elastic · agithomas · Jun 8, 2023 · Jun 8, 2023 · Jun 9, 2023
@@ -1,7 +1,7 @@
 # 0039: TSDB Dimensions
 <!-- Leave this ID at 0000. The ECS team will assign a unique, contiguous RFC number upon merging the initial stage of this RFC. -->
 
-- Stage: **0 (strawperson)** <!-- Update to reflect target stage. See https://elastic.github.io/ecs/stages.html -->
+- Stage: **1 (Draft)** <!-- Update to reflect target stage. See https://elastic.github.io/ecs/stages.html -->
 - Date: **2023-04-11** <!-- The ECS team sets this date at merge time. This is the date of the latest stage advancement. -->
 
 <!--
@@ -177,16 +177,18 @@ Changes to cloud mapping
         short_override: Provides the cloud information of the target entity in case of an outgoing request or event.
   type: group
   fields:
-    - name: project.id
+    - name: account.id
       level: extended
       type: keyword
+      example: 666777888999
+      short: The cloud account or organization id.
       dimension: true
-      example: my-project
-      short: The cloud project id.
       description: >
-        The cloud project identifier.
-        Examples: Google Cloud Project id, Azure Project id.
+        The cloud account or organization id used to identify different
+        entities in a multi-tenant environment.
 
+        Examples: AWS account id, Google Cloud ORG Id, or other unique
+        identifier.
 
