System fields

System status metrics, like CPU and memory usage, that are collected from the operating system.

system fields

system contains local system metrics.

core fields

system-core contains CPU metrics for a single core of a multi-core system.

system.core.id

type: long

CPU Core number.

system.core.user.pct

type: scaled_float

format: percent

The percentage of CPU time spent in user space.

system.core.user.ticks

type: long

The amount of CPU time spent in user space.

system.core.system.pct

type: scaled_float

format: percent

The percentage of CPU time spent in kernel space.

system.core.system.ticks

type: long

The amount of CPU time spent in kernel space.

system.core.nice.pct

type: scaled_float

format: percent

The percentage of CPU time spent on low-priority processes.

system.core.nice.ticks

type: long

The amount of CPU time spent on low-priority processes.

system.core.idle.pct

type: scaled_float

format: percent

The percentage of CPU time spent idle.

system.core.idle.ticks

type: long

The amount of CPU time spent idle.

system.core.iowait.pct

type: scaled_float

format: percent

The percentage of CPU time spent in wait (on disk).

system.core.iowait.ticks

type: long

The amount of CPU time spent in wait (on disk).

system.core.irq.pct

type: scaled_float

format: percent

The percentage of CPU time spent servicing and handling hardware interrupts.

system.core.irq.ticks

type: long

The amount of CPU time spent servicing and handling hardware interrupts.

system.core.softirq.pct

type: scaled_float

format: percent

The percentage of CPU time spent servicing and handling software interrupts.

system.core.softirq.ticks

type: long

The amount of CPU time spent servicing and handling software interrupts.

system.core.steal.pct

type: scaled_float

format: percent

The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.

system.core.steal.ticks

type: long

The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.

cpu fields

cpu contains local CPU stats.

system.cpu.cores

type: long

The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of 100% * cores. The normalized percentages already take this value into account and have a maximum value of 100%.

system.cpu.user.pct

type: scaled_float

format: percent

The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the system.cpu.user.pct will be 180%.

system.cpu.system.pct

type: scaled_float

format: percent

The percentage of CPU time spent in kernel space.

system.cpu.nice.pct

type: scaled_float

format: percent

The percentage of CPU time spent on low-priority processes.

system.cpu.idle.pct

type: scaled_float

format: percent

The percentage of CPU time spent idle.

system.cpu.iowait.pct

type: scaled_float

format: percent

The percentage of CPU time spent in wait (on disk).

system.cpu.irq.pct

type: scaled_float

format: percent

The percentage of CPU time spent servicing and handling hardware interrupts.

system.cpu.softirq.pct

type: scaled_float

format: percent

The percentage of CPU time spent servicing and handling software interrupts.

system.cpu.steal.pct

type: scaled_float

format: percent

The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.

system.cpu.total.pct

type: scaled_float

format: percent

The percentage of CPU time spent in non-idle state.

system.cpu.user.norm.pct

type: scaled_float

format: percent

The percentage of CPU time spent in user space.

system.cpu.system.norm.pct

type: scaled_float

format: percent

The percentage of CPU time spent in kernel space.

system.cpu.nice.norm.pct

type: scaled_float

format: percent

The percentage of CPU time spent on low-priority processes.

system.cpu.idle.norm.pct

type: scaled_float

format: percent

The percentage of CPU time spent idle.

system.cpu.iowait.norm.pct

type: scaled_float

format: percent

The percentage of CPU time spent in wait (on disk).

system.cpu.irq.norm.pct

type: scaled_float

format: percent

The percentage of CPU time spent servicing and handling hardware interrupts.

system.cpu.softirq.norm.pct

type: scaled_float

format: percent

The percentage of CPU time spent servicing and handling software interrupts.

system.cpu.steal.norm.pct

type: scaled_float

format: percent

The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.

system.cpu.total.norm.pct

type: scaled_float

format: percent

The percentage of CPU time spent in non-idle state.

system.cpu.total.value

type: long

The value of CPU usage since starting the process.

system.cpu.user.ticks

type: long

The amount of CPU time spent in user space.

system.cpu.system.ticks

type: long

The amount of CPU time spent in kernel space.

system.cpu.nice.ticks

type: long

The amount of CPU time spent on low-priority processes.

system.cpu.idle.ticks

type: long

The amount of CPU time spent idle.

system.cpu.iowait.ticks

type: long

The amount of CPU time spent in wait (on disk).

