[Docs] Discuss patterns for ECS vs vendor prefixed fields in the Integrations Developer Guide #11264

Open
@chrisberkhout


When mapping fields in integrations, we use ECS fields whenever possible, but there are several approaches to handling additional data:

  • Put values without an ECS field under a vendor prefix.
  • Put everything under a vendor prefix and copy values to ECS fields when possible.
  • Put everything under a vendor prefix and copy values to ECS fields when possible, and have a policy option to drop vendor fields that have ECS equivalents.

A question that sometimes comes up is: should the vendor-prefixed fields follow the upstream data model as closely as possible, or should they follow the patterns used in ECS?

The best approach may depend on:

  • How much of the available data matches ECS
  • How valuable the non-ECS data is to users
  • How many fields there are
  • The total volume of data

The Integrations Developer Guide could include a section that discusses these options and makes recommendations.
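
The three approaches listed in the issue, modelled side by side as an added example (not part of the original issue and not code from the integrations repository). The vendor name `acme`, the sample event and the key-to-ECS mapping are constructed assumptions.

```python
# Added illustration: vendor "acme", the event and the ECS mapping are constructed.
RAW_EVENT = {"src_ip": "198.51.100.7", "user": "alice",
             "policy_id": "P-42", "risk_score": 87}

# Hypothetical mapping from upstream keys to ECS field names.
ECS_MAP = {"src_ip": "source.ip", "user": "user.name"}


def set_path(doc, dotted, value):
    """Store value at a dotted field path, creating nested objects as needed."""
    *parents, leaf = dotted.split(".")
    for key in parents:
        doc = doc.setdefault(key, {})
    doc[leaf] = value


def map_event(raw, vendor, strategy, drop_duplicates=False):
    """Build the indexed document for one of the approaches.

    "remainder": only values without an ECS field go under the vendor prefix.
    "copy": everything goes under the vendor prefix and is copied to ECS;
            drop_duplicates=True models the policy option that removes
            vendor fields which have an ECS equivalent.
    """
    if strategy not in ("remainder", "copy"):
        raise ValueError(f"unknown strategy: {strategy}")
    doc = {}
    for key, value in raw.items():
        ecs_field = ECS_MAP.get(key)
        if ecs_field:
            set_path(doc, ecs_field, value)
        if ecs_field is None or (strategy == "copy" and not drop_duplicates):
            set_path(doc, f"{vendor}.{key}", value)
    return doc


def leaf_count(doc):
    """Count leaf fields, a rough proxy for mapping size and stored volume."""
    return sum(leaf_count(v) if isinstance(v, dict) else 1 for v in doc.values())


if __name__ == "__main__":
    for name, kwargs in [("remainder", {}), ("copy", {}),
                         ("copy", {"drop_duplicates": True})]:
        doc = map_event(RAW_EVENT, "acme", name, **kwargs)
        print(name, kwargs, leaf_count(doc), doc)
```

In this model, the copy approach with the drop option enabled stores the same document as the first approach; the field count only grows when duplicates are preserved.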
