APM Integration

edit

Version

8.4.2 (View all)

Compatible Kibana version(s)

8.4.0 or higher

Supported Serverless project types
What’s this?

Security
Observability

Subscription level
What’s this?

Basic

The APM integration installs Elasticsearch templates and ingest node pipelines for APM data.

To learn more about the APM Integration architecture, see APM Components.

Quick start

edit

Ready to jump in? Read the APM quick start.

How to use this integration

edit

Add the APM integration to an Elastic Agent policy to create an apm input. Any Elastic Agents set up with this policy will run an APM Server binary locally. Don’t forget to configure the APM Server host, especially if it needs to be accessed from outside, like when running in Docker. Then, configure your APM agents to communicate with APM Server.

If you have Real User Monitoring (RUM) enabled, you must run Elastic Agent centrally. Otherwise, you can run it on edge machines by downloading and installing Elastic Agent on the same machines that your instrumented services run.

Data Streams
edit

When using the APM integration, apm events are indexed into data streams. Data stream names contain the event type, service name, and a user-configurable namespace.

There is no specific recommendation for what to use as a namespace; it is intentionally flexible. You might use the environment, like production, testing, or development, or you could namespace data by business unit. It is your choice.

See APM data streams for more information.

Compatibility

edit

The APM integration requires Kibana and Elasticsearch 7.12.x+ with at least the basic license. The APM integration version should match the Elastic Stack Major.Minor version. For example, the APM integration version 7.16.2 should be run with the Elastic Stack 7.16.x.

If you run APM Server with Elastic Agent manually in standalone mode, you must install the APM integration, otherwise the APM Server will not ingest any events.

Traces

edit

Traces are comprised of spans and transactions.

Traces are written to traces-apm-* data streams, except for RUM traces, which are written to traces-apm.rum-*.

Exported fields
Field Description Type

@timestamp

Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.

date

agent.ephemeral_id

Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but agent.id does not.

keyword

agent.name

Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.

keyword

agent.version

Version of the agent.

keyword

child.id

The ID(s) of the child event(s).

keyword

client.domain

Client domain.

keyword

client.geo.city_name

City name.

keyword

client.geo.continent_name

Name of the continent.

keyword

client.geo.country_iso_code

Country ISO code.

keyword

client.geo.country_name

Country name.

keyword

client.geo.location

Longitude and latitude.

geo_point

client.geo.region_iso_code

Region ISO code.

keyword

client.geo.region_name

Region name.

keyword

client.ip

IP address of the client (IPv4 or IPv6).

ip

client.port

Port of the client.

long

cloud.account.id

The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.

keyword

cloud.account.name

The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.

keyword

cloud.availability_zone

Availability zone in which this host, resource, or service is located.

keyword

cloud.instance.id

Instance ID of the host machine.

keyword

cloud.instance.name

Instance name of the host machine.

keyword

cloud.machine.type

Machine type of the host machine.

keyword

cloud.origin.account.id

The cloud account or organization id used to identify different entities in a multi-tenant environment.

keyword

cloud.origin.provider

Name of the cloud provider.

keyword

cloud.origin.region

Region in which this host, resource, or service is located.

keyword

cloud.origin.service.name

The cloud service name is intended to distinguish services running on different platforms within a provider.

keyword

cloud.project.id

The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.

keyword

cloud.project.name

The cloud project name. Examples: Google Cloud Project name, Azure Project name.

keyword

cloud.provider

Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.

keyword

cloud.region

Region in which this host, resource, or service is located.

keyword

cloud.service.name

The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.

keyword

container.id

Unique container id.

keyword

data_stream.dataset

The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters

constant_keyword

data_stream.namespace

A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters

constant_keyword

data_stream.type

An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.

constant_keyword

destination.address

Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. Then it should be duplicated to .ip or .domain, depending on which one it is.

keyword

destination.ip

IP address of the destination (IPv4 or IPv6).

ip

destination.port

Port of the destination.

long

ecs.version

ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices — which may conform to slightly different ECS versions — this field lets integrations adjust to the schema version of the events.

keyword

event.outcome

This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. event.outcome simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of event.outcome, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with event.type:info, or any events for which an outcome does not make logical sense.

keyword

faas.coldstart

Boolean indicating whether the function invocation was a coldstart or not.

boolean

faas.execution

Request ID of the function invocation.

keyword

faas.id

A unique identifier of the invoked serverless function.

keyword

faas.name

The lambda function name.

keyword

faas.trigger.request_id

The ID of the origin trigger request.

keyword

faas.trigger.type

The trigger type.

keyword

faas.version

The lambda function version.

keyword

host.architecture

Operating system architecture.

keyword

host.hostname

Hostname of the host. It normally contains what the hostname command returns on the host machine.

keyword

host.ip

Host ip addresses.

ip

host.name

Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.

keyword

host.os.platform

Operating system platform (such centos, ubuntu, windows).

keyword

http.request.headers

The canonical headers of the monitored HTTP request.

object

http.request.method

HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0

keyword

http.request.referrer

Referrer for this HTTP request.

keyword

http.response.finished

Used by the Node agent to indicate when in the response life cycle an error has occurred.

boolean

http.response.headers

The canonical headers of the monitored HTTP response.

object

http.response.status_code

HTTP response status code.

long

http.version

HTTP version.

keyword

kubernetes.namespace

Kubernetes namespace

keyword

kubernetes.node.name

Kubernetes node name

keyword

kubernetes.pod.name

Kubernetes pod name

keyword

kubernetes.pod.uid

Kubernetes Pod UID

keyword

labels

Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: docker and k8s labels.

object

network.carrier.icc

ISO country code, eg. US

keyword

network.carrier.mcc

Mobile country code

keyword

network.carrier.mnc

Mobile network code

keyword

network.carrier.name

Carrier name, eg. Vodafone, T-Mobile, etc.

keyword

network.connection.subtype

Detailed network connection sub-type, e.g. "LTE", "CDMA"

keyword

network.connection.type

Network connection type, eg. "wifi", "cell"

keyword

numeric_labels

Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as scaled_float.

object

observer.ephemeral_id

Ephemeral identifier of the APM Server.

keyword

observer.hostname

Hostname of the observer.

keyword

observer.id

Unique identifier of the APM Server.

keyword

observer.name

Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty.

keyword

observer.type

The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are forwarder, firewall, ids, ips, proxy, poller, sensor, APM server.

keyword

observer.version

Observer version.

keyword

parent.id

The ID of the parent event.

keyword

process.args

Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.

keyword

process.pid

Process id.

long

process.ppid

Parent process' pid.

long

process.title

Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.

keyword

process.title.text

Multi-field of process.title.

match_only_text

processor.event

Processor event.

keyword

processor.name

Processor name.

constant_keyword

service.environment

Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.

keyword

service.framework.name

Name of the framework used.

keyword

service.framework.version

Version of the framework used.

keyword

service.language.name

Name of the programming language used.

keyword

service.language.version

Version of the programming language used.

keyword

service.name

Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the service.type field if no name is specified.

keyword

service.node.name

Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, service.node.name should typically be unique across nodes of a given service. In the case of Elasticsearch, the service.node.name could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.

keyword

service.origin.id

Immutable id of the service emitting this event.

keyword

service.origin.name

Immutable name of the service emitting this event.

keyword

service.origin.version

The version of the service the data was collected from.

keyword

service.runtime.name

Name of the runtime used.

keyword

service.runtime.version

Version of the runtime used.

keyword

service.target.name

Target service for which data is collected.

keyword

service.target.type

Type of the target service for which data is collected

keyword

service.version

Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.

keyword

session.id

The ID of the session to which the event belongs.

keyword

session.sequence

The sequence number of the event within the session to which the event belongs.

long

source.domain

Source domain.

keyword

source.ip

IP address of the source (IPv4 or IPv6).

ip

source.nat.ip

Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers.

ip

source.nat.port

Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers.

long

source.port

Port of the source.

long

span.action

The specific kind of event within the sub-type represented by the span (e.g. query, connect)

keyword

span.composite.compression_strategy

The compression strategy that was used.

keyword

span.composite.count

Number of compressed spans the composite span represents.

long

span.composite.sum.us

Sum of the durations of the compressed spans, in microseconds.

long

span.db.link

Database link.

keyword

span.db.rows_affected

Number of rows affected by the database statement.

long

span.destination.service.name

Identifier for the destination service (e.g. http://elastic.co, elasticsearch, rabbitmq) DEPRECATED: this field will be removed in a future release

keyword

span.destination.service.resource

Identifier for the destination service resource being operated on (e.g. http://elastic.co:80, elasticsearch, rabbitmq/queue_name)

keyword

span.destination.service.type

Type of the destination service (e.g. db, elasticsearch). Should typically be the same as span.type. DEPRECATED: this field will be removed in a future release

keyword

span.duration.us

Duration of the span, in microseconds.

long

span.id

Unique identifier of the span within the scope of its trace. A span represents an operation within a transaction, such as a request to another service, or a database query.

keyword

span.kind

"The kind of span: CLIENT, SERVER, PRODUCER, CONSUMER, or INTERNAL."

keyword

span.links.span.id

Unique identifier of the linked span.

keyword

span.links.trace.id

Unique identifier of the linked trace.

keyword

span.message.age.ms

Age of a message in milliseconds.

long

span.message.queue.name

Name of the message queue or topic where the message is published or received.

keyword

span.name

Generic designation of a span in the scope of a transaction.

keyword

span.subtype

A further sub-division of the type (e.g. postgresql, elasticsearch)

keyword

span.sync

Indicates whether the span was executed synchronously or asynchronously.

boolean

span.type

Keyword of specific relevance in the service’s domain (eg: db.postgresql.query, template.erb, cache, etc).

keyword

timestamp.us

Timestamp of the event in microseconds since Unix epoch.

long

trace.id

Unique identifier of the trace. A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services.

keyword

transaction.duration.us

Total duration of this transaction, in microseconds.

long

transaction.experience.cls

The Cumulative Layout Shift metric

scaled_float

transaction.experience.fid

The First Input Delay metric

scaled_float

transaction.experience.longtask.count

The total number of of longtasks

long

transaction.experience.longtask.max

The max longtask duration

scaled_float

transaction.experience.longtask.sum

The sum of longtask durations

scaled_float

transaction.experience.tbt

The Total Blocking Time metric

scaled_float

transaction.id

Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server.

keyword

transaction.marks

A user-defined mapping of groups of marks in milliseconds.

object

transaction.message.age.ms

Age of a message in milliseconds.

long

transaction.message.queue.name

Name of the message queue or topic where the message is published or received.

keyword

transaction.name

Generic designation of a transaction in the scope of a single service (eg. GET /users/:id).

keyword

transaction.name.text

Multi-field of transaction.name.

text

transaction.result

The result of the transaction. HTTP status code for HTTP-related transactions.

keyword

transaction.sampled

Transactions that are sampled will include all available information. Transactions that are not sampled will not have spans or context.

boolean

transaction.span_count.dropped

The total amount of dropped spans for this transaction.

long

transaction.type

Keyword of specific relevance in the service’s domain (eg. request, backgroundjob, etc)

keyword

url.domain

Domain of the url, such as "http://www.elastic.co[www.elastic.co]". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the domain field. If the URL contains a literal IPv6 address enclosed by [ and ] (IETF RFC 2732), the [ and ] characters should also be captured in the domain field.

