[Rule Tuning] Tuning Host Name to Agent Name for Compatibility (#5849)

* [Rule Tuning] Tuning Host Name to Agent Name for Compatibility * ++
2026-03-19 14:43:34 +01:00
parent a4b614c681
commit 71bcbef8d0
6 changed files with 18 additions and 18 deletions
@@ -4,7 +4,7 @@ integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
 min_stack_version = "9.2.0"
 min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0"
-updated_date = "2026/03/16"
+updated_date = "2026/03/19"

 [rule]
 author = ["Elastic"]
@@ -141,7 +141,7 @@ from
    Esql.url_original_url_decoded_to_lower,
    source.ip,
    agent.id,
-    host.name,
+    agent.name,
    http.request.method,
    http.response.status_code,
    event.dataset,
@@ -150,7 +150,7 @@ from
 | stats
    Esql.event_count = count(),
    Esql.url_original_url_decoded_to_lower_count_distinct = count_distinct(Esql.url_original_url_decoded_to_lower),
-    Esql.host_name_values = values(host.name),
+    Esql.agent_name_values = values(agent.name),
    Esql.agent_id_values = values(agent.id),
    Esql.http_request_method_values = values(http.request.method),
    Esql.http_response_status_code_values = values(http.response.status_code),
@@ -4,7 +4,7 @@ integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
 min_stack_version = "9.2.0"
 min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0"
-updated_date = "2026/03/16"
+updated_date = "2026/03/19"

 [rule]
 author = ["Elastic"]
@@ -94,7 +94,7 @@ from
    Esql.url_original_url_decoded_to_lower,
    source.ip,
    agent.id,
-    host.name,
+    agent.name,
    http.request.method,
    http.response.status_code,
    event.dataset,
@@ -103,7 +103,7 @@ from
 | stats
    Esql.event_count = count(),
    Esql.url_original_url_decoded_to_lower_count_distinct = count_distinct(Esql.url_original_url_decoded_to_lower),
-    Esql.host_name_values = values(host.name),
+    Esql.agent_name_values = values(agent.name),
    Esql.agent_id_values = values(agent.id),
    Esql.http_request_method_values = values(http.request.method),
    Esql.http_response_status_code_values = values(http.response.status_code),
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2026/03/16"
+updated_date = "2026/03/19"

 [rule]
 author = ["Elastic"]
@@ -115,7 +115,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
    http.request.method,
    http.response.status_code,
    user_agent.original,
-    host.name,
+    agent.name,
    event.dataset,
    data_stream.namespace

@@ -125,7 +125,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log

    // General fields

-    Esql.host_name_values = values(host.name),
+    Esql.agent_name_values = values(agent.name),
    Esql.agent_id_values = values(agent.id),
    Esql.url_path_values = values(Esql.url_original_to_lower),
    Esql.http.response.status_code_values = values(http.response.status_code),
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2026/03/16"
+updated_date = "2026/03/19"

 [rule]
 author = ["Elastic"]
@@ -78,14 +78,14 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
    http.response.status_code,
    source.ip,
    agent.id,
-    host.name,
+    agent.name,
    Esql.url_original_to_lower,
    data_stream.namespace

 | stats
    Esql.event_count = count(),
    Esql.url_original_count_distinct = count_distinct(Esql.url_original_to_lower),
-    Esql.host_name_values = values(host.name),
+    Esql.agent_name_values = values(agent.name),
    Esql.agent_id_values = values(agent.id),
    Esql.http_request_method_values = values(http.request.method),
    Esql.http_response_status_code_values = values(http.response.status_code),
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2026/03/16"
+updated_date = "2026/03/19"

 [rule]
 author = ["Elastic"]
@@ -84,7 +84,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
    http.response.status_code,
    source.ip,
    agent.id,
-    host.name,
+    agent.name,
    Esql.url_original_to_lower,
    data_stream.namespace

@@ -92,7 +92,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
    Esql.event_count = count(),
    Esql.http_response_status_code_count = count(http.response.status_code),
    Esql.http_response_status_code_values = values(http.response.status_code),
-    Esql.host_name_values = values(host.name),
+    Esql.agent_name_values = values(agent.name),
    Esql.agent_id_values = values(agent.id),
    Esql.http_request_method_values = values(http.request.method),
    Esql.http_response_status_code_values = values(http.response.status_code),
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2026/03/16"
+updated_date = "2026/03/19"

 [rule]
 author = ["Elastic"]
@@ -100,14 +100,14 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
    user_agent.original,
    source.ip,
    agent.id,
-    host.name,
+    agent.name,
    Esql.url_original_to_lower,
    Esql.user_agent_original_to_lower,
    data_stream.namespace
 | stats
    Esql.event_count = count(),
    Esql.url_original_count_distinct = count_distinct(Esql.url_original_to_lower),
-    Esql.host_name_values = values(host.name),
+    Esql.agent_name_values = values(agent.name),
    Esql.agent_id_values = values(agent.id),
    Esql.url_original_values = values(Esql.url_original_to_lower),
    Esql.user_agent_original_values = values(Esql.user_agent_original_to_lower),