Add .caseless subfield to process.name & process.executable

elastic · May 22, 2024 · d3b869b · d3b869b
1 parent 247d128
commit d3b869b
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
@@ -24,6 +24,8 @@ Thanks, you're awesome :-) -->
 
 #### Improvements
 
+* Added `.caseless` subfield to `process.name` and `process.executable`. #2341
+
 #### Deprecated
 
 ### Tooling and Artifact Changes

diff --git a/schemas/process.yml b/schemas/process.yml
@@ -112,6 +112,10 @@
         Sometimes called program name or similar.
       example: ssh
       multi_fields:
+        - name: caseless
+          ignore_above: 1024
+          normalizer: lowercase
+          type: keyword
         - type: match_only_text
           name: text
 
@@ -171,6 +175,10 @@
         Absolute path to the process executable.
       example: /usr/bin/ssh
       multi_fields:
+        - name: caseless
+          ignore_above: 1024
+          normalizer: lowercase
+          type: keyword
         - type: match_only_text
           name: text