Variations to the ECS

See ECS Categorization fields for more detail on ECS fields. CPS compliant parsers deviate from ECS in the following ways:

Fields which parsers use as tags have their names prefixed with # during ingestion.
The field event.original is only present if ingested bulk events are being split into multiple events.
The field event.ingested is not present, since LogScale uses @ingesttimestamp instead.
The field @timestamp contains a Unix timestamp, rather than a human readable timestamp.
The following fields have their values lowercased by the en-us locale.
- *.address
- *.domain
- email.*.address
- event.module
- event.dataset
- Vendor
- *.email
- host.hostname
- *.hash.*