Schema Reference
In AppScope, events are structured according to one pattern, and metrics are structured according to another. These patterns are defined rigorously, in validatable JSON Schema.
Three definitions schemas govern the basic patterns. Then there is an individual schema for each event and metric, documented below. The definitions schemas define the elements that can be present in individual event and metric schemas, as well as the overall structures into which those elements fit.
When we say "the AppScope schema," we mean the whole set of schemas. The AppScope schema now in use was introduced in AppScope 1.0.1.
A few event and metric schema elements, namely title and description, have placeholder values. In the future, we might make these more informative. They are essentially "internal documentation" within the schemas and do not affect how the schemas function in AppScope. In the event that you develop any code that depends on AppScope schemas, be aware that the content of title and description fields may evolve.
For more about how events and metrics work in AppScope, see this overview.
console ^
Structure of the console event
Examples
{
"type": "evt",
"id": "eaf4d0598443-a.out-./a.out",
"_channel": "8499188821284",
"body": {
"sourcetype": "console",
"_time": 1643883251.376672,
"source": "stderr",
"host": "eaf4d0598443",
"proc": "a.out",
"cmd": "./a.out",
"pid": 986,
"data": {
"message": "stderr hello world"
}
}
}
{
"type": "evt",
"id": "ubuntu-sh- /usr/bin/which /usr/bin/firefox",
"_channel": "13468365092424",
"body": {
"sourcetype": "console",
"_time": 1643735941.602952,
"source": "stdout",
"host": "ubuntu",
"proc": "sh",
"cmd": "/bin/sh /usr/bin/which /usr/bin/firefox",
"pid": 6545,
"data": {
"message": "/usr/bin/firefox\n"
}
}
}
console properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
console.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is console. Value must be console. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Specifies whether AppScope is capturing either stderr or stdout from console.Possible values:
|
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
console.body.data properties
| Property | Description |
|---|---|
message (string) |
The textual data written to a console or file. |
dns.req ^
Structure of the dns.req event
Example
{
"type": "evt",
"id": "ubuntu-firefox-/usr/lib/firefox/firefox",
"_channel": "13470757294558",
"body": {
"sourcetype": "dns",
"_time": 1643735942.526987,
"source": "dns.req",
"host": "ubuntu",
"proc": "firefox",
"cmd": "/usr/lib/firefox/firefox",
"pid": 6544,
"data": {
"domain": "detectportal.firefox.com"
}
}
}
dns.req properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
dns.req.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is DNS. Value must be dns. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the Source is a Network DNS operation. Value must be dns.req. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
dns.req.body.data properties
| Property | Description |
|---|---|
domain required (string) |
The domain for which the scoped app made a DNS request. |
dns.resp ^
Structure of the dns.resp event
Example
{
"type": "evt",
"id": "ubuntu-firefox-/usr/lib/firefox/firefox",
"_channel": "13470823778038",
"body": {
"sourcetype": "dns",
"_time": 1643735942.552667,
"source": "dns.resp",
"host": "ubuntu",
"proc": "firefox",
"cmd": "/usr/lib/firefox/firefox",
"pid": 6544,
"data": {
"duration": 25,
"domain": "detectportal.firefox.com",
"addrs": [
"34.107.221.82"
]
}
}
}
dns.resp properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
dns.resp.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is DNS. Value must be dns. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the Source is a DNS response operation . Value must be dns.resp. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
dns.resp.body.data properties
| Property | Description |
|---|---|
duration (number) |
Duration in milliseconds. Example: 55 |
domain (string) |
The domain for which the scoped app made a DNS request. |
addrs (array) |
IP address(es) of the domain for which the scoped app sent a DNS request. |
file ^
Structure of the file event
Example
{
"type": "evt",
"id": "ubuntu-sh- /usr/bin/which /usr/bin/firefox",
"_channel": "13468365092424",
"body": {
"sourcetype": "file",
"_time": 1643735941.602952,
"source": "/var/log/firefox.log",
"host": "ubuntu",
"proc": "sh",
"cmd": "/bin/sh /usr/bin/which /usr/bin/firefox",
"pid": 6545,
"data": {
"message": "/usr/bin/firefox\n"
}
