diff --git a/.gitignore b/.gitignore index de533dca39..f2e20920fc 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,4 @@ env build .idea +*.iml diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index f7d7b1083c..c8397cf4bc 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -12,6 +12,7 @@ Thanks, you're awesome :-) --> ### Added * Added `error.stack_trace` field. #562 * Added `log.origin.file.name`, `log.origin.function` and `log.origin.file.line` fields. #563 +* Added `service.node.name` to allow distinction between different nodes of the same service running on the same host. #565 * Added `error.type` field. #566 ### Improvements diff --git a/code/go/ecs/service.go b/code/go/ecs/service.go index df93fb1df6..7ccbda2151 100644 --- a/code/go/ecs/service.go +++ b/code/go/ecs/service.go 
@@ -34,16 +34,27 @@ type Service struct { ID string `ecs:"id"` // Name of the service data is collected from. - // The name of the service is normally user given. This allows if two - // instances of the same service are running on the same machine they can - // be differentiated by the `service.name`. - // Also it allows for distributed services that run on multiple hosts to - // correlate the related instances based on the name. - // In the case of Elasticsearch the service.name could contain the cluster - // name. For Beats the service.name is by default a copy of the + // The name of the service is normally user given. This allows for + // distributed services that run on multiple hosts to correlate the related + // instances based on the name. + // In the case of Elasticsearch the `service.name` could contain the + // cluster name. For Beats the `service.name` is by default a copy of the // `service.type` field if no name is specified. Name string `ecs:"name"` + // Name of a service node. + // This allows for two nodes of the same service running on the same host + // to be differentiated. Therefore, `service.node.name` should typically be + // unique across nodes of a given service. + // In the case of Elasticsearch, the `service.node.name` could contain the + // unique node name within the Elasticsearch cluster. In cases where the + // service doesn't have the concept of a node name, the host name or + // container name can be used to distinguish running instances that make up + // this service. If those do not provide uniqueness (e.g. multiple + // instances of the service running on the same host) - the node name can + // be manually set. + NodeName string `ecs:"node.name"` + // The type of the service data is collected from. // The type can be used to group and correlate logs and metrics from one // service type. diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 50a11111a6..f5bac8596f 100644 --- a/docs/field-details.asciidoc 
+++ b/docs/field-details.asciidoc @@ -3024,11 +3024,9 @@ example: `d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6` | service.name | Name of the service data is collected from. -The name of the service is normally user given. This allows if two instances of the same service are running on the same machine they can be differentiated by the `service.name`. +The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. -Also it allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - -In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the `service.type` field if no name is specified. +In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. type: keyword @@ -3038,6 +3036,21 @@ example: `elasticsearch-metrics` // =============================================================== +| service.node.name +| Name of a service node. + +This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. + +In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. + +type: keyword + +example: `instance-0000000016` + +| extended + +// =============================================================== + | service.state | Current state of the service. 
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 5be182dffa..42877c4759 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -2288,17 +2288,31 @@ ignore_above: 1024 description: 'Name of the service data is collected from. - The name of the service is normally user given. This allows if two instances - of the same service are running on the same machine they can be differentiated - by the `service.name`. + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. - Also it allows for distributed services that run on multiple hosts to correlate - the related instances based on the name. - - In the case of Elasticsearch the service.name could contain the cluster name. - For Beats the service.name is by default a copy of the `service.type` field - if no name is specified.' + In the case of Elasticsearch the `service.name` could contain the cluster + name. For Beats the `service.name` is by default a copy of the `service.type` + field if no name is specified.' example: elasticsearch-metrics + - name: node.name + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of a service node. + + This allows for two nodes of the same service running on the same host to + be differentiated. Therefore, `service.node.name` should typically be unique + across nodes of a given service. + + In the case of Elasticsearch, the `service.node.name` could contain the unique + node name within the Elasticsearch cluster. In cases where the service doesn''t + have the concept of a node name, the host name or container name can be used + to distinguish running instances that make up this service. If those do not + provide uniqueness (e.g. multiple instances of the service running on the + same host) - the node name can be manually set.' + example: instance-0000000016 - name: state level: core type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index ae4cd733b5..1cb9ec073a 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -292,6 +292,7 @@ server.user.name,keyword,core,albert,1.2.0-dev service.ephemeral_id,keyword,extended,8a4f500f,1.2.0-dev service.id,keyword,core,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,1.2.0-dev service.name,keyword,core,elasticsearch-metrics,1.2.0-dev +service.node.name,keyword,extended,instance-0000000016,1.2.0-dev service.state,keyword,core,,1.2.0-dev service.type,keyword,core,elasticsearch,1.2.0-dev service.version,keyword,core,3.2.4,1.2.0-dev diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index dc8c13b1b1..aba3a74e74 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -3244,7 +3244,7 @@ service.ephemeral_id: ignore_above: 1024 level: extended name: ephemeral_id - order: 5 + order: 6 short: Ephemeral identifier of this service. type: keyword service.id: @@ -3268,16 +3268,12 @@ service.id: service.name: description: 'Name of the service data is collected from. - The name of the service is normally user given. This allows if two instances of - the same service are running on the same machine they can be differentiated by - the `service.name`. + The name of the service is normally user given. This allows for distributed services + that run on multiple hosts to correlate the related instances based on the name. - Also it allows for distributed services that run on multiple hosts to correlate - the related instances based on the name. - - In the case of Elasticsearch the service.name could contain the cluster name. - For Beats the service.name is by default a copy of the `service.type` field if - no name is specified.' + In the case of Elasticsearch the `service.name` could contain the cluster name. + For Beats the `service.name` is by default a copy of the `service.type` field + if no name is specified.' example: elasticsearch-metrics flat_name: service.name ignore_above: 1024 
@@ -3286,13 +3282,34 @@ service.name: order: 1 short: Name of the service. type: keyword +service.node.name: + description: 'Name of a service node. + + This allows for two nodes of the same service running on the same host to be differentiated. + Therefore, `service.node.name` should typically be unique across nodes of a given + service. + + In the case of Elasticsearch, the `service.node.name` could contain the unique + node name within the Elasticsearch cluster. In cases where the service doesn''t + have the concept of a node name, the host name or container name can be used to + distinguish running instances that make up this service. If those do not provide + uniqueness (e.g. multiple instances of the service running on the same host) - + the node name can be manually set.' + example: instance-0000000016 + flat_name: service.node.name + ignore_above: 1024 + level: extended + name: node.name + order: 2 + short: Name of the service node. + type: keyword service.state: description: Current state of the service. flat_name: service.state ignore_above: 1024 level: core name: state - order: 3 + order: 4 short: Current state of the service. type: keyword service.type: @@ -3308,7 +3325,7 @@ service.type: ignore_above: 1024 level: core name: type - order: 2 + order: 3 short: The type of the service. type: keyword service.version: @@ -3320,7 +3337,7 @@ service.version: ignore_above: 1024 level: core name: version - order: 4 + order: 5 short: Version of the service. type: keyword source.address: diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index a6e03cfd90..6279330648 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -3672,7 +3672,7 @@ service: ignore_above: 1024 level: extended name: ephemeral_id - order: 5 + order: 6 short: Ephemeral identifier of this service. type: keyword id: 
@@ -3696,16 +3696,13 @@ service: name: description: 'Name of the service data is collected from. - The name of the service is normally user given. This allows if two instances - of the same service are running on the same machine they can be differentiated - by the `service.name`. + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. - Also it allows for distributed services that run on multiple hosts to correlate - the related instances based on the name. - - In the case of Elasticsearch the service.name could contain the cluster name. - For Beats the service.name is by default a copy of the `service.type` field - if no name is specified.' + In the case of Elasticsearch the `service.name` could contain the cluster + name. For Beats the `service.name` is by default a copy of the `service.type` + field if no name is specified.' example: elasticsearch-metrics flat_name: service.name ignore_above: 1024 
@@ -3714,13 +3711,34 @@ service: order: 1 short: Name of the service. type: keyword + node.name: + description: 'Name of a service node. + + This allows for two nodes of the same service running on the same host to + be differentiated. Therefore, `service.node.name` should typically be unique + across nodes of a given service. + + In the case of Elasticsearch, the `service.node.name` could contain the unique + node name within the Elasticsearch cluster. In cases where the service doesn''t + have the concept of a node name, the host name or container name can be used + to distinguish running instances that make up this service. If those do not + provide uniqueness (e.g. multiple instances of the service running on the + same host) - the node name can be manually set.' + example: instance-0000000016 + flat_name: service.node.name + ignore_above: 1024 + level: extended + name: node.name + order: 2 + short: Name of the service node. + type: keyword state: description: Current state of the service. flat_name: service.state ignore_above: 1024 level: core name: state - order: 3 + order: 4 short: Current state of the service. type: keyword type: @@ -3736,7 +3754,7 @@ service: ignore_above: 1024 level: core name: type - order: 2 + order: 3 short: The type of the service. type: keyword version: @@ -3748,7 +3766,7 @@ service: ignore_above: 1024 level: core name: version - order: 4 + order: 5 short: Version of the service. type: keyword group: 2 diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 88506c40a1..ace82117b2 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -1383,6 +1383,14 @@ "ignore_above": 1024, "type": "keyword" }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "state": { "ignore_above": 1024, "type": "keyword" 
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index b8216aeca2..cb89e75b69 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -1382,6 +1382,14 @@ "ignore_above": 1024, "type": "keyword" }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "state": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/legacy/template.json b/generated/legacy/template.json index 5ab3023e5f..d6bc328d97 100644 --- a/generated/legacy/template.json +++ b/generated/legacy/template.json @@ -907,6 +907,14 @@ "ignore_above": 1024, "type": "keyword" }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "state": { "ignore_above": 1024, "type": "keyword" diff --git a/schema.json b/schema.json index b289c02b93..f75148565f 100644 --- a/schema.json +++ b/schema.json 
@@ -2168,7 +2168,7 @@ "type": "keyword" }, "service.name": { - "description": "Name of the service data is collected from.\nThe name of the service is normally user given. This allows if two instances of the same service are running on the same machine they can be differentiated by the `service.name`.\nAlso it allows for distributed services that run on multiple hosts to correlate the related instances based on the name.\nIn the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the `service.type` field if no name is specified.", + "description": "Name of the service data is collected from.\nThe name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.\nIn the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.", "example": "elasticsearch-metrics", "footnote": "", "group": 2, 
@@ -2177,6 +2177,16 @@ "required": false, "type": "keyword" }, + "service.node.name": { + "description": "Name of a service node.\nThis allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service.\nIn the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.", + "example": "instance-0000000016", + "footnote": "", + "group": 2, + "level": "extended", + "name": "service.node.name", + "required": false, + "type": "keyword" + }, "service.state": { "description": "Current state of the service.", "example": "", diff --git a/schemas/service.yml b/schemas/service.yml index f539301586..f0bafa55da 100644 --- a/schemas/service.yml +++ b/schemas/service.yml 
@@ -36,17 +36,35 @@ description: > Name of the service data is collected from. - The name of the service is normally user given. This allows if two - instances of the same service are running on the same machine - they can be differentiated by the `service.name`. + The name of the service is normally user given. This allows for + distributed services that run on multiple hosts to correlate the + related instances based on the name. - Also it allows for distributed services that run on multiple hosts to - correlate the related instances based on the name. - - In the case of Elasticsearch the service.name could contain the cluster - name. For Beats the service.name is by default a copy of the `service.type` + In the case of Elasticsearch the `service.name` could contain the cluster + name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + - name: node.name + level: extended + type: keyword + example: "instance-0000000016" + short: Name of the service node. + description: > + Name of a service node. + + This allows for two nodes of the same service running on the same + host to be differentiated. Therefore, `service.node.name` should + typically be unique across nodes of a given service. + + In the case of Elasticsearch, the `service.node.name` could contain + the unique node name within the Elasticsearch cluster. + In cases where the service doesn't have the concept of a node name, + the host name or container name can be used to distinguish running + instances that make up this service. If those do not provide uniqueness + (e.g. multiple instances of the service running on the same host) - the + node name can be manually set. + + - name: type level: core type: keyword
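Review bot: The added `node.name` description leaves two things open for anyone who correlates events on this field. It does not say how the field differs from `service.id` and `service.ephemeral_id`, which the field set already contains, and it offers the host name as a fallback even though the stated purpose is telling apart nodes on the same host. The value comes from the reporting side and "can be manually set", so nothing in the schema makes it unique or trustworthy on its own. I would close the description with a sentence such as `The value is self-reported and not guaranteed to be unique; use it together with service.name and host.name when correlating.` The same wording is mirrored in the `NodeName` comment in code/go/ecs/service.go and in the generated artifacts, which are presumably rebuilt from this file, so it should only need changing here.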