elastic / ecs

Elastic Common Schema
https://www.elastic.co/what-is/ecs
Apache License 2.0
987 stars 410 forks

Add a multi-field user.id.text to the user.id field. #2336

Open leandrojmp opened 2 months ago

leandrojmp commented 2 months ago

Summary

Make the user.id field a multi-field in the same way that user.name is a multi-field, to allow better performance when making queries using wildcards or text searches.

Motivation:

Currently the user.id is mapped as a keyword field, and keyword fields are not optimized to be queried using wildcards, especially leading asterisks.

There may be some use cases where the user.id value can have a common prefix or suffix and the user may want to query all the documents where the user.id has the same prefix or suffix, like *suffix or prefix*.

One example is the user.id for AWS CloudTrail logs, which can have this format AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName, and the user may want to query for *:AssumedRoleSessionName or *:CustomRulePattern*.

Doing this on a keyword field is not optimal; it can take some time and impact the cluster performance.

The user.name field has a multi-field named user.name.text; this issue proposes the same approach for user.id, creating user.id.text.

Detailed Design:

Create user.id.text as a multi-field for user.id; the data type would be text.
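As an added illustration (not part of this issue or of the ECS repository), this is what the proposal looks like expressed as an Elasticsearch index mapping: the existing user.name / user.name.text pair serves as the template, and the assumed user.id / user.id.text pair beside it follows the same shape. The `ignore_above` value and the use of plain `text` with the default analyzer are assumptions for this example; the actual ECS definition of user.name.text may use a different text type.

```json
{
  "mappings": {
    "properties": {
      "user": {
        "properties": {
          "name": {
            "type": "keyword",
            "ignore_above": 1024,
            "fields": {
              "text": { "type": "text" }
            }
          },
          "id": {
            "type": "keyword",
            "ignore_above": 1024,
            "fields": {
              "text": { "type": "text" }
            }
          }
        }
      }
    }
  }
}
```

With this mapping, exact-match filters and aggregations keep using user.id (keyword), while analyzed searches go to user.id.text. One check worth doing before relying on the text field for values like the CloudTrail example: run the value through the index's analyzer (the `_analyze` API) and confirm how the colon-separated parts are tokenized, because a match on the session-name portion only works if the analyzer actually splits it into its own token.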