Component(s)

pkg/ottl

Is your feature request related to a problem? Please describe.

What is a community ID and why do we need it?

• It is a single unique ID based on the network flow info. It is an additional flow identifier and doesn't replace existing flow identification mechanisms already supported by the monitors. See the specification.
• When monitoring/analyzing network flow, for example threat hunting security use cases, it's often required to make "joins" on network source and destination info where community_id simplifies, also gives a better user experience when analyzing the data (aggregate by community ID to collect statistics, etc.)
• visual example
  

The feature is widely used and here some reference applications:

• Suricate, Zeek, MISP, etc..: https://zeek.org/2019/07/31/an-update-on-community-id/
• Wireshark: https://corelight.com/blog/community-id-support-for-wireshark
• Tenzip, a security data lake: Implement generic Community ID computation API tenzir/tenzir#525
• Elastic beats: https://www.elastic.co/guide/en/beats/filebeat/current/community-id.html
• Elasticsearch community_id: https://www.elastic.co/guide/en/beats/filebeat/current/community-id.html
• List of vendor implementations: https://github.com/corelight/community-id-spec?tab=readme-ov-file#production-implementations

Describe the solution you'd like

Introduce a converter which calculates the community ID based on the specification.

Describe alternatives you've considered

This requires a discussion of either

• implement from scratch like Elastic beats has communityid
• or use existing active go library, such as https://pkg.go.dev/github.com/satta/gommunityid

Additional context

No response

Example

• Config

processors:
  batch:
  transform:
    log_statements:
      - context: log
        statements:
          - set(attributes["community_id"], CommunityID(attributes["source.ip"], attributes["source.port"], attributes["destination.ip"], attributes["destination.port"]))

• Expected output

Timestamp: 2018-12-13 14:51:00.3 +0000 UTC
SeverityText: Information
SeverityNumber: Info2(10)
Body: Str(Example log record)
Attributes:
     -> timestamp: Str(2025-05-21T09:25:18Z)
     -> source.ip: Str(123.124.125.126)
     -> source.port: Int(12345)
     -> destination.ip: Str(55.56.57.58)
     -> destination.port: Int(80)
     -> boolean.attribute: Bool(true)
     -> int.attribute: Int(10)
     -> double.attribute: Double(637.704)
     -> array.attribute: Slice(["many","values"])
     -> map.attribute: Map({"some.map.key":"some value"})
     -> community_id: Str(1:3vT0XsYnQuR8XHIYy6Acr7kpWGc=)
Trace ID: 5b8efff798038103d269b633813fc60c
Span ID: eee19b7ec3c1b174