Clarify url.query usage to specify full query string format

johnmschoonover · web-flow · commit d76d6d8b084a · 2025-06-05T13:34:07.000-05:00
This update removes ambiguity around the url.query field by explicitly stating that it should contain the full query string, including compound parameters.

An example with multiple query parameters is added to reinforce this guidance. This helps prevent misinterpretation—such as splitting the query into an array of keywords—and promotes consistent, ECS-compliant implementations across ingestion pipelines and tools.
diff --git a/schemas/url.yml b/schemas/url.yml
@@ -166,6 +166,8 @@
       type: keyword
       short: Query string of the request.
       description: >
+        The field contains the entire query string excluding the leading `?`.
+        
         The query field describes the query string of the request,
         such as "q=elasticsearch".
 
@@ -174,6 +176,7 @@
         the query field exists with an empty string. The `exists`
         query can be used to differentiate between the two cases.
       ignore_above: 2083
+      example: q=elasticsearch&sort=desc
       otel:
         - relation: match
 