system.cpu.irq.ticks

type: long

The amount of CPU time spent servicing and handling hardware interrupts.

system.cpu.softirq.ticks

type: long

The amount of CPU time spent servicing and handling software interrupts.

system.cpu.steal.ticks

type: long

The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.

diskio fields

disk contains disk IO metrics collected from the operating system.

system.diskio.name

type: keyword

example: sda1

The disk name.

system.diskio.serial_number

type: keyword

The disk’s serial number. This may not be provided by all operating systems.

system.diskio.read.count

type: long

The total number of reads completed successfully.

system.diskio.write.count

type: long

The total number of writes completed successfully.

system.diskio.read.bytes

type: long

format: bytes

The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512.

system.diskio.write.bytes

type: long

format: bytes

The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512.

system.diskio.read.time

type: long

The total number of milliseconds spent by all reads.

system.diskio.write.time

type: long

The total number of milliseconds spent by all writes.

system.diskio.io.time

type: long

The total number of milliseconds spent doing I/Os.

system.diskio.iostat.read.request.merges_per_sec

type: float

The number of read requests merged per second that were queued to the device.

system.diskio.iostat.write.request.merges_per_sec

type: float

The number of write requests merged per second that were queued to the device.

system.diskio.iostat.read.request.per_sec

type: float

The number of read requests that were issued to the device per second.

system.diskio.iostat.write.request.per_sec

type: float

The number of write requests that were issued to the device per second.

system.diskio.iostat.read.per_sec.bytes

type: float

format: bytes

The number of bytes read from the device per second.

system.diskio.iostat.write.per_sec.bytes

type: float

format: bytes

The number of bytes written to the device per second.

system.diskio.iostat.request.avg_size

type: float

The average size (in sectors) of the requests that were issued to the device.

system.diskio.iostat.queue.avg_size

type: float

The average queue length of the requests that were issued to the device.

system.diskio.iostat.await

type: float

The average time spent for requests issued to the device to be served.

system.diskio.iostat.service_time

type: float

The average service time (in milliseconds) for I/O requests that were issued to the device.

system.diskio.iostat.busy

type: float

Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%.

filesystem fields

filesystem contains local filesystem stats.

system.filesystem.available

type: long

format: bytes

The disk space available to an unprivileged user in bytes.

system.filesystem.device_name

type: keyword

The disk name. For example: /dev/disk1

system.filesystem.type

type: keyword

The disk type. For example: ext4

system.filesystem.mount_point

type: keyword

The mounting point. For example: /

system.filesystem.files

type: long

The total number of file nodes in the file system.

system.filesystem.free

type: long

format: bytes

The disk space available in bytes.

system.filesystem.free_files

type: long

The number of free file nodes in the file system.

system.filesystem.total

type: long

format: bytes

The total disk space in bytes.

system.filesystem.used.bytes

type: long

format: bytes

The used disk space in bytes.

system.filesystem.used.pct

type: scaled_float

format: percent

The percentage of used disk space.

fsstat fields

system.fsstat contains filesystem metrics aggregated from all mounted filesystems, similar to what df -a prints out.

system.fsstat.count

type: long

Number of file systems found.

system.fsstat.total_files

type: long

Total number of files.

total_size fields

Nested file system docs.

system.fsstat.total_size.free

type: long

format: bytes

Total free space.

system.fsstat.total_size.used

type: long

format: bytes

Total used space.

system.fsstat.total_size.total

type: long

format: bytes

Total space (used plus free).

load fields

CPU load averages.

system.load.1

type: scaled_float

Load average for the last minute.

system.load.5

type: scaled_float

Load average for the last 5 minutes.

system.load.15

type: scaled_float

Load average for the last 15 minutes.

system.load.norm.1

type: scaled_float

Load for the last minute divided by the number of cores.

system.load.norm.5

type: scaled_float

Load for the last 5 minutes divided by the number of cores.

system.load.norm.15

type: scaled_float

Load for the last 15 minutes divided by the number of cores.

system.load.cores

type: long

The number of CPU cores present on the host.

memory fields

memory contains local memory stats.

system.memory.total

type: long

format: bytes

Total memory.

system.memory.used.bytes

type: long

format: bytes

Used memory.

system.memory.free

type: long

format: bytes

The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free).

system.memory.used.pct

type: scaled_float

format: percent

The percentage of used memory.

actual fields

Actual memory used and free.

