Description
According to the documentation mac addresses „notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.“ (example: 00-00-5E-00-53-23)
I only have a small sample but at least the winlogbeat uses lowercase hexadecimal digits seperated by a colon. Since ecs aims „to normalise their event data, so that they can better analyse, visualise, and correlate the data represented in their events“ the wording should be a bit less optional than a suggestion. Also if the lowercase/colon format is the defacto standard, maybe it should be made standard to avoid confusion. In my personal opinion I don't see why the delimiters whatever they maybe should be stored at all and not just added for cosmetics in kibana or any other viewer but at least it should be the same everywhere.