}
}
file properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
file.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is file. Value must be file. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
String that describes a file path. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
file.body.data properties
| Property | Description |
|---|---|
message (string) |
The textual data written to a console or file. |
fs.close ^
Structure of the fs.close event
Example
{
"type": "evt",
"id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
"_channel": "5890090429747",
"body": {
"sourcetype": "fs",
"_time": 1643735835.455002,
"source": "fs.close",
"host": "8bc1398c19f3",
"proc": "accept01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"pid": 1933,
"data": {
"proc": "accept01",
"pid": 1933,
"host": "8bc1398c19f3",
"file": "/dev/shm/ltp_accept01_1931",
"proc_uid": 0,
"proc_gid": 0,
"proc_cgroup": "0::/system.slice/containerd.service",
"file_perms": 600,
"file_owner": 0,
"file_group": 0,
"file_read_bytes": 0,
"file_read_ops": 0,
"file_write_bytes": 0,
"file_write_ops": 0,
"duration": 0,
"op": "close"
}
}
}
fs.close properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
fs.close.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is filesystem. Value must be fs. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the Source is a File Close operation. Value must be fs.close. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
fs.close.body.data properties
| Property | Description |
|---|---|
proc (string) |
The name of the scoped app's process. |
pid (integer) |
The process ID of the scoped app. Example: 1000 |
host (string) |
Hostname for the host on which the scoped app was run. |
file (string) |
The name of the file. |
proc_uid (integer) |
The user ID of the user who started the scoped app. Example: 0 |
proc_gid (integer) |
The group ID of the user who started the scoped app. Example: 0 |
proc_cgroup (string) |
The control group used in container creation. Example: 0::/user.slice/user-1000.slice/session-3.scope |
file_perms (integer) |
The permissions of the file, in octal format. Example: 777 |
file_owner (number) |
The user ID of the file owner. Example: 0 |
file_group (number) |
The group ID of the file owner. Example: 0 |
file_read_bytes (integer) |
The number of bytes of data read from a file. Example: 512 |
file_read_ops (integer) |
Count of individual read operations aggregated. Example: 5 |
file_write_bytes (integer) |
The number of bytes of data written to a file. Example: 10 |
file_write_ops (integer) |
Count of individual write operations aggregated. Example: 5 |
duration (number) |
Duration in milliseconds. Example: 55 |
op (string) |
The close operation that was executed on the filesystem. Possible values:
|
fs.delete ^
Structure of the fs.delete event
Example
{
"type": "evt",
"id": "b6209181773f-rm-rm test.txt",
"_channel": "none",
"body": {
"sourcetype": "fs",
"_time": 1643793922.040438,
"source": "fs.delete",
"host": "b6209181773f",
"proc": "rm",
"cmd": "rm test.txt",
"pid": 306,
"data": {
"proc": "rm",
"pid": 306,
"host": "b6209181773f",
"op": "unlinkat",
"file": "test.txt",
"unit": "operation"
}
}
}
fs.delete properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
fs.delete.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is filesystem. Value must be fs. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the Source is a File Delete operation. Value must be fs.delete. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
fs.delete.body.data properties
| Property | Description |
|---|---|
proc (string) |
The name of the scoped app's process. |
pid (integer) |
The process ID of the scoped app. Example: 1000 |
host (string) |
Hostname for the host on which the scoped app was run. |
op (string) |
The delete operation that was executed on the filesystem. Possible values:
|
file (string) |
The name of the file. |
unit (string) |
Indicates that the metric's value is a number of operations. Value must be operation. |
fs.duration ^
Structure of the fs.duration event
Example
{
"type": "evt",
"id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
"_channel": "5890091215105",
"body": {
"sourcetype": "metric",
"_time": 1643735835.455057,
"source": "fs.duration",
"host": "8bc1398c19f3",
"proc": "accept01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"pid": 1933,
"data": {
"_metric": "fs.duration",
"_metric_type": "histogram",
"_value": 12,
"proc": "accept01",
"pid": 1933,
"fd": 3,
"op": "fgets_unlocked",
"file": "/etc/passwd",
"numops": 1,
"unit": "microsecond"
}
}
}
fs.duration properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
fs.duration.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is metric. Value must be metric. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the Source is a File Duration operation. Value must be fs.duration. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
fs.duration.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Indicates that the Source is a File Duration operation. Value must be fs.duration. |
_metric_type (string) |
Indicates that the metric from the scoped app is a histogram. Value must be histogram. |
_value (number) |
The value reported by the event or metric. Example: 1 |
proc (string) |
The name of the scoped app's process. |
pid (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
op (string) |
The function that was executed. |
file (string) |
The name of the file. |
numops (number) |
Count of individual operations aggregated. |
unit (string) |
Indicates that the metric's value is in microseconds. Value must be microsecond. |
fs.error ^
Structure of the fs.error event
Example
{
"type": "evt",
"id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
"_channel": "5890094642989",
"body": {
"sourcetype": "metric",
"_time": 1643735835.45777,
"source": "fs.error",
"host": "8bc1398c19f3",
"proc": "accept01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"pid": 1931,
"data": {
"_metric": "fs.error",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 1931,
"op": "access",
"file": "/dev/shm/ltp_accept01_1931",
"class": "stat",
"unit": "operation"
}
}
}
fs.error properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
fs.error.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is metric. Value must be metric. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the Source is a File Error operation. Value must be fs.error. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
fs.error.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Indicates that the Source is a File Error operation. Value must be fs.error. |
_metric_type (string) |
Indicates that the metric is a counter. Value must be counter. |
_value (number) |
The value reported by the event or metric. Example: 1 |
proc (string) |
The name of the scoped app's process. |
pid (integer) |
The process ID of the scoped app. Example: 1000 |
op (string) |
The function that was executed. |
file (string) |
The name of the file. |
class (string) |
Subcategory of filesystem error. Possible values:
|
unit (string) |
Indicates that the metric's value is a number of operations. Value must be operation. |
fs.open ^
Structure of the fs.open event
Example
{
"type": "evt",
"id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
"_channel": "5890090429747",
"body": {
"sourcetype": "fs",
"_time": 1643735835.454946,
"source": "fs.open",
"host": "8bc1398c19f3",
"proc": "accept01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"pid": 1933,
"data": {
"proc": "accept01",
"pid": 1933,
"host": "8bc1398c19f3",
"file": "/dev/shm/ltp_accept01_1931",
"proc_uid": 0,
"proc_gid": 0,
"proc_cgroup": "0::/system.slice/containerd.service",
"file_perms": 600,
"file_owner": 0,
"file_group": 0,
"op": "open"
}
}
}
fs.open properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
fs.open.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is filesystem. Value must be fs. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the Source is a File open operation. Value must be fs.open. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
fs.open.body.data properties
| Property | Description |
|---|---|
proc (string) |
The name of the scoped app's process. |
pid (integer) |
The process ID of the scoped app. Example: 1000 |
host (string) |
Hostname for the host on which the scoped app was run. |
file (string) |
The name of the file. |
proc_uid (integer) |
The user ID of the user who started the scoped app. Example: 0 |
proc_gid (integer) |
The group ID of the user who started the scoped app. Example: 0 |
proc_cgroup (string) |
The control group used in container creation. Example: 0::/user.slice/user-1000.slice/session-3.scope |
file_perms (integer) |
The permissions of the file, in octal format. Example: 777 |
file_owner (number) |
The user ID of the file owner. Example: 0 |
file_group (number) |
The group ID of the file owner. Example: 0 |
op (string) |
The open operation that was executed on the filesystem. Possible values:
|
fs.read ^
Structure of the fs.read event
