URL Fields

edit

URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on.

URL Field Details

edit
Field Description Level

url.domain

Domain of the url, such as "www.elastic.co".

In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the domain field.

type: keyword

example: www.elastic.co

extended

url.extension

The field contains the file extension from the original request url.

The file extension is only set if it exists, as not every url has a file extension.

The leading period must not be included. For example, the value must be "png", not ".png".

type: keyword

example: png

extended

url.fragment

Portion of the url after the #, such as "top".

The # is not part of the fragment.

type: keyword

extended

url.full

If full URLs are important to your use case, they should be stored in url.full, whether this field is reconstructed or present in the event source.

type: keyword

example: https://www.elastic.co:443/search?q=elasticsearch#top

extended

url.original

Unmodified original url as seen in the event source.

Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.

This field is meant to represent the URL as it was observed, complete or not.

type: keyword

example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch

extended

url.password

Password of the request.

type: keyword

extended

url.path

Path of the request, such as "/search".

type: keyword

extended

url.port

Port of the request, such as 443.

type: long

example: 443

extended

url.query

The query field describes the query string of the request, such as "q=elasticsearch".

The ? is excluded from the query string. If a URL contains no ?, there is no query field. If there is a ? but no query, the query field exists with an empty string. The exists query can be used to differentiate between the two cases.

type: keyword

extended

url.registered_domain

The highest registered url domain, stripped of the subdomain.

For example, the registered domain for "foo.google.com" is "google.com".

This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".

type: keyword

example: google.com

extended

url.scheme

Scheme of the request, such as "https".

Note: The : is not part of the scheme.

type: keyword

example: https

extended

url.top_level_domain

The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com".

This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".

type: keyword

example: co.uk

extended

url.username

Username of the request.

type: keyword

extended