system.memory.actual.used.bytes

type: long

format: bytes

Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, see system.memory.actual.free.

system.memory.actual.free

type: long

format: bytes

Actual free memory in bytes. It is calculated based on the OS. On Linux it consists of the free memory plus caches and buffers. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to system.memory.free.

system.memory.actual.used.pct

type: scaled_float

format: percent

The percentage of actual used memory.

swap fields

This group contains statistics related to the swap memory usage on the system.

system.memory.swap.total

type: long

format: bytes

Total swap memory.

system.memory.swap.used.bytes

type: long

format: bytes

Used swap memory.

system.memory.swap.free

type: long

format: bytes

Available swap memory.

system.memory.swap.used.pct

type: scaled_float

format: percent

The percentage of used swap memory.

network fields

network contains network IO metrics for a single network interface.

system.network.name

type: keyword

example: eth0

The network interface name.

system.network.out.bytes

type: long

format: bytes

The number of bytes sent.

system.network.in.bytes

type: long

format: bytes

The number of bytes received.

system.network.out.packets

type: long

The number of packets sent.

system.network.in.packets

type: long

The number of packets received.

system.network.in.errors

type: long

The number of errors while receiving.

system.network.out.errors

type: long

The number of errors while sending.

system.network.in.dropped

type: long

The number of incoming packets that were dropped.

system.network.out.dropped

type: long

The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system.

process fields

process contains process metadata, CPU metrics, and memory metrics.

system.process.name

type: keyword

The process name.

system.process.state

type: keyword

The process state. For example: "running".

system.process.pid

type: long

The process pid.

system.process.ppid

type: long

The process parent pid.

system.process.pgid

type: long

The process group id.

system.process.cmdline

type: keyword

The full command-line used to start the process, including the arguments separated by space.

system.process.username

type: keyword

The username of the user that created the process. If the username cannot be determined, the field will contain the user’s numeric identifier (UID). On Windows, this field includes the user’s domain and is formatted as domain\username.

system.process.cwd

type: keyword

The current working directory of the process. This field is only available on Linux.

system.process.env

type: object

The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X.

cpu fields

CPU-specific statistics per process.

system.process.cpu.user.ticks

type: long

The amount of CPU time the process spent in user space.

system.process.cpu.total.value

type: long

The value of CPU usage since starting the process.

system.process.cpu.total.pct

type: scaled_float

format: percent

The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems.

system.process.cpu.total.norm.pct

type: scaled_float

format: percent

The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%.

system.process.cpu.system.ticks

type: long

The amount of CPU time the process spent in kernel space.

system.process.cpu.total.ticks

type: long

The total CPU time spent by the process.

system.process.cpu.start_time

type: date

The time when the process was started.

memory fields

Memory-specific statistics per process.

system.process.memory.size

type: long

format: bytes

The total virtual memory the process has.

system.process.memory.rss.bytes

type: long

format: bytes

The Resident Set Size. The amount of memory the process occupied in main memory (RAM).

system.process.memory.rss.pct

type: scaled_float

format: percent

The percentage of memory the process occupied in main memory (RAM).

system.process.memory.share

type: long

format: bytes

The shared memory the process uses.

fd fields

File descriptor usage metrics. This set of metrics is available for Linux and FreeBSD.

system.process.fd.open

type: long

The number of file descriptors open by the process.

system.process.fd.limit.soft

type: long

The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time.

system.process.fd.limit.hard

type: long

The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root.

cgroup fields

Metrics and limits from the cgroup of which the task is a member. cgroup metrics are reported when the process has membership in a non-root cgroup. These metrics are only available on Linux.

system.process.cgroup.id

type: keyword

The ID common to all cgroups associated with this task. If there isn’t a common ID used by all cgroups this field will be absent.

system.process.cgroup.path

type: keyword

The path to the cgroup relative to the cgroup subsystem’s mountpoint. If there isn’t a common path used by all cgroups this field will be absent.

cpu fields

The cpu subsystem schedules CPU access for tasks in the cgroup. Access can be controlled by two separate schedulers, CFS and RT. CFS stands for completely fair scheduler which proportionally divides the CPU time between cgroups based on weight. RT stands for real time scheduler which sets a maximum amount of CPU time that processes in the cgroup can consume during a given period.

system.process.cgroup.cpu.id

type: keyword

ID of the cgroup.

