From d76d6d8b084a0797294f1374be15c4ad369ef69b Mon Sep 17 00:00:00 2001
From: johnmschoonover <johnmschoonover@gmail.com>
Date: Thu, 5 Jun 2025 13:34:07 -0500
Subject: [PATCH 1/4] Clarify url.query usage to specify full query string
 format
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This update removes ambiguity around the url.query field by explicitly stating that it should contain the full query string, including compound parameters.

An example with multiple query parameters is added to reinforce this guidance. This helps prevent misinterpretation—such as splitting the query into an array of keywords—and promotes consistent, ECS-compliant implementations across ingestion pipelines and tools.
---
 schemas/url.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/schemas/url.yml b/schemas/url.yml
index 29941fed8a..93a4f2351c 100644
--- a/schemas/url.yml
+++ b/schemas/url.yml
@@ -166,6 +166,8 @@
       type: keyword
       short: Query string of the request.
       description: >
+        The field contains the entire query string excluding the leading `?`.
+        
         The query field describes the query string of the request,
         such as "q=elasticsearch".
 
@@ -174,6 +176,7 @@
         the query field exists with an empty string. The `exists`
         query can be used to differentiate between the two cases.
       ignore_above: 2083
+      example: q=elasticsearch&sort=desc
       otel:
         - relation: match
 

From 9a682bcb2ca6a508a44b173cd7d533272b1e86c1 Mon Sep 17 00:00:00 2001
From: johnmschoonover <johnmschoonover@gmail.com>
Date: Thu, 5 Jun 2025 14:27:50 -0500
Subject: [PATCH 2/4] Update CHANGELOG.next.md

---
 CHANGELOG.next.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index c922e49648..16f7020ea2 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -39,6 +39,7 @@ Thanks, you're awesome :-) -->
 
 * Allow Unicode characters in generated ECS yml files. #2478
 * Update semconv version used in file generation to v1.34.0 #2483
+* Added details for implementation of url.query to avoid ambiguity #2488
 
 #### Deprecated
 

From bc7dde55edca6cca903e06439cb4e9a79f3f2b35 Mon Sep 17 00:00:00 2001
From: johnmschoonover <johnmschoonover@gmail.com>
Date: Thu, 5 Jun 2025 14:29:08 -0500
Subject: [PATCH 3/4] generated files from changes

---
 docs/reference/ecs-url.md                   |  2 +-
 experimental/generated/beats/fields.ecs.yml | 21 +++++++++++++++------
 experimental/generated/csv/fields.csv       |  6 +++---
 experimental/generated/ecs/ecs_flat.yml     | 18 ++++++++++++------
 experimental/generated/ecs/ecs_nested.yml   | 21 +++++++++++++++------
 generated/beats/fields.ecs.yml              | 21 +++++++++++++++------
 generated/csv/fields.csv                    |  6 +++---
 generated/ecs/ecs_flat.yml                  | 18 ++++++++++++------
 generated/ecs/ecs_nested.yml                | 21 +++++++++++++++------
 9 files changed, 91 insertions(+), 43 deletions(-)

