Make mentions of lowercasing refer to a general section of the docs. (e…

…lastic#332) The goal here is that the sentence makes sense no matter where it's seen (e.g. Kibana tooltip, as much as in the actual docs).
kgeller · Feb 22, 2019 · 825ee39 · 825ee39
1 parent 5bf9888
commit 825ee39
Show file tree

Hide file tree

Showing 8 changed files with 32 additions and 30 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -22,6 +22,8 @@ All notable changes to this project will be documented in this file based on the
 * Added an optional short field description. #330
 
 ### Improvements
+
+* Make phrasing of lowercasing directive more relevant, no matter where it's shown. #332
 * Clarified the definition of the host fields #325
 * Specify the `object_type` for field `labels`. #331
 * Clarified the difference between `@timestamp` and `event.created`. #329

diff --git a/README.md b/README.md
@@ -322,7 +322,7 @@ Fields related to HTTP activity. Use the `url` field set to store the url of the
 
 | Field  | Description  | Level  | Type  | Example  |
 |---|---|---|---|---|
-| <a name="http.request.method"></a>http.request.method | HTTP request method.<br/>The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS"  section. | extended | keyword | `get, post, put` |
+| <a name="http.request.method"></a>http.request.method | HTTP request method.<br/>The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | extended | keyword | `get, post, put` |
 | <a name="http.request.body.content"></a>http.request.body.content | The full HTTP request body. | extended | keyword | `Hello world` |
 | <a name="http.request.referrer"></a>http.request.referrer | Referrer for this HTTP request. | extended | keyword | `https://blog.example.com/` |
 | <a name="http.response.status_code"></a>http.response.status_code | HTTP response status code. | extended | long | `404` |
@@ -355,11 +355,11 @@ The network.* fields should be populated with details about the network activity
 | Field  | Description  | Level  | Type  | Example  |
 |---|---|---|---|---|
 | <a name="network.name"></a>network.name | Name given by operators to sections of their network. | extended | keyword | `Guest Wifi` |
-| <a name="network.type"></a>network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc<br/>The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section. | core | keyword | `ipv4` |
+| <a name="network.type"></a>network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc<br/>The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | core | keyword | `ipv4` |
 | <a name="network.iana_number"></a>network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | extended | keyword | `6` |
-| <a name="network.transport"></a>network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)<br/>The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS"  section. | core | keyword | `tcp` |
-| <a name="network.application"></a>network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format.<br/>The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section. | extended | keyword | `aim` |
-| <a name="network.protocol"></a>network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol.<br/>The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section. | core | keyword | `http` |
+| <a name="network.transport"></a>network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)<br/>The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | core | keyword | `tcp` |
+| <a name="network.application"></a>network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format.<br/>The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | extended | keyword | `aim` |
+| <a name="network.protocol"></a>network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol.<br/>The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | core | keyword | `http` |
 | <a name="network.direction"></a>network.direction | Direction of the network traffic.<br/>Recommended values are:<br/>  * inbound<br/>  * outbound<br/>  * internal<br/>  * external<br/>  * unknown<br/><br/>When mapping events from a host-based monitoring context, populate this field from the host's point of view.<br/>When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | core | keyword | `inbound` |
 | <a name="network.forwarded_ip"></a>network.forwarded_ip | Host IP address when the source IP address is the proxy. | core | ip | `192.1.1.2` |
 | <a name="network.community_id"></a>network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.<br/>Learn more at https://github.com/corelight/community-id-spec. | extended | keyword | `1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=` |

diff --git a/code/go/ecs/http.go b/code/go/ecs/http.go
diff --git a/code/go/ecs/network.go b/code/go/ecs/network.go
diff --git a/fields.yml b/fields.yml
@@ -944,7 +944,7 @@
             HTTP request method.
     
             The field value must be normalized to lowercase for querying. See
-            "Lowercase Capitalization" in the "Implementing ECS"  section.
+            the documentation section "Implementing ECS".
           example: get, post, put
 
         - name: request.body.content
@@ -1074,7 +1074,7 @@
             In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
     
             The field value must be normalized to lowercase for querying. See
-            "Lowercase Capitalization" in the "Implementing ECS" section.
+            the documentation section "Implementing ECS".
           example: ipv4
 
         - name: iana_number
@@ -1096,7 +1096,7 @@
             transport layer (udp, tcp, ipv6-icmp, etc.)
     
             The field value must be normalized to lowercase for querying. See
-            "Lowercase Capitalization" in the "Implementing ECS"  section.
+            the documentation section "Implementing ECS".
           example: tcp
 
         - name: application
@@ -1112,7 +1112,7 @@
             ports, or wire format.
     
