diff --git a/calico-cloud/observability/elastic/flow/datatypes.mdx b/calico-cloud/observability/elastic/flow/datatypes.mdx
index 93522a1408..6df5a659c9 100644
--- a/calico-cloud/observability/elastic/flow/datatypes.mdx
+++ b/calico-cloud/observability/elastic/flow/datatypes.mdx
@@ -26,7 +26,7 @@ The following table details the key/value pairs in the JSON blob, including thei
| `dest_service_name` | keyword | Name of the destination service. A `-` means the original destination did not correspond to a known Kubernetes service (e.g. a services ClusterIP). |
| `dest_service_namespace` | keyword | Namespace of the destination service. A `-` means the original destination did not correspond to a known Kubernetes service (e.g. a services ClusterIP). |
| `dest_service_port` | keyword | Port name of the destination service.
A `-` means :
- the original destination did not correspond to a known Kubernetes service (e.g. a services ClusterIP), or
- the destination port is aggregated.
A `*` means there are multiple service port names matching the destination port number. |
-| `dest_type` | keyword | Destination endpoint type. Possible values:
- `wep`: A workload endpoint, a pod in Kubernetes.
- `ns`: A Networkset. If multiple Networksets match, the selection priority is: namespace-specific match, then GlobalNetworkSets, then other namespace match. Within each category, the one with the longest prefix match is chosen. Ties are broken by lexicographic order.
- `net`: A Network. The IP address did not fall into a known endpoint type. |
+| `dest_type` | keyword | Destination endpoint type. Possible values:
- `wep`: A workload endpoint, a pod in Kubernetes.
- `ns`: A network set. If multiple match, priority is given to NetworkSets in the workload’s own namespace, then to GlobalNetworkSets, and then to NetworkSets in other namespaces. For ties between matching network sets within each category, CIDR matches outrank domain matches and longest-prefix wins between competing CIDR matches. Remaining ties are resolved alphabetically by the NetworkSet’s full identity (using namespace/name or just name).
- `net`: A Network. The IP address did not fall into a known endpoint type. |
| `dest_labels` | array of keywords | Labels applied to the destination pod. A hyphen indicates aggregation. |
| `dest_domains` | array of keywords | Find all the destination domain names for use in a DNS policy by examining `dest_domains`. The field displays information on the top-level domains linked to the destination IP. Applies to flows reported from the source to destinations outside the cluster. If `flowLogsDestDomainsByClient` is disabled, having `dest_domains`: ["A"] doesn't guarantee that the flow corresponds to a connection with domain name A. The destination IP may also be linked to other domain names not yet captured by Calico. |
| `reporter` | keyword | - `src`: flow came from the pod that initiated the connection.
- `dst`: flow came from the pod that received the initial connection.
- `fwd`: flow was forwarded through the node without being the source or destination. |
@@ -49,7 +49,7 @@ The following table details the key/value pairs in the JSON blob, including thei
| `source_name_aggr` | keyword | Contains one of the following values:
- Aggregated name of the source pod.
- `pvt`: Endpoint is not a pod. Its IP address belongs to a private subnet.
- `pub`: the endpoint is not a pod. Its IP address does not belong to a private subnet. It is probably an endpoint on the public internet. |
| `source_namespace` | keyword | Namespace of the source endpoint. A `-` means the endpoint is not namespaced. |
| `source_port` | long | Source port. A null value indicates aggregation. |
-| `source_type` | keyword | The type of source endpoint. Possible values:
- `wep`: A workload endpoint, a pod in Kubernetes.
- `ns`: A Networkset. If multiple Networksets match, the selection priority is: namespace-specific match, then GlobalNetworkSets, then other namespace match. Within each category, the one with the longest prefix match is chosen. Ties are broken by lexicographic order.
- `net`: A Network. The IP address did not fall into a known endpoint type. |
+| `source_type` | keyword | The type of source endpoint. Possible values:
- `wep`: A workload endpoint, a pod in Kubernetes.
- `ns`: A network set. If multiple match, priority is given to NetworkSets in the workload’s own namespace, then to GlobalNetworkSets, and then to NetworkSets in other namespaces. For ties between matching network sets within each category, the one with the longest-prefix match is chosen. Remaining ties are resolved alphabetically by the NetworkSet’s full identity (using namespace/name or just name).
