Re-introduce a simplified version of user_agent.

Author: Mathieu Martin

README.md

@@ -70,6 +70,7 @@ ECS defines these fields.
  * [Source fields](#source)
  * [URL fields](#url)
  * [User fields](#user)
+ * [User agent fields](#user_agent)
 
 ## <a name="base"></a> Base fields
 
@@ -438,6 +439,20 @@ Note also that the `user` fields may be used directly at the top level.
 | <a name="user.group"></a>user.group | Group the user is a part of. This field can contain a list of groups, if necessary. | extended | keyword |  |
 
 
+## <a name="user_agent"></a> User agent fields
+
+The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.
+
+
+| Field  | Description  | Level  | Type  | Example  |
+|---|---|---|---|---|
+| <a name="user_agent.original"></a>user_agent.original | Unparsed version of the user_agent. | extended | keyword |  |
+| <a name="user_agent.name"></a>user_agent.name | Name of the user agent. | extended | keyword | `Chrome` |
+| <a name="user_agent.version"></a>user_agent.version | Version of the user agent. | extended | keyword |  |
+| <a name="user_agent.device.name"></a>user_agent.device.name | Name of the device. | extended | keyword | `Chrome` |
+| <a name="user_agent.device.version"></a>user_agent.device.version | Version of the device. | extended | keyword |  |
+
+
 
 
 

fields.yml

@@ -1335,3 +1335,42 @@
           description: >
             Group the user is a part of. This field can contain a list of groups, if
             necessary.
+    
+    - name: user_agent
+      title: User agent
+      group: 2
+      description: >
+        The user_agent fields normally come from a browser request. They often
+        show up in web service logs coming from the parsed user agent string.
+      type: group
+      fields:
+    
+        - name: original
+          level: extended
+          type: keyword
+          description: >
+            Unparsed version of the user_agent.
+    
+        - name: name
+          level: extended
+          type: keyword
+          example: Chrome
+          description: >
+            Name of the user agent.
+        - name: version
+          level: extended
+          type: keyword
+          description: >
+            Version of the user agent.
+    
+        - name: device.name
+          level: extended
+          type: keyword
+          example: Chrome
+          description: >
+            Name of the device.
+        - name: device.version
+          level: extended
+          type: keyword
+          description: >
+            Version of the device.

schema.csv

@@ -139,3 +139,8 @@ user.group,keyword,extended,
 user.hash,keyword,extended,
 user.id,keyword,core,
 user.name,keyword,core,
+user_agent.device.name,keyword,extended,Chrome
+user_agent.device.version,keyword,extended,
+user_agent.name,keyword,extended,Chrome
+user_agent.original,keyword,extended,
+user_agent.version,keyword,extended,

schemas/user_agent.yml

@@ -0,0 +1,39 @@
+---
+- name: user_agent
+  title: User agent
+  group: 2
+  description: >
+    The user_agent fields normally come from a browser request. They often
+    show up in web service logs coming from the parsed user agent string.
+  type: group
+  fields:
+
+    - name: original
+      level: extended
+      type: keyword
+      description: >
+        Unparsed version of the user_agent.
+
+    - name: name
+      level: extended
+      type: keyword
+      example: Chrome
+      description: >
+        Name of the user agent.
+    - name: version
+      level: extended
+      type: keyword
+      description: >
+        Version of the user agent.
+
+    - name: device.name
+      level: extended
+      type: keyword
+      example: Chrome
+      description: >
+        Name of the device.
+    - name: device.version
+      level: extended
+      type: keyword
+      description: >
+        Version of the device.

template.json

@@ -662,6 +662,34 @@
               "type": "keyword"
             }
           }
+        },
+        "user_agent": {
+          "properties": {
+            "device": {
+              "properties": {
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "version": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "original": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
         }
       }
     }

use-cases/filebeat-apache-access.md

@@ -21,7 +21,7 @@ ECS fields used in Filebeat for the apache module.
 | <a name="http.response.body_sent.bytes"></a>*http.response.body_sent.bytes* | *Http response body bytes sent, currently apache.access.body_sent.bytes* | (use case) | long | `117` |
 | <a name="http.referer"></a>*http.referer* | *Http referrer code, currently apache.access.referrer<br/>NOTE: In the RFC its misspell as referer and has become accepted standard* | (use case) | keyword | `http://elastic.co/` |
 | <a name="user_agent.&ast;"></a>*user_agent.&ast;* | *User agent fields as in schema. Currently under apache.access.user_agent.*<br/>* |  |  |  |
-| <a name="user_agent.original"></a>*user_agent.original* | *Original user agent. Currently apache.access.agent* | (use case) | keyword | `http://elastic.co/` |
+| [user_agent.original](../README.md#user_agent.original)  | Original user agent. Currently apache.access.agent | extended | keyword | `http://elastic.co/` |
 | <a name="geoip.&ast;"></a>*geoip.&ast;* | *User agent fields as in schema. Currently under apache.access.geoip.*<br/>These are extracted from source.ip<br/>Should they be under source.geoip?<br/>* |  |  |  |
 | <a name="geoip...."></a>*geoip....* | *All geoip fields.* | (use case) | keyword |  |
 

use-cases/web-logs.md

@@ -17,13 +17,13 @@ Using the fields as represented here is not expected to conflict with ECS, but m
 | <a name="http.response.body"></a>*http.response.body* | *The full http response body.* | (use case) | keyword | `Hello world` |
 | <a name="http.version"></a>*http.version* | *Http version.* | (use case) | keyword | `1.1` |
 | <a name="user_agent.&ast;"></a>*user_agent.&ast;* | *The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.<br/>* |  |  |  |
-| <a name="user_agent.original"></a>*user_agent.original* | *Unparsed version of the user_agent.* | (use case) | keyword |  |
+| [user_agent.original](../README.md#user_agent.original)  | Unparsed version of the user_agent. | extended | keyword |  |
 | <a name="user_agent.device"></a>*user_agent.device* | *Name of the physical device.* | (use case) | keyword |  |
-| <a name="user_agent.version"></a>*user_agent.version* | *Version of the physical device.* | (use case) | keyword |  |
+| [user_agent.version](../README.md#user_agent.version)  | Version of the physical device. | extended | keyword |  |
 | <a name="user_agent.major"></a>*user_agent.major* | *Major version of the user agent.* | (use case) | long |  |
 | <a name="user_agent.minor"></a>*user_agent.minor* | *Minor version of the user agent.* | (use case) | long |  |
 | <a name="user_agent.patch"></a>*user_agent.patch* | *Patch version of the user agent.* | (use case) | keyword |  |
-| <a name="user_agent.name"></a>*user_agent.name* | *Name of the user agent.* | (use case) | keyword | `Chrome` |
+| [user_agent.name](../README.md#user_agent.name)  | Name of the user agent. | extended | keyword | `Chrome` |