Http Fields
Overview
The http fields describe properties of Hypertext Transfer Protocol (HTTP) requests and responses as observed in network and application telemetry. They represent logical components of HTTP transactions, including methods, paths, headers, versions, and payload characteristics. This entity provides a normalized view of client and server interactions that occur over HTTP or HTTPS.
Design and Usage
The http entity defines a structured representation of request and response data across diverse logging sources. It captures transactional attributes such as message size, content type, user agent details, and server response information in order to support consistent analysis across vendors and protocols. As a top-level entity, http is modeled independently of network session data but may be related to network or user entities through higher-level correlation when available.
Common Use Cases
- Analyzing web traffic patterns to support threat detection, anomaly identification, and categorization of browsing activity.
- Investigating client behavior through normalized user agent, URI, and request method information.
- Reviewing response codes and content metadata to identify service failures, redirects, or suspicious responses.
- Correlating HTTP activity with broader network telemetry to clarify event semantics and support incident investigations.
Implementation Notes
As a top-level entity, http represents a complete logical object describing an HTTP transaction. It should be modeled independently of vendor-specific field naming conventions while supporting hierarchical mappings to related entities such as network, file, or user when applicable. The entity may appear in conjunction with connection-level data to maintain relational integrity across normalized telemetry.
If a related entity is implied but not explicitly present, corresponding fields should be included to ensure consistent interpretation of HTTP request and response semantics.
| field | field_type | description | example_values |
|---|---|---|---|
| http_application | keyword | Identifies the application-layer service or platform associated with the HTTP transaction. | |
| http_bytes | long | Total size of the request and response combined, measured in bytes. | 29347485 |
| http_content_type | keyword | MIME type of the HTTP content. | application/octet-stream |
| http_headers | keyword | Full list of HTTP headers. | |
| http_host | keyword | Value of the Host header provided in the HTTP request. | Host: www.mycorp.local |
| http_referrer | keyword | Value of the 'Referer' header supplied by the client. | http://mycorp.local/ |
| http_request_bytes | long | Size of the HTTP request payload, measured in bytes. | 239478 |
| http_request_method | keyword | Method used in the HTTP request, such as GET or POST. | GET, POST |
| http_request_path | keyword | Path component of the HTTP request, which may include a query string depending on the source format. | /path/to/resource?option=test |
| http_response_bytes | long | Size of the HTTP response, measured in bytes. | 498274 |
| http_response | keyword | Textual description (reason phrase) associated with the HTTP response status. | OK, Moved Permanently |
| http_response_code | integer | Numeric status code returned by the server in response to the HTTP request. | 200, 404, 500 |
| http_uri | keyword | Full URI referenced in the HTTP request. | https://www.graylog.org, https://www.graylog.org/blog, https://www.mycorp.local/workspaces/team#posts |
| http_uri_category | keyword | Classification assigned to the destination URI based on content or reputation. | Suspicious, Games |
| http_uri_stem | keyword | The target of the request, without the query string. For example, for http://www.test.com/test.jsp?hello=y the URI stem is /test.jsp. | Default.htm |
| http_uri_query | keyword | The query string the client submitted. For example, for http://www.test.com/test.jsp?hello=y the query is hello=y. | hello=y |
| http_user_agent | keyword | Full User-Agent header string. | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0 |
| http_user_agent_name | keyword | Attempted identification of the browser or client, usually based on user agent analysis. | Firefox |
| http_user_agent_os | keyword | Operating system identified from the user agent string. | Windows 10 |
| http_version | keyword | HTTP protocol version used in the request. | 1.0, 1.1, 2.0 |
| http_xff | keyword | Value of the X-Forwarded-For header, indicating one or more client IP addresses. | X-Forwarded-For: 10.1.2.3 |
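As a worked example of populating this entity, the following Python (added here; it is not code from the Graylog schema page or the Graylog project) parses a constructed access-log line into the http_* fields listed in the table, derives http_uri_stem, http_uri_query, http_host and http_bytes from the parsed pieces, and applies the kind of response-code review the "Common Use Cases" section mentions. It assumes an Apache/NGINX combined-format line to which a hypothetical proxy appends two extra fields (request bytes and the X-Forwarded-For value); the user-agent heuristics and the review categories are this example's own, not part of the schema.

```python
"""Added example for the http entity (illustrative code, not part of the Graylog
schema page or the Graylog project): normalize a constructed access-log line into
the http_* fields, derive the composite fields, and review the result.

Assumptions: the log line is an Apache/NGINX combined-format record to which a
hypothetical proxy appends two extra fields, request bytes and the
X-Forwarded-For value; the user-agent heuristics are deliberately minimal.
"""
import re
from http import HTTPStatus
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample record; not captured from a real system.
SAMPLE_LINE = (
    '10.1.2.3 - - [12/Mar/2024:10:15:32 +0000] '
    '"GET https://www.mycorp.local/workspaces/team?option=test HTTP/1.1" 301 498274 '
    '"http://mycorp.local/" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0" '
    '239478 "10.1.2.3, 192.0.2.10"'
)

# Combined format plus the two hypothetical trailing proxy fields.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<resp_bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<ua>[^"]*)" '
    r'(?P<req_bytes>\d+|-) "(?P<xff>[^"]*)"$'
)

# Minimal substring heuristics; a production pipeline would use a maintained
# user-agent parser to fill http_user_agent_name and http_user_agent_os.
UA_NAMES = [("Firefox/", "Firefox"), ("Edg/", "Edge"), ("Chrome/", "Chrome"),
            ("Safari/", "Safari"), ("curl/", "curl")]
UA_OSES = [("Windows NT", "Windows"), ("Mac OS X", "macOS"), ("iPhone OS", "iOS"),
           ("Android", "Android"), ("Linux", "Linux")]


def _to_int(token: str) -> Optional[int]:
    """Combined-format logs write '-' when a size is unknown."""
    return None if token == "-" else int(token)


def _first_match(ua: str, table) -> Optional[str]:
    return next((label for needle, label in table if needle in ua), None)


def normalize_access_log_line(line: str) -> Optional[dict]:
    """Return a record keyed by the http_* field names, or None if the line
    does not parse. Byte counts are summed into http_bytes only when both
    sides are known, so an unknown size never silently becomes 0."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m["uri"])
    req_bytes, resp_bytes = _to_int(m["req_bytes"]), _to_int(m["resp_bytes"])
    code = int(m["status"])
    try:
        reason = HTTPStatus(code).phrase   # http_response is the reason phrase
    except ValueError:                     # non-standard code: leave the field empty
        reason = None
    return {
        "http_request_method": m["method"],
        "http_version": m["version"],
        "http_uri": m["uri"],
        # Host is only recoverable here when the request line carries an absolute URI.
        "http_host": parts.netloc or None,
        # Path component, including the query string when the source carries one.
        "http_request_path": parts.path + ("?" + parts.query if parts.query else ""),
        "http_uri_stem": parts.path,
        "http_uri_query": parts.query or None,
        "http_referrer": m["referrer"] or None,
        "http_response_code": code,
        "http_response": reason,
        "http_request_bytes": req_bytes,
        "http_response_bytes": resp_bytes,
        "http_bytes": (req_bytes + resp_bytes
                       if req_bytes is not None and resp_bytes is not None else None),
        "http_user_agent": m["ua"],
        "http_user_agent_name": _first_match(m["ua"], UA_NAMES),
        "http_user_agent_os": _first_match(m["ua"], UA_OSES),
        "http_xff": m["xff"] or None,
    }


def review_response(record: dict) -> str:
    """Coarse triage of a normalized record by status class (the categories are
    this example's own), in the spirit of the 'reviewing response codes' use case."""
    code = record["http_response_code"]
    if code >= 500:
        return "service_failure"
    if 300 <= code < 400:
        return "redirect"
    if code >= 400:
        return "client_error"
    return "ok"


if __name__ == "__main__":
    record = normalize_access_log_line(SAMPLE_LINE)
    for key, value in record.items():
        print(f"{key:24} {value}")
    print("review:", review_response(record))
```

Fields the source cannot supply (http_application, http_content_type, http_headers, http_uri_category) are simply absent from the record rather than filled with guesses, which keeps the entity consistent with the "modeled independently of vendor-specific field naming" note above: a downstream enrichment step can add them without the parser having to pretend it knows them.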