diff --git a/docs/reference/ecs-url.md b/docs/reference/ecs-url.md
index 0ec666f4f6..853e054c3b 100644
--- a/docs/reference/ecs-url.md
+++ b/docs/reference/ecs-url.md
@@ -23,7 +23,7 @@ URL fields provide support for complete or partial URLs, and supports the breaki
 | $$$field-url-password$$$ [url.password](#field-url-password) | Password of the request.<br><br>type: keyword | extended |
 | $$$field-url-path$$$ [url.path](#field-url-path) | Path of the request, such as "/search".<br><br>type: wildcard<br><br>![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [url.path](https://opentelemetry.io/docs/specs/semconv/attributes-registry/url/#url-path) | extended |
 | $$$field-url-port$$$ [url.port](#field-url-port) | Port of the request, such as 443.<br><br>type: long<br><br>example: `443`<br><br>![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [url.port](https://opentelemetry.io/docs/specs/semconv/attributes-registry/url/#url-port) | extended |
-| $$$field-url-query$$$ [url.query](#field-url-query) | The query field describes the query string of the request, such as "q=elasticsearch".<br><br>The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.<br><br>type: keyword<br><br>![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [url.query](https://opentelemetry.io/docs/specs/semconv/attributes-registry/url/#url-query) | extended |
+| $$$field-url-query$$$ [url.query](#field-url-query) | The field contains the entire query string excluding the leading `?`.<br><br>The query field describes the query string of the request, such as "q=elasticsearch".<br><br>The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.<br><br>type: keyword<br><br>example: `q=elasticsearch&sort=desc`<br><br>![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [url.query](https://opentelemetry.io/docs/specs/semconv/attributes-registry/url/#url-query) | extended |
 | $$$field-url-registered-domain$$$ [url.registered_domain](#field-url-registered-domain) | The highest registered url domain, stripped of the subdomain.<br><br>For example, the registered domain for "foo.example.com" is "example.com".<br><br>This value can be determined precisely with a list like the public suffix list (https://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".<br><br>type: keyword<br><br>example: `example.com`<br><br>![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [url.registered_domain](https://opentelemetry.io/docs/specs/semconv/attributes-registry/url/#url-registered-domain) | extended |
 | $$$field-url-scheme$$$ [url.scheme](#field-url-scheme) | Scheme of the request, such as "https".<br><br>Note: The `:` is not part of the scheme.<br><br>type: keyword<br><br>example: `https`<br><br>![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [url.scheme](https://opentelemetry.io/docs/specs/semconv/attributes-registry/url/#url-scheme) | extended |
 | $$$field-url-subdomain$$$ [url.subdomain](#field-url-subdomain) | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.<br><br>For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.<br><br>type: keyword<br><br>example: `east`<br><br>![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [url.subdomain](https://opentelemetry.io/docs/specs/semconv/attributes-registry/url/#url-subdomain) | extended |
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 9c12e2132c..388b513c1d 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -10621,13 +10621,16 @@
       level: extended
       type: keyword
       ignore_above: 2083
-      description: 'The query field describes the query string of the request, such
-        as "q=elasticsearch".
+      description: 'The field contains the entire query string excluding the leading
+        `?`.
+
+        The query field describes the query string of the request, such as "q=elasticsearch".
 
         The `?` is excluded from the query string. If a URL contains no `?`, there
         is no query field. If there is a `?` but no query, the query field exists
         with an empty string. The `exists` query can be used to differentiate between
         the two cases.'
+      example: q=elasticsearch&sort=desc
       default_field: false
     - name: enrichments.indicator.url.registered_domain
       level: extended
@@ -12281,13 +12284,16 @@
       level: extended
       type: keyword
       ignore_above: 2083
-      description: 'The query field describes the query string of the request, such
-        as "q=elasticsearch".
+      description: 'The field contains the entire query string excluding the leading
+        `?`.
+
+        The query field describes the query string of the request, such as "q=elasticsearch".
 
         The `?` is excluded from the query string. If a URL contains no `?`, there
         is no query field. If there is a `?` but no query, the query field exists
         with an empty string. The `exists` query can be used to differentiate between
         the two cases.'
+      example: q=elasticsearch&sort=desc
       default_field: false
     - name: indicator.url.registered_domain
       level: extended
@@ -13350,13 +13356,16 @@
       level: extended
       type: keyword
       ignore_above: 2083
-      description: 'The query field describes the query string of the request, such
-        as "q=elasticsearch".
+      description: 'The field contains the entire query string excluding the leading
+        `?`.
+
+        The query field describes the query string of the request, such as "q=elasticsearch".
 
         The `?` is excluded from the query string. If a URL contains no `?`, there
         is no query field. If there is a `?` but no query, the query field exists
         with an empty string. The `exists` query can be used to differentiate between
         the two cases.'
+      example: q=elasticsearch&sort=desc
     - name: registered_domain
       level: extended
       type: keyword
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index d9693a0827..0372d48393 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -1361,7 +1361,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request.
 9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
 9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443."
-9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request.
+9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,q=elasticsearch&sort=desc,Query string of the request.
 9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
 9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url.
 9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain.
@@ -1584,7 +1584,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0-dev+exp,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request.
 9.1.0-dev+exp,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
 9.1.0-dev+exp,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443."
-9.1.0-dev+exp,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request.
+9.1.0-dev+exp,true,threat,threat.indicator.url.query,keyword,extended,,q=elasticsearch&sort=desc,Query string of the request.
 9.1.0-dev+exp,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
 9.1.0-dev+exp,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url.
 9.1.0-dev+exp,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain.
@@ -1720,7 +1720,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request.
 9.1.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
 9.1.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
-9.1.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request.
+9.1.0-dev+exp,true,url,url.query,keyword,extended,,q=elasticsearch&sort=desc,Query string of the request.
 9.1.0-dev+exp,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
 9.1.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
 9.1.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index edf0609918..2c22e58a8a 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -17747,13 +17747,15 @@ threat.enrichments.indicator.url.port:
   type: long
 threat.enrichments.indicator.url.query:
   dashed_name: threat-enrichments-indicator-url-query
-  description: 'The query field describes the query string of the request, such as
-    "q=elasticsearch".
+  description: 'The field contains the entire query string excluding the leading `?`.
+
+    The query field describes the query string of the request, such as "q=elasticsearch".
 