- `net`: A Network. The IP address did not fall into a known endpoint type. |
| `source_labels` | array of keywords | Labels applied to the source pod. A hyphen indicates aggregation. |
| `original_source_ips` | array of ips | List of external IP addresses collected from requests made to the cluster through an ingress resource. This field is only available if capturing external IP addresses is configured. |
| `num_original_source_ips` | long | Number of unique external IP addresses collected from requests made to the cluster through an ingress resource. This count includes the IP addresses included in the `original_source_ips` field. This field is only available if capturing external IP addresses is configured. |
diff --git a/calico-cloud/observability/elastic/l7/datatypes.mdx b/calico-cloud/observability/elastic/l7/datatypes.mdx
index 6da4c437b9..b2a43d1ac4 100644
--- a/calico-cloud/observability/elastic/l7/datatypes.mdx
+++ b/calico-cloud/observability/elastic/l7/datatypes.mdx
@@ -22,10 +22,10 @@ The following table details the key/value pairs in the JSON blob, including thei
| `count` | long | Number of requests that match this combination of L7 data. |
| `src_name_aggr` | keyword | Contains one of the following values:
- Aggregated name of the source pod.
- `pvt`: endpoint is not a pod. Its IP address belongs to a private subnet.
- `pub`: endpoint is not a pod. Its IP address does not belong to a private subnet. It is probably an endpoint on the public internet. |
| `src_namespace` | keyword | Namespace of the source endpoint. |
-| `src_type` | keyword | Source endpoint type. Possible values:
- `wep`: A workload endpoint, a pod in Kubernetes.
- `ns`: A Networkset. If multiple Networksets match, the selection priority is: namespace-specific match, then GlobalNetworkSets, then other namespace match. Within each category, the one with the longest prefix match is chosen. Ties are broken by lexicographic order.
- `net`: A Network. The IP address did not fall into a known endpoint type. |
+| `src_type` | keyword | Source endpoint type. Possible values:
- `wep`: A workload endpoint, a pod in Kubernetes.
- `ns`: A network set. If multiple match, priority is given to NetworkSets in the workload’s own namespace, then to GlobalNetworkSets, and then to NetworkSets in other namespaces. For ties between matching network sets within each category, the one with the longest-prefix match is chosen. Remaining ties are resolved alphabetically by the NetworkSet’s full identity (using namespace/name or just name).
- `net`: A Network. The IP address did not fall into a known endpoint type. |
| `dest_name_aggr` | keyword | Contains one of the following values:
- Aggregated name of the destination pod.
- `pvt`: endpoint is not a pod. Its IP address belongs to a private subnet.
- `pub`: endpoint is not a pod. Its IP address does not belong to a private subnet. It is probably an endpoint on the public internet. |
| `dest_namespace` | keyword | Namespace of the destination endpoint. |
-| `dest_type` | keyword | Destination endpoint type. Possible values:
- `wep`: A workload endpoint, a pod in Kubernetes.
- `ns`: A Networkset. If multiple Networksets match, the selection priority is: namespace-specific match, then GlobalNetworkSets, then other namespace match. Within each category, the one with the longest prefix match is chosen. Ties are broken by lexicographic order.
- `net`: A Network. The IP address did not fall into a known endpoint type. |
+| `dest_type` | keyword | Destination endpoint type. Possible values:
- `wep`: A workload endpoint, a pod in Kubernetes.
- `ns`: A network set. If multiple match, priority is given to NetworkSets in the workload’s own namespace, then to GlobalNetworkSets, and then to NetworkSets in other namespaces. For ties between matching network sets within each category, CIDR matches outrank domain matches and longest-prefix wins between competing CIDR matches. Remaining ties are resolved alphabetically by the NetworkSet’s full identity (using namespace/name or just name).
