- Elastic Common Schema (ECS) Reference: other versions:
- Overview
- Using ECS
- ECS Field Reference
- Base Fields
- Agent Fields
- Autonomous System Fields
- Client Fields
- Cloud Fields
- Code Signature Fields
- Container Fields
- Destination Fields
- DLL Fields
- DNS Fields
- ECS Fields
- Error Fields
- Event Fields
- File Fields
- Geo Fields
- Group Fields
- Hash Fields
- Host Fields
- HTTP Fields
- Interface Fields
- Log Fields
- Network Fields
- Observer Fields
- Organization Fields
- Operating System Fields
- Package Fields
- PE Header Fields
- Process Fields
- Registry Fields
- Related Fields
- Rule Fields
- Server Fields
- Service Fields
- Source Fields
- Threat Fields
- TLS Fields
- Tracing Fields
- URL Fields
- User Fields
- User agent Fields
- VLAN Fields
- Vulnerability Fields
- x509 Certificate Fields
- ECS Categorization Fields
- Migrating to ECS
- Additional Information
HTTP Fields
editHTTP Fields
editFields related to HTTP activity. Use the url
field set to store the url of the request.
HTTP Field Details
editField | Description | Level |
---|---|---|
Size in bytes of the request body. type: long example: |
extended |
|
The full HTTP request body. type: keyword Multi-fields: * http.request.body.content.text (type: text) example: |
extended |
|
Total size in bytes of the request (body and headers). type: long example: |
extended |
|
HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 type: keyword example: |
extended |
|
Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the type: keyword example: |
extended |
|
Referrer for this HTTP request. type: keyword example: |
extended |
|
Size in bytes of the response body. type: long example: |
extended |
|
The full HTTP response body. type: keyword Multi-fields: * http.response.body.content.text (type: text) example: |
extended |
|
Total size in bytes of the response (body and headers). type: long example: |
extended |
|
Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the type: keyword example: |
extended |
|
HTTP response status code. type: long example: |
extended |
|
HTTP version. type: keyword example: |
extended |
On this page