URL Fields

url.domain

Domain of the url, such as "www.elastic.co".

In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the domain field.

type: keyword

example: www.elastic.co

extended

url.fragment

Portion of the url after the #, such as "top".

The # is not part of the fragment.

type: keyword

extended

url.full

If full URLs are important to your use case, they should be stored in url.full, whether this field is reconstructed or present in the event source.

type: keyword

example: https://www.elastic.co:443/search?q=elasticsearch#top

extended

url.original

Unmodified original url as seen in the event source.

Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.

This field is meant to represent the URL as it was observed, complete or not.

type: keyword

example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch

extended

url.password

Password of the request.

type: keyword

extended

url.path

Path of the request, such as "/search".

type: keyword

extended

url.port

Port of the request, such as 443.

type: long

example: 443

extended

url.query

The query field describes the query string of the request, such as "q=elasticsearch".

The ? is excluded from the query string. If a URL contains no ?, there is no query field. If there is a ? but no query, the query field exists with an empty string. The exists query can be used to differentiate between the two cases.

type: keyword

extended

url.scheme

Scheme of the request, such as "https".

Note: The : is not part of the scheme.

type: keyword

example: https

extended

url.username

Username of the request.

type: keyword

extended