Description
Scenario
ecs.version is good information for compatibility, but because it's a string, it's actually non-trivial to write a query that validates semver. If we add major, minor and patch then we can match this much better.
Problem
For instance, let's say I want to search my data for semantic matches for 1.3.0, because that's the first version that has a field I'm looking for. I could write that in KQL a few different ways:
ecs.version:(1.3.0 or 1.4.0 or 1.5.0 or 1.6.0 or 1.7.0 or ...)ecs.version:1.* and ecs.version >= 1.3.0
But both have problems. The first requires you to know all of the versions. It also doesn't check for patch versions, but those could be done by replacing .0 with .*.
The second approach does a string comparison and not a semantic comparison. That would mean that we'd miss 1.10.0 when comparing >= 1.3.0, since >= is lexicographical.
Proposal
We should still keep ecs.version. It's super cheap anyway and contains the full string. But we can also add ecs.major, ecs.minor and ecs.patch. If they are stored as numbers then we can make semantic validation trivial: ecs.major: 1 and ecs.minor >= 3. Even if we're comparing to a hypothetically patched 1.3.2, we could do ecs.major:1 and (ecs.minor:3 and ecs.patch:2 or ecs.minor > 3).