Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Clarify the difference between @timestamp and event.created #329

Merged
merged 7 commits into from
Feb 22, 2019
Merged

Clarify the difference between @timestamp and event.created #329

merged 7 commits into from
Feb 22, 2019

Conversation

webmat
Copy link
Contributor

@webmat webmat commented Feb 18, 2019

Closes #326

@webmat webmat self-assigned this Feb 18, 2019
@MikePaquette MikePaquette self-requested a review February 21, 2019 19:05
MikePaquette
MikePaquette requested changes Feb 21, 2019
View reviewed changes
schemas/base.yml Outdated
@@ -14,8 +14,11 @@
description: >
Date/time when the event originated.

For log events this is the date/time when the event was generated, and
not when it was read.
This is the date/time extracted from the event, representing when the
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should probably say "This is the date/time extracted from the event, typically representing when the"

schemas/base.yml Outdated
This is the date/time extracted from the event, representing when the
event was generated by the source.

If the event source has no original timestamp, this value must be
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"this value must be" seems too restrictive. We've previously defined must and should semantics to indicate whether ECS will break or will cause unexpected results. I suggest changing this to "this value is typically"

schemas/event.yml Outdated
The same could apply to package capturing where @timestamp contains the
timestamp extracted from the network package and event.created when the
event was created.
event.created contains the time when the event was first read by an
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"event.created contains the time when the event was first read by an" should be
"event.created typically contains the date/time when the event was first read by an"

schemas/event.yml Outdated
event.created contains the time when the event was first read by an
agent, or by your pipeline.

This field is distinct from @timestamp in that @timestamp should contain
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"This field is distinct from @timestamp in that @timestamp should contain" should be
"This field is distinct from @timestamp in that @timestamp typically contains"

schemas/event.yml Outdated
the time extracted from the original event.

In most situations, these two timestamps will be slightly different.
The difference will represent the delay between your source
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"The difference will represent the delay between your source" could be
"The difference can be used to calculate the delay between your source"

schemas/event.yml Outdated

In most situations, these two timestamps will be slightly different.
The difference will represent the delay between your source
generating it, when your agent first processed it. This can be used to
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"generating it, when your agent first processed it. This can be used to" should be
"generating an event, and the time when your agent first processed it. This can be used to"

schemas/event.yml Outdated
In most situations, these two timestamps will be slightly different.
The difference will represent the delay between your source
generating it, when your agent first processed it. This can be used to
monitor your agent's ability to keep up with your event source.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"monitor your agent's ability to keep up with your event source." should be
"monitor your agent's or pipeline's ability to keep up with your event source."

@webmat webmat force-pushed the clarify-event-created branch from f8634b5 to f2b66cd Compare February 22, 2019 14:07
@webmat webmat force-pushed the clarify-event-created branch from a204120 to 7de764b Compare February 22, 2019 20:53
@webmat webmat force-pushed the clarify-event-created branch from 76bf9ed to 812280c Compare February 22, 2019 20:57
Remove dupe and move changelog entry.
360db5f 
Latter to try to avoid further conflicts with other PRs
@webmat webmat merged commit 5bf9888 into elastic:master Feb 22, 2019
@webmat webmat deleted the clarify-event-created branch February 22, 2019 21:08
webmat added a commit to webmat/ecs that referenced this pull request Mar 5, 2019
@webmat
Clarify the difference between @timestamp and event.created (elastic#329
3373749 
)
@webmat webmat mentioned this pull request Mar 5, 2019
Merged
webmat added a commit that referenced this pull request Mar 5, 2019
@webmat
Backport #329 to 1.0: Clarify the difference between @timestamp and e…
2b842a8 
…vent.created (#329) (#360)

Backport #329 to 1.0
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@MikePaquette MikePaquette MikePaquette approved these changes

@andrew-goldstein andrew-goldstein Awaiting requested review from andrew-goldstein

Assignees

@webmat webmat

Labels
1.0.0-ga
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@webmat @MikePaquette