diff --git a/docs/reference/ecs-entity.md b/docs/reference/ecs-entity.md index 867fbbf47c..aca767a2e7 100644 --- a/docs/reference/ecs-entity.md +++ b/docs/reference/ecs-entity.md @@ -17,12 +17,12 @@ The entity fields provide a standardized way to represent and categorize differe | --- | --- | --- | | $$$field-entity-attributes$$$ [entity.attributes](#field-entity-attributes) | _This field is beta and subject to change._ A set of static or semi-static attributes of the entity. Usually boolean or keyword field data types. Use this field set when you need to track static or semi-static characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types.

type: object | extended | | $$$field-entity-behavior$$$ [entity.behavior](#field-entity-behavior) | _This field is beta and subject to change._ A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period. Usually boolean field data type. Use this field set when you need to capture and track ephemeral characteristics of an entity for advanced searching, correlation of normalized values across different providers/sources and entity types.

type: object | extended | -| $$$field-entity-display_name$$$ [entity.display_name](#field-entity-display_name) | _This field is beta and subject to change._ An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`).

type: keyword

Multi-fields:

* entity.display_name.text (type: text) | extended | +| $$$field-entity-display_name$$$ [entity.display_name](#field-entity-display_name) | _This field is beta and subject to change._ An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`).

type: keyword

Multi-fields:

* entity.display_name.text (type: match_only_text) | extended | | $$$field-entity-id$$$ [entity.id](#field-entity-id) | A unique identifier for the entity. When multiple identifiers exist, this should be the most stable and commonly used identifier that: 1) persists across the entity's lifecycle, 2) ensures uniqueness within its scope, 3) is commonly used for queries and correlation, and 4) is readily available in most observations (logs/events). For entities with dedicated field sets (e.g., host, user), this value should match the corresponding *.id field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.

type: keyword | core | | $$$field-entity-last_seen_timestamp$$$ [entity.last_seen_timestamp](#field-entity-last_seen_timestamp) | _This field is beta and subject to change._ Indicates the date/time when this entity was last "seen," usually based upon the last event/log that is initiated by this entity.

type: date | extended | | $$$field-entity-lifecycle$$$ [entity.lifecycle](#field-entity-lifecycle) | _This field is beta and subject to change._ A set of temporal characteristics of the entity. Usually date field data type. Use this field set when you need to track temporal characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types.

type: object | extended | | $$$field-entity-metrics$$$ [entity.metrics](#field-entity-metrics) | _This field is beta and subject to change._ Field set for any fields containing numeric entity metrics. These use dynamic field data type mapping.

type: object | extended | -| $$$field-entity-name$$$ [entity.name](#field-entity-name) | _This field is beta and subject to change._ The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value.

type: keyword

Multi-fields:

* entity.name.text (type: text) | core | +| $$$field-entity-name$$$ [entity.name](#field-entity-name) | _This field is beta and subject to change._ The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value.

type: keyword

Multi-fields:

* entity.name.text (type: match_only_text) | core | | $$$field-entity-raw$$$ [entity.raw](#field-entity-raw) | _This field is beta and subject to change._ Original, unmodified fields from the source system. Usually flattened field data type. While the attributes field should be used for normalized fields requiring advanced queries, this field preserves all source metadata with basic search capabilities.

type: object | extended | | $$$field-entity-reference$$$ [entity.reference](#field-entity-reference) | _This field is beta and subject to change._ A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system.

type: keyword | extended | | $$$field-entity-source$$$ [entity.source](#field-entity-source) | _This field is beta and subject to change._ The module or integration that provided this entity data (similar to event.module).

type: keyword | core | diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index fc3f5d1f97..e9250f45d0 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -711,8 +711,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). @@ -756,8 +755,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors @@ -3943,8 +3941,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). @@ -3988,8 +3985,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors @@ -9211,8 +9207,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). 
@@ -9256,8 +9251,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors @@ -14170,8 +14164,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). @@ -14215,8 +14208,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 857bedea86..26d3362b7c 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -82,13 +82,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev+exp,true,cloud,cloud.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.3.0-dev+exp,true,cloud,cloud.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 9.3.0-dev+exp,true,cloud,cloud.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev+exp,true,cloud,cloud.target.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev+exp,true,cloud,cloud.target.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 9.3.0-dev+exp,true,cloud,cloud.target.entity.id,keyword,core,,,Unique identifier for the entity. 9.3.0-dev+exp,true,cloud,cloud.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" 9.3.0-dev+exp,true,cloud,cloud.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 9.3.0-dev+exp,true,cloud,cloud.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. 9.3.0-dev+exp,true,cloud,cloud.target.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev+exp,true,cloud,cloud.target.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev+exp,true,cloud,cloud.target.entity.name.text,match_only_text,core,,,The name of the entity. 9.3.0-dev+exp,true,cloud,cloud.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.3.0-dev+exp,true,cloud,cloud.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
9.3.0-dev+exp,true,cloud,cloud.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. 
@@ -483,13 +483,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev+exp,true,host,host.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.3.0-dev+exp,true,host,host.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 9.3.0-dev+exp,true,host,host.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev+exp,true,host,host.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev+exp,true,host,host.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 9.3.0-dev+exp,true,host,host.entity.id,keyword,core,,,Unique identifier for the entity. 9.3.0-dev+exp,true,host,host.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" 9.3.0-dev+exp,true,host,host.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 9.3.0-dev+exp,true,host,host.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. 9.3.0-dev+exp,true,host,host.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev+exp,true,host,host.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev+exp,true,host,host.entity.name.text,match_only_text,core,,,The name of the entity. 9.3.0-dev+exp,true,host,host.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.3.0-dev+exp,true,host,host.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.3.0-dev+exp,true,host,host.entity.source,keyword,core,,,Source module or integration that provided the entity data. 
@@ -1169,13 +1169,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev+exp,true,service,service.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.3.0-dev+exp,true,service,service.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 9.3.0-dev+exp,true,service,service.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev+exp,true,service,service.target.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev+exp,true,service,service.target.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 9.3.0-dev+exp,true,service,service.target.entity.id,keyword,core,,,Unique identifier for the entity. 9.3.0-dev+exp,true,service,service.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" 9.3.0-dev+exp,true,service,service.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 9.3.0-dev+exp,true,service,service.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. 9.3.0-dev+exp,true,service,service.target.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev+exp,true,service,service.target.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev+exp,true,service,service.target.entity.name.text,match_only_text,core,,,The name of the entity. 9.3.0-dev+exp,true,service,service.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 
9.3.0-dev+exp,true,service,service.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.3.0-dev+exp,true,service,service.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. 
@@ -1823,13 +1823,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev+exp,true,user,user.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.3.0-dev+exp,true,user,user.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 9.3.0-dev+exp,true,user,user.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev+exp,true,user,user.target.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev+exp,true,user,user.target.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 9.3.0-dev+exp,true,user,user.target.entity.id,keyword,core,,,Unique identifier for the entity. 9.3.0-dev+exp,true,user,user.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" 9.3.0-dev+exp,true,user,user.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 9.3.0-dev+exp,true,user,user.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. 9.3.0-dev+exp,true,user,user.target.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev+exp,true,user,user.target.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev+exp,true,user,user.target.entity.name.text,match_only_text,core,,,The name of the entity. 9.3.0-dev+exp,true,user,user.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.3.0-dev+exp,true,user,user.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
9.3.0-dev+exp,true,user,user.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 26ec63e227..827e92951b 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -1033,8 +1033,7 @@ cloud.target.entity.display_name: multi_fields: - flat_name: cloud.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -1108,8 +1107,7 @@ cloud.target.entity.name: multi_fields: - flat_name: cloud.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -6813,8 +6811,7 @@ host.entity.display_name: multi_fields: - flat_name: host.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -6888,8 +6885,7 @@ host.entity.name: multi_fields: - flat_name: host.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -15463,8 +15459,7 @@ service.target.entity.display_name: multi_fields: - flat_name: service.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -15538,8 +15533,7 @@ service.target.entity.name: multi_fields: - flat_name: service.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -23904,8 +23898,7 @@ user.target.entity.display_name: multi_fields: - flat_name: user.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity 
@@ -23979,8 +23972,7 @@ user.target.entity.name: multi_fields: - flat_name: user.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index d691da32fe..c2793b1803 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -1235,8 +1235,7 @@ cloud: multi_fields: - flat_name: cloud.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -1312,8 +1311,7 @@ cloud: multi_fields: - flat_name: cloud.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -8311,8 +8309,7 @@ host: multi_fields: - flat_name: host.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -8388,8 +8385,7 @@ host: multi_fields: - flat_name: host.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -18179,8 +18175,7 @@ service: multi_fields: - flat_name: service.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -18256,8 +18251,7 @@ service: multi_fields: - flat_name: service.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -26858,8 +26852,7 @@ user: multi_fields: - flat_name: user.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity 
@@ -26935,8 +26928,7 @@ user: multi_fields: - flat_name: user.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity diff --git a/experimental/generated/elasticsearch/composable/component/cloud.json b/experimental/generated/elasticsearch/composable/component/cloud.json index 131c9d28d4..fed880d55e 100644 --- a/experimental/generated/elasticsearch/composable/component/cloud.json +++ b/experimental/generated/elasticsearch/composable/component/cloud.json @@ -169,8 +169,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -192,8 +191,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/composable/component/host.json b/experimental/generated/elasticsearch/composable/component/host.json index b2a6de4fa2..c8ac1bab60 100644 --- a/experimental/generated/elasticsearch/composable/component/host.json +++ b/experimental/generated/elasticsearch/composable/component/host.json @@ -61,8 +61,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -84,8 +83,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/composable/component/service.json b/experimental/generated/elasticsearch/composable/component/service.json index eea2399779..dbcd774197 100644 --- a/experimental/generated/elasticsearch/composable/component/service.json +++ b/experimental/generated/elasticsearch/composable/component/service.json @@ -119,8 +119,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, 
@@ -142,8 +141,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/composable/component/user.json b/experimental/generated/elasticsearch/composable/component/user.json index 954caa51a6..c259572fc8 100644 --- a/experimental/generated/elasticsearch/composable/component/user.json +++ b/experimental/generated/elasticsearch/composable/component/user.json @@ -226,8 +226,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -249,8 +248,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index dc8b55083f..85181b1c57 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -435,8 +435,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -458,8 +457,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -2261,8 +2259,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -2284,8 +2281,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -5374,8 +5370,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -5397,8 +5392,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, 
@@ -8224,8 +8218,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -8247,8 +8240,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 4826341eee..2c78f34a24 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -661,8 +661,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). @@ -706,8 +705,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors @@ -3893,8 +3891,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). @@ -3938,8 +3935,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors 
@@ -9161,8 +9157,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). @@ -9206,8 +9201,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors @@ -14120,8 +14114,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). @@ -14165,8 +14158,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 3871df200a..506ce1fb7f 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -75,13 +75,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,cloud,cloud.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.3.0-dev,true,cloud,cloud.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 9.3.0-dev,true,cloud,cloud.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,cloud,cloud.target.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,cloud,cloud.target.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 9.3.0-dev,true,cloud,cloud.target.entity.id,keyword,core,,,Unique identifier for the entity. 9.3.0-dev,true,cloud,cloud.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" 9.3.0-dev,true,cloud,cloud.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 9.3.0-dev,true,cloud,cloud.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. 9.3.0-dev,true,cloud,cloud.target.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,cloud,cloud.target.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,cloud,cloud.target.entity.name.text,match_only_text,core,,,The name of the entity. 9.3.0-dev,true,cloud,cloud.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.3.0-dev,true,cloud,cloud.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
9.3.0-dev,true,cloud,cloud.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. 
@@ -476,13 +476,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,host,host.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.3.0-dev,true,host,host.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 9.3.0-dev,true,host,host.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,host,host.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,host,host.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 9.3.0-dev,true,host,host.entity.id,keyword,core,,,Unique identifier for the entity. 9.3.0-dev,true,host,host.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" 9.3.0-dev,true,host,host.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 9.3.0-dev,true,host,host.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. 9.3.0-dev,true,host,host.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,host,host.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,host,host.entity.name.text,match_only_text,core,,,The name of the entity. 9.3.0-dev,true,host,host.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.3.0-dev,true,host,host.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.3.0-dev,true,host,host.entity.source,keyword,core,,,Source module or integration that provided the entity data. 
@@ -1162,13 +1162,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,service,service.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.3.0-dev,true,service,service.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 9.3.0-dev,true,service,service.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,service,service.target.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,service,service.target.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 9.3.0-dev,true,service,service.target.entity.id,keyword,core,,,Unique identifier for the entity. 9.3.0-dev,true,service,service.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" 9.3.0-dev,true,service,service.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 9.3.0-dev,true,service,service.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. 9.3.0-dev,true,service,service.target.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,service,service.target.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,service,service.target.entity.name.text,match_only_text,core,,,The name of the entity. 9.3.0-dev,true,service,service.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.3.0-dev,true,service,service.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
9.3.0-dev,true,service,service.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. 
@@ -1816,13 +1816,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,user,user.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.3.0-dev,true,user,user.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 9.3.0-dev,true,user,user.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,user,user.target.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,user,user.target.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 9.3.0-dev,true,user,user.target.entity.id,keyword,core,,,Unique identifier for the entity. 9.3.0-dev,true,user,user.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" 9.3.0-dev,true,user,user.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 9.3.0-dev,true,user,user.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. 9.3.0-dev,true,user,user.target.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,user,user.target.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,user,user.target.entity.name.text,match_only_text,core,,,The name of the entity. 9.3.0-dev,true,user,user.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.3.0-dev,true,user,user.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
9.3.0-dev,true,user,user.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 68c3dd6471..bde05e89b4 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -964,8 +964,7 @@ cloud.target.entity.display_name: multi_fields: - flat_name: cloud.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -1039,8 +1038,7 @@ cloud.target.entity.name: multi_fields: - flat_name: cloud.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -6744,8 +6742,7 @@ host.entity.display_name: multi_fields: - flat_name: host.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -6819,8 +6816,7 @@ host.entity.name: multi_fields: - flat_name: host.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -15394,8 +15390,7 @@ service.target.entity.display_name: multi_fields: - flat_name: service.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -15469,8 +15464,7 @@ service.target.entity.name: multi_fields: - flat_name: service.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -23835,8 +23829,7 @@ user.target.entity.display_name: multi_fields: - flat_name: user.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity 
@@ -23910,8 +23903,7 @@ user.target.entity.name: multi_fields: - flat_name: user.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 749922c0a1..f305cd5fd2 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -1155,8 +1155,7 @@ cloud: multi_fields: - flat_name: cloud.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -1232,8 +1231,7 @@ cloud: multi_fields: - flat_name: cloud.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -8231,8 +8229,7 @@ host: multi_fields: - flat_name: host.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -8308,8 +8305,7 @@ host: multi_fields: - flat_name: host.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -18099,8 +18095,7 @@ service: multi_fields: - flat_name: service.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -18176,8 +18171,7 @@ service: multi_fields: - flat_name: service.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -26778,8 +26772,7 @@ user: multi_fields: - flat_name: user.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity 
@@ -26855,8 +26848,7 @@ user: multi_fields: - flat_name: user.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity diff --git a/generated/elasticsearch/composable/component/cloud.json b/generated/elasticsearch/composable/component/cloud.json index 0c7f16bc49..7f1e7205ba 100644 --- a/generated/elasticsearch/composable/component/cloud.json +++ b/generated/elasticsearch/composable/component/cloud.json @@ -169,8 +169,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -192,8 +191,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/generated/elasticsearch/composable/component/host.json b/generated/elasticsearch/composable/component/host.json index 5e75bedd24..7f71a40890 100644 --- a/generated/elasticsearch/composable/component/host.json +++ b/generated/elasticsearch/composable/component/host.json @@ -61,8 +61,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -84,8 +83,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/generated/elasticsearch/composable/component/service.json b/generated/elasticsearch/composable/component/service.json index 1aa2d9117c..133b780e12 100644 --- a/generated/elasticsearch/composable/component/service.json +++ b/generated/elasticsearch/composable/component/service.json @@ -119,8 +119,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -142,8 +141,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, 
diff --git a/generated/elasticsearch/composable/component/user.json b/generated/elasticsearch/composable/component/user.json index affa8f0284..0da16502af 100644 --- a/generated/elasticsearch/composable/component/user.json +++ b/generated/elasticsearch/composable/component/user.json @@ -226,8 +226,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -249,8 +248,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index cb2dbd54ed..ec1fad3300 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -393,8 +393,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -416,8 +415,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -2219,8 +2217,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -2242,8 +2239,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -5332,8 +5328,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -5355,8 +5350,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -8182,8 +8176,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -8205,8 +8198,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, 
diff --git a/schemas/entity.yml b/schemas/entity.yml index bec8b47aa9..9d7326c85e 100644 --- a/schemas/entity.yml +++ b/schemas/entity.yml @@ -36,7 +36,7 @@ type: keyword multi_fields: - name: text - type: text + type: match_only_text short: The name of the entity. description: > The name of the entity. The keyword field enables exact matches for filtering @@ -122,7 +122,7 @@ type: keyword multi_fields: - name: text - type: text + type: match_only_text short: An optional field used when a pretty name is desired for entity-centric operations. description: > An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`).
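Review bot: In schemas/entity.yml, both hunks (`name` at -36,7 and `display_name` at -122,7) switch the `text` multi-field to `match_only_text` but leave the `description` below it untouched. The `name` description begins "The keyword field enables exact matches for filtering" and its continuation lies outside the hunk. If that continuation promises relevance-ranked or phrase search on the `.text` sub-field, reword it, because `match_only_text` does not score matches and answers phrase queries more slowly than `text`. Stating that trade-off in one line of the schema description would also keep the generated docs/reference/ecs-entity.md in step with the new type.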
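Review bot: The generated templates (generated/elasticsearch/legacy/template.json and the composable cloud, host, service and user components) replace `"norms": false, "type": "text"` with `"type": "match_only_text"`, but a field's mapping type cannot be changed in place on an existing index, so the new type only reaches indices created after the template is installed. Older indices keep `text`, which leaves the `*.entity.name.text` and `*.entity.display_name.text` paths mapped two ways across an index pattern until the data is rolled over or reindexed. If the change does not already carry a changelog entry, add one that says this. Dropping `norms` alongside the type change is correct, since `match_only_text` does not accept that parameter.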