[ML] Update http access modules for ECS #29383
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Rename following fields event.module:apache event.dataset:access source.address url.original http.response.status_code source.geo.location Rationalise to only use one set of kibana saved objects for all http web access logs Rename files from apache Combined URL explorer into Count explorer dashboard as there was a lot of duplication Add filter to custom url Rename custom urls to Investigate Source IP and Status Code Add chart to show overall event rate split by event.module - can tell if multiple datasets are included Increase limit for top source ips from 5 to 50 Add created_by to custom setting for telemetry Rename jobs and saved objects to include ecs tag Tested side by side against v6 jobs
sophiec20
added
WIP
|
Pinging @elastic/ml-ui |
💔 Build Failed |
Also change custom URLs to lower case to match "View series" Change created_by to ml-module-apache-access
💔 Build Failed |
Rename http_status_code to status_code_rate Update custom url to use filters instead of lucene query bar
Copy files, keeping nginx logo Multiple renames to nginx
💚 Build Succeeded |
sophiec20
changed the title
|
This pr now contains nginx_ecs and apache_ecs modules and is ready for review. Data set is available for apache, nginx will be ready soon pending new build after elastic/beats#10418. This pr does not yet remove the non-ecs modules. This will be a separate pr as these non-ecs modules may be useful for side-by-side comparisons. |
💚 Build Succeeded |
peteharverson
approved these changes
Jan 31, 2019
💔 Build Failed |
1 task
This was referenced Feb 5, 2019
3 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Updates the fields used in the NGINX and Apache web access data recognizer modules to the Elastic Common Schema (ECS) field names.
The ECS modules also differ from the non-ECS versions by replacing the two drilldown dashboards (URL Explorer and Count Explorer) with a single HTTP Access Explorer dashboard for drilldown.
Summary of changes from non ECS versions:
Renamed following fields:
Only use one set of kibana saved objects for all http web access logs
Rename files from apache2 to apache
Combined URL explorer into Count explorer dashboard as there was a lot of duplication
Rename custom urls to Investigate Source IP and Status Code
Added chart to show overall event rate split by event.module - can tell if multiple datasets are included
Increased limit for top source ips from 5 to 50
Add
created_byfield for jobsRename jobs and saved objects to include ecs tag
Checklist
For maintainers