system.process.cgroup.cpu.path

type: keyword

Path to the cgroup relative to the cgroup subsystem’s mountpoint.

system.process.cgroup.cpu.cfs.period.us

type: long

Period of time in microseconds for how regularly a cgroup’s access to CPU resources should be reallocated.

system.process.cgroup.cpu.cfs.quota.us

type: long

Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us).

system.process.cgroup.cpu.cfs.shares

type: long

An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher.

system.process.cgroup.cpu.rt.period.us

type: long

Period of time in microseconds for how regularly a cgroup’s access to CPU resources is reallocated.

system.process.cgroup.cpu.rt.runtime.us

type: long

Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources.

system.process.cgroup.cpu.stats.periods

type: long

Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed.

system.process.cgroup.cpu.stats.throttled.periods

type: long

Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota).

system.process.cgroup.cpu.stats.throttled.ns

type: long

The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled.

cpuacct fields

CPU accounting metrics.

system.process.cgroup.cpuacct.id

type: keyword

ID of the cgroup.

system.process.cgroup.cpuacct.path

type: keyword

Path to the cgroup relative to the cgroup subsystem’s mountpoint.

system.process.cgroup.cpuacct.total.ns

type: long

Total CPU time in nanoseconds consumed by all tasks in the cgroup.

system.process.cgroup.cpuacct.stats.user.ns

type: long

CPU time consumed by tasks in user mode.

system.process.cgroup.cpuacct.stats.system.ns

type: long

CPU time consumed by tasks in system (kernel) mode.

system.process.cgroup.cpuacct.percpu

type: object

CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup.

memory fields

Memory limits and metrics.

system.process.cgroup.memory.id

type: keyword

ID of the cgroup.

system.process.cgroup.memory.path

type: keyword

Path to the cgroup relative to the cgroup subsystem’s mountpoint.

system.process.cgroup.memory.mem.usage.bytes

type: long

format: bytes

Total memory usage by processes in the cgroup (in bytes).

system.process.cgroup.memory.mem.usage.max.bytes

type: long

format: bytes

The maximum memory used by processes in the cgroup (in bytes).

system.process.cgroup.memory.mem.limit.bytes

type: long

format: bytes

The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use.

system.process.cgroup.memory.mem.failures

type: long

The number of times that the memory limit (mem.limit.bytes) was reached.

system.process.cgroup.memory.memsw.usage.bytes

type: long

format: bytes

The sum of current memory usage plus swap space used by processes in the cgroup (in bytes).

system.process.cgroup.memory.memsw.usage.max.bytes

type: long

format: bytes

The maximum amount of memory and swap space used by processes in the cgroup (in bytes).

system.process.cgroup.memory.memsw.limit.bytes

type: long

format: bytes

The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use.

system.process.cgroup.memory.memsw.failures

type: long

The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached.

system.process.cgroup.memory.kmem.usage.bytes

type: long

format: bytes

Total kernel memory usage by processes in the cgroup (in bytes).

system.process.cgroup.memory.kmem.usage.max.bytes

type: long

format: bytes

The maximum kernel memory used by processes in the cgroup (in bytes).

system.process.cgroup.memory.kmem.limit.bytes

type: long

format: bytes

The maximum amount of kernel memory that tasks in the cgroup are allowed to use.

system.process.cgroup.memory.kmem.failures

type: long

The number of times that the memory limit (kmem.limit.bytes) was reached.

system.process.cgroup.memory.kmem_tcp.usage.bytes

type: long

format: bytes

Total memory usage for TCP buffers in bytes.

system.process.cgroup.memory.kmem_tcp.usage.max.bytes

type: long

format: bytes

The maximum memory used for TCP buffers by processes in the cgroup (in bytes).

system.process.cgroup.memory.kmem_tcp.limit.bytes

type: long

format: bytes

The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use.

system.process.cgroup.memory.kmem_tcp.failures

type: long

The number of times that the memory limit (kmem_tcp.limit.bytes) was reached.

system.process.cgroup.memory.stats.active_anon.bytes

type: long

format: bytes

Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes.

system.process.cgroup.memory.stats.active_file.bytes

type: long

format: bytes

File-backed memory on active LRU list, in bytes.

system.process.cgroup.memory.stats.cache.bytes

type: long

format: bytes

Page cache, including tmpfs (shmem), in bytes.

system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes

type: long

format: bytes

Memory limit for the hierarchy that contains the memory cgroup, in bytes.