Example
{
"type": "evt",
"id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
"_channel": "5890091215105",
"body": {
"sourcetype": "metric",
"_time": 1643735835.455076,
"source": "fs.read",
"host": "8bc1398c19f3",
"proc": "accept01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"pid": 1933,
"data": {
"_metric": "fs.read",
"_metric_type": "histogram",
"_value": 4096,
"proc": "accept01",
"pid": 1933,
"fd": 3,
"op": "fgets_unlocked",
"file": "/etc/passwd",
"numops": 1,
"unit": "byte"
}
}
}
fs.read properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
fs.read.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is metric. Value must be metric. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the Source is a File Read operation. Value must be fs.read. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
fs.read.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Indicates that the Source is a File Read operation. Value must be fs.read. |
_metric_type (string) |
Indicates that the metric from the scoped app is a histogram. Value must be histogram. |
_value (number) |
The value reported by the event or metric. Example: 1 |
proc (string) |
The name of the scoped app's process. |
pid (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
op (string) |
The read operation that was executed on the filesystem. Possible values:
|
file (string) |
The name of the file. |
numops (number) |
Count of individual operations aggregated. |
unit (string) |
Indicates that the metric's value is in bytes. Value must be byte. |
fs.seek ^
Structure of the fs.seek event
Example
{
"type": "evt",
"id": "8bc1398c19f3-sh-/bin/sh ./file_x",
"_channel": "5891441789884",
"body": {
"sourcetype": "metric",
"_time": 1643735836.805196,
"source": "fs.seek",
"host": "8bc1398c19f3",
"proc": "sh",
"cmd": "/bin/sh ./file_x",
"pid": 2061,
"data": {
"_metric": "fs.seek",
"_metric_type": "counter",
"_value": 1,
"proc": "sh",
"pid": 2061,
"fd": 3,
"op": "lseek",
"file": "./file_x",
"unit": "operation"
}
}
}
fs.seek properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
fs.seek.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is metric. Value must be metric. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the Source is a File Seek operation. Value must be fs.seek. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
fs.seek.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Indicates that the Source is a File Seek operation. Value must be fs.seek. |
_metric_type (string) |
Indicates that the metric is a counter. Value must be counter. |
_value (number) |
The value reported by the event or metric. Example: 1 |
proc (string) |
The name of the scoped app's process. |
pid (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
op (string) |
The seek operation that was executed on the filesystem. Possible values:
|
file (string) |
The name of the file. |
unit (string) |
Indicates that the metric's value is a number of operations. Value must be operation. |
fs.stat ^
Structure of the fs.stat event
Example
{
"type": "evt",
"id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
"_channel": "5890091777333",
"body": {
"sourcetype": "metric",
"_time": 1643735835.454905,
"source": "fs.stat",
"host": "8bc1398c19f3",
"proc": "accept01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"pid": 1933,
"data": {
"_metric": "fs.stat",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 1933,
"op": "access",
"file": "/dev/shm",
"unit": "operation"
}
}
}
fs.stat properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
fs.stat.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is metric. Value must be metric. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the Source is a File Stat operation. Value must be fs.stat. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
fs.stat.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Indicates that the Source is a File Stat operation. Value must be fs.stat. |
_metric_type (string) |
Indicates that the metric is a counter. Value must be counter. |
_value (number) |
The value reported by the event or metric. Example: 1 |
proc (string) |
The name of the scoped app's process. |
pid (integer) |
The process ID of the scoped app. Example: 1000 |
op (string) |
The stat operation that was executed on the filesystem. Possible values:
|
file (string) |
The name of the file. |
unit (string) |
Indicates that the metric's value is a number of operations. Value must be operation. |
fs.write ^
Structure of the fs.write event
Example