     The `?` is excluded from the query string. If a URL contains no `?`, there is
     no query field. If there is a `?` but no query, the query field exists with an
     empty string. The `exists` query can be used to differentiate between the two
     cases.'
+  example: q=elasticsearch&sort=desc
   flat_name: threat.enrichments.indicator.url.query
   ignore_above: 2083
   level: extended
@@ -20546,13 +20548,15 @@ threat.indicator.url.port:
   type: long
 threat.indicator.url.query:
   dashed_name: threat-indicator-url-query
-  description: 'The query field describes the query string of the request, such as
-    "q=elasticsearch".
+  description: 'The field contains the entire query string excluding the leading `?`.
+
+    The query field describes the query string of the request, such as "q=elasticsearch".
 
     The `?` is excluded from the query string. If a URL contains no `?`, there is
     no query field. If there is a `?` but no query, the query field exists with an
     empty string. The `exists` query can be used to differentiate between the two
     cases.'
+  example: q=elasticsearch&sort=desc
   flat_name: threat.indicator.url.query
   ignore_above: 2083
   level: extended
@@ -22389,13 +22393,15 @@ url.port:
   type: long
 url.query:
   dashed_name: url-query
-  description: 'The query field describes the query string of the request, such as
-    "q=elasticsearch".
+  description: 'The field contains the entire query string excluding the leading `?`.
+
+    The query field describes the query string of the request, such as "q=elasticsearch".
 
     The `?` is excluded from the query string. If a URL contains no `?`, there is
     no query field. If there is a `?` but no query, the query field exists with an
     empty string. The `exists` query can be used to differentiate between the two
     cases.'
+  example: q=elasticsearch&sort=desc
   flat_name: url.query
   ignore_above: 2083
   level: extended
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 6f8a6d1307..4c4e1387bf 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -20515,13 +20515,16 @@ threat:
       type: long
     threat.enrichments.indicator.url.query:
       dashed_name: threat-enrichments-indicator-url-query
-      description: 'The query field describes the query string of the request, such
-        as "q=elasticsearch".
+      description: 'The field contains the entire query string excluding the leading
+        `?`.
+
+        The query field describes the query string of the request, such as "q=elasticsearch".
 
         The `?` is excluded from the query string. If a URL contains no `?`, there
         is no query field. If there is a `?` but no query, the query field exists
         with an empty string. The `exists` query can be used to differentiate between
         the two cases.'
+      example: q=elasticsearch&sort=desc
       flat_name: threat.enrichments.indicator.url.query
       ignore_above: 2083
       level: extended
@@ -23322,13 +23325,16 @@ threat:
       type: long
     threat.indicator.url.query:
       dashed_name: threat-indicator-url-query
-      description: 'The query field describes the query string of the request, such
-        as "q=elasticsearch".
+      description: 'The field contains the entire query string excluding the leading
+        `?`.
+
+        The query field describes the query string of the request, such as "q=elasticsearch".
 
         The `?` is excluded from the query string. If a URL contains no `?`, there
         is no query field. If there is a `?` but no query, the query field exists
         with an empty string. The `exists` query can be used to differentiate between
         the two cases.'
+      example: q=elasticsearch&sort=desc
       flat_name: threat.indicator.url.query
       ignore_above: 2083
       level: extended
@@ -25293,13 +25299,16 @@ url:
       type: long
     url.query:
       dashed_name: url-query
-      description: 'The query field describes the query string of the request, such
-        as "q=elasticsearch".
+      description: 'The field contains the entire query string excluding the leading
+        `?`.
+
+        The query field describes the query string of the request, such as "q=elasticsearch".
 
