elastic · mjwolf · Jan 20, 2025 · Jan 11, 2025 · Jan 11, 2025 · Jan 17, 2025
@@ -23,6 +23,7 @@ Thanks, you're awesome :-) -->
 * Define base encoding of `x509.serial_number`. #2383
 * Restrict the encoding of `x509.serial_number` to base 16. #2398
 * Set synthetic_source_keep = none on fields that represent sets. #2422
+* Increase ignore_above value for url.query. #2424
 
 #### Deprecated
 

@@ -2325,7 +2325,7 @@
     - name: url
       level: extended
       type: keyword
-      ignore_above: 1024
+      ignore_above: 2083
       description: 'URL linking to an external system to continue investigation of
         this event.
 
@@ -10372,7 +10372,7 @@
     - name: enrichments.indicator.url.query
       level: extended
       type: keyword
-      ignore_above: 1024
+      ignore_above: 2083
       description: 'The query field describes the query string of the request, such
         as "q=elasticsearch".
 
@@ -12005,7 +12005,7 @@
     - name: indicator.url.query
       level: extended
       type: keyword
-      ignore_above: 1024
+      ignore_above: 2083
       description: 'The query field describes the query string of the request, such
         as "q=elasticsearch".
 
@@ -13068,7 +13068,7 @@
     - name: query
       level: extended
       type: keyword
-      ignore_above: 1024
+      ignore_above: 2083
       description: 'The query field describes the query string of the request, such
         as "q=elasticsearch".
 

@@ -3931,7 +3931,7 @@ event.url:
     are a common use case for this field.'
   example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
   flat_name: event.url
-  ignore_above: 1024
+  ignore_above: 2083
   level: extended
   name: url
   normalize: []
@@ -17261,7 +17261,7 @@ threat.enrichments.indicator.url.query:
     empty string. The `exists` query can be used to differentiate between the two
     cases.'
   flat_name: threat.enrichments.indicator.url.query
-  ignore_above: 1024
+  ignore_above: 2083
   level: extended
   name: query
   normalize: []
@@ -20015,7 +20015,7 @@ threat.indicator.url.query:
     empty string. The `exists` query can be used to differentiate between the two
     cases.'
   flat_name: threat.indicator.url.query
-  ignore_above: 1024
+  ignore_above: 2083
   level: extended
   name: query
   normalize: []
@@ -21853,7 +21853,7 @@ url.query:
     empty string. The `exists` query can be used to differentiate between the two
     cases.'
   flat_name: url.query
-  ignore_above: 1024
+  ignore_above: 2083
   level: extended
   name: query
   normalize: []

@@ -4964,7 +4964,7 @@ event:
         are a common use case for this field.'
       example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
       flat_name: event.url
-      ignore_above: 1024
+      ignore_above: 2083
       level: extended
       name: url
       normalize: []
@@ -20008,7 +20008,7 @@ threat:
         with an empty string. The `exists` query can be used to differentiate between
         the two cases.'
       flat_name: threat.enrichments.indicator.url.query
-      ignore_above: 1024
+      ignore_above: 2083
       level: extended
       name: query
       normalize: []
@@ -22770,7 +22770,7 @@ threat:
         with an empty string. The `exists` query can be used to differentiate between
         the two cases.'
       flat_name: threat.indicator.url.query
-      ignore_above: 1024
+      ignore_above: 2083
       level: extended
       name: query
       normalize: []
@@ -24735,7 +24735,7 @@ url:
         with an empty string. The `exists` query can be used to differentiate between
         the two cases.'
       flat_name: url.query
-      ignore_above: 1024
+      ignore_above: 2083
       level: extended
       name: query
       normalize: []

@@ -103,7 +103,7 @@
               "type": "keyword"
             },
             "url": {
-              "ignore_above": 1024,
+              "ignore_above": 2083,
               "type": "keyword"
             }
           }

@@ -732,7 +732,7 @@
                           "type": "long"
                         },
                         "query": {
-                          "ignore_above": 1024,
+                          "ignore_above": 2083,
                           "type": "keyword"
                         },
                         "registered_domain": {
@@ -1668,7 +1668,7 @@
                       "type": "long"
                     },
                     "query": {
-                      "ignore_above": 1024,
+                      "ignore_above": 2083,
                       "type": "keyword"
                     },
                     "registered_domain": {

@@ -47,7 +47,7 @@
               "type": "long"
             },
             "query": {
-              "ignore_above": 1024,
+              "ignore_above": 2083,
               "type": "keyword"
             },
             "registered_domain": {

@@ -1330,7 +1330,7 @@
             "type": "keyword"
           },
           "url": {
-            "ignore_above": 1024,
+            "ignore_above": 2083,
             "type": "keyword"
           }
         }
@@ -6021,7 +6021,7 @@
                         "type": "long"
                       },
                       "query": {
-                        "ignore_above": 1024,
+                        "ignore_above": 2083,
                         "type": "keyword"
                       },
                       "registered_domain": {
@@ -6957,7 +6957,7 @@
                     "type": "long"
                   },
                   "query": {
-                    "ignore_above": 1024,
+                    "ignore_above": 2083,
                     "type": "keyword"
                   },
                   "registered_domain": {
@@ -7579,7 +7579,7 @@
             "type": "long"
           },
           "query": {
-            "ignore_above": 1024,
+            "ignore_above": 2083,
             "type": "keyword"
           },
           "registered_domain": {

@@ -2275,7 +2275,7 @@
     - name: url
       level: extended
       type: keyword
-      ignore_above: 1024
+      ignore_above: 2083
       description: 'URL linking to an external system to continue investigation of
         this event.
 
