diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6d50b4f4ea..f4e34051e2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ All notable changes to this project will be documented in this file based on the
## [Unreleased](https://github.com/elastic/ecs/compare/0.1.0...master)
### Breaking changes
+- Replaced network.inbound/outbound with less ambigious network.transfer.
### Bugfixes
diff --git a/README.md b/README.md
index 54f7c87d9d..8d30acad2e 100644
--- a/README.md
+++ b/README.md
@@ -271,12 +271,9 @@ All fields related to network data.
| Field | Description | Type | Multi Field | Example |
|---|---|---|---|---|
| `network.protocol` | Network protocol name. | keyword | | `http` |
-| `network.direction` | Direction of the network traffic.
The recommended values are:
* inbound
* outbound
* unknown | keyword | | `inbound` |
| `network.forwarded_ip` | forwarded_ip indicates the host IP address when the source IP address is the proxy. | ip | | `192.1.1.2` |
-| `network.inbound.bytes` | Network inbound bytes. | long | | `184` |
-| `network.inbound.packets` | Network inbound packets. | long | | `12` |
-| `network.outbound.bytes` | Network outbound bytes. | long | | `184` |
-| `network.outbound.packets` | Network outbound packets. | long | | `12` |
+| `network.transfer.bytes` | Network bytes transferred.
Typically used with netflow, sflow, or cloud provider flow logs | long | | `184` |
+| `network.transfer.packets` | Network packets transferred.
Typically used with netflow, sflow, or cloud provider flow logs | long | | `12` |
## Organization fields
diff --git a/schema.csv b/schema.csv
index 4e74119163..99b15af124 100644
--- a/schema.csv
+++ b/schema.csv
@@ -86,13 +86,10 @@ kubernetes.pod.name,keyword,0,
log.level,keyword,0,ERR
log.line,long,0,18
log.offset,long,0,12
-network.direction,keyword,0,inbound
network.forwarded_ip,ip,0,192.1.1.2
-network.inbound.bytes,long,0,184
-network.inbound.packets,long,0,12
-network.outbound.bytes,long,0,184
-network.outbound.packets,long,0,12
network.protocol,keyword,0,http
+network.transfer.bytes,long,0,184
+network.transfer.packets,long,0,12
organization.id,keyword,0,
organization.name,text,0,
process.args,keyword,0,"['-l', 'user', '10.0.0.16']"
diff --git a/schemas/network.yml b/schemas/network.yml
index afc422d2a0..6505561932 100644
--- a/schemas/network.yml
+++ b/schemas/network.yml
@@ -10,16 +10,6 @@
description: >
Network protocol name.
example: http
- - name: direction
- type: keyword
- description: >
- Direction of the network traffic.
-
- The recommended values are:
- * inbound
- * outbound
- * unknown
- example: inbound
- name: forwarded_ip
type: ip
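Review bot: The removal of `network.direction` in this hunk is not mentioned in the CHANGELOG entry added by this commit, which names only network.inbound/outbound. Dropping the field is a breaking change for any query or alert rule that filters on it, so the entry should say so, for example `- Removed network.direction; replaced network.inbound/outbound with network.transfer.` Nothing on the new side of this hunk replaces the field, so consumers that separated inbound from outbound traffic would presumably have to derive direction from the source and destination fields, and a sentence saying that would help migration. The field list this hunk edits starts and ends outside the hunk.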
@@ -29,23 +19,17 @@
example: 192.1.1.2
# Metrics
- - name: inbound.bytes
- type: long
- description: >
- Network inbound bytes.
- example: 184
- - name: inbound.packets
- type: long
- description: >
- Network inbound packets.
- example: 12
- - name: outbound.bytes
+ - name: transfer.bytes
type: long
description: >
- Network outbound bytes.
+ Network bytes transferred.
+
+ Typically used with netflow, sflow, or cloud provider flow logs
example: 184
- - name: outbound.packets
+ - name: transfer.packets
type: long
description: >
- Network outbound packets.
+ Network packets transferred.
+
+ Typically used with netflow, sflow, or cloud provider flow logs
example: 12
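Review bot: The new descriptions for `transfer.bytes` and `transfer.packets` do not say whether the value is the sum of both directions of a flow or a one-way count. The removed fields carried that in their names. Volume-based monitoring, such as alerting on unusually large outbound transfers, depends on the answer, so two producers that interpret the field differently would yield counts that cannot be compared. If the intent is a combined total, I would state it in the description, e.g. `Network bytes transferred in both directions of the flow (inbound plus outbound).`, with the same wording for packets. The "Typically used with netflow, sflow, or cloud provider flow logs" sentence is also missing its final period in both fields.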
diff --git a/template.json b/template.json
index 2934113513..989856e93a 100644
--- a/template.json
+++ b/template.json
@@ -445,24 +445,14 @@
},
"network": {
"properties": {
- "direction": {
- "ignore_above": 1024,
- "type": "keyword"
- },
"forwarded_ip": {
"type": "ip"
},
- "inbound": {
- "properties": {
- "bytes": {
- "type": "long"
- },
- "packets": {
- "type": "long"
- }
- }
+ "protocol": {
+ "ignore_above": 1024,
+ "type": "keyword"
},
- "outbound": {
+ "transfer": {
"properties": {
"bytes": {
"type": "long"
@@ -471,10 +461,6 @@
"type": "long"
}
}
- },
- "protocol": {
- "ignore_above": 1024,
- "type": "keyword"
}
}
},