keyword

url.fragment

Portion of the url after the #, such as "top". The # is not part of the fragment.

keyword

url.full

If full URLs are important to your use case, they should be stored in url.full, whether this field is reconstructed or present in the event source.

wildcard

url.full.text

Multi-field of url.full.

match_only_text

url.original

Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.

wildcard

url.original.text

Multi-field of url.original.

match_only_text

url.path

Path of the request, such as "/search".

wildcard

url.port

Port of the request, such as 443.

long

url.query

The query field describes the query string of the request, such as "q=elasticsearch". The ? is excluded from the query string. If a URL contains no ?, there is no query field. If there is a ? but no query, the query field exists with an empty string. The exists query can be used to differentiate between the two cases.

keyword

url.scheme

Scheme of the request, such as "https". Note: The : is not part of the scheme.

keyword

user.domain

Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.

keyword

user.email

User email address.

keyword

user.id

Unique identifier of the user.

keyword

user.name

Short name or login of the user.

keyword

user.name.text

Multi-field of user.name.

match_only_text

user_agent.device.name

Name of the device.

keyword

user_agent.name

Name of the user agent.

keyword

user_agent.original

Unparsed user_agent string.

keyword

user_agent.original.text

Multi-field of user_agent.original.

match_only_text

user_agent.os.family

OS family (such as redhat, debian, freebsd, windows).

keyword

user_agent.os.full

Operating system name, including the version or code name.

keyword

user_agent.os.full.text

Multi-field of user_agent.os.full.

match_only_text

user_agent.os.kernel

Operating system kernel version as a raw string.

keyword

user_agent.os.name

Operating system name, without the version.

keyword

user_agent.os.name.text

Multi-field of user_agent.os.name.

match_only_text

user_agent.os.platform

Operating system platform (such centos, ubuntu, windows).

keyword

user_agent.os.version

Operating system version as a raw string.

keyword

user_agent.version

Version of the user agent.

keyword

Application Metrics

edit

Application metrics are comprised of custom, application-specific metrics, basic system metrics such as CPU and memory usage, and runtime metrics such as JVM garbage collection statistics.

Application metrics are written to service-specific metrics-apm.app.*-* data streams.

Exported fields
Field Description Type

@timestamp

Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.

date

agent.ephemeral_id

Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but agent.id does not.

keyword

agent.name

Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.

keyword

agent.version

Version of the agent.

keyword

client.domain

Client domain.

keyword

client.geo.city_name

City name.

keyword

client.geo.continent_name

Name of the continent.

keyword

client.geo.country_iso_code

Country ISO code.

keyword

client.geo.country_name

Country name.

keyword

client.geo.location

Longitude and latitude.

geo_point

client.geo.region_iso_code

Region ISO code.

keyword

client.geo.region_name

Region name.

keyword

client.ip

IP address of the client (IPv4 or IPv6).

ip

client.port

Port of the client.

long

cloud.account.id

The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.

keyword

cloud.account.name

The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.

keyword

cloud.availability_zone

Availability zone in which this host, resource, or service is located.

keyword

cloud.instance.id

Instance ID of the host machine.

keyword

cloud.instance.name

Instance name of the host machine.

keyword

cloud.machine.type

Machine type of the host machine.

keyword

cloud.project.id

The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.

keyword

cloud.project.name

The cloud project name. Examples: Google Cloud Project name, Azure Project name.

keyword

cloud.provider

Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.

keyword

cloud.region

Region in which this host, resource, or service is located.

keyword

cloud.service.name

The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.

keyword

container.id

Unique container id.

keyword

data_stream.dataset

The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters

constant_keyword

data_stream.namespace

A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters

constant_keyword

data_stream.type

An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.

constant_keyword

destination.address

Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. Then it should be duplicated to .ip or .domain, depending on which one it is.

keyword

destination.ip

IP address of the destination (IPv4 or IPv6).

ip

destination.port

Port of the destination.

long

ecs.version

ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices — which may conform to slightly different ECS versions — this field lets integrations adjust to the schema version of the events.

keyword

event.outcome

This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. event.outcome simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of event.outcome, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with event.type:info, or any events for which an outcome does not make logical sense.

keyword

host.architecture

Operating system architecture.

keyword

host.hostname

Hostname of the host. It normally contains what the hostname command returns on the host machine.

keyword

host.ip

Host ip addresses.

ip

host.name

Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.

keyword

host.os.platform

Operating system platform (such centos, ubuntu, windows).

keyword

kubernetes.namespace

Kubernetes namespace

keyword

kubernetes.node.name

Kubernetes node name

keyword

kubernetes.pod.name

Kubernetes pod name

keyword

kubernetes.pod.uid

Kubernetes Pod UID

keyword

labels

Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: docker and k8s labels.

object

metricset.name

Name of the set of metrics.

keyword

network.connection.type

Network connection type, eg. "wifi", "cell"

keyword

numeric_labels

Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as scaled_float.

object

observer.ephemeral_id

Ephemeral identifier of the APM Server.

keyword

observer.hostname

Hostname of the observer.

keyword

observer.id

Unique identifier of the APM Server.

keyword

observer.name

Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty.

keyword

observer.type

The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are forwarder, firewall, ids, ips, proxy, poller, sensor, APM server.

keyword

observer.version

Observer version.

keyword

process.args

Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.

keyword

process.pid

Process id.

long

process.ppid

Parent process' pid.

long

process.title

Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.

keyword

process.title.text

Multi-field of process.title.

match_only_text

processor.event

Processor event.

constant_keyword

processor.name

Processor name.

constant_keyword

service.environment

Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.

keyword

service.framework.name

Name of the framework used.

keyword

service.framework.version

Version of the framework used.

keyword

service.language.name

Name of the programming language used.

keyword

service.language.version

Version of the programming language used.