- `net`: A Network. The IP address did not fall into a known endpoint type. |
| `dest_service_name` | keyword | Name of the destination service. This may be empty if the request was not made against a service. |
| `dest_service_namespace` | keyword | Namespace of the destination service. This may be empty if the request was not made against a service. |
| `dest_service_port` | long | Destination service port. |
diff --git a/calico-enterprise/observability/elastic/flow/datatypes.mdx b/calico-enterprise/observability/elastic/flow/datatypes.mdx
index be3ea64603..9f981d5b47 100644
--- a/calico-enterprise/observability/elastic/flow/datatypes.mdx
+++ b/calico-enterprise/observability/elastic/flow/datatypes.mdx
@@ -26,7 +26,7 @@ The following table details the key/value pairs in the JSON blob, including thei
| `dest_service_name` | keyword | Name of the destination service. A `-` means the original destination did not correspond to a known Kubernetes service (e.g. a services ClusterIP). |
| `dest_service_namespace` | keyword | Namespace of the destination service. A `-` means the original destination did not correspond to a known Kubernetes service (e.g. a services ClusterIP). |
| `dest_service_port` | keyword | Port name of the destination service.
A `-` means :
- the original destination did not correspond to a known Kubernetes service (e.g. a services ClusterIP), or
- the destination port is aggregated.
A `*` means there are multiple service port names matching the destination port number. |
-| `dest_type` | keyword | Destination endpoint type. Possible values:
- `wep`: A workload endpoint, a pod in Kubernetes.
- `ns`: A Networkset. If multiple Networksets match, the selection priority is: namespace-specific match, then GlobalNetworkSets, then other namespace match. Within each category, the one with the longest prefix match is chosen. Ties are broken by lexicographic order.
- `net`: A Network. The IP address did not fall into a known endpoint type. |
+| `dest_type` | keyword | Destination endpoint type. Possible values:
- `wep`: A workload endpoint, a pod in Kubernetes.
- `ns`: A network set. If multiple match, priority is given to NetworkSets in the workload’s own namespace, then to GlobalNetworkSets, and then to NetworkSets in other namespaces. For ties between matching network sets within each category, CIDR matches outrank domain matches and longest-prefix wins between competing CIDR matches. Remaining ties are resolved alphabetically by the NetworkSet’s full identity (using namespace/name or just name).
- `net`: A Network. The IP address did not fall into a known endpoint type. |
| `dest_labels` | array of keywords | Labels applied to the destination pod. A hyphen indicates aggregation. |
| `dest_domains` | array of keywords | Find all the destination domain names for use in a DNS policy by examining `dest_domains`. The field displays information on the top-level domains linked to the destination IP. Applies to flows reported from the source to destinations outside the cluster. If `flowLogsDestDomainsByClient` is disabled, having `dest_domains`: ["A"] doesn't guarantee that the flow corresponds to a connection with domain name A. The destination IP may also be linked to other domain names not yet captured by Calico. |
| `reporter` | keyword | - `src`: flow came from the pod that initiated the connection.
- `dst`: flow came from the pod that received the initial connection.
- `fwd`: flow was forwarded through the node without being the source or destination. |
@@ -49,7 +49,7 @@ The following table details the key/value pairs in the JSON blob, including thei
| `source_name_aggr` | keyword | Contains one of the following values:
- Aggregated name of the source pod.
- `pvt`: Endpoint is not a pod. Its IP address belongs to a private subnet.
- `pub`: the endpoint is not a pod. Its IP address does not belong to a private subnet. It is probably an endpoint on the public internet. |
| `source_namespace` | keyword | Namespace of the source endpoint. A `-` means the endpoint is not namespaced. |
| `source_port` | long | Source port. A null value indicates aggregation. |
-| `source_type` | keyword | The type of source endpoint. Possible values:
- `wep`: A workload endpoint, a pod in Kubernetes.
- `ns`: A Networkset. If multiple Networksets match, the selection priority is: namespace-specific match, then GlobalNetworkSets, then other namespace match. Within each category, the one with the longest prefix match is chosen. Ties are broken by lexicographic order.
- `net`: A Network. The IP address did not fall into a known endpoint type. |
+| `source_type` | keyword | The type of source endpoint. Possible values:
- `wep`: A workload endpoint, a pod in Kubernetes.
