elastic · graphaelli · Nov 8, 2018 · Nov 12, 2018
diff --git a/_meta/ecs-migration.yml b/_meta/ecs-migration.yml
@@ -0,0 +1,115 @@
+# The ECS migration file contains the information about all the fields which are migrated to ECS in 7.0.
+# The goal of the file is to potentially have scripts on top of this information to convert visualisations and templates
+# based on this information in an automated way and to keep track of all changes which were applied.
+#
+# The format of the file is as following:
+#
+# - from: source-field-in-6.x
+#   to: target-filed-in-ECS
+#   # Alias field is useful for fields where there is a 1-1 mapping from old to new
+#   alias: true-if-alias-is-required-in-6x (default is true)
+#   # Copy to is useful for fields where multiple fields map to the same ECS field
+#   copy_to: true-if-field-should-be-copied-to-target-in-6x (default is false)
+
+- from: context.service.agent.name
+  to: agent.name
+
+- from: context.service.agent.version
+  to: agent.version
+
+- from: context.system.architecture
+  to: host.architecture
+
+- from: context.system.ip
+  to: host.ip
+
+- from: context.system.hostname
+  to: host.name
+
+- from: context.system.platform
+  to: host.os.platform
+
+- from: context.request.method
+  to: http.method
+
+- from: context.request.http_version
+  to: http.version
+
+- from: context.tags
+  to: labels
+  alias: false
+  copy_to: true
+
+- from: context.process.pid
+  to: process.pid
+
+- from: context.process.ppid
+  to: process.ppid
+
+- from: context.process.title
+  to: process.title
+
+  # not in ECS
+- from: context.service.environment
+  to: service.environment
+
+  # not in ECS
+- from: context.service.framework.name
+  to: service.framework.name
+
+  # not in ECS
+- from: context.service.framework.version
+  to: service.framework.version
+
+  # not in ECS
+- from: context.service.language.name
+  to: service.language.name
+
+  # not in ECS
+- from: context.service.language.version
+  to: service.language.version
+
+- from: context.service.name
+  to: service.name
+
+  # not in ECS
+- from: context.service.runtime.name
+  to: service.runtime.name
+
+  # not in ECS
+- from: context.service.runtime.version
+  to: service.runtime.version
+
+- from: context.request.url.full
+  to: url.original
+
+- from: context.request.url.hash
+  to: url.fragment
+
+- from: context.request.url.hostname
+  to: url.domain
+
+- from: context.request.url.pathname
+  to: url.path
+
+- from: context.request.url.port
+  to: url.port
+  alias: false
+  copy_to: true
+
+- from: context.request.url.search
+  to: url.query
+
+- from: context.request.url.protocol
+  to: url.scheme
+  alias: false
+  copy_to: true
+
+- from: context.user.email
+  to: user.email
+
+- from: context.user.id
+  to: user.id
+
+- from: context.user.username
+  to: user.name
diff --git a/_meta/fields.common.yml b/_meta/fields.common.yml
@@ -316,3 +316,181 @@
           type: keyword
           description: >
              The ID of the parent event.
+
+    # ECS
+    - name: agent
+      type: group
+      dynamic: false
+      fields:
+        - name: name
+          type: alias
+          path: context.service.agent.name
+
+        - name: version
+          type: alias
+          path: context.service.agent.version
+
+    - name: host
+      type: group
+      dynamic: false
+      fields:
+        - name: architecture
+          type: alias
+          path: context.system.architecture
+
+        - name: ip
+          type: alias
+          path: context.system.ip
+
+        - name: name
+          type: alias
+          path: context.system.hostname
+
+        - name: os
+          type: group
+          fields:
+            - name: platform
+              type: alias
+              path: context.system.platform
+
+    - name: http
+      type: group
+      dynamic: false
+      fields:
+        - name: method
+          type: alias
+          path: context.request.method
+
+        - name: version
+          type: alias
+          path: context.request.http_version
+
+    # context.tags copied here (can't alias objects)
+    - name: labels
+      type: object
+      object_type: keyword
+      dynamic: true
+      description: >
+        A flat mapping of user-defined labels with string values.
+
+    - name: process
+      type: group
+      dynamic: false
+      fields:
+        - name: pid
+          type: alias
+          path: context.process.pid
+
+        - name: ppid
+          type: alias
+          path: context.process.ppid
+
+        - name: title
+          type: alias
+          path: context.process.title
+
+    - name: service
+      type: group
+      dynamic: false
+      fields:
+        # not in ECS
+        - name: environment
+          type: alias
+          path: context.service.environment
+
+        # not in ECS
+        - name: framework
+          type: group
+          fields:
+            - name: name
+              type: alias
+              path: context.service.framework.name
+
+            - name: version
+              type: alias
+              path: context.service.framework.version
+
+        # not in ECS
+        - name: language
+          type: group
+          fields:
+            - name: name
+              type: alias
+              path: context.service.language.name
+
+            - name: version
+              type: alias
+              path: context.service.language.version
+
+        - name: name
+          type: alias
+          path: context.service.name
+
+        # not in ECS
+        - name: runtime
+          type: group
+          fields:
+            - name: name
+              type: alias
+              path: context.service.runtime.name
+
+            - name: version
+              type: alias
+              path: context.service.runtime.version
+
+        - name: version
+          type: alias
+          path: context.service.version
+
+    - name: url
+      type: group
+      dynamic: false
+      fields:
+        - name: domain
+          type: alias
+          path: context.request.url.hostname
+
+        - name: fragment
+          type: alias
+          path: context.request.url.hash
+
+        - name: original
+          type: alias
+          path: context.request.url.full
+
+        - name: path
+          type: alias
+          path: context.request.url.pathname
+
+        # context.request.url.port keyword -> long
+        - name: port
+          type: long
+          description: >
+            The port of the request, e.g. 443.
+
+        - name: query
+          type: alias
+          path: context.request.url.search
+          # TODO: multifield original.text
+
+        # context.request.url.protocol minus the ":"
+        - name: scheme
+          type: keyword
+          description: >
+            The scheme of the request, e.g. "https".
+
+    - name: user
+      type: group
+      dynamic: false
+      fields:
+        - name: email
+          type: alias
+          path: context.user.email
+
+        - name: id
+          type: alias
+          path: context.user.id
+
+        - name: name
+          type: alias
+          path: context.user.username