             The field value must be normalized to lowercase for querying. See
-            "Lowercase Capitalization" in the "Implementing ECS" section.
+            the documentation section "Implementing ECS".
           example: aim
 
         - name: protocol
@@ -1123,7 +1123,7 @@
             L7 Network protocol name. ex. http, lumberjack, transport protocol.
     
             The field value must be normalized to lowercase for querying. See
-            "Lowercase Capitalization" in the "Implementing ECS" section.
+            the documentation section "Implementing ECS".
           example: http
 
         - name: direction

diff --git a/schema.json b/schema.json
@@ -1040,7 +1040,7 @@
         "type": "long"
       }, 
       "http.request.method": {
-        "description": "HTTP request method.\nThe field value must be normalized to lowercase for querying. See \"Lowercase Capitalization\" in the \"Implementing ECS\"  section.", 
+        "description": "HTTP request method.\nThe field value must be normalized to lowercase for querying. See the documentation section \"Implementing ECS\".", 
         "example": "get, post, put", 
         "footnote": "", 
         "group": 2, 
@@ -1148,7 +1148,7 @@
     "description": "The network is defined as the communication path over which a host or network event happens.\nThe network.* fields should be populated with details about the network activity associated with an event.\n", 
     "fields": {
       "network.application": {
-        "description": "A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format.\nThe field value must be normalized to lowercase for querying. See \"Lowercase Capitalization\" in the \"Implementing ECS\" section.", 
+        "description": "A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format.\nThe field value must be normalized to lowercase for querying. See the documentation section \"Implementing ECS\".", 
         "example": "aim", 
         "footnote": "", 
         "group": 2, 
@@ -1228,7 +1228,7 @@
         "type": "long"
       }, 
       "network.protocol": {
-        "description": "L7 Network protocol name. ex. http, lumberjack, transport protocol.\nThe field value must be normalized to lowercase for querying. See \"Lowercase Capitalization\" in the \"Implementing ECS\" section.", 
+        "description": "L7 Network protocol name. ex. http, lumberjack, transport protocol.\nThe field value must be normalized to lowercase for querying. See the documentation section \"Implementing ECS\".", 
         "example": "http", 
         "footnote": "", 
         "group": 2, 
@@ -1238,7 +1238,7 @@
         "type": "keyword"
       }, 
       "network.transport": {
-        "description": "Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)\nThe field value must be normalized to lowercase for querying. See \"Lowercase Capitalization\" in the \"Implementing ECS\"  section.", 
+        "description": "Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)\nThe field value must be normalized to lowercase for querying. See the documentation section \"Implementing ECS\".", 
         "example": "tcp", 
         "footnote": "", 
         "group": 2, 
@@ -1248,7 +1248,7 @@
         "type": "keyword"
       }, 
       "network.type": {
-        "description": "In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc\nThe field value must be normalized to lowercase for querying. See \"Lowercase Capitalization\" in the \"Implementing ECS\" section.", 
+        "description": "In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc\nThe field value must be normalized to lowercase for querying. See the documentation section \"Implementing ECS\".", 
         "example": "ipv4", 
         "footnote": "", 
         "group": 2, 

diff --git a/schemas/http.yml b/schemas/http.yml
@@ -16,7 +16,7 @@
         HTTP request method.
 
         The field value must be normalized to lowercase for querying. See
-        "Lowercase Capitalization" in the "Implementing ECS"  section.
+        the documentation section "Implementing ECS".
       example: get, post, put
 
     - name: request.body.content

diff --git a/schemas/network.yml b/schemas/network.yml
@@ -25,7 +25,7 @@
         In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
 
         The field value must be normalized to lowercase for querying. See
-        "Lowercase Capitalization" in the "Implementing ECS" section.
+        the documentation section "Implementing ECS".
       example: ipv4
 
     - name: iana_number
@@ -47,7 +47,7 @@
         transport layer (udp, tcp, ipv6-icmp, etc.)
 
         The field value must be normalized to lowercase for querying. See
-        "Lowercase Capitalization" in the "Implementing ECS"  section.
+        the documentation section "Implementing ECS".
       example: tcp
 
     - name: application
@@ -63,7 +63,7 @@
         ports, or wire format.
 
         The field value must be normalized to lowercase for querying. See
-        "Lowercase Capitalization" in the "Implementing ECS" section.
+        the documentation section "Implementing ECS".
       example: aim
 
     - name: protocol
@@ -74,7 +74,7 @@
         L7 Network protocol name. ex. http, lumberjack, transport protocol.
 
         The field value must be normalized to lowercase for querying. See
-        "Lowercase Capitalization" in the "Implementing ECS" section.
+        the documentation section "Implementing ECS".
       example: http
 
     - name: direction