     - name: instance.id
       level: extended
@@ -205,6 +207,22 @@ Changes to cloud mapping
       description: >
         Name of the cloud provider. Example values are aws, azure, gcp, or
         digitalocean.
+
+    - name: region
+      level: extended
+      type: keyword
+      example: us-east-1
+      dimension: true
+      description: >
+        Region in which this host, resource, or service is located.
+
+    - name: availability_zone
+      level: extended
+      example: us-east-1c
+      type: keyword
+      dimension: true
+      description: >
+        Availability zone in which this host, resource, or service is located.
 ```
 
 Changes to container mapping
@@ -259,7 +277,11 @@ The source of this data comes from monitoring a host like a Linux machine, lapto
 <!--
 Stage 1: Provide a high-level description of example sources of data. This does not yet need to be a concrete example of a source document, but instead can simply describe a potential source (e.g. nginx access log). This will ultimately be fleshed out to include literal source examples in a future stage. The goal here is to identify practical sources for these fields in the real world. ~1-3 sentences or unordered list.
 -->
-
+* Bare metal
+* VMs
+* AWS EC2 instances
+* GCP compute engines
+* Azure compute VMs
 <!--
 Stage 2: Included a real world example source document. Ideally this example comes from the source(s) identified in stage 1. If not, it should replace them. The goal here is to validate the utility of these field changes in the context of a real world example. Format with the source name as a ### header and the example document in a GitHub code block with json formatting, or if on the larger side, add them to the corresponding RFC folder.
 -->
@@ -284,7 +306,7 @@ No concerns are known as of now. Presence of the `dimension:true` does not impac
 <!--
 Stage 1: Identify potential concerns, implementation challenges, or complexity. Spend some time on this. Play devil's advocate. Try to identify the sort of non-obvious challenges that tend to surface later. The goal here is to surface risks early, allow everyone the time to work through them, and ultimately document resolution for posterity's sake.
 -->
-
+No concerns are known as of now. Presence of the `dimension:true` does not impact functionality when TSDB mode is disabled (`index.mode` : null or `index.mode` : `standard`). When TSDB mode is enabled (`index.mode`: `time_series`), there exist no known impacts.
 <!--
 Stage 2: Document new concerns or resolutions to previously listed concerns. It's not critical that all concerns have resolutions at this point, but it would be helpful if resolutions were taking shape for the most significant concerns.
 -->
@@ -326,7 +348,7 @@ e.g.:
 <!-- An RFC should link to the PRs for each of it stage advancements. -->
 
 * Stage 0: https://github.com/elastic/ecs/pull/2172
-
+* Stage 1: https://github.com/elastic/ecs/pull/2217
 <!--
 * Stage 1: https://github.com/elastic/ecs/pull/NNN
 ...

@@ -0,0 +1,42 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+---
+- name: agent
+  title: Agent
+  group: 2
+  short: Fields about the monitoring agent.
+  description: >
+    The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host.
+
+    Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.
+  footnote: >
+    Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the
+    agent running in the app/service. The agent information does not change if
+    data is sent through queuing systems like Kafka, Redis, or processing systems
+    such as Logstash or APM Server.
+  type: group
+  fields:
+      - name: id
+        level: core
+        type: keyword
+        dimension: true
+        short: Unique identifier of this agent.
+        description: >
+          Unique identifier of this agent (if one exists).
+
+          Example: For Beats this would be beat.id.
+        example: 8a4f500d
@@ -0,0 +1,102 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+---
+- name: cloud
+  title: Cloud
+  group: 2
+  short: Fields about the cloud resource.
+  description: >
+    Fields related to the cloud or infrastructure the events
+    are coming from.
+  footnote: >
+    Examples: If Metricbeat is running on an EC2 host and fetches data from its
+    host, the cloud info contains the data about this machine. If Metricbeat
+    runs on a remote machine outside the cloud and fetches data from a service
+    running in the cloud, the field contains cloud data from the machine the
+    service is running on.
+
+    The cloud fields may be self-nested under cloud.origin.* and cloud.target.*
+    to describe origin or target service's cloud information in the context of
+    incoming or outgoing requests, respectively. However, the fieldsets
+    cloud.origin.* and cloud.target.* must not be confused with the root cloud
+    fieldset that is used to describe the cloud context of the actual service
+    under observation. The fieldset cloud.origin.* may only be used in the
+    context of incoming requests or events to provide the originating service's
+    cloud information. The fieldset cloud.target.* may only be used in the
+    context of outgoing requests or events to describe the target service's
+    cloud information.
+  reusable:
+    top_level: true
+    expected:
+      - at: cloud
+        as: origin
+        beta: Reusing the `cloud` fields in this location is currently considered beta.
+        short_override: Provides the cloud information of the origin entity in case of an incoming request or event.
+      - at: cloud
+        as: target
+        beta: Reusing the `cloud` fields in this location is currently considered beta.
+        short_override: Provides the cloud information of the target entity in case of an outgoing request or event.
+  type: group
+  fields:
+    - name: provider
+      level: extended
+      example: aws
+      type: keyword
+      dimension: true
+      short: Name of the cloud provider.
+      description: >
+        Name of the cloud provider. Example values are aws, azure, gcp, or
+        digitalocean.
+
+    - name: availability_zone
+      level: extended
+      example: us-east-1c
+      type: keyword
+      dimension: true
+      description: >
+        Availability zone in which this host, resource, or service is located.
+
+    - name: region
+      level: extended
+      type: keyword
+      dimension: true
+      example: us-east-1
+      description: >
+        Region in which this host, resource, or service is located.
+
+    - name: instance.id
+      level: extended
+      type: keyword
+      example: i-1234567890abcdef0
+      dimension: true
+      description: >
+        Instance ID of the host machine.
+
+    - name: account.id
+      level: extended
+      type: keyword
+      example: 666777888999
+      dimension: true
+      short: The cloud account or organization id.
+      description: >
+        The cloud account or organization id used to identify different
+        entities in a multi-tenant environment.
+
+        Examples: AWS account id, Google Cloud ORG Id, or other unique
+        identifier.
+
+
@@ -0,0 +1,35 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+---
+- name: container
+  title: Container
+  group: 2
+  short: Fields describing the container that generated this event.
+  description: >
+    Container fields are used for meta information about the specific container
+    that is the source of information.
+
+    These fields help correlate data based containers from any runtime.
+  type: group
+  fields:
+
+    - name: id
+      level: core
+      type: keyword
+      dimension: true
+      description: >
+        Unique container id.
@@ -0,0 +1,40 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+---
+- name: host
+  title: Host
+  group: 2
+  short: Fields describing the relevant computing instance.
+  description: >
+    A host is defined as a general computing instance.
+
+    ECS host.* fields should be populated with details about the host on which
+    the event happened, or from which the measurement was taken.
+    Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.
+  type: group
+  fields:
+    - name: name
+      level: core
+      type: keyword
+      short: Name of the host.
+      dimension: true
+      description: >
+        Name of the host.
+
+        It can contain what hostname returns on Unix systems, the fully
+        qualified domain name (FQDN), or a name specified by the user.
+        The recommended value is the lowercase FQDN of the host.
@@ -0,0 +1,59 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+---
+- name: service
+  title: Service
+  group: 2
+  short: Fields describing the service for or from which the data was collected.
+  description: >
+    The service fields describe the service for or from which the data was collected.
+
+    These fields help you find and correlate logs for a specific
+    service and version.
+  footnote: >
+    The service fields may be self-nested under service.origin.* and service.target.*
+    to describe origin or target services in the context of incoming or outgoing requests,
+    respectively.
+    However, the fieldsets service.origin.* and service.target.* must not be confused with
+    the root service fieldset that is used to describe the actual service under observation.
+    The fieldset service.origin.* may only be used in the context of incoming requests or
+    events to describe the originating service of the request. The fieldset service.target.*
+    may only be used in the context of outgoing requests or events to describe the target
+    service of the request.
+  reusable:
+    top_level: true
+    expected:
+      - at: service
+        as: origin
+        beta: Reusing the `service` fields in this location is currently considered beta.
+        short_override: Describes the origin service in case of an incoming request or event.
+      - at: service
+        as: target
+        beta: Reusing the `service` fields in this location is currently considered beta.
+        short_override: Describes the target service in case of an outgoing request or event.
+  type: group
+  fields:
+    - name: address
+      level: extended
+      type: keyword
+      short: Address of this service.
+      dimension: true
+      description: >
+        Address where data about this service was collected from.
+
+        This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
+      example: 172.26.0.2:5432