Question about template usage for ecs

Hello,

As creator of the following project => https://github.com/OutsideIT/logstash_filter_f5

I’d prefer to follow ECS guidelines in the future and switch current fields if appropriate to ECS fields with dot notation. For now I always used underscores for all my fields, which makes this kind of new.

If I would create a template for some fields, eg.

        "f5_tmm_session_bytes_in": {
          "type": "long"
        },
        "f5_tmm_session_bytes_out": {
          "type": "long"
        },

And switch those to dot notated fields network.inbound.bytes and network.outbound.bytes, would this be the template that I would ideally use for those fields?

        "network": {
          "properties": {
            "inbound": {
              "properties": {
                "bytes": {
                  "type": "long"
                }
              }
            },
            "outbound": {
              "properties": {
                "bytes": {
                  "type": "long"
                }
              }
            },
          }
        }

I saw some examples which also have "type": "object" in the template, but I didn’t see that everywhere (not in the beat.* object template for example)

Thanks for confirming the correct or incorrect use of my f5 template.

Another small question, I tend to use the ignore_above parameter alot, which I don’t see anywhere in the ECS common field types. Are we ‘allowed’ to use the ignore_above on ECS fields and can we set them as we want or would this cause mapping conflicts if mixed with data from other indices which have different or no ignore_above parameter for the same field?

Grtz

Willem