Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

For boolean values, should we recommend using tags or a boolean field? #100

Closed
2 tasks
webmat opened this issue Aug 21, 2018 · 4 comments
Closed
2 tasks

Comments

@webmat
Copy link
Contributor

webmat commented Aug 21, 2018

Boolean fields are meant to represent a binary value, but the absence of the field can add a third state to consider, making the field actually ternary (true, false, absent).

Alternately we could represent this binary value by the presence or absence of a specific tag in tags.

Of course tags is largely meant to let people add free form tags to their event stream, without needing them to be documented formally. But that doesn't prevent us from documenting some commonly tags, just like we're documenting field names & types.

This idea came up in elastic/beats#7991, discussing whether we should have a boolean field log.truncated or a tag truncated.

If we think using tags as "true" binary booleans should be the preferred approach:

  • we could document this convention in the "ECS Conventions" of the readme
  • and add a list of "official" tags we suggest people consider using.

At the time of writing this issue, there are no boolean fields in ECS.

@webmat webmat added the discuss label Aug 21, 2018
@ruflin
Copy link
Contributor

ruflin commented Aug 22, 2018

I would delay this discussion until we have actual boolean values. In general I see the tags to be used by our users and should not be polluted by ECS to prevent any conflicts.

@webmat
Copy link
Contributor Author

webmat commented Aug 23, 2018

Agreed. I created the "deferred" label, and gave it a boring color so we stop noticing it :-)

@webmat webmat removed the discuss label Aug 23, 2018
@urso
Copy link

urso commented Aug 27, 2018

@ruflin @webmat We've got 2 PRs blocked. Let's not defer it for too long please.

The proposal for tags was not to use the tags field, but a custom field that acts like tags. In the use-case given we could introduce a log.status or log.flags fields, with type []string.

Assuming reader pipeline in beats uses fields we always have to generate this:

{
   ...
  "log": {
    "truncated": false,
    "multiline": false,
  },
}

Using tags the event would become:

{
   ...
  "log": {
    "status": [],
  },
}

The event does not exist yet in filebeat, as we're still processing the input.

Having tags we're somewhat flexible, as we only need to define/add tags locally + document the tag only.

Using fields we would have to pass a 'state'-struct, transform the struct the event fields, update fields.yml + documentation.

My impression is that using tags would be somewhat more flexible and require less places/files to be updated (less things to forget).

@ruflin
Copy link
Contributor

ruflin commented Aug 28, 2018

We have one similar example in ECS which is network.direction: https://github.com/elastic/ecs#-network-fields It sounds like we are more talking about an enum type then actually tags even though from the Elasticsearch perspective it's the same.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants