User Fieldsedit

The user fields describe information about the user that is relevant to the event.

Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.

User Field Detailsedit

FieldDescriptionLevel

user.email

User email address.

type: keyword

extended

user.full_name

User’s full name, if available.

type: keyword

example: Albert Einstein

extended

user.hash

Unique user hash to correlate information for a user in anonymized form.

Useful if user.id or user.name contain confidential information and cannot be used.

type: keyword

extended

user.id

One or multiple unique identifiers of the user.

type: keyword

core

user.name

Short name or login of the user.

type: keyword

example: albert

core

Field Reuseedit

The user fields are expected to be nested at: client.user, destination.user, host.user, server.user, source.user.

Note also that the user fields may be used directly at the top level.

Field sets that can be nested under Useredit

Nested fieldsDescription

user.group.*

User’s group relevant to the event.