At the moment the default patterns coming from ecs-v1 use host.hostname (same is defined for elasticsearch ingest node)
ECS documentation for host list both host.name and host.hostname
However most integrations currently use host.name so Kibana visualizations/dashboard tend to use this field causing them not to be usable when host.hostname is used
Workaround solutions :
- add a second field
host.name on logstash pipeline (or elasticsearch ingest node pipeline) at ingestion time to have both fields and be able to use common visualizations
- add a runtime field to add
host.name to the indices (and index templates)
At the moment the default patterns coming from ecs-v1 use host.hostname (same is defined for elasticsearch ingest node)
ECS documentation for host list both
host.nameandhost.hostnameHowever most integrations currently use
host.nameso Kibana visualizations/dashboard tend to use this field causing them not to be usable whenhost.hostnameis usedWorkaround solutions :
host.nameon logstash pipeline (or elasticsearch ingest node pipeline) at ingestion time to have both fields and be able to use common visualizationshost.nameto the indices (and index templates)