{
"type": "evt",
"id": "8bc1398c19f3-access02-/kernel/syscalls/access/access02",
"_channel": "5891407740765",
"body": {
"sourcetype": "metric",
"_time": 1643735836.773249,
"source": "fs.write",
"host": "8bc1398c19f3",
"proc": "access02",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/access/access02",
"pid": 2058,
"data": {
"_metric": "fs.write",
"_metric_type": "histogram",
"_value": 10,
"proc": "access02",
"pid": 2058,
"fd": 3,
"op": "__write_libc",
"file": "file_x",
"numops": 1,
"unit": "byte"
}
}
}
fs.write properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
fs.write.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is metric. Value must be metric. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the Source is a File Write operation. Value must be fs.write. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
fs.write.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Indicates that the Source is a File Write operation. Value must be fs.write. |
_metric_type (string) |
Indicates that the metric from the scoped app is a histogram. Value must be histogram. |
_value (number) |
The value reported by the event or metric. Example: 1 |
proc (string) |
The name of the scoped app's process. |
pid (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
op (string) |
The write operation that was executed on the filesystem. Possible values:
|
file (string) |
The name of the file. |
numops (number) |
Count of individual operations aggregated. |
unit (string) |
Indicates that the metric's value is in bytes. Value must be byte. |
http.req ^
Structure of the http.req event
Example
{
"type": "evt",
"id": "ubuntu-firefox-/usr/lib/firefox/firefox",
"_channel": "13470846442500",
"body": {
"sourcetype": "http",
"_time": 1643735942.588626,
"source": "http.req",
"host": "ubuntu",
"proc": "firefox",
"cmd": "/usr/lib/firefox/firefox",
"pid": 6544,
"data": {
"http_method": "GET",
"http_target": "/canonical.html",
"http_flavor": "1.1",
"http_scheme": "http",
"http_host": "detectportal.firefox.com",
"http_user_agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
"net_transport": "IP.TCP",
"net_peer_ip": "34.107.221.82",
"net_peer_port": 80,
"net_host_ip": "172.16.198.210",
"net_host_port": 33712
}
}
}
http.req properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
http.req.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is HTTP. Value must be http. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the event Source is an HTTP request. Value must be http.req. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
http.req.body.data properties
| Property | Description |
|---|---|
http_method (string) |
Specifies the method of an HTTP request in the data; e.g., GET, POST, PATCH, etc. |
http_frame (string) |
Type of the HTTP/2 frame as described in RFC 7540. Possible values:
|
http_target (string) |
In a URL, the path or file after the FQDN. |
http_flavor (string) |
Specifies whether an HTTP request or response is in HTTP/1.1 or HTTP/2.0. |
http_stream (integer) |
HTTP/2 Stream Identifier. |
http_scheme (string) |
Specifies whether data was unencrypted (HTTP) or encrypted (HTTPS). Possible values:
|
http_host (string) |
Hostname of the host to which an HTTP request was sent; or, from which a response was received. |
http_user_agent (string) |
HTTP header property describing the web client. |
http_client_ip (string) |
IP address of the host that issued an HTTP request or received the response. |
net_transport (string) |
Network layer used (before the dot) and transport layer used (after the dot). Possible values:
|
net_peer_ip (string) |
The IP address portion of the remote side of a network connection. |
net_peer_port (integer) |
The port portion of the remote side of a network connection. |
net_host_ip (string) |
The IP address portion of the local side of a network connection. |
net_host_port (integer) |
The port portion of the local side of a network connection. |
x_appscope (string) |
Value of the x-appscope HTTP header (if present).Value must be x-appscope. |
http.resp ^
Structure of the http.resp event
Example
{
"type": "evt",
"id": "ubuntu-firefox-/usr/lib/firefox/firefox",
"_channel": "13470846442500",
"body": {
"sourcetype": "http",
"_time": 1643735942.613892,
"source": "http.resp",
"host": "ubuntu",
"proc": "firefox",
"cmd": "/usr/lib/firefox/firefox",
"pid": 6544,
"data": {
"http_method": "GET",
"http_target": "/canonical.html",
"http_scheme": "http",
"http_flavor": "1.1",
"http_status_code": 200,
"http_status_text": "OK",