system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes

type: long

format: bytes

Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes.

system.process.cgroup.memory.stats.inactive_anon.bytes

type: long

format: bytes

Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes.

system.process.cgroup.memory.stats.inactive_file.bytes

type: long

format: bytes

File-backed memory on inactive LRU list, in bytes.

system.process.cgroup.memory.stats.mapped_file.bytes

type: long

format: bytes

Size of memory-mapped files, including tmpfs (shmem), in bytes.

system.process.cgroup.memory.stats.page_faults

type: long

Number of times that a process in the cgroup triggered a page fault.

system.process.cgroup.memory.stats.major_page_faults

type: long

Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk.

system.process.cgroup.memory.stats.pages_in

type: long

Number of pages paged into memory. This is a counter.

system.process.cgroup.memory.stats.pages_out

type: long

Number of pages paged out of memory. This is a counter.

system.process.cgroup.memory.stats.rss.bytes

type: long

format: bytes

Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes.

system.process.cgroup.memory.stats.rss_huge.bytes

type: long

format: bytes

Number of bytes of anonymous transparent hugepages.

system.process.cgroup.memory.stats.swap.bytes

type: long

format: bytes

Swap usage, in bytes.

system.process.cgroup.memory.stats.unevictable.bytes

type: long

format: bytes

Memory that cannot be reclaimed, in bytes.

blkio fields

Block IO metrics.

system.process.cgroup.blkio.id

type: keyword

ID of the cgroup.

system.process.cgroup.blkio.path

type: keyword

Path to the cgroup relative to the cgroup subsystem’s mountpoint.

system.process.cgroup.blkio.total.bytes

type: long

format: bytes

Total number of bytes transferred to and from all block devices by processes in the cgroup.

system.process.cgroup.blkio.total.ios

type: long

Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy.

process.summary fields

Summary metrics for the processes running on the host.

system.process.summary.total

type: long

Total number of processes on this host.

system.process.summary.running

type: long

Number of running processes on this host.

system.process.summary.idle

type: long

Number of idle processes on this host.

system.process.summary.sleeping

type: long

Number of sleeping processes on this host.

system.process.summary.stopped

type: long

Number of stopped processes on this host.

system.process.summary.zombie

type: long

Number of zombie processes on this host.

system.process.summary.unknown

type: long

Number of processes for which the state couldn’t be retrieved or is unknown.

raid fields

raid

system.raid.name

type: keyword

Name of the device.

system.raid.activity_state

type: keyword

Activity state of the device.

system.raid.disks.active

type: long

Number of active disks.

system.raid.disks.total

type: long

Total number of disks the device consists of.

system.raid.blocks.total

type: long

Number of blocks the device holds.

system.raid.blocks.synced

type: long

Number of blocks on the device that are in sync.

socket fields

TCP sockets that are active.

system.socket.direction

type: keyword

example: incoming

How the socket was initiated. Possible values are incoming, outgoing, or listening.

system.socket.family

type: keyword

example: ipv4

Address family.

system.socket.local.ip

type: ip

example: 192.0.2.1 or 2001:0DB8:ABED:8536::1

Local IP address. This can be an IPv4 or IPv6 address.

system.socket.local.port

type: long

example: 22

Local port.

system.socket.remote.ip

type: ip

example: 192.0.2.1 or 2001:0DB8:ABED:8536::1

Remote IP address. This can be an IPv4 or IPv6 address.

system.socket.remote.port

type: long

example: 22

Remote port.

system.socket.remote.host

type: keyword

example: 76-211-117-36.nw.example.com.

PTR record associated with the remote IP. It is obtained via reverse IP lookup.

system.socket.remote.etld_plus_one

type: keyword

example: example.com.

The effective top-level domain (eTLD) of the remote host plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org.

system.socket.remote.host_error

type: keyword

Error describing the cause of the reverse lookup failure.

system.socket.process.pid

type: long

ID of the process that opened the socket.

system.socket.process.command

type: keyword

Name of the command (limited to 20 chars by the OS).

system.socket.process.cmdline

type: keyword

system.socket.process.exe

type: keyword

Absolute path to the executable.

system.socket.user.id

type: long

UID of the user running the process.

system.socket.user.name

type: keyword

Name of the user running the process.

uptime fields

uptime contains the operating system uptime metric.

system.uptime.duration.ms

type: long

format: duration

The OS uptime in milliseconds.