diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1ebfdf3c3b..8c9a5c9d29 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file based on the
### Breaking changes
+* Rename `network.total.bytes` to `network.bytes` and `network.total.packets`
+ to `network.packets`. #179
+* Remove `network.inbound.bytes`, `network.inbound.packets`,
+ `network.outbound.bytes` and `network.outbound.packets`. #179
+
### Bugfixes
* Fix obvious mistake in the definition of "source", where it said "destination"
@@ -36,6 +41,8 @@ All notable changes to this project will be documented in this file based on the
* Clarify the semantics of `network.direction`. #212
+* Add `source.bytes`, `source.packets`, `destination.bytes` and `destination.packets`. #179
+
### Deprecated
## [1.0.0-beta1](https://github.com/elastic/ecs/compare/v0.1.0...v1.0.0-beta1)
diff --git a/README.md b/README.md
index c8e1270ee2..097d567911 100644
--- a/README.md
+++ b/README.md
@@ -147,6 +147,8 @@ Destination fields describe details about the destination of a packet/event.
| destination.port | Port of the destination. | core | long | |
| destination.mac | MAC address of the destination. | core | keyword | |
| destination.domain | Destination domain. | core | keyword | |
+| destination.bytes | Bytes sent from the destination to the source. | core | long | `184` |
+| destination.packets | Packets sent from the destination to the source. | core | long | `12` |
## Device fields
@@ -322,12 +324,8 @@ The network is defined as the communication path over which a host or network ev
| network.direction | Direction of the network traffic.
Recommended values are:
* inbound
* outbound
* internal
* external
* unknown
When mapping events from a host-based monitoring context, populate this field from the host's point of view.
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | core | keyword | `inbound` |
| network.forwarded_ip | Host IP address when the source IP address is the proxy. | core | ip | `192.1.1.2` |
| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
Learn more at https://github.com/corelight/community-id-spec. | extended | keyword | `1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=` |
-| network.inbound.bytes | Network inbound bytes. | core | long | `184` |
-| network.inbound.packets | Network inbound packets. | core | long | `12` |
-| network.outbound.bytes | Network outbound bytes. | core | long | `184` |
-| network.outbound.packets | Network outbound packets. | core | long | `12` |
-| network.total.bytes | Network total bytes. The sum of inbound.bytes + outbound.bytes. | core | long | `368` |
-| network.total.packets | Network outbound packets. The sum of inbound.packets + outbound.packets | core | long | `24` |
+| network.bytes | Total bytes transferred in both directions.
If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | core | long | `368` |
+| network.packets | Total packets transferred in both directions.
If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | core | long | `24` |
## Organization fields
@@ -415,6 +413,8 @@ Source fields describe details about the source of a packet/event.
| source.port | Port of the source. | core | long | |
| source.mac | MAC address of the source. | core | keyword | |
| source.domain | Source domain. | core | keyword | |
+| source.bytes | Bytes sent from the source to the destination. | core | long | `184` |
+| source.packets | Packets sent from the source to the destination. | core | long | `12` |
## URL fields
diff --git a/fields.yml b/fields.yml
index 8df5459473..87704127c9 100644
--- a/fields.yml
+++ b/fields.yml
@@ -269,6 +269,21 @@
description: >
Destination domain.
+ # Metrics
+ - name: bytes
+ level: core
+ type: long
+ example: 184
+ description: >
+ Bytes sent from the destination to the source.
+
+ - name: packets
+ level: core
+ type: long
+ example: 12
+ description: >
+ Packets sent from the destination to the source.
+
- name: device
title: Device
group: 2
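Review bot: The `bytes` and `packets` entries added under the destination field set put `example` before `description`, while the existing metric entries in this file and the rewritten `network.bytes`/`network.packets` entries in the next hunk put `description` first and `example` last; ordering the keys as `name`, `level`, `type`, `description`, `example` keeps the file uniform. The same ordering appears in the source-field hunk of this file and in the `schemas/destination.yml` and `schemas/source.yml` hunks. The new descriptions also do not say whether the byte count includes protocol headers or only payload, which matters as soon as values from different sensors are compared or thresholded in a detection rule; a sentence such as `Whether headers are included is sensor-specific; document the convention used by the producing data source.` would make that limit explicit, assuming no single convention is intended.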
@@ -933,46 +948,22 @@
example: '1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0='
# Metrics
- - name: inbound.bytes
- level: core
- type: long
- description: >
- Network inbound bytes.
- example: 184
-
- - name: inbound.packets
- level: core
- type: long
- description: >
- Network inbound packets.
- example: 12
-
- - name: outbound.bytes
+ - name: bytes
level: core
type: long
description: >
- Network outbound bytes.
- example: 184
-
- - name: outbound.packets
- level: core
- type: long
- description: >
- Network outbound packets.
- example: 12
+ Total bytes transferred in both directions.
- - name: total.bytes
- level: core
- type: long
- description: >
- Network total bytes. The sum of inbound.bytes + outbound.bytes.
+ If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
example: 368
- - name: total.packets
+ - name: packets
level: core
type: long
description: >
- Network outbound packets. The sum of inbound.packets + outbound.packets
+ Total packets transferred in both directions.
+
+ If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
example: 24
- name: organization
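Review bot: The new `network.bytes` description states that the field is the sum of `source.bytes` and `destination.bytes` when both are known, but not what a producer should record when only one direction was observed, so a consumer cannot tell whether a given value is a complete total or a partial one — an ambiguity that directly affects volume-based detections built on this field. A second sentence such as `If only one direction is known, leave network.bytes unset rather than reporting a partial total.` (or whichever rule is intended) would remove it. The same gap exists in the `network.packets` description below and in the identical text in the `schemas/network.yml` hunk.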
@@ -1261,6 +1252,21 @@
description: >
Source domain.
+ # Metrics
+ - name: bytes
+ level: core
+ type: long
+ example: 184
+ description: >
+ Bytes sent from the source to the destination.
+
+ - name: packets
+ level: core
+ type: long
+ example: 12
+ description: >
+ Packets sent from the source to the destination.
+
- name: url
title: URL
description: >
diff --git a/schema.csv b/schema.csv
index 0dbf56413e..eeab67f1a5 100644
--- a/schema.csv
+++ b/schema.csv
@@ -21,9 +21,11 @@ container.image.tag,keyword,extended,
container.labels,object,extended,
container.name,keyword,extended,
container.runtime,keyword,extended,docker
+destination.bytes,long,core,184
destination.domain,keyword,core,
destination.ip,ip,core,
destination.mac,keyword,core,
+destination.packets,long,core,12
destination.port,long,core,
device.hostname,keyword,core,
device.ip,ip,core,
@@ -89,18 +91,14 @@ http.version,keyword,extended,1.1
log.level,keyword,core,ERR
log.original,keyword,core,Sep 19 08:26:10 localhost My log
network.application,keyword,extended,AIM
+network.bytes,long,core,368
network.community_id,keyword,extended,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
network.direction,keyword,core,inbound
network.forwarded_ip,ip,core,192.1.1.2
network.iana_number,keyword,extended,6
-network.inbound.bytes,long,core,184
-network.inbound.packets,long,core,12
network.name,keyword,extended,Guest Wifi
-network.outbound.bytes,long,core,184
-network.outbound.packets,long,core,12
+network.packets,long,core,24
network.protocol,keyword,core,http
-network.total.bytes,long,core,368
-network.total.packets,long,core,24
network.transport,keyword,core,TCP
network.type,keyword,core,IPv4
organization.id,keyword,extended,
@@ -126,9 +124,11 @@ service.name,keyword,core,elasticsearch-metrics
service.state,keyword,core,
service.type,keyword,core,elasticsearch
service.version,keyword,core,3.2.4
+source.bytes,long,core,184
source.domain,keyword,core,
source.ip,ip,core,
source.mac,keyword,core,
+source.packets,long,core,12
source.port,long,core,
url.domain,keyword,extended,www.elastic.co
url.fragment,keyword,extended,
diff --git a/schemas/destination.yml b/schemas/destination.yml
index cde74dc6c3..e9f5ed2049 100644
--- a/schemas/destination.yml
+++ b/schemas/destination.yml
@@ -33,3 +33,18 @@
type: keyword
description: >
Destination domain.
+
+ # Metrics
+ - name: bytes
+ level: core
+ type: long
+ example: 184
+ description: >
+ Bytes sent from the destination to the source.
+
+ - name: packets
+ level: core
+ type: long
+ example: 12
+ description: >
+ Packets sent from the destination to the source.
diff --git a/schemas/network.yml b/schemas/network.yml
index 51e4c1f8f2..ee38ee973e 100644
--- a/schemas/network.yml
+++ b/schemas/network.yml
@@ -95,44 +95,20 @@
example: '1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0='
# Metrics
- - name: inbound.bytes
+ - name: bytes
level: core
type: long
description: >
- Network inbound bytes.
- example: 184
+ Total bytes transferred in both directions.
- - name: inbound.packets
- level: core
- type: long
- description: >
- Network inbound packets.
- example: 12
-
- - name: outbound.bytes
- level: core
- type: long
- description: >
- Network outbound bytes.
- example: 184
-
- - name: outbound.packets
- level: core
- type: long
- description: >
- Network outbound packets.
- example: 12
-
- - name: total.bytes
- level: core
- type: long
- description: >
- Network total bytes. The sum of inbound.bytes + outbound.bytes.
+ If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
example: 368
- - name: total.packets
+ - name: packets
level: core
type: long
description: >
- Network outbound packets. The sum of inbound.packets + outbound.packets
+ Total packets transferred in both directions.
+
+ If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
example: 24
diff --git a/schemas/source.yml b/schemas/source.yml
index 068ff7fd4a..098df51ddc 100644
--- a/schemas/source.yml
+++ b/schemas/source.yml
@@ -33,3 +33,18 @@
type: keyword
description: >
Source domain.
+
+ # Metrics
+ - name: bytes
+ level: core
+ type: long
+ example: 184
+ description: >
+ Bytes sent from the source to the destination.
+
+ - name: packets
+ level: core
+ type: long
+ example: 12
+ description: >
+ Packets sent from the source to the destination.
diff --git a/template.json b/template.json
index ed0bef8337..0032368193 100644
--- a/template.json
+++ b/template.json
@@ -124,6 +124,9 @@
},
"destination": {
"properties": {
+ "bytes": {
+ "type": "long"
+ },
"domain": {
"ignore_above": 1024,
"type": "keyword"
@@ -135,6 +138,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "packets": {
+ "type": "long"
+ },
"port": {
"type": "long"
}
@@ -443,6 +449,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "bytes": {
+ "type": "long"
+ },
"community_id": {
"ignore_above": 1024,
"type": "keyword"
@@ -458,44 +467,17 @@
"ignore_above": 1024,
"type": "keyword"
},
- "inbound": {
- "properties": {
- "bytes": {
- "type": "long"
- },
- "packets": {
- "type": "long"
- }
- }
- },
"name": {
"ignore_above": 1024,
"type": "keyword"
},
- "outbound": {
- "properties": {
- "bytes": {
- "type": "long"
- },
- "packets": {
- "type": "long"
- }
- }
+ "packets": {
+ "type": "long"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
},
- "total": {
- "properties": {
- "bytes": {
- "type": "long"
- },
- "packets": {
- "type": "long"
- }
- }
- },
"transport": {
"ignore_above": 1024,
"type": "keyword"
@@ -619,6 +601,9 @@
},
"source": {
"properties": {
+ "bytes": {
+ "type": "long"
+ },
"domain": {
"ignore_above": 1024,
"type": "keyword"
@@ -630,6 +615,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "packets": {
+ "type": "long"
+ },
"port": {
"type": "long"
}