are there any best practices, guidelines, etc. on how to name things? as we all know, naming things is hard
namely i’m looking for advice on how to name indices and fields therein as well as security-related things (roles, etc.), but also anything else you’ll have to give a name to in elasticsearch/opensearch.
do you use snake_case? camelCase? WeirdCamelCase? dot.notation? minus-notation? alllowercasenoseparation, SCREAMING, ASuper_weird.Combination-Of_ITALL (hey, it’s already monday, but i didn’t have my fun on friday, ok?)?
do you use singular or plural (e.g. do you call an index containing countries country or countries)?
do you prefix global things (indices, roles, etc.) since there’s no tenant-functionality in opensearch (not talking about kibana / opensearch dashboards)? e.g. acme-someindex instead of just someindex?
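As an added example (not code from this thread), a small Python checker that tests a candidate index name against the rules Elasticsearch/OpenSearch enforce themselves (lowercase, no forbidden characters, no leading `-`/`_`/`+`) and against a constructed `<tenant>-<dataset>` prefix convention, and derives the `tenant-*` index pattern a tenant-scoped role would be granted; the convention, the tenant name `acme` and the sample names are assumptions.

```python
import re
from typing import List, Optional

# Index-name rules enforced by Elasticsearch/OpenSearch themselves: lowercase only,
# none of \ / * ? " < > | , # : or space, no leading - _ +, not "." or "..",
# and at most 255 bytes once UTF-8 encoded.
FORBIDDEN_CHARS = set('\\/*?"<>|,#: ')

# Constructed house convention for this example: <tenant>-<dataset>[-<yyyy.mm.dd>],
# e.g. "acme-countries-2024.01.31". The tenant part may not contain '-', so that
# a role granted the pattern "acme-*" can never match another tenant's indices.
CONVENTION = re.compile(
    r"^(?P<tenant>[a-z][a-z0-9]*)-(?P<dataset>[a-z][a-z0-9_]*)"
    r"(?:-(?P<date>\d{4}\.\d{2}\.\d{2}))?$"
)

def engine_errors(name: str) -> List[str]:
    """Reasons the engine itself would reject the name (empty list means accepted)."""
    errors = []
    if not name or name in (".", ".."):
        errors.append("name is empty, '.' or '..'")
    if name != name.lower():
        errors.append("uppercase characters are not allowed")
    bad = sorted(set(name) & FORBIDDEN_CHARS)
    if bad:
        errors.append(f"forbidden characters: {bad}")
    if name[:1] in ("-", "_", "+"):
        errors.append("must not start with '-', '_' or '+'")
    if len(name.encode("utf-8")) > 255:
        errors.append("longer than 255 bytes")
    return errors

def convention_errors(name: str, tenant: Optional[str] = None) -> List[str]:
    """Check the house convention; optionally require a specific tenant prefix."""
    match = CONVENTION.match(name)
    if not match:
        return ["does not match <tenant>-<dataset>[-<yyyy.mm.dd>] in lowercase"]
    if tenant and match.group("tenant") != tenant:
        return [f"tenant prefix {match.group('tenant')!r} is not {tenant!r}"]
    return []

def role_index_pattern(tenant: str) -> str:
    """Index pattern to grant a tenant-scoped role under this convention."""
    return f"{tenant}-*"

def check(name: str, tenant: Optional[str] = None) -> List[str]:
    """All problems with a proposed index name, engine rules first."""
    return engine_errors(name) + convention_errors(name, tenant)
```

Note that camelCase is ruled out for index names by the engine itself, whichever convention you pick for field names.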
We find that ECS has a ton of holes, even for the datasets that it supposedly supports. However, I would agree with most of the field naming conventions. The exception is abbreviations. ECS suggests avoiding them. However, this results in unnecessarily long names with little added clarity. For example, there probably aren’t many people confused by src.ip and dst.ip, yet in ECS they are source.ip and (worse) destination.ip. It isn’t just the extra typing. It also wastes screen space in the UI.