- `ns`: A network set. If multiple match, priority is given to NetworkSets in the workload’s own namespace, then to GlobalNetworkSets, and then to NetworkSets in other namespaces. For ties between matching network sets within each category, the one with the longest-prefix match is chosen. Remaining ties are resolved alphabetically by the NetworkSet’s full identity (using namespace/name or just name).
- `net`: A Network. The IP address did not fall into a known endpoint type. |
| `source_labels` | array of keywords | Labels applied to the source pod. A hyphen indicates aggregation. |
| `original_source_ips` | array of ips | List of external IP addresses collected from requests made to the cluster through an ingress resource. This field is only available if capturing external IP addresses is configured. |
| `num_original_source_ips` | long | Number of unique external IP addresses collected from requests made to the cluster through an ingress resource. This count includes the IP addresses included in the `original_source_ips` field. This field is only available if capturing external IP addresses is configured. |
diff --git a/calico-enterprise/observability/elastic/l7/datatypes.mdx b/calico-enterprise/observability/elastic/l7/datatypes.mdx
index d9ded32541..4f6166f73d 100644
--- a/calico-enterprise/observability/elastic/l7/datatypes.mdx
+++ b/calico-enterprise/observability/elastic/l7/datatypes.mdx
@@ -22,10 +22,10 @@ The following table details the key/value pairs in the JSON blob, including thei
| `count` | long | Number of requests that match this combination of L7 data. |
| `src_name_aggr` | keyword | Contains one of the following values:
- Aggregated name of the source pod.
- `pvt`: endpoint is not a pod. Its IP address belongs to a private subnet.
- `pub`: endpoint is not a pod. Its IP address does not belong to a private subnet. It is probably an endpoint on the public internet. |
| `src_namespace` | keyword | Namespace of the source endpoint. |
-| `src_type` | keyword | Source endpoint type. Possible values:
- `wep`: A workload endpoint, a pod in Kubernetes.
- `ns`: A Networkset. If multiple Networksets match, the selection priority is: namespace-specific match, then GlobalNetworkSets, then other namespace match. Within each category, the one with the longest prefix match is chosen. Ties are broken by lexicographic order.
- `net`: A Network. The IP address did not fall into a known endpoint type. |
+| `src_type` | keyword | Source endpoint type. Possible values:
- `wep`: A workload endpoint, a pod in Kubernetes.
- `ns`: A network set. If multiple match, priority is given to NetworkSets in the workload’s own namespace, then to GlobalNetworkSets, and then to NetworkSets in other namespaces. For ties between matching network sets within each category, the one with the longest-prefix match is chosen. Remaining ties are resolved alphabetically by the NetworkSet’s full identity (using namespace/name or just name).
- `net`: A Network. The IP address did not fall into a known endpoint type. |
| `dest_name_aggr` | keyword | Contains one of the following values:
- Aggregated name of the destination pod.
- `pvt`: endpoint is not a pod. Its IP address belongs to a private subnet.
- `pub`: endpoint is not a pod. Its IP address does not belong to a private subnet. It is probably an endpoint on the public internet. |
| `dest_namespace` | keyword | Namespace of the destination endpoint. |
-| `dest_type` | keyword | Destination endpoint type. Possible values:
- `wep`: A workload endpoint, a pod in Kubernetes.
- `ns`: A Networkset. If multiple Networksets match, the selection priority is: namespace-specific match, then GlobalNetworkSets, then other namespace match. Within each category, the one with the longest prefix match is chosen. Ties are broken by lexicographic order.
- `net`: A Network. The IP address did not fall into a known endpoint type. |
+| `dest_type` | keyword | Destination endpoint type. Possible values:
- `wep`: A workload endpoint, a pod in Kubernetes.
- `ns`: A network set. If multiple match, priority is given to NetworkSets in the workload’s own namespace, then to GlobalNetworkSets, and then to NetworkSets in other namespaces. For ties between matching network sets within each category, CIDR matches outrank domain matches and longest-prefix wins between competing CIDR matches. Remaining ties are resolved alphabetically by the NetworkSet’s full identity (using namespace/name or just name).
- `net`: A Network. The IP address did not fall into a known endpoint type. |
| `dest_service_name` | keyword | Name of the destination service. This may be empty if the request was not made against a service. |
| `dest_service_namespace` | keyword | Namespace of the destination service. This may be empty if the request was not made against a service. |
| `dest_service_port` | long | Destination service port. |
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/flow/datatypes.mdx b/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/flow/datatypes.mdx
index be3ea64603..9f981d5b47 100644
--- a/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/flow/datatypes.mdx
+++ b/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/flow/datatypes.mdx
@@ -26,7 +26,7 @@ The following table details the key/value pairs in the JSON blob, including thei
| `dest_service_name` | keyword | Name of the destination service. A `-` means the original destination did not correspond to a known Kubernetes service (e.g. a services ClusterIP). |
| `dest_service_namespace` | keyword | Namespace of the destination service. A `-` means the original destination did not correspond to a known Kubernetes service (e.g. a services ClusterIP). |
| `dest_service_port` | keyword | Port name of the destination service.
A `-` means :
- the original destination did not correspond to a known Kubernetes service (e.g. a services ClusterIP), or
- the destination port is aggregated.
A `*` means there are multiple service port names matching the destination port number. |
-| `dest_type` | keyword | Destination endpoint type. Possible values:
- `wep`: A workload endpoint, a pod in Kubernetes.
- `ns`: A Networkset. If multiple Networksets match, the selection priority is: namespace-specific match, then GlobalNetworkSets, then other namespace match. Within each category, the one with the longest prefix match is chosen. Ties are broken by lexicographic order.
- `net`: A Network. The IP address did not fall into a known endpoint type. |
+| `dest_type` | keyword | Destination endpoint type. Possible values:
- `wep`: A workload endpoint, a pod in Kubernetes.
- `ns`: A network set. If multiple match, priority is given to NetworkSets in the workload’s own namespace, then to GlobalNetworkSets, and then to NetworkSets in other namespaces. For ties between matching network sets within each category, CIDR matches outrank domain matches and longest-prefix wins between competing CIDR matches. Remaining ties are resolved alphabetically by the NetworkSet’s full identity (using namespace/name or just name).
- `net`: A Network. The IP address did not fall into a known endpoint type. |
| `dest_labels` | array of keywords | Labels applied to the destination pod. A hyphen indicates aggregation. |
| `dest_domains` | array of keywords | Find all the destination domain names for use in a DNS policy by examining `dest_domains`. The field displays information on the top-level domains linked to the destination IP. Applies to flows reported from the source to destinations outside the cluster. If `flowLogsDestDomainsByClient` is disabled, having `dest_domains`: ["A"] doesn't guarantee that the flow corresponds to a connection with domain name A. The destination IP may also be linked to other domain names not yet captured by Calico. |
| `reporter` | keyword | - `src`: flow came from the pod that initiated the connection.
- `dst`: flow came from the pod that received the initial connection.
- `fwd`: flow was forwarded through the node without being the source or destination. |
@@ -49,7 +49,7 @@ The following table details the key/value pairs in the JSON blob, including thei
| `source_name_aggr` | keyword | Contains one of the following values:
- Aggregated name of the source pod.
- `pvt`: Endpoint is not a pod. Its IP address belongs to a private subnet.
- `pub`: the endpoint is not a pod. Its IP address does not belong to a private subnet. It is probably an endpoint on the public internet. |
| `source_namespace` | keyword | Namespace of the source endpoint. A `-` means the endpoint is not namespaced. |
| `source_port` | long | Source port. A null value indicates aggregation. |
-| `source_type` | keyword | The type of source endpoint. Possible values:
- `wep`: A workload endpoint, a pod in Kubernetes.
- `ns`: A Networkset. If multiple Networksets match, the selection priority is: namespace-specific match, then GlobalNetworkSets, then other namespace match. Within each category, the one with the longest prefix match is chosen. Ties are broken by lexicographic order.
- `net`: A Network. The IP address did not fall into a known endpoint type. |
+| `source_type` | keyword | The type of source endpoint. Possible values:
- `wep`: A workload endpoint, a pod in Kubernetes.
- `ns`: A network set. If multiple match, priority is given to NetworkSets in the workload’s own namespace, then to GlobalNetworkSets, and then to NetworkSets in other namespaces. For ties between matching network sets within each category, the one with the longest-prefix match is chosen. Remaining ties are resolved alphabetically by the NetworkSet’s full identity (using namespace/name or just name).
- `net`: A Network. The IP address did not fall into a known endpoint type. |
| `source_labels` | array of keywords | Labels applied to the source pod. A hyphen indicates aggregation. |
| `original_source_ips` | array of ips | List of external IP addresses collected from requests made to the cluster through an ingress resource. This field is only available if capturing external IP addresses is configured. |
| `num_original_source_ips` | long | Number of unique external IP addresses collected from requests made to the cluster through an ingress resource. This count includes the IP addresses included in the `original_source_ips` field. This field is only available if capturing external IP addresses is configured. |
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/l7/datatypes.mdx b/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/l7/datatypes.mdx
index d9ded32541..4f6166f73d 100644
--- a/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/l7/datatypes.mdx
+++ b/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/l7/datatypes.mdx
@@ -22,10 +22,10 @@ The following table details the key/value pairs in the JSON blob, including thei
| `count` | long | Number of requests that match this combination of L7 data. |
| `src_name_aggr` | keyword | Contains one of the following values:
- Aggregated name of the source pod.
- `pvt`: endpoint is not a pod. Its IP address belongs to a private subnet.
- `pub`: endpoint is not a pod. Its IP address does not belong to a private subnet. It is probably an endpoint on the public internet. |
| `src_namespace` | keyword | Namespace of the source endpoint. |
-| `src_type` | keyword | Source endpoint type. Possible values:
- `wep`: A workload endpoint, a pod in Kubernetes.
- `ns`: A Networkset. If multiple Networksets match, the selection priority is: namespace-specific match, then GlobalNetworkSets, then other namespace match. Within each category, the one with the longest prefix match is chosen. Ties are broken by lexicographic order.
- `net`: A Network. The IP address did not fall into a known endpoint type. |
+| `src_type` | keyword | Source endpoint type. Possible values:
- `wep`: A workload endpoint, a pod in Kubernetes.
- `ns`: A network set. If multiple match, priority is given to NetworkSets in the workload’s own namespace, then to GlobalNetworkSets, and then to NetworkSets in other namespaces. For ties between matching network sets within each category, the one with the longest-prefix match is chosen. Remaining ties are resolved alphabetically by the NetworkSet’s full identity (using namespace/name or just name).
- `net`: A Network. The IP address did not fall into a known endpoint type. |
| `dest_name_aggr` | keyword | Contains one of the following values:
- Aggregated name of the destination pod.
- `pvt`: endpoint is not a pod. Its IP address belongs to a private subnet.
- `pub`: endpoint is not a pod. Its IP address does not belong to a private subnet. It is probably an endpoint on the public internet. |
| `dest_namespace` | keyword | Namespace of the destination endpoint. |
-| `dest_type` | keyword | Destination endpoint type. Possible values:
- `wep`: A workload endpoint, a pod in Kubernetes.
- `ns`: A Networkset. If multiple Networksets match, the selection priority is: namespace-specific match, then GlobalNetworkSets, then other namespace match. Within each category, the one with the longest prefix match is chosen. Ties are broken by lexicographic order.
- `net`: A Network. The IP address did not fall into a known endpoint type. |
+| `dest_type` | keyword | Destination endpoint type. Possible values:
- `wep`: A workload endpoint, a pod in Kubernetes.
- `ns`: A network set. If multiple match, priority is given to NetworkSets in the workload’s own namespace, then to GlobalNetworkSets, and then to NetworkSets in other namespaces. For ties between matching network sets within each category, CIDR matches outrank domain matches and longest-prefix wins between competing CIDR matches. Remaining ties are resolved alphabetically by the NetworkSet’s full identity (using namespace/name or just name).
- `net`: A Network. The IP address did not fall into a known endpoint type. |
| `dest_service_name` | keyword | Name of the destination service. This may be empty if the request was not made against a service. |
| `dest_service_namespace` | keyword | Namespace of the destination service. This may be empty if the request was not made against a service. |
| `dest_service_port` | long | Destination service port. |