in the docs plan
docs/convert.asciidoc
Outdated
| implementations to ECS to help you correlate data across all of your products | ||
| and solutions. | ||
|
|
||
| Before you start a conversion, be sure that you understand the basic <link here>. |
There was a problem hiding this comment.
Let's keep a todo to finish this sentence. Or can we for now just say "the basics outlined below:"?
docs/convert.asciidoc
Outdated
|
|
||
| An implementation would be considered *compliant* with ECS only if it also | ||
| populates as many of the ECS core fields as is practical. Duplication, adding | ||
| metadata, or deriving values via manipulation and math are acceptable. |
There was a problem hiding this comment.
In line with my other comment on compatible/compliant, we should consider removing this section.
docs/faq.asciidoc
Outdated
| * Dot notation: `user.firstname: Nicolas`, `user.lastname: Ruflin` | ||
| * Underline notation: `user_firstname: Nicolas`, `user_lastname: Ruflin` | ||
|
|
||
| For ECS we decided to use the dot notation. Here's some background on this decision. |
There was a problem hiding this comment.
Let's reinforce the meaning of dots here at the introduction of the concept. It's well laid out below for those who will pore over each section. Would this make sense?
| For ECS we decided to use the dot notation. Here's some background on this decision. | |
| For ECS we decided to use the dot notation, representing nested objects. Here's some background on this decision. |
Trying the new suggest feature for changing v7.1 to v7.0. Co-Authored-By: karenzone <[email protected]>
There was a problem hiding this comment.
Thanks for fixing all of these links. This documentation build script is great! It's great to finally be taken through how to leverage it like this :-)
Just noticed one typo in one of the IDs. Once fixed, we can merge.
I can take care of adjusting, if we decide to add "Other", once Mike weighs in.
docs/faq.asciidoc
Outdated
|
|
||
| [float] | ||
| [[nptation-diff]] |
There was a problem hiding this comment.
I'd go for "notation-diff" here instead ;-)
Fix typo in anchor
Trying to work Mike's points in, as mentioned [here](elastic#334 (comment)).
Trying to work Mike's points in, as mentioned [here](elastic#334 (comment)).
* Phase 2 in conversion to asciidoc * Update docs/convert.asciidoc Trying the new suggest feature for changing v7.1 to v7.0. Co-Authored-By: karenzone <[email protected]> * Start incorporating review comments * Update faq.asciidoc Fix typo in anchor
* Phase 2 in conversion to asciidoc * Update docs/convert.asciidoc Trying the new suggest feature for changing v7.1 to v7.0. Co-Authored-By: karenzone <[email protected]> * Start incorporating review comments * Update faq.asciidoc Fix typo in anchor
* Phase 2 in conversion to asciidoc * Update docs/convert.asciidoc Trying the new suggest feature for changing v7.1 to v7.0. Co-Authored-By: karenzone <[email protected]> * Start incorporating review comments * Update faq.asciidoc Fix typo in anchor
Backport of PR #334 to 1.0 branch. Original message: More work toward the move to asciidoc: * Added new files and content. * Played with the content of Base Fields to demonstrate a three-column format. * Watch for possible terminology change from "core and extended" to "core and custom" for fields.
More work toward the move to asciidoc:
Want to see this rendered? https://ecs-docs.firebaseapp.com/ecs2/