APM Error fields

Error-specific data for APM

processor.name

Processor name.

type: keyword

processor.event

Processor event.

type: keyword

timestamp.us

Timestamp of the event in microseconds since Unix epoch.

type: long

message

The original error message.

type: text

Yes ECS field.

url

A complete URL, with scheme, host and path.

url.scheme

The protocol of the request, e.g. "https:".

type: keyword

Yes ECS field.

url.full

The full, possibly agent-assembled URL of the request, e.g. https://example.com:443/search?q=elasticsearch#top.

type: keyword

Yes ECS field.

url.domain

The hostname of the request, e.g. "example.com".

type: keyword

Yes ECS field.

url.port

The port of the request, e.g. 443.

type: long

Yes ECS field.

url.path

The path of the request, e.g. "/search".

type: keyword

Yes ECS field.

url.query

The query string of the request, e.g. "q=elasticsearch".

type: keyword

Yes ECS field.

url.fragment

A fragment specifying a location in a web page, e.g. "top".

type: keyword

Yes ECS field.

http.version

The HTTP version of the request leading to this event.

type: keyword

Yes ECS field.

http.request.method

The HTTP method of the request leading to this event.

type: keyword

Yes ECS field.

http.request.headers

The canonical headers of the monitored HTTP request.

type: object

Object is not enabled.

http.request.referrer

Referrer for this HTTP request.

type: keyword

Yes ECS field.

http.response.status_code

The status code of the HTTP response.

type: long

Yes ECS field.

http.response.finished

Used by the Node agent to indicate when in the response life cycle an error has occurred.

type: boolean

http.response.headers

The canonical headers of the monitored HTTP response.

type: object

Object is not enabled.

labels

A flat mapping of user-defined labels with string, boolean or number values.

type: object

Yes ECS field.

service

Service fields.

service.name

Immutable name of the service emitting this event.

type: keyword

Yes ECS field.

service.version

Version of the service emitting this event.

type: keyword

Yes ECS field.

service.environment

Service environment.

type: keyword

service.node.name

Unique meaningful name of the service node.

type: keyword

Yes ECS field.

service.language.name

Name of the programming language used.

type: keyword

service.language.version

Version of the programming language used.

type: keyword

service.runtime.name

Name of the runtime used.

type: keyword

service.runtime.version

Version of the runtime used.

type: keyword

service.framework.name

Name of the framework used.

type: keyword

service.framework.version

Version of the framework used.

type: keyword

transaction.id

The transaction ID.

type: keyword

Yes ECS field.

transaction.sampled

Transactions that are sampled will include all available information. Transactions that are not sampled will not have spans or context.

type: boolean

transaction.type

Keyword of specific relevance in the service’s domain (e.g. request, backgroundjob, etc.).

type: keyword

transaction.name

Generic designation of a transaction in the scope of a single service (e.g. GET /users/:id).

type: keyword

transaction.name.text

type: text

trace.id

The ID of the trace to which the event belongs.

type: keyword

Yes ECS field.

parent.id

The ID of the parent event.

type: keyword

agent.name

Name of the agent used.

type: keyword

Yes ECS field.

agent.version

Version of the agent used.

type: keyword

Yes ECS field.

agent.ephemeral_id

The Ephemeral ID identifies a running process.

type: keyword

Yes ECS field.

container

Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based on containers from any runtime.

container.id

Unique container id.

type: keyword

Yes ECS field.

kubernetes

Kubernetes metadata reported by agents

kubernetes.namespace

Kubernetes namespace

type: keyword

kubernetes.node.name

Kubernetes node name

type: keyword

kubernetes.pod.name

Kubernetes pod name

type: keyword

kubernetes.pod.uid

Kubernetes Pod UID

type: keyword

network

Optional network fields

connection

Network connection details

network.connection.type

Network connection type, e.g. "wifi", "cell".

type: keyword

network.connection.subtype

Detailed network connection sub-type, e.g. "LTE", "CDMA"

type: keyword

carrier

Network operator

network.carrier.name

Carrier name, e.g. Vodafone, T-Mobile, etc.

type: keyword

network.carrier.mcc

Mobile country code

type: keyword

network.carrier.mnc

Mobile network code

type: keyword

network.carrier.icc

ISO country code, e.g. US.

type: keyword

host

Optional host fields.

host.architecture

The architecture of the host the event was recorded on.

type: keyword

Yes ECS field.

host.hostname

The hostname of the host the event was recorded on.

type: keyword

Yes ECS field.

host.name

Name of the host the event was recorded on. It can contain the same information as host.hostname or a name specified by the user.

type: keyword

Yes ECS field.

host.ip

IP of the host that records the event.

type: ip

Yes ECS field.

The OS fields contain information about the operating system.

host.os.platform

The platform of the host the event was recorded on.

type: keyword

Yes ECS field.

process

Information pertaining to the running process where the data was collected

process.args

Process arguments. May be filtered to protect sensitive information.

type: keyword

Yes ECS field.

process.pid

Numeric process ID of the service process.

type: long

Yes ECS field.

process.ppid

Numeric ID of the service’s parent process.

type: long

Yes ECS field.

process.title

Service process title.

type: keyword

Yes ECS field.

observer.listening

Address the server is listening on.

type: keyword

observer.hostname

Hostname of the APM Server.

type: keyword

Yes ECS field.

observer.version

APM Server version.

type: keyword

Yes ECS field.

observer.version_major

Major version number of the observer

type: byte

observer.type

The type will be set to apm-server.

type: keyword

Yes ECS field.

observer.id

Unique identifier of the APM Server.

type: keyword

observer.ephemeral_id

Ephemeral identifier of the APM Server.

type: keyword

user.name

The username of the logged in user.

type: keyword

Yes ECS field.

user.domain

Domain of the logged in user.

type: keyword

Yes ECS field.

user.id

Identifier of the logged in user.

type: keyword

Yes ECS field.

user.email

Email of the logged in user.

type: keyword

Yes ECS field.

client.domain

Client domain.

type: keyword

Yes ECS field.

client.ip

IP address of the client of a recorded event. This is typically obtained from a request’s X-Forwarded-For or the X-Real-IP header or falls back to a given configuration for remote address.

type: ip

Yes ECS field.

client.port

Port of the client.

type: long

Yes ECS field.

source.domain

Source domain.

type: keyword

Yes ECS field.

source.ip

IP address of the source of a recorded event. This is typically obtained from a request’s X-Forwarded-For or the X-Real-IP header or falls back to a given configuration for remote address.

type: ip

Yes ECS field.

source.port

Port of the source.

type: long

Yes ECS field.

destination

Destination fields describe details about the destination of a packet/event. Destination fields are usually populated in conjunction with source fields.

destination.address

Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. Then it should be duplicated to .ip or .domain, depending on which one it is.

type: keyword

Yes ECS field.

destination.ip

IP address of the destination. Can be one of multiple IPv4 or IPv6 addresses.

type: ip

Yes ECS field.

destination.port

Port of the destination.

type: long

format: string

Yes ECS field.

user_agent

The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.

user_agent.original

Unparsed version of the user_agent.

type: keyword

example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1

Yes ECS field.

user_agent.original.text

Software agent acting on behalf of a user, e.g. a web browser / OS combination.

type: text

user_agent.name

Name of the user agent.

type: keyword

example: Safari

Yes ECS field.

user_agent.version

Version of the user agent.

type: keyword

example: 12.0

Yes ECS field.

device

Information concerning the device.

user_agent.device.name

Name of the device.

type: keyword

example: iPhone

Yes ECS field.

The OS fields contain information about the operating system.

user_agent.os.platform

Operating system platform (such as centos, ubuntu, windows).

type: keyword

example: darwin

Yes ECS field.

user_agent.os.name

Operating system name, without the version.

type: keyword

example: Mac OS X

Yes ECS field.

user_agent.os.full

Operating system name, including the version or code name.

type: keyword

example: Mac OS Mojave

Yes ECS field.

user_agent.os.family

OS family (such as redhat, debian, freebsd, windows).

type: keyword

example: debian

Yes ECS field.

user_agent.os.version

Operating system version as a raw string.

type: keyword

example: 10.14.1

Yes ECS field.

user_agent.os.kernel

Operating system kernel version as a raw string.

type: keyword

example: 4.4.0-112-generic

Yes ECS field.

cloud

Cloud metadata reported by agents

cloud.account.id

Cloud account ID

type: keyword

Yes ECS field.

cloud.account.name

Cloud account name

type: keyword

Yes ECS field.

cloud.availability_zone

Cloud availability zone name

type: keyword

example: us-east1-a

Yes ECS field.

cloud.instance.id

Cloud instance/machine ID

type: keyword

Yes ECS field.

cloud.instance.name

Cloud instance/machine name

type: keyword

Yes ECS field.

cloud.machine.type

Cloud instance/machine type

type: keyword

example: t2.medium

Yes ECS field.

cloud.project.id

Cloud project ID

type: keyword

Yes ECS field.

cloud.project.name

Cloud project name

type: keyword

Yes ECS field.

cloud.provider

Cloud provider name

type: keyword

example: gcp

Yes ECS field.

cloud.region

Cloud region name

type: keyword

example: us-east1

Yes ECS field.

cloud.service.name

Cloud service name, intended to distinguish services running on different platforms within a provider.

type: keyword

error

Data captured by an agent representing an event occurring in a monitored service.

error.id

The ID of the error.

type: keyword

Yes ECS field.

error.culprit

Function call which was the primary perpetrator of this event.

type: keyword

error.grouping_key

Hash of select properties of the logged error for grouping purposes.

type: keyword

error.grouping_name

Name to associate with an error group. Errors belonging to the same group (same grouping_key) may have differing values for grouping_name. Consumers may choose one arbitrarily.

type: keyword

exception

Information about the originally thrown error.

error.exception.code

The error code set when the error happened, e.g. database error code.

type: keyword

error.exception.message

The original error message.

type: text

error.exception.module

The module namespace of the original error.

type: keyword

error.exception.type

The type of the original error, e.g. the Java exception class name.

type: keyword

error.exception.handled

Indicates whether the error was caught somewhere in the code.

type: boolean

log

Additional information added by logging the error.

error.log.level

The severity of the record.

type: keyword

error.log.logger_name

The name of the logger instance used.

type: keyword

error.log.message

The additionally logged error message.

type: text

error.log.param_message

A parametrized message, e.g. "Could not connect to %s". The property message is still required, and should be equal to the param_message, but with placeholders replaced. In some situations the param_message is used to group errors together.

type: keyword