diff --git a/Makefile b/Makefile
index 171a965611..41532bb296 100644
--- a/Makefile
+++ b/Makefile
@@ -40,6 +40,15 @@ check_license_headers:
.PHONY: clean
clean:
rm -rf build generated/elasticsearch/composable/component experimental/generated/elasticsearch/composable/component
+ # Clean generated documentation files
+ @echo "Removing generated documentation files..."
+ @rm -f docs/reference/index.md docs/reference/ecs-field-reference.md docs/reference/ecs-otel-alignment-details.md docs/reference/ecs-otel-alignment-overview.md
+ @for schema in $$(ls schemas/*.yml 2>/dev/null | sed 's/schemas\///' | sed 's/\.yml$$//'); do \
+ if [ -f "docs/reference/ecs-$$schema.md" ]; then \
+ echo "Removing docs/reference/ecs-$$schema.md"; \
+ rm -f "docs/reference/ecs-$$schema.md"; \
+ fi; \
+ done
# Build and serve the docs
.PHONY: docs
@@ -107,7 +116,7 @@ generate: generator
# Run the new generator
.PHONY: generator
generator: ve
- $(PYTHON) scripts/generator.py --strict --include "${INCLUDE}" --subset "${SUBSETS_DIR}" --semconv-version "${SEMCONV_VERSION}" --force-docs
+ $(PYTHON) scripts/generator.py --strict $(if $(INCLUDE),--include "$(INCLUDE)") --subset "${SUBSETS_DIR}" --semconv-version "${SEMCONV_VERSION}" --force-docs
# Check Makefile format.
.PHONY: makelint
diff --git a/docs/reference/ecs-container.md b/docs/reference/ecs-container.md
index e920fabc97..c7707df0e9 100644
--- a/docs/reference/ecs-container.md
+++ b/docs/reference/ecs-container.md
@@ -29,7 +29,7 @@ These fields help correlate data based containers from any runtime.
| $$$field-container-name$$$ [container.name](#field-container-name) | Container name.
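Review bot: The `@for schema in $$(ls schemas/*.yml …)` loop in the new `clean` lines derives the file list by parsing `ls` output through two `sed` calls in a shell loop, when Make can compute the same list at expansion time without a subshell; the whole for/if/rm/fi/done block reduces to `$(RM) $(patsubst schemas/%.yml,docs/reference/ecs-%.md,$(wildcard schemas/*.yml))`, and the `[ -f … ]` test becomes unnecessary because `rm -f` already tolerates missing files. The hard-coded `@rm -f` line names four pages but not the `ecs-allowed-values-*.md` pages that the entity doc further down this diff links to; if those are generator output too (not visible here), `make clean` leaves them in place, so `docs/reference/ecs-allowed-values-*.md` probably belongs in that list. Silencing every line with `@` also hides which `rm` failed when one does; keep `@` on the `echo` and let the `rm` lines echo.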
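Review bot: The new `$(if $(INCLUDE),…)` guard on the `generator` recipe tests the raw value, so a whitespace-only `INCLUDE` (easy to get from a CI variable) still passes `--include " "` to the script; `$(if $(strip $(INCLUDE)),--include "$(INCLUDE)")` closes that gap. The same line still passes `--subset "${SUBSETS_DIR}"` and `--semconv-version "${SEMCONV_VERSION}"` unconditionally, so an unset value reaches `scripts/generator.py` as an empty string, which is exactly the situation this change fixes for `--include`; their defaults are outside the hunk, so either guard them the same way or confirm they are asserted non-empty where they are defined. Mixing `$(INCLUDE)` with `${SUBSETS_DIR}` on one line is a small style nit; pick one form.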

type: keyword

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [container.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/container/#container-name) | extended | | $$$field-container-network-egress-bytes$$$ [container.network.egress.bytes](#field-container-network-egress-bytes) | The number of bytes (gauge) sent out on all network interfaces by the container since the last metric collection.

type: long | extended | | $$$field-container-network-ingress-bytes$$$ [container.network.ingress.bytes](#field-container-network-ingress-bytes) | The number of bytes received (gauge) on all network interfaces by the container since the last metric collection.

type: long | extended | -| $$$field-container-runtime$$$ [container.runtime](#field-container-runtime) | Runtime managing this container.

type: keyword

example: `docker`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [container.runtime](https://opentelemetry.io/docs/specs/semconv/attributes-registry/container/#container-runtime) | extended | +| $$$field-container-runtime$$$ [container.runtime](#field-container-runtime) | Runtime managing this container.

type: keyword

example: `docker`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [container.runtime.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/container/#container-runtime-name) | extended | | $$$field-container-security-context-privileged$$$ [container.security_context.privileged](#field-container-security-context-privileged) | Indicates whether the container is running in privileged mode.

type: boolean | extended | diff --git a/docs/reference/ecs-dns.md b/docs/reference/ecs-dns.md index f9beaf1725..75d55f3b1c 100644 --- a/docs/reference/ecs-dns.md +++ b/docs/reference/ecs-dns.md @@ -17,7 +17,7 @@ DNS events should either represent a single DNS query prior to getting answers ( | Field | Description | Level | | --- | --- | --- | -| $$$field-dns-answers$$$ [dns.answers](#field-dns-answers) | An array containing an object for each answer section returned by the server.

The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.

Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.

type: object

Note: This field should contain an array of values. | extended | +| $$$field-dns-answers$$$ [dns.answers](#field-dns-answers) | An array containing an object for each answer section returned by the server.

The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.

Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.

type: object

Note: This field should contain an array of values.

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![related](https://img.shields.io/badge/related-efc20d?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [dns.answers](https://opentelemetry.io/docs/specs/semconv/attributes-registry/dns/#dns-answers) | extended | | $$$field-dns-answers-class$$$ [dns.answers.class](#field-dns-answers-class) | The class of DNS data contained in this resource record.

type: keyword

example: `IN` | extended | | $$$field-dns-answers-data$$$ [dns.answers.data](#field-dns-answers-data) | The data describing the resource.

The meaning of this data depends on the type and class of the resource record.

type: keyword

example: `10.10.10.10` | extended | | $$$field-dns-answers-name$$$ [dns.answers.name](#field-dns-answers-name) | The domain name to which this resource record pertains.

If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.

type: keyword

example: `www.example.com` | extended | diff --git a/docs/reference/ecs-entity.md b/docs/reference/ecs-entity.md index 867fbbf47c..4782b6b6a3 100644 --- a/docs/reference/ecs-entity.md +++ b/docs/reference/ecs-entity.md @@ -17,16 +17,17 @@ The entity fields provide a standardized way to represent and categorize differe | --- | --- | --- | | $$$field-entity-attributes$$$ [entity.attributes](#field-entity-attributes) | _This field is beta and subject to change._ A set of static or semi-static attributes of the entity. Usually boolean or keyword field data types. Use this field set when you need to track static or semi-static characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types.

type: object | extended | | $$$field-entity-behavior$$$ [entity.behavior](#field-entity-behavior) | _This field is beta and subject to change._ A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period. Usually boolean field data type. Use this field set when you need to capture and track ephemeral characteristics of an entity for advanced searching, correlation of normalized values across different providers/sources and entity types.

type: object | extended | -| $$$field-entity-display_name$$$ [entity.display_name](#field-entity-display_name) | _This field is beta and subject to change._ An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`).

type: keyword

Multi-fields:

* entity.display_name.text (type: text) | extended | +| $$$field-entity-display-name$$$ [entity.display_name](#field-entity-display-name) | _This field is beta and subject to change._ An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`).

type: keyword

Multi-fields:

* entity.display_name.text (type: match_only_text) | extended | | $$$field-entity-id$$$ [entity.id](#field-entity-id) | A unique identifier for the entity. When multiple identifiers exist, this should be the most stable and commonly used identifier that: 1) persists across the entity's lifecycle, 2) ensures uniqueness within its scope, 3) is commonly used for queries and correlation, and 4) is readily available in most observations (logs/events). For entities with dedicated field sets (e.g., host, user), this value should match the corresponding *.id field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.

type: keyword | core | -| $$$field-entity-last_seen_timestamp$$$ [entity.last_seen_timestamp](#field-entity-last_seen_timestamp) | _This field is beta and subject to change._ Indicates the date/time when this entity was last "seen," usually based upon the last event/log that is initiated by this entity.

type: date | extended | +| $$$field-entity-last-seen-timestamp$$$ [entity.last_seen_timestamp](#field-entity-last-seen-timestamp) | _This field is beta and subject to change._ Indicates the date/time when this entity was last "seen," usually based upon the last event/log that is initiated by this entity.

type: date | extended | | $$$field-entity-lifecycle$$$ [entity.lifecycle](#field-entity-lifecycle) | _This field is beta and subject to change._ A set of temporal characteristics of the entity. Usually date field data type. Use this field set when you need to track temporal characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types.

type: object | extended | | $$$field-entity-metrics$$$ [entity.metrics](#field-entity-metrics) | _This field is beta and subject to change._ Field set for any fields containing numeric entity metrics. These use dynamic field data type mapping.

type: object | extended | -| $$$field-entity-name$$$ [entity.name](#field-entity-name) | _This field is beta and subject to change._ The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value.

type: keyword

Multi-fields:

* entity.name.text (type: text) | core | +| $$$field-entity-name$$$ [entity.name](#field-entity-name) | _This field is beta and subject to change._ The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value.

type: keyword

Multi-fields:

* entity.name.text (type: match_only_text) | core | | $$$field-entity-raw$$$ [entity.raw](#field-entity-raw) | _This field is beta and subject to change._ Original, unmodified fields from the source system. Usually flattened field data type. While the attributes field should be used for normalized fields requiring advanced queries, this field preserves all source metadata with basic search capabilities.

type: object | extended | | $$$field-entity-reference$$$ [entity.reference](#field-entity-reference) | _This field is beta and subject to change._ A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system.

type: keyword | extended | | $$$field-entity-source$$$ [entity.source](#field-entity-source) | _This field is beta and subject to change._ The module or integration that provided this entity data (similar to event.module).

type: keyword | core | -| $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, etc.

type: keyword

example: `host` | core | +| $$$field-entity-sub-type$$$ [entity.sub_type](#field-entity-sub-type) | _This field is beta and subject to change._ The specific type designation for the entity as defined by its provider or system. This field provides more granular classification than the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` would all map to entity type `bucket`. `hardware` , `virtual` , `container` , `node` , `cloud_instance` would all map to entity type `host`.

type: keyword

example: `aws_s3_bucket` | extended | +| $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, etc.

type: keyword

Note: This field should contain an array of values.

**Important:** The field value must be one of the following:

bucket, database, container, function, queue, host, user, application, service, session

To learn more about when to use which value, visit the page [allowed values for entity.type](/reference/ecs-allowed-values-entity-type.md)
| core | ## Field reuse [_field_reuse] diff --git a/docs/reference/ecs-field-reference.md b/docs/reference/ecs-field-reference.md index 663bd625e7..ed7c7c9973 100644 --- a/docs/reference/ecs-field-reference.md +++ b/docs/reference/ecs-field-reference.md @@ -38,6 +38,7 @@ For a single page representation of all fields, please see the [generated CSV of | [ECS](/reference/ecs-ecs.md) | Meta-information specific to ECS. | | [ELF Header](/reference/ecs-elf.md) | These fields contain Linux Executable Linkable Format (ELF) metadata. | | [Email](/reference/ecs-email.md) | Describes an email transaction. | +| [Entity](/reference/ecs-entity.md) | Fields to describe various types of entities across IT environments. | | [Error](/reference/ecs-error.md) | Fields about errors of any kind. | | [Event](/reference/ecs-event.md) | Fields breaking down the event details. | | [FaaS](/reference/ecs-faas.md) | Fields describing functions as a service. | diff --git a/docs/reference/ecs-gen_ai.md b/docs/reference/ecs-gen_ai.md index ffe5605004..23300697b2 100644 --- a/docs/reference/ecs-gen_ai.md +++ b/docs/reference/ecs-gen_ai.md @@ -36,7 +36,7 @@ This field group definition is based on the Gen AI namespace of the OpenTelemetr | $$$field-gen-ai-response-finish-reasons$$$ [gen_ai.response.finish_reasons](#field-gen-ai-response-finish-reasons) | _This field is beta and subject to change._ Array of reasons the model stopped generating tokens, corresponding to each generation received.

type: nested

example: `["stop", "length"]`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.response.finish_reasons](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-response-finish-reasons) | extended | | $$$field-gen-ai-response-id$$$ [gen_ai.response.id](#field-gen-ai-response-id) | _This field is beta and subject to change._ The unique identifier for the completion.

type: keyword

example: `chatcmpl-123`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.response.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-response-id) | extended | | $$$field-gen-ai-response-model$$$ [gen_ai.response.model](#field-gen-ai-response-model) | _This field is beta and subject to change._ The name of the model that generated the response.

type: keyword

example: `gpt-4-0613`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.response.model](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-response-model) | extended | -| $$$field-gen-ai-system$$$ [gen_ai.system](#field-gen-ai-system) | _This field is beta and subject to change._ The Generative AI product as identified by the client or server instrumentation.

type: keyword

example: `openai`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.system](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-system) | extended | +| $$$field-gen-ai-system$$$ [gen_ai.system](#field-gen-ai-system) | _This field is beta and subject to change._ The Generative AI product as identified by the client or server instrumentation.

type: keyword

example: `openai`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.provider.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-provider-name) | extended | | $$$field-gen-ai-token-type$$$ [gen_ai.token.type](#field-gen-ai-token-type) | _This field is beta and subject to change._ The type of token being counted.

type: keyword

example: `input; output`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.token.type](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-token-type) | extended | | $$$field-gen-ai-tool-call-id$$$ [gen_ai.tool.call.id](#field-gen-ai-tool-call-id) | _This field is beta and subject to change._ The tool call identifier.

type: keyword

example: `call_mszuSIzqtI65i1wAUOE8w5H4`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.tool.call.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-tool-call-id) | extended | | $$$field-gen-ai-tool-name$$$ [gen_ai.tool.name](#field-gen-ai-tool-name) | _This field is beta and subject to change._ Name of the tool utilized by the agent.

type: keyword

example: `Flights`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.tool.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-tool-name) | extended | diff --git a/docs/reference/ecs-host.md b/docs/reference/ecs-host.md index 41b5e1c407..51705caaf2 100644 --- a/docs/reference/ecs-host.md +++ b/docs/reference/ecs-host.md @@ -19,7 +19,7 @@ ECS host.* fields should be populated with details about the host on which the e | --- | --- | --- | | $$$field-host-architecture$$$ [host.architecture](#field-host-architecture) | Operating system architecture.

type: keyword

example: `x86_64`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [host.arch](https://opentelemetry.io/docs/specs/semconv/attributes-registry/host/#host-arch) | core | | $$$field-host-boot-id$$$ [host.boot.id](#field-host-boot-id) | Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on the host. Some container runtimes will bind mount a new boot_id value onto the proc file in each container.

type: keyword

example: `88a1f0ed-5ae5-41ee-af6b-41921c311872` | extended | -| $$$field-host-cpu-usage$$$ [host.cpu.usage](#field-host-cpu-usage) | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1.

Scaling factor: 1000.

For example: For a two core host, this value should be the average of the two cores, between 0 and 1.

type: scaled_float

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [cpu.utilization](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.cpu.utilization+--%3E%22&type=code) | extended | +| $$$field-host-cpu-usage$$$ [host.cpu.usage](#field-host-cpu-usage) | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1.

Scaling factor: 1000.

For example: For a two core host, this value should be the average of the two cores, between 0 and 1.

type: scaled_float

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [system.cpu.utilization](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.cpu.utilization+--%3E%22&type=code) | extended | | $$$field-host-disk-read-bytes$$$ [host.disk.read.bytes](#field-host-disk-read-bytes) | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.

type: long

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [system.disk.io](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.disk.io+--%3E%22&type=code) | extended | | $$$field-host-disk-write-bytes$$$ [host.disk.write.bytes](#field-host-disk-write-bytes) | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.

type: long

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [system.disk.io](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.disk.io+--%3E%22&type=code) | extended | | $$$field-host-domain$$$ [host.domain](#field-host-domain) | Name of the domain of which the host is a member.

For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.

type: keyword

example: `CONTOSO` | extended | @@ -29,9 +29,9 @@ ECS host.* fields should be populated with details about the host on which the e | $$$field-host-mac$$$ [host.mac](#field-host-mac) | Host MAC addresses.

The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.

type: keyword

Note: This field should contain an array of values.

example: `["00-00-5E-00-53-23", "00-00-5E-00-53-24"]`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [host.mac](https://opentelemetry.io/docs/specs/semconv/attributes-registry/host/#host-mac) | core | | $$$field-host-name$$$ [host.name](#field-host-name) | Name of the host.

It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.

type: keyword

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [host.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/host/#host-name) | core | | $$$field-host-network-egress-bytes$$$ [host.network.egress.bytes](#field-host-network-egress-bytes) | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection.

type: long

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [system.network.io](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.network.io+--%3E%22&type=code) | extended | -| $$$field-host-network-egress-packets$$$ [host.network.egress.packets](#field-host-network-egress-packets) | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection.

type: long

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [system.network.packets](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.network.packets+--%3E%22&type=code) | extended | +| $$$field-host-network-egress-packets$$$ [host.network.egress.packets](#field-host-network-egress-packets) | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection.

type: long

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [system.network.packet.count](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.network.packet.count+--%3E%22&type=code) | extended | | $$$field-host-network-ingress-bytes$$$ [host.network.ingress.bytes](#field-host-network-ingress-bytes) | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection.

type: long

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [system.network.io](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.network.io+--%3E%22&type=code) | extended | -| $$$field-host-network-ingress-packets$$$ [host.network.ingress.packets](#field-host-network-ingress-packets) | The number of packets (gauge) received on all network interfaces by the host since the last metric collection.

type: long

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [system.network.packets](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.network.packets+--%3E%22&type=code) | extended | +| $$$field-host-network-ingress-packets$$$ [host.network.ingress.packets](#field-host-network-ingress-packets) | The number of packets (gauge) received on all network interfaces by the host since the last metric collection.

type: long

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [system.network.packet.count](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.network.packet.count+--%3E%22&type=code) | extended | | $$$field-host-pid-ns-ino$$$ [host.pid_ns_ino](#field-host-pid-ns-ino) | This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h.

type: keyword

example: `256383` | extended | | $$$field-host-type$$$ [host.type](#field-host-type) | Type of host.

For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.

type: keyword

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [host.type](https://opentelemetry.io/docs/specs/semconv/attributes-registry/host/#host-type) | core | | $$$field-host-uptime$$$ [host.uptime](#field-host-uptime) | Seconds the host has been up.

type: long

example: `1325`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [system.uptime](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.uptime+--%3E%22&type=code) | extended | diff --git a/docs/reference/ecs-otel-alignment-details.md b/docs/reference/ecs-otel-alignment-details.md index dda32899a4..84e2ba2a4c 100644 --- a/docs/reference/ecs-otel-alignment-details.md +++ b/docs/reference/ecs-otel-alignment-details.md @@ -6,7 +6,7 @@ mapped_pages: # Field & Attributes Alignment [ecs-otel-alignment-details] -The following table gives an overview of mappings between individual ECS fields (in ECS version `9.2.0`) and corresponding OTel semantic convention attributes (in SemConv version `1.34.0`). +The following table gives an overview of mappings between individual ECS fields (in ECS version `9.2.0`) and corresponding OTel semantic convention attributes (in SemConv version `1.37.0`). | ECS Field | Relation | OTel Semantic Conventions Attribute | Stability $$$otel-mapping-namespace-base$$$ | | --- | --- | --- | --- | 
@@ -35,7 +35,7 @@ The following table gives an overview of mappings between individual ECS fields
 | $$$otel-mapping-for-container-labels$$$ [container.labels](/reference/ecs-container.md#field-container-labels) | [![related](https://img.shields.io/badge/related-efc20d?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [container.label](https://opentelemetry.io/docs/specs/semconv/attributes-registry/container/#container-label) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-container-memory-usage$$$ [container.memory.usage](/reference/ecs-container.md#field-container-memory-usage) | [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [container.memory.usage](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.container.memory.usage+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-container-name$$$ [container.name](/reference/ecs-container.md#field-container-name) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [container.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/container/#container-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
-| $$$otel-mapping-for-container-runtime$$$ [container.runtime](/reference/ecs-container.md#field-container-runtime) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [container.runtime](https://opentelemetry.io/docs/specs/semconv/attributes-registry/container/#container-runtime) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
+| $$$otel-mapping-for-container-runtime$$$ [container.runtime](/reference/ecs-container.md#field-container-runtime) | 
[![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [container.runtime.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/container/#container-runtime-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | **Data Stream Fields** |
 | $$$otel-mapping-for-data-stream-dataset$$$ [data_stream.dataset](/reference/ecs-data_stream.md#field-data-stream-dataset) | [![not-applicable](https://img.shields.io/badge/n%2Fa-f2f4fb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | Not applicable. | |
 | $$$otel-mapping-for-data-stream-namespace$$$ [data_stream.namespace](/reference/ecs-data_stream.md#field-data-stream-namespace) | [![not-applicable](https://img.shields.io/badge/n%2Fa-f2f4fb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | Not applicable. | | 
@@ -49,6 +49,7 @@ The following table gives an overview of mappings between individual ECS fields
 | $$$otel-mapping-for-device-model-identifier$$$ [device.model.identifier](/reference/ecs-device.md#field-device-model-identifier) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [device.model.identifier](https://opentelemetry.io/docs/specs/semconv/attributes-registry/device/#device-model-identifier) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-device-model-name$$$ [device.model.name](/reference/ecs-device.md#field-device-model-name) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [device.model.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/device/#device-model-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | **DNS Fields** |
+| $$$otel-mapping-for-dns-answers$$$ [dns.answers](/reference/ecs-dns.md#field-dns-answers) | [![related](https://img.shields.io/badge/related-efc20d?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [dns.answers](https://opentelemetry.io/docs/specs/semconv/attributes-registry/dns/#dns-answers) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-dns-question-name$$$ [dns.question.name](/reference/ecs-dns.md#field-dns-question-name) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [dns.question.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/dns/#dns-question-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | **ECS Fields** |
 | $$$otel-mapping-for-ecs-version$$$ [ecs.version](/reference/ecs-ecs.md#field-ecs-version) | 
[![not-applicable](https://img.shields.io/badge/n%2Fa-f2f4fb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | Not applicable. | | 
@@ -101,7 +102,7 @@ The following table gives an overview of mappings between individual ECS fields
 | $$$otel-mapping-for-gen-ai-response-finish-reasons$$$ [gen_ai.response.finish_reasons](/reference/ecs-gen_ai.md#field-gen-ai-response-finish-reasons) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.response.finish_reasons](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-response-finish-reasons) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-gen-ai-response-id$$$ [gen_ai.response.id](/reference/ecs-gen_ai.md#field-gen-ai-response-id) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.response.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-response-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-gen-ai-response-model$$$ [gen_ai.response.model](/reference/ecs-gen_ai.md#field-gen-ai-response-model) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.response.model](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-response-model) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
-| $$$otel-mapping-for-gen-ai-system$$$ [gen_ai.system](/reference/ecs-gen_ai.md#field-gen-ai-system) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.system](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-system) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
+| $$$otel-mapping-for-gen-ai-system$$$ [gen_ai.system](/reference/ecs-gen_ai.md#field-gen-ai-system) | 
[![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.provider.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-provider-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-gen-ai-token-type$$$ [gen_ai.token.type](/reference/ecs-gen_ai.md#field-gen-ai-token-type) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.token.type](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-token-type) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-gen-ai-tool-call-id$$$ [gen_ai.tool.call.id](/reference/ecs-gen_ai.md#field-gen-ai-tool-call-id) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.tool.call.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-tool-call-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-gen-ai-tool-name$$$ [gen_ai.tool.name](/reference/ecs-gen_ai.md#field-gen-ai-tool-name) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.tool.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-tool-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | 
@@ -118,7 +119,7 @@ The following table gives an overview of mappings between individual ECS fields
 | $$$otel-mapping-for-geo-region-iso-code$$$ [geo.region_iso_code](/reference/ecs-geo.md#field-geo-region-iso-code) | [![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [geo.region.iso_code](https://opentelemetry.io/docs/specs/semconv/attributes-registry/geo/#geo-region-iso-code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | **Host Fields** |
 | $$$otel-mapping-for-host-architecture$$$ [host.architecture](/reference/ecs-host.md#field-host-architecture) | [![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [host.arch](https://opentelemetry.io/docs/specs/semconv/attributes-registry/host/#host-arch) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
-| $$$otel-mapping-for-host-cpu-usage$$$ [host.cpu.usage](/reference/ecs-host.md#field-host-cpu-usage) | [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [cpu.utilization](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.cpu.utilization+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
+| $$$otel-mapping-for-host-cpu-usage$$$ [host.cpu.usage](/reference/ecs-host.md#field-host-cpu-usage) | [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [system.cpu.utilization](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.cpu.utilization+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-host-disk-read-bytes$$$ 
[host.disk.read.bytes](/reference/ecs-host.md#field-host-disk-read-bytes) | [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [system.disk.io](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.disk.io+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-host-disk-write-bytes$$$ [host.disk.write.bytes](/reference/ecs-host.md#field-host-disk-write-bytes) | [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [system.disk.io](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.disk.io+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-host-id$$$ [host.id](/reference/ecs-host.md#field-host-id) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [host.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/host/#host-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | 
@@ -126,9 +127,9 @@ The following table gives an overview of mappings between individual ECS fields
 | $$$otel-mapping-for-host-mac$$$ [host.mac](/reference/ecs-host.md#field-host-mac) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [host.mac](https://opentelemetry.io/docs/specs/semconv/attributes-registry/host/#host-mac) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-host-name$$$ [host.name](/reference/ecs-host.md#field-host-name) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [host.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/host/#host-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-host-network-egress-bytes$$$ [host.network.egress.bytes](/reference/ecs-host.md#field-host-network-egress-bytes) | [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [system.network.io](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.network.io+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
-| $$$otel-mapping-for-host-network-egress-packets$$$ [host.network.egress.packets](/reference/ecs-host.md#field-host-network-egress-packets) | [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [system.network.packets](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.network.packets+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
+| $$$otel-mapping-for-host-network-egress-packets$$$ [host.network.egress.packets](/reference/ecs-host.md#field-host-network-egress-packets) | 
[![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [system.network.packet.count](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.network.packet.count+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-host-network-ingress-bytes$$$ [host.network.ingress.bytes](/reference/ecs-host.md#field-host-network-ingress-bytes) | [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [system.network.io](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.network.io+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
-| $$$otel-mapping-for-host-network-ingress-packets$$$ [host.network.ingress.packets](/reference/ecs-host.md#field-host-network-ingress-packets) | [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [system.network.packets](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.network.packets+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
+| $$$otel-mapping-for-host-network-ingress-packets$$$ [host.network.ingress.packets](/reference/ecs-host.md#field-host-network-ingress-packets) | [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [system.network.packet.count](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.network.packet.count+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-host-type$$$ [host.type](/reference/ecs-host.md#field-host-type) 
| [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [host.type](https://opentelemetry.io/docs/specs/semconv/attributes-registry/host/#host-type) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-host-uptime$$$ [host.uptime](/reference/ecs-host.md#field-host-uptime) | [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [system.uptime](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.uptime+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | **HTTP Fields** |
diff --git a/docs/reference/ecs-otel-alignment-overview.md b/docs/reference/ecs-otel-alignment-overview.md
index 840dcde1b9..36e2082ed4 100644
--- a/docs/reference/ecs-otel-alignment-overview.md
+++ b/docs/reference/ecs-otel-alignment-overview.md
@@ -6,7 +6,7 @@ mapped_pages:
 # OTel Alignment Overview [ecs-otel-alignment-overview]
-The following table summarizes the alignment status by namespaces between ECS in version `9.2.0` and OpenTelemetry semantic conventions in version `1.34.0`.
+The following table summarizes the alignment status by namespaces between ECS in version `9.2.0` and OpenTelemetry semantic conventions in version `1.37.0`.
 | | |
 | --- | --- | 
@@ -14,13 +14,12 @@ The following table summarizes the alignment status by namespaces between ECS in
 | Namespace | ECS | OTel | ![relation](https://img.shields.io/badge/match-93c93e?style=flat "match") | ![relation](https://img.shields.io/badge/equivalent-1ba9f5?style=flat "equivalent") | ![relation](https://img.shields.io/badge/related-efc20d?style=flat "related") | ![relation](https://img.shields.io/badge/conflict-910000?style=flat "conflict") | ![relation](https://img.shields.io/badge/metric-cb00cb?style=flat "metric") | ![relation](https://img.shields.io/badge/OTLP-ffdcb2?style=flat "OTLP") | ![relation](https://img.shields.io/badge/n%2Fa-f2f4fb?style=flat "na") |
 | Agent | [6](/reference/ecs-agent.md) | · | · | · | · | · | · | · | · |
 | Android | · | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/android) | · | · | · | · | · | · | |
-| Application | · | [5](https://opentelemetry.io/docs/specs/semconv/attributes-registry/app) | · | · | · | · | · | · | |
+| Application | · | [9](https://opentelemetry.io/docs/specs/semconv/attributes-registry/app) | · | · | · | · | · | · | |
 | Artifact | · | [7](https://opentelemetry.io/docs/specs/semconv/attributes-registry/artifact) | · | · | · | · | · | · | |
 | Autonomous System | [2](/reference/ecs-as.md) | · | · | · | · | · | · | · | · |
-| ASP.NET Core | · | [7](https://opentelemetry.io/docs/specs/semconv/attributes-registry/aspnetcore) | · | · | · | · | · | · | |
+| ASP.NET Core | · | [23](https://opentelemetry.io/docs/specs/semconv/attributes-registry/aspnetcore) | · | · | · | · | · | · | |
 | General AWS | · | [52](https://opentelemetry.io/docs/specs/semconv/attributes-registry/aws) | · | · | · | · | · | · | |
-| Azure Client Library | · | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/az) | · | · | · | · | · | · | |
-| Azure Client Library | · | [7](https://opentelemetry.io/docs/specs/semconv/attributes-registry/azure) | · | · | · | · | · | · | |
+| Azure Client Library | · | 
[9](https://opentelemetry.io/docs/specs/semconv/attributes-registry/azure) | · | · | · | · | · | · | |
 | Base | [4](/reference/ecs-base.md) | · | · | · | 2 | · | · | 4 | · |
 | Browser | · | [4](https://opentelemetry.io/docs/specs/semconv/attributes-registry/browser) | · | · | · | · | · | · | |
 | Cassandra | · | [6](https://opentelemetry.io/docs/specs/semconv/attributes-registry/cassandra) | · | · | · | · | · | · | |
@@ -31,7 +30,7 @@ The following table summarizes the alignment status by namespaces between ECS in
 | CloudFoundry | · | [11](https://opentelemetry.io/docs/specs/semconv/attributes-registry/cloudfoundry) | · | · | · | · | · | · | |
 | Code | · | [5](https://opentelemetry.io/docs/specs/semconv/attributes-registry/code) | · | · | · | · | · | · | |
 | Code Signature | [11](/reference/ecs-code_signature.md) | · | · | · | · | · | · | · | · |
-| Container | [14](/reference/ecs-container.md) | [13](https://opentelemetry.io/docs/specs/semconv/attributes-registry/container) | 4 | 2 | 1 | · | 2 | · | · |
+| Container | [14](/reference/ecs-container.md) | [15](https://opentelemetry.io/docs/specs/semconv/attributes-registry/container) | 3 | 3 | 1 | · | 2 | · | · |
 | CPU | · | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/cpu) | · | · | · | · | · | · | |
 | CPython attributes | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/cpython) | · | · | · | · | · | · | |
 | Data Stream | [3](/reference/ecs-data_stream.md) | · | · | · | · | · | · | · | 3 | 
@@ -41,13 +40,14 @@ The following table summarizes the alignment status by namespaces between ECS in
 | Device | [10](/reference/ecs-device.md) | [4](https://opentelemetry.io/docs/specs/semconv/attributes-registry/device) | 4 | · | · | · | · | · | · |
 | Disk | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/disk) | · | · | · | · | · | · | |
 | DLL | [4](/reference/ecs-dll.md) | · | · | · | · | · | · | · | · |
-| DNS | [18](/reference/ecs-dns.md) | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/dns) | 1 | · | · | · | · | · | · |
+| DNS | [18](/reference/ecs-dns.md) | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/dns) | 1 | · | 1 | · | · | · | · |
 | .NET | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/dotnet) | · | · | · | · | · | · | |
 | ECS | [1](/reference/ecs-ecs.md) | · | · | · | · | · | · | · | 1 |
 | Elasticsearch | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/elasticsearch) | · | · | · | · | · | · | |
 | ELF Header | [38](/reference/ecs-elf.md) | · | · | · | · | · | · | · | · |
 | Email | [19](/reference/ecs-email.md) | · | · | · | · | · | · | · | · |
 | End User | · | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/enduser) | · | · | · | · | · | · | |
+| Entity | [13](/reference/ecs-entity.md) | · | · | · | · | · | · | · | · |
 | Error | [5](/reference/ecs-error.md) | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/error) | 1 | 2 | · | · | · | · | · |
 | Event | [26](/reference/ecs-event.md) | · | · | · | · | · | · | · | · |
 | Exception | · | [3](https://opentelemetry.io/docs/specs/semconv/attributes-registry/exception) | · | · | · | · | · | · | | 
@@ -55,7 +55,7 @@ The following table summarizes the alignment status by namespaces between ECS in
 | Feature Flag | · | [8](https://opentelemetry.io/docs/specs/semconv/attributes-registry/feature-flag) | · | · | · | · | · | · | |
 | File | [24](/reference/ecs-file.md) | [18](https://opentelemetry.io/docs/specs/semconv/attributes-registry/file) | 11 | 7 | · | · | · | · | · |
 | GCP Client | · | [14](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gcp) | · | · | · | · | · | · | |
-| Gen AI | [26](/reference/ecs-gen_ai.md) | [32](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai) | 26 | · | · | · | · | · | · |
+| Gen AI | [26](/reference/ecs-gen_ai.md) | [32](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai) | 25 | 1 | · | · | · | · | · |
 | Geo | [11](/reference/ecs-geo.md) | [7](https://opentelemetry.io/docs/specs/semconv/attributes-registry/geo) | 1 | 4 | 2 | · | · | · | · |
 | Go | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/go) | · | · | · | · | · | · | |
 | GraphQL | · | [3](https://opentelemetry.io/docs/specs/semconv/attributes-registry/graphql) | · | · | · | · | · | · | | 
@@ -64,24 +64,26 @@ The following table summarizes the alignment status by namespaces between ECS in
 | Heroku | · | [3](https://opentelemetry.io/docs/specs/semconv/attributes-registry/heroku) | · | · | · | · | · | · | |
 | Host | [18](/reference/ecs-host.md) | [15](https://opentelemetry.io/docs/specs/semconv/attributes-registry/host) | 5 | 1 | · | · | 8 | · | · |
 | HTTP | [13](/reference/ecs-http.md) | [12](https://opentelemetry.io/docs/specs/semconv/attributes-registry/http) | 1 | 5 | 2 | 1 | · | · | · |
-| Hardware | · | [5](https://opentelemetry.io/docs/specs/semconv/attributes-registry/hw) | · | · | · | · | · | · | |
+| Hardware | · | [27](https://opentelemetry.io/docs/specs/semconv/attributes-registry/hw) | · | · | · | · | · | · | |
 | Interface | [3](/reference/ecs-interface.md) | · | · | · | · | · | · | · | · |
 | iOS | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/ios) | · | · | · | · | · | · | |
 | Java Virtual Machine (JVM) | · | [8](https://opentelemetry.io/docs/specs/semconv/attributes-registry/jvm) | · | · | · | · | · | · | |
-| Kubernetes | · | [49](https://opentelemetry.io/docs/specs/semconv/attributes-registry/k8s) | · | · | · | · | · | · | |
+| Kubernetes | · | [60](https://opentelemetry.io/docs/specs/semconv/attributes-registry/k8s) | · | · | · | · | · | · | |
 | Linux Memory | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/linux) | · | · | · | · | · | · | |
 | Log | [18](/reference/ecs-log.md) | [7](https://opentelemetry.io/docs/specs/semconv/attributes-registry/log) | 1 | · | · | · | · | 1 | · |
 | Mach-O Header | [16](/reference/ecs-macho.md) | · | · | · | · | · | · | · | · |
+| Mainframe LPAR attributes | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/mainframe) | · | · | · | · | · | · | |
 | General Messaging | · | [37](https://opentelemetry.io/docs/specs/semconv/attributes-registry/messaging) | · | · | · | · | · | · | |
 | Network | [12](/reference/ecs-network.md) | 
[17](https://opentelemetry.io/docs/specs/semconv/attributes-registry/network) | 2 | 1 | · | · | · | · | · |
 | Node.js | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/nodejs) | · | · | · | · | · | · | |
 | Observer | [13](/reference/ecs-observer.md) | · | · | · | · | · | · | · | · |
 | Open Container Initiative (OCI) | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/oci) | · | · | · | · | · | · | |
+| OpenAI | · | [3](https://opentelemetry.io/docs/specs/semconv/attributes-registry/openai) | · | · | · | · | · | · | |
 | OpenTracing | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/opentracing) | · | · | · | · | · | · | |
 | Orchestrator | [15](/reference/ecs-orchestrator.md) | · | · | · | · | · | · | · | · |
 | Organization | [2](/reference/ecs-organization.md) | · | · | · | · | · | · | · | · |
 | Operating System | [7](/reference/ecs-os.md) | [5](https://opentelemetry.io/docs/specs/semconv/attributes-registry/os) | 2 | 1 | · | 1 | · | · | · |
-| OTel | · | [7](https://opentelemetry.io/docs/specs/semconv/attributes-registry/otel) | · | · | · | · | · | · | |
+| OTel | · | [9](https://opentelemetry.io/docs/specs/semconv/attributes-registry/otel) | · | · | · | · | · | · | |
 | Package | [13](/reference/ecs-package.md) | · | · | · | · | · | · | · | · |
 | PE Header | [23](/reference/ecs-pe.md) | · | · | · | · | · | · | · | · |
 | Peer | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/peer) | · | · | · | · | · | · | | 
@@ -115,3 +117,4 @@ The following table summarizes the alignment status by namespaces between ECS in
 | Vulnerability | [13](/reference/ecs-vulnerability.md) | · | · | · | · | · | · | · | · |
 | Web Engine | · | [3](https://opentelemetry.io/docs/specs/semconv/attributes-registry/webengine) | · | · | · | · | · | · | |
 | x509 Certificate | [24](/reference/ecs-x509.md) | · | · | · | · | · | · | · | · |
+| z/OS attributes | · | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/zos) | · | · | · | · | · | · | |
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 850dee4b22..1e68f9585a 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -711,8 +711,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`).
@@ -756,8 +755,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors 
@@ -2188,6 +2186,135 @@ original email message. example: Spambot v2.5 default_field: false + - name: entity + title: Entity + group: 2 + description: The entity fields provide a standardized way to represent and categorize + different types of components within an IT environment, including those that + don't have dedicated field sets in ECS. An entity represents a discrete, identifiable + component that can be described by a set of attributes and maintains its identity + over time. + type: group + default_field: true + fields: + - name: attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false - name: error title: Error group: 2 
@@ -3943,8 +4070,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). @@ -3988,8 +4114,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors @@ -9211,8 +9336,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). @@ -9256,8 +9380,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors @@ -14170,8 +14293,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). 
@@ -14215,8 +14337,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 1b8b36ca20..078c592f4b 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -82,13 +82,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.2.0+exp,true,cloud,cloud.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.2.0+exp,true,cloud,cloud.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 9.2.0+exp,true,cloud,cloud.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.2.0+exp,true,cloud,cloud.target.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.2.0+exp,true,cloud,cloud.target.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 9.2.0+exp,true,cloud,cloud.target.entity.id,keyword,core,,,Unique identifier for the entity. 9.2.0+exp,true,cloud,cloud.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" 9.2.0+exp,true,cloud,cloud.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 9.2.0+exp,true,cloud,cloud.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. 9.2.0+exp,true,cloud,cloud.target.entity.name,keyword,core,,,The name of the entity. -9.2.0+exp,true,cloud,cloud.target.entity.name.text,text,core,,,The name of the entity. +9.2.0+exp,true,cloud,cloud.target.entity.name.text,match_only_text,core,,,The name of the entity. 9.2.0+exp,true,cloud,cloud.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.2.0+exp,true,cloud,cloud.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
9.2.0+exp,true,cloud,cloud.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. 
@@ -260,6 +260,21 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.2.0+exp,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. 9.2.0+exp,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient 9.2.0+exp,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +9.2.0+exp,true,entity,entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.2.0+exp,true,entity,entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.2.0+exp,true,entity,entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.2.0+exp,true,entity,entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.2.0+exp,true,entity,entity.id,keyword,core,,,Unique identifier for the entity. +9.2.0+exp,true,entity,entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.2.0+exp,true,entity,entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.2.0+exp,true,entity,entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.2.0+exp,true,entity,entity.name,keyword,core,,,The name of the entity. +9.2.0+exp,true,entity,entity.name.text,match_only_text,core,,,The name of the entity. +9.2.0+exp,true,entity,entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.2.0+exp,true,entity,entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.2.0+exp,true,entity,entity.source,keyword,core,,,Source module or integration that provided the entity data. 
+9.2.0+exp,true,entity,entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.2.0+exp,true,entity,entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.2.0+exp,true,error,error.code,keyword,core,,,Error code describing the error. 9.2.0+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. 9.2.0+exp,true,error,error.message,match_only_text,core,,,Error message. 
@@ -483,13 +498,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.2.0+exp,true,host,host.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.2.0+exp,true,host,host.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 9.2.0+exp,true,host,host.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.2.0+exp,true,host,host.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.2.0+exp,true,host,host.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 9.2.0+exp,true,host,host.entity.id,keyword,core,,,Unique identifier for the entity. 9.2.0+exp,true,host,host.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" 9.2.0+exp,true,host,host.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 9.2.0+exp,true,host,host.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. 9.2.0+exp,true,host,host.entity.name,keyword,core,,,The name of the entity. -9.2.0+exp,true,host,host.entity.name.text,text,core,,,The name of the entity. +9.2.0+exp,true,host,host.entity.name.text,match_only_text,core,,,The name of the entity. 9.2.0+exp,true,host,host.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.2.0+exp,true,host,host.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.2.0+exp,true,host,host.entity.source,keyword,core,,,Source module or integration that provided the entity data. 
@@ -1169,13 +1184,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.2.0+exp,true,service,service.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.2.0+exp,true,service,service.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 9.2.0+exp,true,service,service.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.2.0+exp,true,service,service.target.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.2.0+exp,true,service,service.target.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 9.2.0+exp,true,service,service.target.entity.id,keyword,core,,,Unique identifier for the entity. 9.2.0+exp,true,service,service.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" 9.2.0+exp,true,service,service.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 9.2.0+exp,true,service,service.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. 9.2.0+exp,true,service,service.target.entity.name,keyword,core,,,The name of the entity. -9.2.0+exp,true,service,service.target.entity.name.text,text,core,,,The name of the entity. +9.2.0+exp,true,service,service.target.entity.name.text,match_only_text,core,,,The name of the entity. 9.2.0+exp,true,service,service.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.2.0+exp,true,service,service.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
9.2.0+exp,true,service,service.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. 
@@ -1823,13 +1838,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.2.0+exp,true,user,user.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.2.0+exp,true,user,user.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 9.2.0+exp,true,user,user.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.2.0+exp,true,user,user.target.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.2.0+exp,true,user,user.target.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 9.2.0+exp,true,user,user.target.entity.id,keyword,core,,,Unique identifier for the entity. 9.2.0+exp,true,user,user.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" 9.2.0+exp,true,user,user.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 9.2.0+exp,true,user,user.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. 9.2.0+exp,true,user,user.target.entity.name,keyword,core,,,The name of the entity. -9.2.0+exp,true,user,user.target.entity.name.text,text,core,,,The name of the entity. +9.2.0+exp,true,user,user.target.entity.name.text,match_only_text,core,,,The name of the entity. 9.2.0+exp,true,user,user.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.2.0+exp,true,user,user.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
9.2.0+exp,true,user,user.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 26ec63e227..82935b7df5 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -1033,8 +1033,7 @@ cloud.target.entity.display_name: multi_fields: - flat_name: cloud.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -1108,8 +1107,7 @@ cloud.target.entity.name: multi_fields: - flat_name: cloud.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -1512,7 +1510,8 @@ container.runtime: name: runtime normalize: [] otel: - - relation: match + - attribute: container.runtime.name + relation: equivalent stability: development short: Runtime managing this container. type: keyword @@ -2816,6 +2815,10 @@ dns.answers: name: answers normalize: - array + otel: + - attribute: dns.answers + relation: related + stability: development short: Array of DNS answers. type: object dns.answers.class: 
@@ -3403,6 +3406,241 @@ email.x_mailer: normalize: [] short: Application that drafted email. type: keyword +entity.attributes: + beta: This field is beta and subject to change. + dashed_name: entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: entity.attributes + level: extended + name: attributes + normalize: [] + short: A set of static or semi-static attributes of the entity. + type: object +entity.behavior: + beta: This field is beta and subject to change. + dashed_name: entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: entity.behavior + level: extended + name: behavior + normalize: [] + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +entity.display_name: + beta: This field is beta and subject to change. + dashed_name: entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +entity.id: + dashed_name: entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique identifier for the entity. + type: keyword +entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + short: Indicates the date/time when this entity was last "seen." + type: date +entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: entity.lifecycle + level: extended + name: lifecycle + normalize: [] + short: A set of temporal characteristics of the entity. + type: object +entity.metrics: + beta: This field is beta and subject to change. + dashed_name: entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: entity.metrics + level: extended + name: metrics + normalize: [] + short: Field set for any fields containing numeric entity metrics. + type: object +entity.name: + beta: This field is beta and subject to change. + dashed_name: entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + short: The name of the entity. + type: keyword +entity.raw: + beta: This field is beta and subject to change. + dashed_name: entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: entity.raw + level: extended + name: raw + normalize: [] + short: Original, unmodified fields from the source system. + type: object +entity.reference: + beta: This field is beta and subject to change. + dashed_name: entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +entity.source: + beta: This field is beta and subject to change. + dashed_name: entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + short: Source module or integration that provided the entity data. + type: keyword +entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. 
+ name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. 
+ name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + short: Standardized high-level classification of the entity. + type: keyword error.code: dashed_name: error-code description: Error code describing the error. @@ -6556,7 +6794,8 @@ gen_ai.system: name: system normalize: [] otel: - - relation: match + - attribute: gen_ai.provider.name + relation: equivalent stability: development short: The Generative AI product as identified by the client or server instrumentation. type: keyword @@ -6723,7 +6962,7 @@ host.cpu.usage: name: cpu.usage normalize: [] otel: - - metric: cpu.utilization + - metric: system.cpu.utilization relation: metric stability: development scaling_factor: 1000 @@ -6813,8 +7052,7 @@ host.entity.display_name: multi_fields: - flat_name: host.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity 
@@ -6888,8 +7126,7 @@ host.entity.name: multi_fields: - flat_name: host.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -7265,7 +7502,7 @@ host.network.egress.packets: name: network.egress.packets normalize: [] otel: - - metric: system.network.packets + - metric: system.network.packet.count relation: metric stability: development short: The number of packets sent on all network interfaces. @@ -7293,7 +7530,7 @@ host.network.ingress.packets: name: network.ingress.packets normalize: [] otel: - - metric: system.network.packets + - metric: system.network.packet.count relation: metric stability: development short: The number of packets received on all network interfaces. @@ -15463,8 +15700,7 @@ service.target.entity.display_name: multi_fields: - flat_name: service.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -15538,8 +15774,7 @@ service.target.entity.name: multi_fields: - flat_name: service.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -23904,8 +24139,7 @@ user.target.entity.display_name: multi_fields: - flat_name: user.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -23979,8 +24213,7 @@ user.target.entity.name: multi_fields: - flat_name: user.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index d691da32fe..e9f9f1a261 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -1235,8 +1235,7 @@ cloud: multi_fields: - flat_name: cloud.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -1312,8 +1311,7 @@ cloud: multi_fields: - flat_name: cloud.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -1935,7 +1933,8 @@ container: name: runtime normalize: [] otel: - - relation: match + - attribute: container.runtime.name + relation: equivalent stability: development short: Runtime managing this container. type: keyword @@ -3363,6 +3362,10 @@ dns: name: answers normalize: - array + otel: + - attribute: dns.answers + relation: related + stability: development short: Array of DNS answers. type: object dns.answers.class: 
@@ -4411,6 +4414,277 @@ email: short: Describes an email transaction. title: Email type: group +entity: + description: The entity fields provide a standardized way to represent and categorize + different types of components within an IT environment, including those that don't + have dedicated field sets in ECS. An entity represents a discrete, identifiable + component that can be described by a set of attributes and maintains its identity + over time. + fields: + entity.attributes: + beta: This field is beta and subject to change. + dashed_name: entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: entity.attributes + level: extended + name: attributes + normalize: [] + short: A set of static or semi-static attributes of the entity. + type: object + entity.behavior: + beta: This field is beta and subject to change. + dashed_name: entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: entity.behavior + level: extended + name: behavior + normalize: [] + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + entity.display_name: + beta: This field is beta and subject to change. + dashed_name: entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + entity.id: + dashed_name: entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique identifier for the entity. + type: keyword + entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + short: Indicates the date/time when this entity was last "seen." + type: date + entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: entity.lifecycle + level: extended + name: lifecycle + normalize: [] + short: A set of temporal characteristics of the entity. + type: object + entity.metrics: + beta: This field is beta and subject to change. + dashed_name: entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: entity.metrics + level: extended + name: metrics + normalize: [] + short: Field set for any fields containing numeric entity metrics. + type: object + entity.name: + beta: This field is beta and subject to change. + dashed_name: entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + short: The name of the entity. + type: keyword + entity.raw: + beta: This field is beta and subject to change. + dashed_name: entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: entity.raw + level: extended + name: raw + normalize: [] + short: Original, unmodified fields from the source system. + type: object + entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + entity.source: + beta: This field is beta and subject to change. + dashed_name: entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + short: Source module or integration that provided the entity data. + type: keyword + entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + short: Standardized high-level classification of the entity. + type: keyword + group: 2 + name: entity + prefix: entity. + reusable: + expected: + - as: entity + at: host + full: host.entity + - as: entity + at: user + full: user.target.entity + short_override: Entity information for the targeted user. + - as: entity + at: cloud + full: cloud.target.entity + short_override: Entity information for the target cloud entity. + - as: entity + at: service + full: service.target.entity + short_override: Entity information for the target service. + top_level: true + short: Fields to describe various types of entities across IT environments. 
+ title: Entity + type: group error: description: 'These fields can represent errors of any kind. @@ -7685,7 +7959,8 @@ gen_ai: name: system normalize: [] otel: - - relation: match + - attribute: gen_ai.provider.name + relation: equivalent stability: development short: The Generative AI product as identified by the client or server instrumentation. type: keyword @@ -8219,7 +8494,7 @@ host: name: cpu.usage normalize: [] otel: - - metric: cpu.utilization + - metric: system.cpu.utilization relation: metric stability: development scaling_factor: 1000 @@ -8311,8 +8586,7 @@ host: multi_fields: - flat_name: host.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -8388,8 +8662,7 @@ host: multi_fields: - flat_name: host.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -8768,7 +9041,7 @@ host: name: network.egress.packets normalize: [] otel: - - metric: system.network.packets + - metric: system.network.packet.count relation: metric stability: development short: The number of packets sent on all network interfaces. @@ -8796,7 +9069,7 @@ host: name: network.ingress.packets normalize: [] otel: - - metric: system.network.packets + - metric: system.network.packet.count relation: metric stability: development short: The number of packets received on all network interfaces. @@ -18179,8 +18452,7 @@ service: multi_fields: - flat_name: service.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -18256,8 +18528,7 @@ service: multi_fields: - flat_name: service.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity 
@@ -26858,8 +27129,7 @@ user: multi_fields: - flat_name: user.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -26935,8 +27205,7 @@ user: multi_fields: - flat_name: user.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity diff --git a/experimental/generated/elasticsearch/composable/component/cloud.json b/experimental/generated/elasticsearch/composable/component/cloud.json index 4e62ad39c6..e4aa87ecda 100644 --- a/experimental/generated/elasticsearch/composable/component/cloud.json +++ b/experimental/generated/elasticsearch/composable/component/cloud.json @@ -169,8 +169,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -192,8 +191,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/composable/component/entity.json b/experimental/generated/elasticsearch/composable/component/entity.json new file mode 100644 index 0000000000..3b164f8d05 --- /dev/null +++ b/experimental/generated/elasticsearch/composable/component/entity.json 
@@ -0,0 +1,72 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-entity.html", + "ecs_version": "9.2.0+exp" + }, + "template": { + "mappings": { + "properties": { + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/experimental/generated/elasticsearch/composable/component/host.json b/experimental/generated/elasticsearch/composable/component/host.json index cc0632b020..e3df6a4a1e 100644 --- a/experimental/generated/elasticsearch/composable/component/host.json +++ b/experimental/generated/elasticsearch/composable/component/host.json @@ -61,8 +61,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -84,8 +83,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/composable/component/service.json b/experimental/generated/elasticsearch/composable/component/service.json index 7d62ae4d18..d8e0981798 100644 --- a/experimental/generated/elasticsearch/composable/component/service.json 
+++ b/experimental/generated/elasticsearch/composable/component/service.json @@ -119,8 +119,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -142,8 +141,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/composable/component/user.json b/experimental/generated/elasticsearch/composable/component/user.json index 9ab70585a5..df004c6410 100644 --- a/experimental/generated/elasticsearch/composable/component/user.json +++ b/experimental/generated/elasticsearch/composable/component/user.json @@ -226,8 +226,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -249,8 +248,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/composable/template.json b/experimental/generated/elasticsearch/composable/template.json index 391cdac37f..f52b6efecf 100644 --- a/experimental/generated/elasticsearch/composable/template.json +++ b/experimental/generated/elasticsearch/composable/template.json @@ -17,6 +17,7 @@ "ecs_9.2.0-exp_dns", "ecs_9.2.0-exp_ecs", "ecs_9.2.0-exp_email", + "ecs_9.2.0-exp_entity", "ecs_9.2.0-exp_error", "ecs_9.2.0-exp_event", "ecs_9.2.0-exp_faas", diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index f6b90cf0f8..aef0ebd12d 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -435,8 +435,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, 
@@ -458,8 +457,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -1308,6 +1306,66 @@ } } }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "error": { "properties": { "code": { @@ -2261,8 +2319,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -2284,8 +2341,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -5374,8 +5430,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -5397,8 +5452,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -8224,8 +8278,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -8247,8 +8300,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, 
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index eea904bd5d..6f80bcbf8b 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -661,8 +661,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). @@ -706,8 +705,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors 
@@ -2138,6 +2136,135 @@ original email message. example: Spambot v2.5 default_field: false + - name: entity + title: Entity + group: 2 + description: The entity fields provide a standardized way to represent and categorize + different types of components within an IT environment, including those that + don't have dedicated field sets in ECS. An entity represents a discrete, identifiable + component that can be described by a set of attributes and maintains its identity + over time. + type: group + default_field: true + fields: + - name: attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false - name: error title: Error group: 2 
@@ -3893,8 +4020,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). @@ -3938,8 +4064,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors @@ -9161,8 +9286,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). @@ -9206,8 +9330,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors @@ -14120,8 +14243,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). 
@@ -14165,8 +14287,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index eacbbd541b..fe8916f4a8 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -75,13 +75,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.2.0,true,cloud,cloud.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.2.0,true,cloud,cloud.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 9.2.0,true,cloud,cloud.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.2.0,true,cloud,cloud.target.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.2.0,true,cloud,cloud.target.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 9.2.0,true,cloud,cloud.target.entity.id,keyword,core,,,Unique identifier for the entity. 9.2.0,true,cloud,cloud.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" 9.2.0,true,cloud,cloud.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 9.2.0,true,cloud,cloud.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. 9.2.0,true,cloud,cloud.target.entity.name,keyword,core,,,The name of the entity. -9.2.0,true,cloud,cloud.target.entity.name.text,text,core,,,The name of the entity. +9.2.0,true,cloud,cloud.target.entity.name.text,match_only_text,core,,,The name of the entity. 9.2.0,true,cloud,cloud.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.2.0,true,cloud,cloud.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.2.0,true,cloud,cloud.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. 
@@ -253,6 +253,21 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.2.0,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. 9.2.0,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient 9.2.0,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +9.2.0,true,entity,entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.2.0,true,entity,entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.2.0,true,entity,entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.2.0,true,entity,entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.2.0,true,entity,entity.id,keyword,core,,,Unique identifier for the entity. +9.2.0,true,entity,entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.2.0,true,entity,entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.2.0,true,entity,entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.2.0,true,entity,entity.name,keyword,core,,,The name of the entity. +9.2.0,true,entity,entity.name.text,match_only_text,core,,,The name of the entity. +9.2.0,true,entity,entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.2.0,true,entity,entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.2.0,true,entity,entity.source,keyword,core,,,Source module or integration that provided the entity data. 
+9.2.0,true,entity,entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.2.0,true,entity,entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.2.0,true,error,error.code,keyword,core,,,Error code describing the error. 9.2.0,true,error,error.id,keyword,core,,,Unique identifier for the error. 9.2.0,true,error,error.message,match_only_text,core,,,Error message. 
@@ -476,13 +491,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.2.0,true,host,host.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.2.0,true,host,host.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 9.2.0,true,host,host.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.2.0,true,host,host.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.2.0,true,host,host.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 9.2.0,true,host,host.entity.id,keyword,core,,,Unique identifier for the entity. 9.2.0,true,host,host.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" 9.2.0,true,host,host.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 9.2.0,true,host,host.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. 9.2.0,true,host,host.entity.name,keyword,core,,,The name of the entity. -9.2.0,true,host,host.entity.name.text,text,core,,,The name of the entity. +9.2.0,true,host,host.entity.name.text,match_only_text,core,,,The name of the entity. 9.2.0,true,host,host.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.2.0,true,host,host.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.2.0,true,host,host.entity.source,keyword,core,,,Source module or integration that provided the entity data. 
@@ -1162,13 +1177,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.2.0,true,service,service.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.2.0,true,service,service.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 9.2.0,true,service,service.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.2.0,true,service,service.target.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.2.0,true,service,service.target.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 9.2.0,true,service,service.target.entity.id,keyword,core,,,Unique identifier for the entity. 9.2.0,true,service,service.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" 9.2.0,true,service,service.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 9.2.0,true,service,service.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. 9.2.0,true,service,service.target.entity.name,keyword,core,,,The name of the entity. -9.2.0,true,service,service.target.entity.name.text,text,core,,,The name of the entity. +9.2.0,true,service,service.target.entity.name.text,match_only_text,core,,,The name of the entity. 9.2.0,true,service,service.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.2.0,true,service,service.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
9.2.0,true,service,service.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. 
@@ -1816,13 +1831,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.2.0,true,user,user.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.2.0,true,user,user.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 9.2.0,true,user,user.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.2.0,true,user,user.target.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.2.0,true,user,user.target.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 9.2.0,true,user,user.target.entity.id,keyword,core,,,Unique identifier for the entity. 9.2.0,true,user,user.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" 9.2.0,true,user,user.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 9.2.0,true,user,user.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. 9.2.0,true,user,user.target.entity.name,keyword,core,,,The name of the entity. -9.2.0,true,user,user.target.entity.name.text,text,core,,,The name of the entity. +9.2.0,true,user,user.target.entity.name.text,match_only_text,core,,,The name of the entity. 9.2.0,true,user,user.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.2.0,true,user,user.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.2.0,true,user,user.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. 
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 68c3dd6471..8336eaac97 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -964,8 +964,7 @@ cloud.target.entity.display_name: multi_fields: - flat_name: cloud.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -1039,8 +1038,7 @@ cloud.target.entity.name: multi_fields: - flat_name: cloud.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -1443,7 +1441,8 @@ container.runtime: name: runtime normalize: [] otel: - - relation: match + - attribute: container.runtime.name + relation: equivalent stability: development short: Runtime managing this container. type: keyword @@ -2747,6 +2746,10 @@ dns.answers: name: answers normalize: - array + otel: + - attribute: dns.answers + relation: related + stability: development short: Array of DNS answers. type: object dns.answers.class: 
@@ -3334,6 +3337,241 @@ email.x_mailer: normalize: [] short: Application that drafted email. type: keyword +entity.attributes: + beta: This field is beta and subject to change. + dashed_name: entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: entity.attributes + level: extended + name: attributes + normalize: [] + short: A set of static or semi-static attributes of the entity. + type: object +entity.behavior: + beta: This field is beta and subject to change. + dashed_name: entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: entity.behavior + level: extended + name: behavior + normalize: [] + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +entity.display_name: + beta: This field is beta and subject to change. + dashed_name: entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +entity.id: + dashed_name: entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique identifier for the entity. + type: keyword +entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + short: Indicates the date/time when this entity was last "seen." + type: date +entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: entity.lifecycle + level: extended + name: lifecycle + normalize: [] + short: A set of temporal characteristics of the entity. + type: object +entity.metrics: + beta: This field is beta and subject to change. + dashed_name: entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: entity.metrics + level: extended + name: metrics + normalize: [] + short: Field set for any fields containing numeric entity metrics. + type: object +entity.name: + beta: This field is beta and subject to change. + dashed_name: entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + short: The name of the entity. + type: keyword +entity.raw: + beta: This field is beta and subject to change. + dashed_name: entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: entity.raw + level: extended + name: raw + normalize: [] + short: Original, unmodified fields from the source system. + type: object +entity.reference: + beta: This field is beta and subject to change. + dashed_name: entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +entity.source: + beta: This field is beta and subject to change. + dashed_name: entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + short: Source module or integration that provided the entity data. + type: keyword +entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. 
+ name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. 
+ name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + short: Standardized high-level classification of the entity. + type: keyword error.code: dashed_name: error-code description: Error code describing the error. @@ -6487,7 +6725,8 @@ gen_ai.system: name: system normalize: [] otel: - - relation: match + - attribute: gen_ai.provider.name + relation: equivalent stability: development short: The Generative AI product as identified by the client or server instrumentation. type: keyword @@ -6654,7 +6893,7 @@ host.cpu.usage: name: cpu.usage normalize: [] otel: - - metric: cpu.utilization + - metric: system.cpu.utilization relation: metric stability: development scaling_factor: 1000 @@ -6744,8 +6983,7 @@ host.entity.display_name: multi_fields: - flat_name: host.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity 
@@ -6819,8 +7057,7 @@ host.entity.name: multi_fields: - flat_name: host.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -7196,7 +7433,7 @@ host.network.egress.packets: name: network.egress.packets normalize: [] otel: - - metric: system.network.packets + - metric: system.network.packet.count relation: metric stability: development short: The number of packets sent on all network interfaces. @@ -7224,7 +7461,7 @@ host.network.ingress.packets: name: network.ingress.packets normalize: [] otel: - - metric: system.network.packets + - metric: system.network.packet.count relation: metric stability: development short: The number of packets received on all network interfaces. @@ -15394,8 +15631,7 @@ service.target.entity.display_name: multi_fields: - flat_name: service.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -15469,8 +15705,7 @@ service.target.entity.name: multi_fields: - flat_name: service.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -23835,8 +24070,7 @@ user.target.entity.display_name: multi_fields: - flat_name: user.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -23910,8 +24144,7 @@ user.target.entity.name: multi_fields: - flat_name: user.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 749922c0a1..af8b28777f 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -1155,8 +1155,7 @@ cloud: multi_fields: - flat_name: cloud.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -1232,8 +1231,7 @@ cloud: multi_fields: - flat_name: cloud.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -1855,7 +1853,8 @@ container: name: runtime normalize: [] otel: - - relation: match + - attribute: container.runtime.name + relation: equivalent stability: development short: Runtime managing this container. type: keyword @@ -3283,6 +3282,10 @@ dns: name: answers normalize: - array + otel: + - attribute: dns.answers + relation: related + stability: development short: Array of DNS answers. type: object dns.answers.class: 
@@ -4331,6 +4334,277 @@ email: short: Describes an email transaction. title: Email type: group +entity: + description: The entity fields provide a standardized way to represent and categorize + different types of components within an IT environment, including those that don't + have dedicated field sets in ECS. An entity represents a discrete, identifiable + component that can be described by a set of attributes and maintains its identity + over time. + fields: + entity.attributes: + beta: This field is beta and subject to change. + dashed_name: entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: entity.attributes + level: extended + name: attributes + normalize: [] + short: A set of static or semi-static attributes of the entity. + type: object + entity.behavior: + beta: This field is beta and subject to change. + dashed_name: entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: entity.behavior + level: extended + name: behavior + normalize: [] + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + entity.display_name: + beta: This field is beta and subject to change. + dashed_name: entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + entity.id: + dashed_name: entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique identifier for the entity. + type: keyword + entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + short: Indicates the date/time when this entity was last "seen." + type: date + entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: entity.lifecycle + level: extended + name: lifecycle + normalize: [] + short: A set of temporal characteristics of the entity. + type: object + entity.metrics: + beta: This field is beta and subject to change. + dashed_name: entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: entity.metrics + level: extended + name: metrics + normalize: [] + short: Field set for any fields containing numeric entity metrics. + type: object + entity.name: + beta: This field is beta and subject to change. + dashed_name: entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + short: The name of the entity. + type: keyword + entity.raw: + beta: This field is beta and subject to change. + dashed_name: entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: entity.raw + level: extended + name: raw + normalize: [] + short: Original, unmodified fields from the source system. + type: object + entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + entity.source: + beta: This field is beta and subject to change. + dashed_name: entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + short: Source module or integration that provided the entity data. + type: keyword + entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + short: Standardized high-level classification of the entity. + type: keyword + group: 2 + name: entity + prefix: entity. + reusable: + expected: + - as: entity + at: host + full: host.entity + - as: entity + at: user + full: user.target.entity + short_override: Entity information for the targeted user. + - as: entity + at: cloud + full: cloud.target.entity + short_override: Entity information for the target cloud entity. + - as: entity + at: service + full: service.target.entity + short_override: Entity information for the target service. + top_level: true + short: Fields to describe various types of entities across IT environments. 
+ title: Entity + type: group error: description: 'These fields can represent errors of any kind. @@ -7605,7 +7879,8 @@ gen_ai: name: system normalize: [] otel: - - relation: match + - attribute: gen_ai.provider.name + relation: equivalent stability: development short: The Generative AI product as identified by the client or server instrumentation. type: keyword @@ -8139,7 +8414,7 @@ host: name: cpu.usage normalize: [] otel: - - metric: cpu.utilization + - metric: system.cpu.utilization relation: metric stability: development scaling_factor: 1000 @@ -8231,8 +8506,7 @@ host: multi_fields: - flat_name: host.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -8308,8 +8582,7 @@ host: multi_fields: - flat_name: host.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -8688,7 +8961,7 @@ host: name: network.egress.packets normalize: [] otel: - - metric: system.network.packets + - metric: system.network.packet.count relation: metric stability: development short: The number of packets sent on all network interfaces. @@ -8716,7 +8989,7 @@ host: name: network.ingress.packets normalize: [] otel: - - metric: system.network.packets + - metric: system.network.packet.count relation: metric stability: development short: The number of packets received on all network interfaces. @@ -18099,8 +18372,7 @@ service: multi_fields: - flat_name: service.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -18176,8 +18448,7 @@ service: multi_fields: - flat_name: service.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity 
@@ -26778,8 +27049,7 @@ user: multi_fields: - flat_name: user.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -26855,8 +27125,7 @@ user: multi_fields: - flat_name: user.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity diff --git a/generated/elasticsearch/composable/component/cloud.json b/generated/elasticsearch/composable/component/cloud.json index 488968e702..dddd1c8f7a 100644 --- a/generated/elasticsearch/composable/component/cloud.json +++ b/generated/elasticsearch/composable/component/cloud.json @@ -169,8 +169,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -192,8 +191,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/generated/elasticsearch/composable/component/entity.json b/generated/elasticsearch/composable/component/entity.json index e1ff7943b9..be001bdc19 100644 --- a/generated/elasticsearch/composable/component/entity.json +++ b/generated/elasticsearch/composable/component/entity.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-entity.html", - "ecs_version": "9.3.0-dev" + "ecs_version": "9.2.0" }, "template": { "mappings": { @@ -17,8 +17,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -40,8 +39,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/generated/elasticsearch/composable/component/host.json b/generated/elasticsearch/composable/component/host.json index ef3dfcb66f..45057bc60d 100644 --- a/generated/elasticsearch/composable/component/host.json 
+++ b/generated/elasticsearch/composable/component/host.json @@ -61,8 +61,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -84,8 +83,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/generated/elasticsearch/composable/component/service.json b/generated/elasticsearch/composable/component/service.json index a25eabd531..5c37290bc3 100644 --- a/generated/elasticsearch/composable/component/service.json +++ b/generated/elasticsearch/composable/component/service.json @@ -119,8 +119,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -142,8 +141,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/generated/elasticsearch/composable/component/user.json b/generated/elasticsearch/composable/component/user.json index 9ec52e2ef7..d6c66ec1fd 100644 --- a/generated/elasticsearch/composable/component/user.json +++ b/generated/elasticsearch/composable/component/user.json @@ -226,8 +226,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -249,8 +248,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/generated/elasticsearch/composable/template.json b/generated/elasticsearch/composable/template.json index f78d3a4a69..ea900ffd6f 100644 --- a/generated/elasticsearch/composable/template.json +++ b/generated/elasticsearch/composable/template.json @@ -16,6 +16,7 @@ "ecs_9.2.0_dns", "ecs_9.2.0_ecs", "ecs_9.2.0_email", + "ecs_9.2.0_entity", "ecs_9.2.0_error", "ecs_9.2.0_event", "ecs_9.2.0_faas", 
diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 8d7954cb03..b8ed11959c 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -393,8 +393,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -416,8 +415,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -1266,6 +1264,66 @@ } } }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "error": { "properties": { "code": { @@ -2219,8 +2277,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -2242,8 +2299,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -5332,8 +5388,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, 
@@ -5355,8 +5410,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024,
@@ -8182,8 +8236,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024,
@@ -8205,8 +8258,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024,
diff --git a/otel-semconv-version b/otel-semconv-version
index 995ab8e3fc..b909b32cd5 100644
--- a/otel-semconv-version
+++ b/otel-semconv-version
@@ -1 +1 @@
-v1.34.0
+v1.37.0
diff --git a/schemas/container.yml b/schemas/container.yml
index 576000e7b9..445527ebe5 100644
--- a/schemas/container.yml
+++ b/schemas/container.yml
@@ -157,4 +157,5 @@
 Runtime managing this container.
 example: docker
 otel:
- - relation: match
+ - relation: equivalent
+ attribute: container.runtime.name
diff --git a/schemas/dns.yml b/schemas/dns.yml
index 7475ce9829..1eb3c023f9 100644
--- a/schemas/dns.yml
+++ b/schemas/dns.yml
@@ -171,6 +171,9 @@
 and add any additional fields to the answer objects as custom fields.
 normalize:
 - array
+ otel:
+ - relation: related
+ attribute: dns.answers
 - name: answers.name
 level: extended
diff --git a/schemas/entity.yml b/schemas/entity.yml
index bec8b47aa9..9d7326c85e 100644
--- a/schemas/entity.yml
+++ b/schemas/entity.yml
@@ -36,7 +36,7 @@
 type: keyword
 multi_fields:
 - name: text
- type: text
+ type: match_only_text
 short: The name of the entity.
 description: >
 The name of the entity. The keyword field enables exact matches for filtering
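Review bot: The `+ type: match_only_text` line in the schemas/entity.yml hunk changes what queries on `entity.name.text` return, not only the index size: match_only_text keeps no norms, term frequencies or positions, so match queries on this multi-field no longer yield meaningful relevance scores and phrase or interval queries are verified against `_source` and run slower; the same applies to `display_name.text` in the second entity.yml hunk. Neither hunk nor the surrounding `short`/`description` text records that trade-off, and the generated copies under host, user, service and cloud inherit it silently. A one-line addition to the field description would make it explicit, e.g. `The text multi-field is mapped as match_only_text, so it supports full-text queries but not relevance scoring.`.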
@@ -122,7 +122,7 @@
 type: keyword
 multi_fields:
 - name: text
- type: text
+ type: match_only_text
 short: An optional field used when a pretty name is desired for entity-centric operations.
 description: >
 An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`).
diff --git a/schemas/gen_ai.yml b/schemas/gen_ai.yml
index 95a567a641..c7dd9d5df3 100644
--- a/schemas/gen_ai.yml
+++ b/schemas/gen_ai.yml
@@ -186,7 +186,8 @@
 level: extended
 beta: This field is beta and subject to change.
 otel:
- - relation: match
+ - relation: equivalent
+ attribute: gen_ai.provider.name
 - name: token.type
 type: keyword
 description: The type of token being counted.
diff --git a/schemas/host.yml b/schemas/host.yml
index 21b7dbb1d7..2782b569c7 100644
--- a/schemas/host.yml
+++ b/schemas/host.yml
@@ -151,7 +151,7 @@ For example: For a two core host, this value should be the average of the two cores, between 0 and 1. otel: - - metric: cpu.utilization + - metric: system.cpu.utilization relation: metric - name: disk.read.bytes
@@ -195,7 +195,7 @@ The number of packets (gauge) received on all network interfaces by the host since the last metric collection. otel: - - metric: system.network.packets + - metric: system.network.packet.count relation: metric - name: network.egress.bytes
@@ -217,7 +217,7 @@ The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. otel: - - metric: system.network.packets + - metric: system.network.packet.count relation: metric - name: boot.id
diff --git a/schemas/subsets/main.yml b/schemas/subsets/main.yml
index b28783c4be..951c896c81 100644
--- a/schemas/subsets/main.yml
+++ b/schemas/subsets/main.yml
@@ -135,6 +135,8 @@ fields:
 fields: "*"
 email:
 fields: "*"
+ entity:
+ fields: "*"
 error:
 fields: "*"
 event: