Merge branch 'main' into add-entity-fields

.github/workflows/docs-build.yml

@@ -0,0 +1,19 @@
+name: docs-build
+
+on:
+  push:
+    branches:
+      - main
+  pull_request_target: ~
+  merge_group: ~
+
+jobs:
+  docs-preview:
+    uses: elastic/docs-builder/.github/workflows/preview-build.yml@main
+    with:
+      path-pattern: docs/**
+    permissions:
+      deployments: write
+      id-token: write
+      contents: read
+      pull-requests: read

.github/workflows/docs-cleanup.yml

@@ -0,0 +1,14 @@
+name: docs-cleanup
+
+on:
+  pull_request_target:
+    types:
+      - closed
+
+jobs:
+  docs-preview:
+    uses: elastic/docs-builder/.github/workflows/preview-cleanup.yml@main
+    permissions:
+      contents: none
+      id-token: write
+      deployments: write

.github/workflows/test.yml

@@ -4,11 +4,11 @@ on: [push, pull_request]
 
 jobs:
   tests:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     name: Unit Tests
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
         with:
           python-version: '3.x'
       - run: git fetch --prune --unshallow --tags

CHANGELOG.md

@@ -3,6 +3,19 @@
 # CHANGELOG
 All notable changes to this project will be documented in this file based on the [Keep a Changelog](http://keepachangelog.com/) Standard. This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [8.17.0](https://github.com/elastic/ecs/compare/v8.16.0...v8.17.0)
+
+### Schema Changes
+
+#### Bugfixes
+
+* Fix link rendering issues and usage of http in links. #2423
+
+#### Improvements
+
+* Increase ignore_above value for url.query. #2424
+* Set synthetic_source_keep = none on fields that represent sets. #2422
+
 ## [8.16.0](https://github.com/elastic/ecs/compare/v8.11.0...v8.16.0)
 
 ### Schema Changes

CHANGELOG.next.md

@@ -12,14 +12,18 @@ Thanks, you're awesome :-) -->
 
 #### Breaking changes
 
+* Remove deprecated fields from previous major release; `process.pgid`, `service.node.role`, and inherited users. #2410
+
 #### Bugfixes
 
 * Fix link rendering issues and usage of http in links. #2423
 
 #### Added
+* Add `origin_referrer_url` and `origin_url` fields, which indicate the origin information to the file, process and dll schemas #2441
 
 #### Improvements
 
+* Promote beta fields to GA. #2411
 * Define base encoding of `x509.serial_number`. #2383
 * Restrict the encoding of `x509.serial_number` to base 16. #2398
 * Set synthetic_source_keep = none on fields that represent sets. #2422

docs/fields/field-details.asciidoc

@@ -821,17 +821,15 @@ Note also that the `cloud` fields may be used directly at the root of the events
 
 
 | `cloud.origin.*`
-| <<ecs-cloud,cloud>>| beta:[ Reusing the `cloud` fields in this location is currently considered beta.]
-
-Provides the cloud information of the origin entity in case of an incoming request or event.
+| <<ecs-cloud,cloud>>
+| Provides the cloud information of the origin entity in case of an incoming request or event.
 
 // ===============================================================
 
 
 | `cloud.target.*`
-| <<ecs-cloud,cloud>>| beta:[ Reusing the `cloud` fields in this location is currently considered beta.]
-
-Provides the cloud information of the target entity in case of an outgoing request or event.
+| <<ecs-cloud,cloud>>
+| Provides the cloud information of the target entity in case of an outgoing request or event.
 
 // ===============================================================
 
@@ -1841,6 +1839,42 @@ example: `kernel32.dll`
 
 // ===============================================================
 
+|
+[[field-dll-origin-referrer-url]]
+<<field-dll-origin-referrer-url, dll.origin_referrer_url>>
+
+a| beta:[ This field is beta and subject to change. ]
+
+The URL of the webpage that linked to the dll file.
+
+type: keyword
+
+
+
+example: `http://example.com/article1.html`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-dll-origin-url]]
+<<field-dll-origin-url, dll.origin_url>>
+
+a| beta:[ This field is beta and subject to change. ]
+
+The URL where the dll file is hosted.
+
+type: keyword
+
+
+
+example: `http://example.com/files/example.dll`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-dll-path]]
 <<field-dll-path, dll.path>>
@@ -2291,8 +2325,6 @@ image:https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentele
 
 These fields contain Linux Executable Linkable Format (ELF) metadata.
 
-beta::[ These fields are in beta and are subject to change.]
-
 [discrete]
 ==== ELF Header Field Details
 
@@ -3984,8 +4016,6 @@ example: `https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38f
 
 The user fields describe information about the function as a service (FaaS) that is relevant to the event.
 
-beta::[ These fields are in beta and are subject to change.]
-
 [discrete]
 ==== FaaS Field Details
 
@@ -4447,6 +4477,42 @@ image:https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentele
 
 // ===============================================================
 
+|
+[[field-file-origin-referrer-url]]
+<<field-file-origin-referrer-url, file.origin_referrer_url>>
+
+a| beta:[ This field is beta and subject to change. ]
+
+The URL of the webpage that linked to the file.
+
+type: keyword
+
+
+
+example: `http://example.com/article1.html`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-file-origin-url]]
+<<field-file-origin-url, file.origin_url>>
+
+a| beta:[ This field is beta and subject to change. ]
+
+The URL where the file is hosted.
+
+type: keyword
+
+
+
+example: `http://example.com/imgs/article1_img1.jpg`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-file-owner]]
 <<field-file-owner, file.owner>>
@@ -4601,9 +4667,8 @@ Note also that the `file` fields may be used directly at the root of the events.
 
 
 | `file.elf.*`
-| <<ecs-elf,elf>>| beta:[ This field reuse is beta and subject to change.]
-
-These fields contain Linux Executable Linkable Format (ELF) metadata.
+| <<ecs-elf,elf>>
+| These fields contain Linux Executable Linkable Format (ELF) metadata.
 
 // ===============================================================
 
@@ -5170,9 +5235,7 @@ image:https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentele
 [[field-host-boot-id]]
 <<field-host-boot-id, host.boot.id>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on the host. Some container runtimes will bind mount a new boot_id value onto the proc file in each container.
+a| Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on the host. Some container runtimes will bind mount a new boot_id value onto the proc file in each container.
 
 type: keyword
 
@@ -5440,9 +5503,7 @@ image:https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentele
 [[field-host-pid-ns-ino]]
 <<field-host-pid-ns-ino, host.pid_ns_ino>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h.
+a| This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h.
 
 type: keyword
 
@@ -8624,24 +8685,6 @@ Multi-fields:
 
 example: `ssh`
 
-| extended
-
-// ===============================================================
-
-|
-[[field-process-pgid]]
-<<field-process-pgid, process.pgid>>
-
-a| Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`.
-
-Identifier of the group of processes the process belongs to.
-
-type: long
-
-
-
-
-
 | extended
 
 // ===============================================================
@@ -9016,9 +9059,8 @@ The externally attested user based on an external source such as the Kube API.
 
 
 | `process.elf.*`
-| <<ecs-elf,elf>>| beta:[ This field reuse is beta and subject to change.]
-
-These fields contain Linux Executable Linkable Format (ELF) metadata.
+| <<ecs-elf,elf>>
+| These fields contain Linux Executable Linkable Format (ELF) metadata.
 
 // ===============================================================
 
@@ -13353,8 +13395,6 @@ Note also that the `vlan` fields are not expected to be used directly at the roo
 
 Fields related to storage volume details.
 
-beta::[ These fields are beta and are subject to change.]
-
 [discrete]
 ==== Volume Field Details
 

docs/fields/field-values.asciidoc

@@ -64,8 +64,6 @@ This value is not used by Elastic solutions for alert documents that are created
 [[ecs-event-kind-asset]]
 ==== asset
 
-beta:[ This event categorization value is beta and subject to change. ]
-
 This value indicates events whose primary purpose is to store an inventory of assets/entities and their attributes. Assets/entities are objects (such as users and hosts) that are expected to be subjects of detailed analysis within the system.
 
 Examples include lists of user identities or accounts ingested from directory services such as Active Directory (AD), inventory of hosts pulled from configuration management databases (CMDB), and lists of cloud storage buckets pulled from cloud provider APIs.

docs/fields/fields.asciidoc

@@ -1,7 +1,7 @@
 [[ecs-field-reference]]
 == {ecs} Field Reference
 
-This is the documentation of ECS version 9.0.0-dev.
+This is the documentation of ECS version 9.1.0-dev.
 
 ECS defines multiple groups of related fields. They are called "field sets".
 The <<ecs-base,Base>> field set is the only one whose fields are defined

docs/index.asciidoc

@@ -13,7 +13,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
 [[ecs-reference]]
 == Overview
 
-This is the documentation of ECS version 9.0.0-dev.
+This is the documentation of ECS version 9.1.0-dev.
 
 [float]
 === What is ECS?

docs/opentelemetry/otel-fields-mapping.asciidoc

@@ -1,7 +1,7 @@
 ////
 This file is automatically generated. Don't edit it manually!
 ////
-The following table gives an overview of mappings between individual ECS fields (in ECS version `9.0.0-dev`)
+The following table gives an overview of mappings between individual ECS fields (in ECS version `9.1.0-dev`)
 and corresponding OTel semantic convention attributes (in SemConv version `1.29.0`).
 
 [%header]
@@ -540,7 +540,7 @@ Note: The `body` in OTLP is of type `Any` and can be either an unstructured log
 
 .1+|
 [[otel-mapping-for-faas-coldstart]]
-<<field-faas-coldstart, faas.coldstart>> [beta]
+<<field-faas-coldstart, faas.coldstart>> 
 
 
 
@@ -554,7 +554,7 @@ Note: The `body` in OTLP is of type `Any` and can be either an unstructured log
 // ===============================================================
 .1+|
 [[otel-mapping-for-faas-execution]]
-<<field-faas-execution, faas.execution>> [beta]
+<<field-faas-execution, faas.execution>> 
 
 
 
@@ -568,7 +568,7 @@ Note: The `body` in OTLP is of type `Any` and can be either an unstructured log
 // ===============================================================
 .1+|
 [[otel-mapping-for-faas-name]]
-<<field-faas-name, faas.name>> [beta]
+<<field-faas-name, faas.name>> 
 
 
 
@@ -582,7 +582,7 @@ Note: The `body` in OTLP is of type `Any` and can be either an unstructured log
 // ===============================================================
 .1+|
 [[otel-mapping-for-faas-trigger-type]]
-<<field-faas-trigger-type, faas.trigger.type>> [beta]
+<<field-faas-trigger-type, faas.trigger.type>> 
 
 
 
@@ -596,7 +596,7 @@ Note: The `body` in OTLP is of type `Any` and can be either an unstructured log
 // ===============================================================
 .1+|
 [[otel-mapping-for-faas-version]]
-<<field-faas-version, faas.version>> [beta]
+<<field-faas-version, faas.version>>