Increase url.query ignore_above value to 2083 (#2424)
Increasing the url.query ignore_above value will allow indexing longer query values which have been observed.

2083 is used because it will cover the maximum url length for Chrome (2048) and Internet Explorer (2083).

Other browsers and web servers support longer URLs, and there is no absolute URL limit defined in any RFC. So higher values could be possible; supporting Chrome's maximum length will allow compatibility with the most common browser while not increasing the index size too much.
mjwolf authored Jan 20, 2025
1 parent 442a1c6 commit 7cf862e
Showing 17 changed files with 43 additions and 40 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.md
Expand Up @@ -23,6 +23,7 @@ Thanks, you're awesome :-) -->
* Define base encoding of `x509.serial_number`. #2383
* Restrict the encoding of `x509.serial_number` to base 16. #2398
* Set synthetic_source_keep = none on fields that represent sets. #2422
* Increase ignore_above value for url.query. #2424

#### Deprecated
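Review bot: the entry `* Increase ignore_above value for url.query. #2424` understates the change; the same commit also raises `event.url` (schemas/event.yml gains `ignore_above: 2083`) and, through the reused url field set, `threat.indicator.url.query` and `threat.enrichments.indicator.url.query`. Suggest `* Increase ignore_above value for url.query and event.url to 2083. #2424` so readers of the changelog know the `event.url` mapping changes as well.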

8 changes: 4 additions & 4 deletions experimental/generated/beats/fields.ecs.yml
Expand Up @@ -2325,7 +2325,7 @@
- name: url
level: extended
type: keyword
ignore_above: 1024
ignore_above: 2083
description: 'URL linking to an external system to continue investigation of
this event.
Expand Down Expand Up @@ -10372,7 +10372,7 @@
- name: enrichments.indicator.url.query
level: extended
type: keyword
ignore_above: 1024
ignore_above: 2083
description: 'The query field describes the query string of the request, such
as "q=elasticsearch".
Expand Down Expand Up @@ -12005,7 +12005,7 @@
- name: indicator.url.query
level: extended
type: keyword
ignore_above: 1024
ignore_above: 2083
description: 'The query field describes the query string of the request, such
as "q=elasticsearch".
Expand Down Expand Up @@ -13068,7 +13068,7 @@
- name: query
level: extended
type: keyword
ignore_above: 1024
ignore_above: 2083
description: 'The query field describes the query string of the request, such
as "q=elasticsearch".
8 changes: 4 additions & 4 deletions experimental/generated/ecs/ecs_flat.yml
Expand Up @@ -3931,7 +3931,7 @@ event.url:
are a common use case for this field.'
example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
flat_name: event.url
ignore_above: 1024
ignore_above: 2083
level: extended
name: url
normalize: []
Expand Down Expand Up @@ -17261,7 +17261,7 @@ threat.enrichments.indicator.url.query:
empty string. The `exists` query can be used to differentiate between the two
cases.'
flat_name: threat.enrichments.indicator.url.query
ignore_above: 1024
ignore_above: 2083
level: extended
name: query
normalize: []
Expand Down Expand Up @@ -20015,7 +20015,7 @@ threat.indicator.url.query:
empty string. The `exists` query can be used to differentiate between the two
cases.'
flat_name: threat.indicator.url.query
ignore_above: 1024
ignore_above: 2083
level: extended
name: query
normalize: []
Expand Down Expand Up @@ -21853,7 +21853,7 @@ url.query:
empty string. The `exists` query can be used to differentiate between the two
cases.'
flat_name: url.query
ignore_above: 1024
ignore_above: 2083
level: extended
name: query
normalize: []
8 changes: 4 additions & 4 deletions experimental/generated/ecs/ecs_nested.yml
Expand Up @@ -4964,7 +4964,7 @@ event:
are a common use case for this field.'
example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
flat_name: event.url
ignore_above: 1024
ignore_above: 2083
level: extended
name: url
normalize: []
Expand Down Expand Up @@ -20008,7 +20008,7 @@ threat:
with an empty string. The `exists` query can be used to differentiate between
the two cases.'
flat_name: threat.enrichments.indicator.url.query
ignore_above: 1024
ignore_above: 2083
level: extended
name: query
normalize: []
Expand Down Expand Up @@ -22770,7 +22770,7 @@ threat:
with an empty string. The `exists` query can be used to differentiate between
the two cases.'
flat_name: threat.indicator.url.query
ignore_above: 1024
ignore_above: 2083
level: extended
name: query
normalize: []
Expand Down Expand Up @@ -24735,7 +24735,7 @@ url:
with an empty string. The `exists` query can be used to differentiate between
the two cases.'
flat_name: url.query
ignore_above: 1024
ignore_above: 2083
level: extended
name: query
normalize: []
Expand Up @@ -103,7 +103,7 @@
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"ignore_above": 2083,
"type": "keyword"
}
}
Expand Up @@ -732,7 +732,7 @@
"type": "long"
},
"query": {
"ignore_above": 1024,
"ignore_above": 2083,
"type": "keyword"
},
"registered_domain": {
Expand Down Expand Up @@ -1668,7 +1668,7 @@
"type": "long"
},
"query": {
"ignore_above": 1024,
"ignore_above": 2083,
"type": "keyword"
},
"registered_domain": {
Expand Up @@ -47,7 +47,7 @@
"type": "long"
},
"query": {
"ignore_above": 1024,
"ignore_above": 2083,
"type": "keyword"
},
"registered_domain": {
8 changes: 4 additions & 4 deletions experimental/generated/elasticsearch/legacy/template.json
Expand Up @@ -1330,7 +1330,7 @@
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"ignore_above": 2083,
"type": "keyword"
}
}
Expand Down Expand Up @@ -6021,7 +6021,7 @@
"type": "long"
},
"query": {
"ignore_above": 1024,
"ignore_above": 2083,
"type": "keyword"
},
"registered_domain": {
Expand Down Expand Up @@ -6957,7 +6957,7 @@
"type": "long"
},
"query": {
"ignore_above": 1024,
"ignore_above": 2083,
"type": "keyword"
},
"registered_domain": {
Expand Down Expand Up @@ -7579,7 +7579,7 @@
"type": "long"
},
"query": {
"ignore_above": 1024,
"ignore_above": 2083,
"type": "keyword"
},
"registered_domain": {
8 changes: 4 additions & 4 deletions generated/beats/fields.ecs.yml
Expand Up @@ -2275,7 +2275,7 @@
- name: url
level: extended
type: keyword
ignore_above: 1024
ignore_above: 2083
description: 'URL linking to an external system to continue investigation of
this event.

Expand Down Expand Up @@ -10322,7 +10322,7 @@
- name: enrichments.indicator.url.query
level: extended
type: keyword
ignore_above: 1024
ignore_above: 2083
description: 'The query field describes the query string of the request, such
as "q=elasticsearch".

Expand Down Expand Up @@ -11955,7 +11955,7 @@
- name: indicator.url.query
level: extended
type: keyword
ignore_above: 1024
ignore_above: 2083
description: 'The query field describes the query string of the request, such
as "q=elasticsearch".

Expand Down Expand Up @@ -13018,7 +13018,7 @@
- name: query
level: extended
type: keyword
ignore_above: 1024
ignore_above: 2083
description: 'The query field describes the query string of the request, such
as "q=elasticsearch".

8 changes: 4 additions & 4 deletions generated/ecs/ecs_flat.yml
Expand Up @@ -3862,7 +3862,7 @@ event.url:
are a common use case for this field.'
example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
flat_name: event.url
ignore_above: 1024
ignore_above: 2083
level: extended
name: url
normalize: []
Expand Down Expand Up @@ -17192,7 +17192,7 @@ threat.enrichments.indicator.url.query:
empty string. The `exists` query can be used to differentiate between the two
cases.'
flat_name: threat.enrichments.indicator.url.query
ignore_above: 1024
ignore_above: 2083
level: extended
name: query
normalize: []
Expand Down Expand Up @@ -19946,7 +19946,7 @@ threat.indicator.url.query:
empty string. The `exists` query can be used to differentiate between the two
cases.'
flat_name: threat.indicator.url.query
ignore_above: 1024
ignore_above: 2083
level: extended
name: query
normalize: []
Expand Down Expand Up @@ -21784,7 +21784,7 @@ url.query:
empty string. The `exists` query can be used to differentiate between the two
cases.'
flat_name: url.query
ignore_above: 1024
ignore_above: 2083
level: extended
name: query
normalize: []
8 changes: 4 additions & 4 deletions generated/ecs/ecs_nested.yml
Expand Up @@ -4884,7 +4884,7 @@ event:
are a common use case for this field.'
example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
flat_name: event.url
ignore_above: 1024
ignore_above: 2083
level: extended
name: url
normalize: []
Expand Down Expand Up @@ -19928,7 +19928,7 @@ threat:
with an empty string. The `exists` query can be used to differentiate between
the two cases.'
flat_name: threat.enrichments.indicator.url.query
ignore_above: 1024
ignore_above: 2083
level: extended
name: query
normalize: []
Expand Down Expand Up @@ -22690,7 +22690,7 @@ threat:
with an empty string. The `exists` query can be used to differentiate between
the two cases.'
flat_name: threat.indicator.url.query
ignore_above: 1024
ignore_above: 2083
level: extended
name: query
normalize: []
Expand Down Expand Up @@ -24655,7 +24655,7 @@ url:
with an empty string. The `exists` query can be used to differentiate between
the two cases.'
flat_name: url.query
ignore_above: 1024
ignore_above: 2083
level: extended
name: query
normalize: []
2 changes: 1 addition & 1 deletion generated/elasticsearch/composable/component/event.json
Expand Up @@ -103,7 +103,7 @@
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"ignore_above": 2083,
"type": "keyword"
}
}
4 changes: 2 additions & 2 deletions generated/elasticsearch/composable/component/threat.json
Expand Up @@ -732,7 +732,7 @@
"type": "long"
},
"query": {
"ignore_above": 1024,
"ignore_above": 2083,
"type": "keyword"
},
"registered_domain": {
Expand Down Expand Up @@ -1668,7 +1668,7 @@
"type": "long"
},
"query": {
"ignore_above": 1024,
"ignore_above": 2083,
"type": "keyword"
},
"registered_domain": {
2 changes: 1 addition & 1 deletion generated/elasticsearch/composable/component/url.json
Expand Up @@ -47,7 +47,7 @@
"type": "long"
},
"query": {
"ignore_above": 1024,
"ignore_above": 2083,
"type": "keyword"
},
"registered_domain": {
8 changes: 4 additions & 4 deletions generated/elasticsearch/legacy/template.json
Expand Up @@ -1288,7 +1288,7 @@
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"ignore_above": 2083,
"type": "keyword"
}
}
Expand Down Expand Up @@ -5979,7 +5979,7 @@
"type": "long"
},
"query": {
"ignore_above": 1024,
"ignore_above": 2083,
"type": "keyword"
},
"registered_domain": {
Expand Down Expand Up @@ -6915,7 +6915,7 @@
"type": "long"
},
"query": {
"ignore_above": 1024,
"ignore_above": 2083,
"type": "keyword"
},
"registered_domain": {
Expand Down Expand Up @@ -7537,7 +7537,7 @@
"type": "long"
},
"query": {
"ignore_above": 1024,
"ignore_above": 2083,
"type": "keyword"
},
"registered_domain": {
1 change: 1 addition & 0 deletions schemas/event.yml
Expand Up @@ -821,6 +821,7 @@
- name: url
level: extended
type: keyword
ignore_above: 2083
short: Event investigation URL
description: >
URL linking to an external system to continue investigation of this event.
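Review bot: the commit message justifies 2083 for query strings, but this hunk applies `ignore_above: 2083` to `event.url`, which per the description holds a complete URL to an external system. 2083 is the whole-URL limit of the browsers cited, so a long investigation link generated by a non-browser system is the case most likely to exceed it and be left unindexed (the value stays in `_source` but cannot be searched or aggregated). Consider stating that bound in the `description` so consumers of `event.url` know where indexing stops.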
1 change: 1 addition & 0 deletions schemas/url.yml
Expand Up @@ -173,6 +173,7 @@
no `?`, there is no query field. If there is a `?` but no query,
the query field exists with an empty string. The `exists`
query can be used to differentiate between the two cases.
ignore_above: 2083
otel:
- relation: match
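Review bot: the description directly above `ignore_above: 2083` says the `exists` query separates "no `?`" from "`?` with an empty query", but with `ignore_above` in effect there is a third case: a query string longer than 2083 characters is kept in `_source` yet not indexed, so `exists` will not match it either and a detection keyed on `url.query` silently misses it. Suggest adding a sentence after "differentiate between the two cases." such as "Query strings longer than 2083 characters are not indexed; see `ignore_above`."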


0 comments on commit 7cf862e