"http_server_duration": 26,
"http_host": "detectportal.firefox.com",
"http_user_agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
"net_transport": "IP.TCP",
"net_peer_ip": "34.107.221.82",
"net_peer_port": 80,
"net_host_ip": "172.16.198.210",
"net_host_port": 33712,
"http_response_content_length": 90
}
}
}
http.resp properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
http.resp.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is HTTP. Value must be http. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the Source is an HTTP response. Value must be http.resp. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
http.resp.body.data properties
| Property | Description |
|---|---|
http_method (string) |
Specifies the method of an HTTP request in the data; e.g., GET, POST, PATCH, etc. |
http_target (string) |
In a URL, the path or file after the FQDN. |
http_stream (integer) |
HTTP/2 Stream Identifier. |
http_scheme (string) |
Specifies whether data was unencrypted (HTTP) or encrypted (HTTPS). Possible values:
|
http_flavor (string) |
Specifies whether an HTTP request or response is in HTTP/1.1 or HTTP/2.0. |
http_status_code (integer) |
Specifies the status code of an HTTP response. Possible values:
|
http_status_text (string) |
The standard text that accompanies an HTTP response status code. Possible values:
|
http_client_duration (number) |
Time elapsed between when a request was issued and when the response was received, in milliseconds. |
http_server_duration (number) |
Time elapsed between when a request was received and when the response was issued, in milliseconds. |
http_host (string) |
Hostname of the host to which an HTTP request was sent; or, from which a response was received. |
http_user_agent (string) |
HTTP header property describing the web client. |
net_transport (string) |
Network layer used (before the dot) and transport layer used (after the dot). Possible values:
|
net_peer_ip (string) |
The IP address portion of the remote side of a network connection. |
net_peer_port (integer) |
The port portion of the remote side of a network connection. |
net_host_ip (string) |
The IP address portion of the local side of a network connection. |
net_host_port (integer) |
The port portion of the local side of a network connection. |
http_response_content_length (number) |
Specifies the length in bytes of the HTTP response body. |
net.app ^
Structure of the net.app event
Example
{
"type": "evt",
"id": "ubuntu-firefox-/usr/lib/firefox/firefox",
"_channel": "13470846442500",
"body": {
"sourcetype": "net",
"_time": 1643735942.588594,
"source": "net.app",
"host": "ubuntu",
"proc": "firefox",
"cmd": "/usr/lib/firefox/firefox",
"pid": 6544,
"data": {
"proc": "firefox",
"pid": 6544,
"fd": 91,
"host": "ubuntu",
"protocol": "HTTP"
}
}
}
net.app properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
net.app.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is net (meaning network). Value must be net. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the Source is a Network App (protocol detection) operation. Value must be net.app. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
net.app.body.data properties
| Property | Description |
|---|---|
proc (string) |
The name of the scoped app's process. |
pid (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
host (string) |
Hostname for the host on which the scoped app was run. |
protocol (string) |
Protocol detected in data transmitted over a network connection. Possible values:
|
net.close ^
Structure of the net.close event
Example
{
"type": "evt",
"id": "8bc1398c19f3-recvfrom01-nel/syscalls/recvfrom/recvfrom01",
"_channel": "5912618970557",
"body": {
"sourcetype": "net",
"_time": 1643735857.983449,
"source": "net.close",
"host": "8bc1398c19f3",
"proc": "recvfrom01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/recvfrom/recvfrom01",
"pid": 3793,
"data": {
"net_transport": "IP.TCP",
"net_peer_ip": "0.0.0.0",
"net_peer_port": 35533,
"net_host_ip": "127.0.0.1",
"net_host_port": 40184,
"duration": 0,
"net_bytes_sent": 0,
"net_bytes_recv": 6,
"net_close_reason": "local"
}
}
}
net.close properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
net.close.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is net (meaning network). Value must be net. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the Source is a Network Close operation. Value must be net.close. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
net.close.body.data properties
| Property | