diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 39dc9a5a05..9f8ac783ad 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -22,6 +22,8 @@ Thanks, you're awesome :-) --> #### Improvements +* Note `[` and `]` bracket characters may enclose a literal IPv6 address when populating `url.domain`. #1131 + #### Deprecated ### Tooling and Artifact Changes diff --git a/code/go/ecs/url.go b/code/go/ecs/url.go index ec00f75914..d9a05e4a81 100644 --- a/code/go/ecs/url.go +++ b/code/go/ecs/url.go @@ -42,6 +42,9 @@ type Url struct { // In some cases a URL may refer to an IP and/or port directly, without a // domain name. In this case, the IP address would go to the `domain` // field. + // If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF + // RFC 2732), the `[` and `]` characters should also be captured in the + // `domain` field. Domain string `ecs:"domain"` // The highest registered url domain, stripped of the subdomain. diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index eebf2524f2..87a98e4e21 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -7276,6 +7276,8 @@ URL fields provide support for complete or partial URLs, and supports the breaki In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + type: keyword diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 0501a22725..16c38aefca 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -5253,7 +5253,11 @@ description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' example: www.elastic.co - name: extension level: extended diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index a53975d700..255173741f 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -8027,7 +8027,10 @@ url.domain: description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), + the `[` and `]` characters should also be captured in the `domain` field.' example: www.elastic.co flat_name: url.domain level: extended diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 60deb5c23b..85be996c31 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -9295,7 +9295,11 @@ url: description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' example: www.elastic.co flat_name: url.domain level: extended diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 50f344720b..223cc8f130 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -5341,7 +5341,11 @@ description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' example: www.elastic.co - name: extension level: extended diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index cfee8c876f..8ddc706a5a 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -8110,7 +8110,10 @@ url.domain: description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), + the `[` and `]` characters should also be captured in the `domain` field.' example: www.elastic.co flat_name: url.domain ignore_above: 1024 
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index f1ee2ecde8..c00c9c5173 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -9383,7 +9383,11 @@ url: description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' example: www.elastic.co flat_name: url.domain ignore_above: 1024 diff --git a/schemas/url.yml b/schemas/url.yml index 0253f316e8..88a0278891 100644 --- a/schemas/url.yml +++ b/schemas/url.yml @@ -58,6 +58,9 @@ In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), + the `[` and `]` characters should also be captured in the `domain` field. example: www.elastic.co - name: registered_domain
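Review bot: The paragraph added to the `url.domain` description in schemas/url.yml cites RFC 2732, which RFC 3986 obsoleted; the bracketed IP-literal host syntax is now defined in RFC 3986 section 3.2.2, so the reference should read `(IETF RFC 3986, section 3.2.2)`. The paragraph also leaves unstated a consequence that matters for detection content: with the brackets kept, `url.domain` will not compare equal to the same address stored bare in IP-typed fields or in indicator lists, so rules and enrichment that match on it must strip `[` and `]` first. A closing sentence such as `Strip the brackets before comparing this value with IP fields or indicator lists.` would make that explicit. The same wording is repeated in the url.go comment, the asciidoc page and the generated YAML files earlier in this diff, which are presumably regenerated from this schema.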