keyword

service.name

Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the service.type field if no name is specified.

keyword

service.node.name

Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, service.node.name should typically be unique across nodes of a given service. In the case of Elasticsearch, the service.node.name could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.

keyword

service.runtime.name

Name of the runtime used.

keyword

service.runtime.version

Version of the runtime used.

keyword

service.version

Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.

keyword

source.domain

Source domain.

keyword

source.ip

IP address of the source (IPv4 or IPv6).

ip

source.nat.ip

Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers.

ip

source.nat.port

Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers.

long

source.port

Port of the source.

long

user.domain

Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.

keyword

user.email

User email address.

keyword

user.id

Unique identifier of the user.

keyword

user.name

Short name or login of the user.

keyword

user.name.text

Multi-field of user.name.

match_only_text

user_agent.device.name

Name of the device.

keyword

user_agent.name

Name of the user agent.

keyword

user_agent.original

Unparsed user_agent string.

keyword

user_agent.original.text

Multi-field of user_agent.original.

match_only_text

user_agent.os.family

OS family (such as redhat, debian, freebsd, windows).

keyword

user_agent.os.full

Operating system name, including the version or code name.

keyword

user_agent.os.full.text

Multi-field of user_agent.os.full.

match_only_text

user_agent.os.kernel

Operating system kernel version as a raw string.

keyword

user_agent.os.name

Operating system name, without the version.

keyword

user_agent.os.name.text

Multi-field of user_agent.os.name.

match_only_text

user_agent.os.platform

Operating system platform (such centos, ubuntu, windows).

keyword

user_agent.os.version

Operating system version as a raw string.

keyword

user_agent.version

Version of the user agent.

keyword

Internal Metrics

edit

Internal metrics comprises metrics produced by Elastic APM agents and Elastic APM server for powering various Kibana charts in the APM app, such as "Time spent by span type".

Internal metrics are written to metrics-apm.internal-* data streams.

Exported fields
Field Description Type Unit Metric Type

@timestamp

Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.

date

agent.ephemeral_id

Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but agent.id does not.

keyword

agent.name

Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.

keyword

agent.version

Version of the agent.

keyword

agent_config_applied

Value for agent_config_applied

long

client.domain

Client domain.

keyword

client.geo.city_name

City name.

keyword

client.geo.continent_name

Name of the continent.

keyword

client.geo.country_iso_code

Country ISO code.

keyword

client.geo.country_name

Country name.

keyword

client.geo.location

Longitude and latitude.

geo_point

client.geo.region_iso_code

Region ISO code.

keyword

client.geo.region_name

Region name.

keyword

client.ip

IP address of the client (IPv4 or IPv6).

ip

client.port

Port of the client.

long

cloud.account.id

The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.

keyword

cloud.account.name

The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.

keyword

cloud.availability_zone

Availability zone in which this host, resource, or service is located.

keyword

cloud.instance.id

Instance ID of the host machine.

keyword

cloud.instance.name

Instance name of the host machine.

keyword

cloud.machine.type

Machine type of the host machine.

keyword

cloud.project.id

The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.

keyword

cloud.project.name

The cloud project name. Examples: Google Cloud Project name, Azure Project name.

keyword

cloud.provider

Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.

keyword

cloud.region

Region in which this host, resource, or service is located.

keyword

cloud.service.name

The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.

keyword

clr.gc.count

The total number of GC collections that have occurred.

long

counter

clr.gc.gen0size

The size of the generation 0 heap.

long

byte

gauge

clr.gc.gen1size

The size of the generation 1 heap.

long

byte

gauge

clr.gc.gen2size

The size of the generation 2 heap.

long

byte

gauge

clr.gc.gen3size

The size of the generation 3 heap - also known as Large Object Heap (LOH).

long

byte

gauge

clr.gc.time

The approximate accumulated collection elapsed time in milliseconds.

long

ms

counter

container.id

Unique container id.

keyword

data_stream.dataset

The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters

constant_keyword

data_stream.namespace

A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters

constant_keyword

data_stream.type

An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.

constant_keyword

destination.address

Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. Then it should be duplicated to .ip or .domain, depending on which one it is.

keyword

destination.ip

IP address of the destination (IPv4 or IPv6).

ip

destination.port

Port of the destination.

long

ecs.version

ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices — which may conform to slightly different ECS versions — this field lets integrations adjust to the schema version of the events.

keyword

event.outcome

This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. event.outcome simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of event.outcome, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with event.type:info, or any events for which an outcome does not make logical sense.

keyword

faas.billed_duration

The number of milliseconds for which the FaaS end user is billed.

long

ms

counter

faas.coldstart

Boolean indicating whether the function invocation was a coldstart or not.

boolean

faas.coldstart_duration

The number of milliseconds elapsed during cold start.

float

ms

counter

faas.duration

The total number of milliseconds elapsed during the execution of the FaaS invocation.

float

ms

counter

faas.execution

Request ID of the function invocation.

keyword

faas.id

A unique identifier of the invoked serverless function.

keyword

faas.name

The lambda function name.

keyword

faas.timeout

The FaaS invocation timeout, expressed in milliseconds.

long

ms

counter

faas.trigger.request_id

The ID of the origin trigger request.

keyword

faas.trigger.type

The trigger type.

keyword

faas.version

The lambda function version.

keyword

golang.goroutines

The number of goroutines that currently exist.

long

counter

golang.heap.allocations.active

Bytes in non-idle spans.

long

byte

gauge

golang.heap.allocations.allocated

Bytes allocated and not yet freed (same as Alloc from runtime.MemStats).

long

byte

gauge

golang.heap.allocations.frees

The number of frees.

long

counter

golang.heap.allocations.idle

Bytes in idle spans.

long

byte

gauge

golang.heap.allocations.mallocs

The number of mallocs.

long

counter

golang.heap.allocations.objects

The total number of allocated objects.

long

counter

golang.heap.allocations.total

Bytes allocated (even if freed) throughout the lifetime.

long

byte

counter

golang.heap.gc.cpu_fraction

Fraction of CPU time used by garbage collection.

scaled_float

percent

gauge

golang.heap.gc.next_gc_limit

Target heap size of the next garbage collection cycle.

long

byte

gauge

golang.heap.gc.total_count

The total number of garbage collections.

long

counter

golang.heap.gc.total_pause.ns

The total garbage collection duration in nanoseconds.

long

nanos

counter

golang.heap.system.obtained

Via HeapSys from runtime.MemStats, bytes obtained from system. heap_sys = heap_idle + heap_inuse.

long

byte

gauge

golang.heap.system.released

Bytes released to the OS.

long

byte

gauge

golang.heap.system.stack

Bytes of stack memory obtained from the OS.

long

byte

gauge

golang.heap.system.total

Total bytes obtained from system (sum of XxxSys from runtime.MemStats).

long

byte

gauge

host.architecture

Operating system architecture.

keyword

host.hostname

Hostname of the host. It normally contains what the hostname command returns on the host machine.

keyword

host.ip

Host ip addresses.

ip

host.name

Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.

keyword

host.os.platform

Operating system platform (such centos, ubuntu, windows).

keyword

jvm.gc.alloc

long

byte

gauge

jvm.gc.count

long

gauge

jvm.gc.time

long

ms

gauge

jvm.memory.heap.committed

long

byte

gauge

jvm.memory.heap.max

long

byte

gauge

jvm.memory.heap.pool.committed

long

byte

gauge

jvm.memory.heap.pool.max

long

byte

gauge

jvm.memory.heap.pool.used

long

byte

gauge

jvm.memory.heap.used

long

byte

gauge

jvm.memory.non_heap.committed

long

byte

gauge

jvm.memory.non_heap.max

long

byte

gauge

jvm.memory.non_heap.used

long

byte

gauge

jvm.thread.count

long

gauge

kubernetes.namespace

Kubernetes namespace

keyword

kubernetes.node.name

Kubernetes node name

keyword

kubernetes.pod.name

Kubernetes pod name

keyword

kubernetes.pod.uid

Kubernetes Pod UID

keyword

labels

Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: docker and k8s labels.

object

metricset.name

Name of the set of metrics.

keyword

network.connection.type

Network connection type, eg. "wifi", "cell"

keyword

nodejs.eventloop.delay.avg.ms

scaled_float

ms

gauge

nodejs.handles.active

long

gauge

nodejs.memory.arrayBuffers.bytes

long

byte

gauge

nodejs.memory.external.bytes

long

byte

gauge

nodejs.memory.heap.allocated.bytes

long

byte

gauge

nodejs.memory.heap.used.bytes

long

byte

gauge

nodejs.requests.active

long

gauge

numeric_labels

Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as scaled_float.

object

observer.ephemeral_id

Ephemeral identifier of the APM Server.

keyword

observer.hostname

Hostname of the observer.

keyword

observer.id

Unique identifier of the APM Server.

keyword

observer.name

Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty.

keyword

observer.type

The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are forwarder, firewall, ids, ips, proxy, poller, sensor, APM server.

keyword

observer.version

Observer version.

keyword

process.args

Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.

keyword

process.pid

Process id.

long

process.ppid

Parent process' pid.

long

process.title

Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.

keyword

process.title.text

Multi-field of process.title.

match_only_text

processor.event

Processor event.

constant_keyword

processor.name

Processor name.

constant_keyword

ruby.gc.count

long

counter

ruby.gc.time

scaled_float

counter

ruby.heap.allocations.total

long

gauge

ruby.heap.slots.free

long

gauge

ruby.heap.slots.live

long

gauge

ruby.threads

long

gauge

service.environment

Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.

keyword

service.framework.name

Name of the framework used.

keyword

service.framework.version

Version of the framework used.

keyword

service.language.name

Name of the programming language used.

keyword

service.language.version

Version of the programming language used.

keyword

service.name

Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the service.type field if no name is specified.

keyword

service.node.name

Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, service.node.name should typically be unique across nodes of a given service. In the case of Elasticsearch, the service.node.name could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.

keyword

service.runtime.name

Name of the runtime used.

keyword

service.runtime.version

Version of the runtime used.

keyword

service.target.name

Target service for which data is collected.

keyword

service.target.type

Type of the target service for which data is collected

keyword

service.version

Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.

keyword

source.domain

Source domain.

keyword

source.ip

IP address of the source (IPv4 or IPv6).

ip

source.nat.ip

Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers.

ip

source.nat.port

Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers.

long

source.port

Port of the source.

long

span.destination.service.resource

Identifier for the destination service resource being operated on (e.g. http://elastic.co:80, elasticsearch, rabbitmq/queue_name)

keyword

span.destination.service.response_time.count

Number of aggregated outgoing requests.

long

span.destination.service.response_time.sum.us

Aggregated duration of outgoing requests, in microseconds.

long

micros

span.name

Generic designation of a span in the scope of a transaction.

keyword

span.self_time.count

Number of aggregated spans.

long

span.self_time.sum.us

Aggregated span duration, excluding the time periods where a direct child was running, in microseconds.

long

micros

span.subtype

A further sub-division of the type (e.g. postgresql, elasticsearch)

keyword

span.type

Keyword of specific relevance in the service’s domain (eg: db.postgresql.query, template.erb, cache, etc).

keyword

system.cpu.total.norm.pct

The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%.

scaled_float

percent

gauge

system.memory.actual.free

Actual free memory in bytes. It is calculated based on the OS. On Linux it consists of the free memory plus caches and buffers. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to system.memory.free.

long

byte

gauge

system.memory.total

Total memory.

long

byte

gauge

system.process.cgroup.cpu.cfs.period.us

CFS period in microseconds.

long

micros

counter

system.process.cgroup.cpu.cfs.quota.us

CFS quota in microseconds.

long

micros

counter

system.process.cgroup.cpu.stats.periods

Number of periods seen by the CPU.

long

counter

system.process.cgroup.cpu.stats.throttled.ns

Nanoseconds spent throttled seen by the CPU.

long

nanos

counter

system.process.cgroup.cpu.stats.throttled.periods

Number of throttled periods seen by the CPU.

long

counter

system.process.cgroup.cpuacct.total.ns

Total CPU time for the current cgroup CPU in nanoseconds.

long

nanos

counter

system.process.cgroup.memory.mem.limit.bytes

Memory limit for the current cgroup slice.

long

byte

gauge

system.process.cgroup.memory.mem.usage.bytes

Memory usage by the current cgroup slice.

long

byte

gauge

system.process.cgroup.memory.stats.inactive_file.bytes

File-backed memory on inactive LRU list, in bytes.

long

byte

gauge

system.process.cpu.system.norm.pct

The percentage of CPU time spent by the process executing kernel code since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%.

scaled_float

percent

gauge

system.process.cpu.total.norm.pct

The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%.

scaled_float

percent

gauge

system.process.cpu.user.norm.pct

The percentage of CPU time spent by the process executing application code since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%.

scaled_float

percent

gauge

system.process.memory.rss.bytes

The Resident Set Size. The amount of memory the process occupied in main memory (RAM).

long

byte

gauge

system.process.memory.size

The total virtual memory the process has.

long

byte

gauge

tags

List of keywords used to tag each event.

keyword

timeseries.instance

Time series instance ID

keyword

transaction.duration.histogram

Pre-aggregated histogram of transaction durations.

histogram

transaction.name

Generic designation of a transaction in the scope of a single service (eg. GET /users/:id).

keyword

transaction.result

The result of the transaction. HTTP status code for HTTP-related transactions.

keyword

transaction.root

Identifies metrics for root transactions. This can be used for calculating metrics for traces.

boolean

transaction.sampled

Transactions that are sampled will include all available information. Transactions that are not sampled will not have spans or context.

boolean

transaction.self_time.count

Number of aggregated transactions.

long

transaction.self_time.sum.us

Aggregated transaction duration, excluding the time periods where a direct child was running, in microseconds.

long

micros

transaction.type

Keyword of specific relevance in the service’s domain (eg. request, backgroundjob, etc)

keyword

user.domain

Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.

keyword

user.email

User email address.

keyword

user.id

Unique identifier of the user.

keyword

user.name

Short name or login of the user.

keyword

user.name.text

Multi-field of user.name.

match_only_text

user_agent.device.name

Name of the device.

keyword

user_agent.name

Name of the user agent.

keyword

user_agent.original

Unparsed user_agent string.

keyword

user_agent.original.text

Multi-field of user_agent.original.

match_only_text

user_agent.os.family

OS family (such as redhat, debian, freebsd, windows).

keyword

user_agent.os.full

Operating system name, including the version or code name.

keyword

user_agent.os.full.text

Multi-field of user_agent.os.full.

match_only_text

user_agent.os.kernel

Operating system kernel version as a raw string.

keyword

user_agent.os.name

Operating system name, without the version.

keyword

user_agent.os.name.text

Multi-field of user_agent.os.name.

match_only_text

user_agent.os.platform

Operating system platform (such centos, ubuntu, windows).

keyword

user_agent.os.version

Operating system version as a raw string.

keyword

user_agent.version

Version of the user agent.

keyword

Application errors

edit

Application errors comprises error/exception events occurring in an application.

Application errors are written to logs-apm.error.* data stream.

Exported fields
Field Description Type

@timestamp

Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.

date

agent.ephemeral_id

Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but agent.id does not.

keyword

agent.name

Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.

keyword

agent.version

Version of the agent.

keyword

client.domain

Client domain.

keyword

client.geo.city_name

City name.

keyword

client.geo.continent_name

Name of the continent.

keyword

client.geo.country_iso_code

Country ISO code.

keyword

client.geo.country_name

Country name.

keyword

client.geo.location

Longitude and latitude.

geo_point

client.geo.region_iso_code

Region ISO code.

keyword

client.geo.region_name

Region name.

keyword

client.ip

IP address of the client (IPv4 or IPv6).

ip

client.port

Port of the client.

long

cloud.account.id

The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.

keyword

cloud.account.name

The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.

keyword

cloud.availability_zone

Availability zone in which this host, resource, or service is located.

keyword

cloud.instance.id

Instance ID of the host machine.

keyword

cloud.instance.name

Instance name of the host machine.

keyword

cloud.machine.type

Machine type of the host machine.

keyword

cloud.project.id

The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.

keyword

cloud.project.name

The cloud project name. Examples: Google Cloud Project name, Azure Project name.

keyword

cloud.provider

Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.

keyword

cloud.region

Region in which this host, resource, or service is located.

keyword

cloud.service.name

The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda.

keyword

container.id

Unique container id.

keyword

data_stream.dataset

The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters

constant_keyword

data_stream.namespace

A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters

constant_keyword

data_stream.type

An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.

constant_keyword

destination.address

Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. Then it should be duplicated to .ip or .domain, depending on which one it is.

keyword

destination.ip

IP address of the destination (IPv4 or IPv6).

ip

destination.port

Port of the destination.

long

ecs.version

ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices — which may conform to slightly different ECS versions — this field lets integrations adjust to the schema version of the events.

keyword

error.culprit

Function call which was the primary perpetrator of this event.

keyword

error.exception.code

The error code set when the error happened, e.g. database error code.

keyword

error.exception.handled

Indicator whether the error was caught somewhere in the code or not.

boolean

error.exception.message

The original error message.

text

error.exception.module

The module namespace of the original error.

keyword

error.exception.type

The type of the original error, e.g. the Java exception class name.

keyword

error.grouping_key

Hash of select properties of the logged error for grouping purposes.

keyword

error.grouping_name

Name to associate with an error group. Errors belonging to the same group (same grouping_key) may have differing values for grouping_name. Consumers may choose one arbitrarily.

keyword

error.id

Unique identifier for the error.

keyword

error.log.level

The severity of the record.

keyword

error.log.logger_name

The name of the logger instance used.

keyword

error.log.message

The additionally logged error message.

text

error.log.param_message

A parametrized message. E.g. Could not connect to %s. The property message is still required, and should be equal to the param_message, but with placeholders replaced. In some situations the param_message is used to group errors together.

keyword

error.stack_trace

The stack trace of this error in plain text.

wildcard

error.stack_trace.text

Multi-field of error.stack_trace.

match_only_text

event.outcome

This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. event.outcome simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of event.outcome, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with event.type:info, or any events for which an outcome does not make logical sense.

keyword

host.architecture

Operating system architecture.

keyword

host.hostname

Hostname of the host. It normally contains what the hostname command returns on the host machine.

keyword

host.ip

Host ip addresses.

ip

host.name

Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.

keyword

host.os.platform

Operating system platform (such centos, ubuntu, windows).

keyword

http.request.headers

The canonical headers of the monitored HTTP request.

object

http.request.method

HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0

keyword

http.request.referrer

Referrer for this HTTP request.

keyword

http.response.finished

Used by the Node agent to indicate when in the response life cycle an error has occurred.

boolean

http.response.headers

The canonical headers of the monitored HTTP response.

object

http.response.status_code

HTTP response status code.

long

http.version

HTTP version.

keyword

kubernetes.namespace

Kubernetes namespace

keyword

kubernetes.node.name

Kubernetes node name

keyword

kubernetes.pod.name

Kubernetes pod name

keyword

kubernetes.pod.uid

Kubernetes Pod UID

keyword

labels

Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: docker and k8s labels.

object

message

For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.

match_only_text

network.carrier.icc

ISO country code, eg. US

keyword

network.carrier.mcc

Mobile country code

keyword

network.carrier.mnc

Mobile network code

keyword

network.carrier.name

Carrier name, eg. Vodafone, T-Mobile, etc.

keyword

network.connection.subtype

Detailed network connection sub-type, e.g. "LTE", "CDMA"

keyword

network.connection.type

Network connection type, eg. "wifi", "cell"

keyword

numeric_labels

Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as scaled_float.

object

observer.ephemeral_id

Ephemeral identifier of the APM Server.

keyword

observer.hostname

Hostname of the observer.

keyword

observer.id

Unique identifier of the APM Server.

keyword

observer.name

Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty.

keyword

observer.type

The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are forwarder, firewall, ids, ips, proxy, poller, sensor, APM server.

keyword

observer.version

Observer version.

keyword

parent.id

The ID of the parent event.

keyword

process.args

Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.

keyword

process.pid

Process id.

long

process.ppid

Parent process' pid.

long

process.title

Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.

keyword

process.title.text

Multi-field of process.title.

match_only_text

processor.event

Processor event.

constant_keyword

processor.name

Processor name.

constant_keyword

service.environment

Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.

keyword

service.framework.name

Name of the framework used.

keyword

service.framework.version

Version of the framework used.

keyword

service.language.name

Name of the programming language used.

keyword

service.language.version

Version of the programming language used.

keyword

service.name

Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the service.type field if no name is specified.

keyword

service.node.name

Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, service.node.name should typically be unique across nodes of a given service. In the case of Elasticsearch, the service.node.name could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.

keyword

service.runtime.name

Name of the runtime used.

keyword

service.runtime.version

Version of the runtime used.

keyword

service.version

Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.

keyword

source.domain

Source domain.

keyword

source.ip

IP address of the source (IPv4 or IPv6).

ip

source.nat.ip

Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers.

ip

source.nat.port

Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers.

long

source.port

Port of the source.

long

span.id

Unique identifier of the span within the scope of its trace. A span represents an operation within a transaction, such as a request to another service, or a database query.

keyword

timestamp.us

Timestamp of the event in microseconds since Unix epoch.

long

trace.id

Unique identifier of the trace. A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services.

keyword

transaction.id

Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server.

keyword

transaction.name

Keyword of designation of a transaction in the scope of a single service, eg: GET /users/:id.

keyword

transaction.sampled

Transactions that are sampled will include all available information. Transactions that are not sampled will not have spans or context.

boolean

transaction.type

Keyword of specific relevance in the service’s domain (eg. request, backgroundjob, etc)

keyword

url.domain

Domain of the url, such as "http://www.elastic.co[www.elastic.co]". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the domain field. If the URL contains a literal IPv6 address enclosed by [ and ] (IETF RFC 2732), the [ and ] characters should also be captured in the domain field.

keyword

url.fragment

Portion of the url after the #, such as "top". The # is not part of the fragment.

keyword

url.full

If full URLs are important to your use case, they should be stored in url.full, whether this field is reconstructed or present in the event source.

wildcard

url.full.text

Multi-field of url.full.

match_only_text

url.original

Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.

wildcard

url.original.text

Multi-field of url.original.

match_only_text

url.path

Path of the request, such as "/search".

wildcard

url.port

Port of the request, such as 443.

long

url.query

The query field describes the query string of the request, such as "q=elasticsearch". The ? is excluded from the query string. If a URL contains no ?, there is no query field. If there is a ? but no query, the query field exists with an empty string. The exists query can be used to differentiate between the two cases.

keyword

url.scheme

Scheme of the request, such as "https". Note: The : is not part of the scheme.

keyword

user.domain

Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.

keyword

user.email

User email address.

keyword

user.id

Unique identifier of the user.

keyword

user.name

Short name or login of the user.

keyword

user.name.text

Multi-field of user.name.

match_only_text

user_agent.device.name

Name of the device.

keyword

user_agent.name

Name of the user agent.

keyword

user_agent.original

Unparsed user_agent string.

keyword

user_agent.original.text

Multi-field of user_agent.original.

match_only_text

user_agent.os.family

OS family (such as redhat, debian, freebsd, windows).

keyword

user_agent.os.full

Operating system name, including the version or code name.

keyword

user_agent.os.full.text

Multi-field of user_agent.os.full.

match_only_text

user_agent.os.kernel

Operating system kernel version as a raw string.

keyword

user_agent.os.name

Operating system name, without the version.

keyword

user_agent.os.name.text

Multi-field of user_agent.os.name.

match_only_text

user_agent.os.platform

Operating system platform (such centos, ubuntu, windows).

keyword

user_agent.os.version

Operating system version as a raw string.

keyword

user_agent.version

Version of the user agent.

keyword

Changelog

edit
Changelog
Version Details Kibana version(s)

8.4.2

Bug fix (View pull request)
Added observer translation to data stream migration pipeline

8.4.0 or higher

8.4.0

Enhancement (View pull request)
Added support for dynamically mapping summary metrics

Enhancement (View pull request)
Added span.name to internal_metrics data stream, for service_destination metrics

Enhancement (View pull request)
Added field mappings for Lambda metrics to internal metrics data stream

8.4.0 or higher

8.3.3

Bug fix (View pull request)
Support TLSv1.3 and remove TLSv1.0 in the default TLS supported protocols

Bug fix (View pull request)
Update APM integration description

Enhancement (View pull request)
Update APM integration screenshots

8.3.0 or higher

8.3.0

Enhancement (View pull request)
Field mapping for target.name and target.type added to traces data stream

Enhancement (View pull request)
Remove the release tag

Enhancement (View pull request)
Added config option for pprof_enabled

Enhancement (View pull request)
Added field mappings for system, process, and runtime metrics to internal metrics data stream

Bug fix (View pull request)
Added tags field mapping to internal_metrics data stream

8.3.0 or higher

8.2.0

Enhancement (View pull request)
Field mapping for source.nat.ip and source.nat.port added to data streams

Enhancement (View pull request)
updated traces and rum_traces ingest pipelines to translate event.duration to <event>.duration.us

Enhancement (View pull request)
added span.links fields to traces and rum_traces data streams

Enhancement (View pull request)
Added field mapping for faas.name and faas.version to internal_metrics data stream

Enhancement (View pull request)
removed observer.version_major field

Bug fix (View pull request)
added field mapping for url.original to traces, rum_traces, app_logs, and error_logs

Enhancement (View pull request)
added field mapping for error.stack_trace to error_logs

8.2.0 or higher

8.1.0

Enhancement (View pull request)
Added field mapping for faas.coldstart and faas.trigger.type

Enhancement (View pull request)
Added field tail_sampling_enabled

Bug fix (View pull request)
added error.id field to error_logs data stream

Enhancement (View pull request)
Added field mapping for faas.id to internal_metrics data stream

8.1.0 or higher

8.0.0

Enhancement (View pull request)
support setting download-agent-version

Bug fix (View pull request)
java attacher config uses discovery-rules, not discovery_rules

Enhancement (View pull request)
add java_attacher support

Enhancement (View pull request)
the auth.anonymous.rate_limit.{event_limit,ip_limit} defaults are now the same as in the default rate_limit struct.

Enhancement (View pull request)
Updated fields @timestamp, data_stream.*, and labels to reference ecs

Enhancement (View pull request)
Ingested labels are now stored as event.{labels,numeric_labels}

Enhancement (View pull request)
added new traces-apm.rum and individual ILM policies per data stream

Bug fix (View pull request)
fixed the sampled_traces data stream’s ILM policy name

Enhancement (View pull request)
added app_logs data stream

Enhancement (View pull request)
updated ingest pipelines to reject events from apm-servers newer than installed integration

Enhancement (View pull request)
added event.{outcome,severity} and log.level to app_logs data stream

8.0.0 or higher

7.16.1

Bug fix (View pull request)
Added agent_config_applied mapping to metrics-apm.internal data stream.

7.16.1 or higher

7.16.0

Enhancement (View pull request)
updated package version to align with stack version

Bug fix (View pull request)
added client.geo fields to internal_metrics

Enhancement (View pull request)
removed unused fields

Enhancement (View pull request)
changed processor.{name,event} to constant_keyword where possible

Enhancement (View pull request)
changed to data-stream specific ingest pipelines

Enhancement (View pull request)
added cluster privilege to package for stack monitoring

7.16.0 or higher

0.5.0

Enhancement (View pull request)
added index sorting for internal metrics

Enhancement (View pull request)
added histogram dynamic_template to app metrics data stream

Enhancement (View pull request)
removed warm phase from ILM policies

Enhancement (View pull request)
added privileges to tail-sampled traces data stream

Enhancement (View pull request)
added tail-sampling config vars

0.4.0

Breaking change (View pull request)
added anonymous auth config, replace some RUM config

Breaking change (View pull request)
updated to use new apm-server.auth config

0.3.0

Enhancement (View pull request)
added apm-server.url config

Enhancement (View pull request)
removed apm-server.kibana.api_key config

0.2.0

Enhancement (View pull request)
added support for apm-server.rum.allow_service_names

Enhancement (View pull request)
added support a configurable default service environment

0.1.0

Enhancement (View pull request)
initial release