APM Transaction fields

edit

Transaction-specific data for APM

processor.name

Processor name.

type: keyword

Yes ECS field.

processor.event

Processor event.

type: keyword

Yes ECS field.

timestamp.us

Timestamp of the event in microseconds since Unix epoch.

type: long

Yes ECS field.

url

edit

A complete Url, with scheme, host and path.

url.scheme

The protocol of the request, e.g. "https:".

type: keyword

Yes ECS field.

url.full

The full, possibly agent-assembled URL of the request, e.g https://example.com:443/search?q=elasticsearch#top.

type: keyword

Yes ECS field.

url.domain

The hostname of the request, e.g. "example.com".

type: keyword

Yes ECS field.

url.port

The port of the request, e.g. 443.

type: long

Yes ECS field.

url.path

The path of the request, e.g. "/search".

type: keyword

Yes ECS field.

url.query

The query string of the request, e.g. "q=elasticsearch".

type: keyword

Yes ECS field.

url.fragment

A fragment specifying a location in a web page , e.g. "top".

type: keyword

Yes ECS field.

http.version

The http version of the request leading to this event.

type: keyword

Yes ECS field.

http.request.method

The http method of the request leading to this event.

type: keyword

Yes ECS field.

http.request.headers

The canonical headers of the monitored HTTP request.

type: object

Yes ECS field.

Object is not enabled.

http.request.referrer

Referrer for this HTTP request.

type: keyword

Yes ECS field.

http.response.status_code

The status code of the HTTP response.

type: long

Yes ECS field.

http.response.finished

Used by the Node agent to indicate when in the response life cycle an error has occurred.

type: boolean

Yes ECS field.

http.response.headers

The canonical headers of the monitored HTTP response.

type: object

Yes ECS field.

Object is not enabled.

labels

A flat mapping of user-defined labels with string, boolean or number values.

type: object

Yes ECS field.

service

edit

Service fields.

service.name

Immutable name of the service emitting this event.

type: keyword

Yes ECS field.

service.version

Version of the service emitting this event.

type: keyword

Yes ECS field.

service.environment

Service environment.

type: keyword

Yes ECS field.

service.node.name

Unique meaningful name of the service node.

type: keyword

Yes ECS field.

service.language.name

Name of the programming language used.

type: keyword

Yes ECS field.

service.language.version

Version of the programming language used.

type: keyword

Yes ECS field.

service.runtime.name

Name of the runtime used.

type: keyword

Yes ECS field.

service.runtime.version

Version of the runtime used.

type: keyword

Yes ECS field.

service.framework.name

Name of the framework used.

type: keyword

Yes ECS field.

service.framework.version

Version of the framework used.

type: keyword

Yes ECS field.

transaction.duration.us

Total duration of this transaction, in microseconds.

type: long

transaction.result

The result of the transaction. HTTP status code for HTTP-related transactions.

type: keyword

transaction.marks

A user-defined mapping of groups of marks in milliseconds.

type: object

transaction.marks.*.*

type: object

transaction.experience.cls

The Cumulative Layout Shift metric

type: scaled_float

transaction.experience.fid

The First Input Delay metric

type: scaled_float

transaction.experience.tbt

The Total Blocking Time metric

type: scaled_float

longtask

edit

Longtask duration/count metrics

transaction.experience.longtask.count

The total number of of longtasks

type: long

transaction.experience.longtask.sum

The sum of longtask durations

type: scaled_float

transaction.experience.longtask.max

The max longtask duration

type: scaled_float

transaction.span_count.dropped

The total amount of dropped spans for this transaction.

type: long

transaction.message.queue.name

Name of the message queue or topic where the message is published or received.

type: keyword

transaction.message.age.ms

Age of a message in milliseconds.

type: long

span.type

Keyword of specific relevance in the service’s domain (eg: db.postgresql.query, template.erb, cache, etc).

type: keyword

Yes ECS field.

span.subtype

A further sub-division of the type (e.g. postgresql, elasticsearch)

type: keyword

Yes ECS field.

self_time

edit

Portion of the span’s duration where no direct child was running

span.self_time.count

type: long

Yes ECS field.

span.self_time.sum.us

type: long

Yes ECS field.

trace.id

The ID of the trace to which the event belongs to.

type: keyword

Yes ECS field.

parent.id

The ID of the parent event.

type: keyword

Yes ECS field.

agent.name

Name of the agent used.

type: keyword

Yes ECS field.

agent.version

Version of the agent used.

type: keyword

Yes ECS field.

agent.ephemeral_id

The Ephemeral ID identifies a running process.

type: keyword

Yes ECS field.

container

edit

Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.

container.id

Unique container id.

type: keyword

Yes ECS field.

kubernetes

edit

Kubernetes metadata reported by agents

kubernetes.namespace

Kubernetes namespace

type: keyword

kubernetes.node.name

Kubernetes node name

type: keyword

kubernetes.pod.name

Kubernetes pod name

type: keyword

kubernetes.pod.uid

Kubernetes Pod UID

type: keyword

host

edit

Optional host fields.

host.architecture

The architecture of the host the event was recorded on.

type: keyword

Yes ECS field.

host.hostname

The hostname of the host the event was recorded on.

type: keyword

Yes ECS field.

host.name

Name of the host the event was recorded on. It can contain same information as host.hostname or a name specified by the user.

type: keyword

Yes ECS field.

host.ip

IP of the host that records the event.

type: ip

Yes ECS field.

The OS fields contain information about the operating system.

host.os.platform

The platform of the host the event was recorded on.

type: keyword

Yes ECS field.

process

edit

Information pertaining to the running process where the data was collected

process.args

Process arguments. May be filtered to protect sensitive information.

type: keyword

Yes ECS field.

process.pid

Numeric process ID of the service process.

type: long

Yes ECS field.

process.ppid

Numeric ID of the service’s parent process.

type: long

Yes ECS field.

process.title

Service process title.

type: keyword

Yes ECS field.

observer.listening

Address the server is listening on.

type: keyword

Yes ECS field.

observer.hostname

Hostname of the APM Server.

type: keyword

Yes ECS field.

observer.version

APM Server version.

type: keyword

Yes ECS field.

observer.version_major

Major version number of the observer

type: byte

Yes ECS field.

observer.type

The type will be set to apm-server.

type: keyword

Yes ECS field.

user.name

The username of the logged in user.

type: keyword

Yes ECS field.

user.id

Identifier of the logged in user.

type: keyword

Yes ECS field.

user.email

Email of the logged in user.

type: keyword

Yes ECS field.

client.ip

IP address of the client of a recorded event. This is typically obtained from a request’s X-Forwarded-For or the X-Real-IP header or falls back to a given configuration for remote address.

type: ip

Yes ECS field.

source.ip

IP address of the source of a recorded event. This is typically obtained from a request’s X-Forwarded-For or the X-Real-IP header or falls back to a given configuration for remote address.

type: ip

Yes ECS field.

destination

edit

Destination fields describe details about the destination of a packet/event. Destination fields are usually populated in conjunction with source fields.

destination.address

Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. Then it should be duplicated to .ip or .domain, depending on which one it is.

type: keyword

Yes ECS field.

destination.ip

IP addess of the destination. Can be one of multiple IPv4 or IPv6 addresses.

type: ip

Yes ECS field.

destination.port

Port of the destination.

type: long

format: string

Yes ECS field.

user_agent

edit

The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.

user_agent.original

Unparsed version of the user_agent.

type: keyword

example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1

Yes ECS field.

user_agent.original.text

Software agent acting in behalf of a user, eg. a web browser / OS combination.

type: text

Yes ECS field.

user_agent.name

Name of the user agent.

type: keyword

example: Safari

Yes ECS field.

user_agent.version

Version of the user agent.

type: keyword

example: 12.0

Yes ECS field.

device

edit

Information concerning the device.

user_agent.device.name

Name of the device.

type: keyword

example: iPhone

Yes ECS field.

The OS fields contain information about the operating system.

user_agent.os.platform

Operating system platform (such centos, ubuntu, windows).

type: keyword

example: darwin

Yes ECS field.

user_agent.os.name

Operating system name, without the version.

type: keyword

example: Mac OS X

Yes ECS field.

user_agent.os.full

Operating system name, including the version or code name.

type: keyword

example: Mac OS Mojave

Yes ECS field.

user_agent.os.family

OS family (such as redhat, debian, freebsd, windows).

type: keyword

example: debian

Yes ECS field.

user_agent.os.version

Operating system version as a raw string.

type: keyword

example: 10.14.1

Yes ECS field.

user_agent.os.kernel

Operating system kernel version as a raw string.

type: keyword

example: 4.4.0-112-generic

Yes ECS field.

experimental

Additional experimental data sent by the agents.

type: object

Yes ECS field.

cloud

edit

Cloud metadata reported by agents

cloud.account.id

Cloud account ID

type: keyword

Yes ECS field.

cloud.account.name

Cloud account name

type: keyword

Yes ECS field.

cloud.availability_zone

Cloud availability zone name

type: keyword

example: us-east1-a

Yes ECS field.

cloud.instance.id

Cloud instance/machine ID

type: keyword

Yes ECS field.

cloud.instance.name

Cloud instance/machine name

type: keyword

Yes ECS field.

cloud.machine.type

Cloud instance/machine type

type: keyword

example: t2.medium

Yes ECS field.

cloud.project.id

Cloud project ID

type: keyword

Yes ECS field.

cloud.project.name

Cloud project name

type: keyword

Yes ECS field.

cloud.provider

Cloud provider name

type: keyword

example: gcp

Yes ECS field.

cloud.region

Cloud region name

type: keyword

example: us-east1

Yes ECS field.

event.outcome

event.outcome simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.

type: keyword

example: success

Yes ECS field.