         The `?` is excluded from the query string. If a URL contains no `?`, there
         is no query field. If there is a `?` but no query, the query field exists
         with an empty string. The `exists` query can be used to differentiate between
         the two cases.'
+      example: q=elasticsearch&sort=desc
       flat_name: url.query
       ignore_above: 2083
       level: extended
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 95a9ab77ea..3338bd4fcb 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -10571,13 +10571,16 @@
       level: extended
       type: keyword
       ignore_above: 2083
-      description: 'The query field describes the query string of the request, such
-        as "q=elasticsearch".
+      description: 'The field contains the entire query string excluding the leading
+        `?`.
+
+        The query field describes the query string of the request, such as "q=elasticsearch".
 
         The `?` is excluded from the query string. If a URL contains no `?`, there
         is no query field. If there is a `?` but no query, the query field exists
         with an empty string. The `exists` query can be used to differentiate between
         the two cases.'
+      example: q=elasticsearch&sort=desc
       default_field: false
     - name: enrichments.indicator.url.registered_domain
       level: extended
@@ -12231,13 +12234,16 @@
       level: extended
       type: keyword
       ignore_above: 2083
-      description: 'The query field describes the query string of the request, such
-        as "q=elasticsearch".
+      description: 'The field contains the entire query string excluding the leading
+        `?`.
+
+        The query field describes the query string of the request, such as "q=elasticsearch".
 
         The `?` is excluded from the query string. If a URL contains no `?`, there
         is no query field. If there is a `?` but no query, the query field exists
         with an empty string. The `exists` query can be used to differentiate between
         the two cases.'
+      example: q=elasticsearch&sort=desc
       default_field: false
     - name: indicator.url.registered_domain
       level: extended
@@ -13300,13 +13306,16 @@
       level: extended
       type: keyword
       ignore_above: 2083
-      description: 'The query field describes the query string of the request, such
-        as "q=elasticsearch".
+      description: 'The field contains the entire query string excluding the leading
+        `?`.
+
+        The query field describes the query string of the request, such as "q=elasticsearch".
 
         The `?` is excluded from the query string. If a URL contains no `?`, there
         is no query field. If there is a `?` but no query, the query field exists
         with an empty string. The `exists` query can be used to differentiate between
         the two cases.'
+      example: q=elasticsearch&sort=desc
     - name: registered_domain
       level: extended
       type: keyword
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 89b6e21ed0..3d0b05d4e0 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -1354,7 +1354,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request.
 9.1.0-dev,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
 9.1.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443."
-9.1.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request.
+9.1.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,q=elasticsearch&sort=desc,Query string of the request.
 9.1.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
 9.1.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url.
 9.1.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain.
@@ -1577,7 +1577,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request.
 9.1.0-dev,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
 9.1.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443."
-9.1.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request.
+9.1.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,q=elasticsearch&sort=desc,Query string of the request.
 9.1.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
 9.1.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url.
 9.1.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain.
@@ -1713,7 +1713,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0-dev,true,url,url.password,keyword,extended,,,Password of the request.
 9.1.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
 9.1.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
-9.1.0-dev,true,url,url.query,keyword,extended,,,Query string of the request.
+9.1.0-dev,true,url,url.query,keyword,extended,,q=elasticsearch&sort=desc,Query string of the request.
 9.1.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
 9.1.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
 9.1.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index d697dd36fa..318b3785d3 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -17678,13 +17678,15 @@ threat.enrichments.indicator.url.port:
   type: long
 threat.enrichments.indicator.url.query:
   dashed_name: threat-enrichments-indicator-url-query
-  description: 'The query field describes the query string of the request, such as
-    "q=elasticsearch".
+  description: 'The field contains the entire query string excluding the leading `?`.
+
+    The query field describes the query string of the request, such as "q=elasticsearch".
 
     The `?` is excluded from the query string. If a URL contains no `?`, there is
     no query field. If there is a `?` but no query, the query field exists with an
     empty string. The `exists` query can be used to differentiate between the two
     cases.'
+  example: q=elasticsearch&sort=desc
   flat_name: threat.enrichments.indicator.url.query
   ignore_above: 2083
   level: extended
@@ -20477,13 +20479,15 @@ threat.indicator.url.port:
   type: long
 threat.indicator.url.query:
   dashed_name: threat-indicator-url-query
-  description: 'The query field describes the query string of the request, such as
-    "q=elasticsearch".
+  description: 'The field contains the entire query string excluding the leading `?`.
+
+    The query field describes the query string of the request, such as "q=elasticsearch".
 
     The `?` is excluded from the query string. If a URL contains no `?`, there is
     no query field. If there is a `?` but no query, the query field exists with an
     empty string. The `exists` query can be used to differentiate between the two
     cases.'
+  example: q=elasticsearch&sort=desc
   flat_name: threat.indicator.url.query
   ignore_above: 2083
   level: extended
@@ -22320,13 +22324,15 @@ url.port:
   type: long
 url.query:
   dashed_name: url-query
-  description: 'The query field describes the query string of the request, such as
-    "q=elasticsearch".
+  description: 'The field contains the entire query string excluding the leading `?`.
+
+    The query field describes the query string of the request, such as "q=elasticsearch".
 
     The `?` is excluded from the query string. If a URL contains no `?`, there is
     no query field. If there is a `?` but no query, the query field exists with an
     empty string. The `exists` query can be used to differentiate between the two
     cases.'
+  example: q=elasticsearch&sort=desc
   flat_name: url.query
   ignore_above: 2083
   level: extended
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 50c61c1803..4d2a33ec5e 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -20435,13 +20435,16 @@ threat:
       type: long
     threat.enrichments.indicator.url.query:
       dashed_name: threat-enrichments-indicator-url-query
-      description: 'The query field describes the query string of the request, such
-        as "q=elasticsearch".
+      description: 'The field contains the entire query string excluding the leading
+        `?`.
+
+        The query field describes the query string of the request, such as "q=elasticsearch".
 
         The `?` is excluded from the query string. If a URL contains no `?`, there
         is no query field. If there is a `?` but no query, the query field exists
         with an empty string. The `exists` query can be used to differentiate between
         the two cases.'
+      example: q=elasticsearch&sort=desc
       flat_name: threat.enrichments.indicator.url.query
       ignore_above: 2083
       level: extended
@@ -23242,13 +23245,16 @@ threat:
       type: long
     threat.indicator.url.query:
       dashed_name: threat-indicator-url-query
-      description: 'The query field describes the query string of the request, such
-        as "q=elasticsearch".
+      description: 'The field contains the entire query string excluding the leading
+        `?`.
+
+        The query field describes the query string of the request, such as "q=elasticsearch".
 
         The `?` is excluded from the query string. If a URL contains no `?`, there
         is no query field. If there is a `?` but no query, the query field exists
         with an empty string. The `exists` query can be used to differentiate between
         the two cases.'
+      example: q=elasticsearch&sort=desc
       flat_name: threat.indicator.url.query
       ignore_above: 2083
       level: extended
@@ -25213,13 +25219,16 @@ url:
       type: long
     url.query:
       dashed_name: url-query
-      description: 'The query field describes the query string of the request, such
-        as "q=elasticsearch".
+      description: 'The field contains the entire query string excluding the leading
+        `?`.
+
+        The query field describes the query string of the request, such as "q=elasticsearch".
 
         The `?` is excluded from the query string. If a URL contains no `?`, there
         is no query field. If there is a `?` but no query, the query field exists
         with an empty string. The `exists` query can be used to differentiate between
         the two cases.'
+      example: q=elasticsearch&sort=desc
       flat_name: url.query
       ignore_above: 2083
       level: extended

From 08c7c64bc7b89dcfd45d8fa8c06af17a15412067 Mon Sep 17 00:00:00 2001
From: Michael Wolf <michael.wolf@elastic.co>
Date: Mon, 23 Jun 2025 09:54:46 -0700
Subject: [PATCH 4/4] Trim trailing whitespace

---
 schemas/url.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/schemas/url.yml b/schemas/url.yml
index 93a4f2351c..458940fd5c 100644
--- a/schemas/url.yml
+++ b/schemas/url.yml
@@ -167,7 +167,7 @@
       short: Query string of the request.
       description: >
         The field contains the entire query string excluding the leading `?`.
-        
+
         The query field describes the query string of the request,
         such as "q=elasticsearch".