@@ -10322,7 +10322,7 @@
     - name: enrichments.indicator.url.query
       level: extended
       type: keyword
-      ignore_above: 1024
+      ignore_above: 2083
       description: 'The query field describes the query string of the request, such
         as "q=elasticsearch".
 
@@ -11955,7 +11955,7 @@
     - name: indicator.url.query
       level: extended
       type: keyword
-      ignore_above: 1024
+      ignore_above: 2083
       description: 'The query field describes the query string of the request, such
         as "q=elasticsearch".
 
@@ -13018,7 +13018,7 @@
     - name: query
       level: extended
       type: keyword
-      ignore_above: 1024
+      ignore_above: 2083
       description: 'The query field describes the query string of the request, such
         as "q=elasticsearch".
 

@@ -3862,7 +3862,7 @@ event.url:
     are a common use case for this field.'
   example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
   flat_name: event.url
-  ignore_above: 1024
+  ignore_above: 2083
   level: extended
   name: url
   normalize: []
@@ -17192,7 +17192,7 @@ threat.enrichments.indicator.url.query:
     empty string. The `exists` query can be used to differentiate between the two
     cases.'
   flat_name: threat.enrichments.indicator.url.query
-  ignore_above: 1024
+  ignore_above: 2083
   level: extended
   name: query
   normalize: []
@@ -19946,7 +19946,7 @@ threat.indicator.url.query:
     empty string. The `exists` query can be used to differentiate between the two
     cases.'
   flat_name: threat.indicator.url.query
-  ignore_above: 1024
+  ignore_above: 2083
   level: extended
   name: query
   normalize: []
@@ -21784,7 +21784,7 @@ url.query:
     empty string. The `exists` query can be used to differentiate between the two
     cases.'
   flat_name: url.query
-  ignore_above: 1024
+  ignore_above: 2083
   level: extended
   name: query
   normalize: []

@@ -4884,7 +4884,7 @@ event:
         are a common use case for this field.'
       example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
       flat_name: event.url
-      ignore_above: 1024
+      ignore_above: 2083
       level: extended
       name: url
       normalize: []
@@ -19928,7 +19928,7 @@ threat:
         with an empty string. The `exists` query can be used to differentiate between
         the two cases.'
       flat_name: threat.enrichments.indicator.url.query
-      ignore_above: 1024
+      ignore_above: 2083
       level: extended
       name: query
       normalize: []
@@ -22690,7 +22690,7 @@ threat:
         with an empty string. The `exists` query can be used to differentiate between
         the two cases.'
       flat_name: threat.indicator.url.query
-      ignore_above: 1024
+      ignore_above: 2083
       level: extended
       name: query
       normalize: []
@@ -24655,7 +24655,7 @@ url:
         with an empty string. The `exists` query can be used to differentiate between
         the two cases.'
       flat_name: url.query
-      ignore_above: 1024
+      ignore_above: 2083
       level: extended
       name: query
       normalize: []

@@ -103,7 +103,7 @@
               "type": "keyword"
             },
             "url": {
-              "ignore_above": 1024,
+              "ignore_above": 2083,
               "type": "keyword"
             }
           }

@@ -732,7 +732,7 @@
                           "type": "long"
                         },
                         "query": {
-                          "ignore_above": 1024,
+                          "ignore_above": 2083,
                           "type": "keyword"
                         },
                         "registered_domain": {
@@ -1668,7 +1668,7 @@
                       "type": "long"
                     },
                     "query": {
-                      "ignore_above": 1024,
+                      "ignore_above": 2083,
                       "type": "keyword"
                     },
                     "registered_domain": {

@@ -47,7 +47,7 @@
               "type": "long"
             },
             "query": {
-              "ignore_above": 1024,
+              "ignore_above": 2083,
               "type": "keyword"
             },
             "registered_domain": {

@@ -1288,7 +1288,7 @@
             "type": "keyword"
           },
           "url": {
-            "ignore_above": 1024,
+            "ignore_above": 2083,
             "type": "keyword"
           }
         }
@@ -5979,7 +5979,7 @@
                         "type": "long"
                       },
                       "query": {
-                        "ignore_above": 1024,
+                        "ignore_above": 2083,
                         "type": "keyword"
                       },
                       "registered_domain": {
@@ -6915,7 +6915,7 @@
                     "type": "long"
                   },
                   "query": {
-                    "ignore_above": 1024,
+                    "ignore_above": 2083,
                     "type": "keyword"
                   },
                   "registered_domain": {
@@ -7537,7 +7537,7 @@
             "type": "long"
           },
           "query": {
-            "ignore_above": 1024,
+            "ignore_above": 2083,
             "type": "keyword"
           },
           "registered_domain": {

@@ -821,6 +821,7 @@
     - name: url
       level: extended
       type: keyword
+      ignore_above: 2083
       short: Event investigation URL
       description: >
         URL linking to an external system to continue investigation of this event.

@@ -173,6 +173,7 @@
         no `?`, there is no query field. If there is a `?` but no query,
         the query field exists with an empty string. The `exists`
         query can be used to differentiate between the two cases.
+      ignore_above: 2083
       otel:
         - relation: match