When creating events, use the following conventions for field names and abbreviations.
Use the following naming conventions for field names:
- All fields must be lower case.
- Use snake case (underscores) for combining words.
Group related fields into subdocuments by using dot (.) notation. Groups typically have common prefixes. For example, if you have fields called
CPUSystemin a service, you would convert them into
cpu.systemin the event.
Avoid repeating the namespace in field names. If a word or abbreviation appears in the namespace, it’s not needed in the field name. For example, instead of
- Use units suffix when the metric matches one of the known units.
- Use standardised names and avoid using abbreviations that aren’t commonly known.
Organise the documents from general to specific to allow for namespacing. The type, such as
.pct, should always be last. For example,
If two fields are the same, but with different units, remove the less granular one. For example, include
timeout.sec, but don’t include
timeout.min. If a less granular value is required, you can calculate it later.
If a field name matches the namespace used for nested fields, add
.valueto the field name. For example, instead of:
workers workers.busy workers.idle
workers.value workers.busy workers.idle
- Do not use dots (.) in individual field names. Dots are reserved for grouping related fields into subdocuments.
Use singular and plural names properly to reflect the field content. For example, use
These are well-known suffixes to represent units of stored values, use them as a dotted suffix when
possible. For example
Here is a list of standardised names and units that are used across all Beats: