host.name vs hostname, host.ip vs ip inconsistencies

[vbohata]

There are inconsistencies about host.name vs hostname, ip. vs host.ip naming. For example device.hostname, device.ip, host.name, url.host.name. Is there any reason for that?

[ruflin]

Mainly for historical reason but I agree it's something we should cleanup up. Also ties into the discussion we have here #40 and here #51

[ruflin]

I opened #74 to address the host.name issue. For ip I'm starting to think we should make it a top level field like message and device or host are just using it, so it could be in both objects.

[webmat]

Not sure if the question around IPs is still relevant here.

If not, then #141 finally addresses the host.name vs hostname question. We've decided to go with the industry convention of using hostname, even if there is repetition in one case (host.hostname). This will ensure it's consistent with all other places where we have hostname.

[vbohata]

Industry convention usually allows hostname to contain IP if host name is unknown ... so it could mix with ip ...

[webmat]

Ah yeah if you don't have a hostname set for a device or host, you can totally cram an IP in there.

[webmat]

Note that to get the full use of indexing IP addresses properly, you would still want to save the host's IP(s) in the field host.ip, which is indexed with type ip.

Given the variety of possible values in a hostname, this field is indexed as keyword.

[webmat]

@vbohata Did this clarify things enough? Do you feel the documentation for host.hostname and device.hostname should be amended to mention this?

[jamiehynds]

@ebeahan are we still planning on deprecating host.hostname in 8.0? If so can we close this issue?

[ebeahan]

@jamiehynds No, we're not deprecating host.hostname in 8.0.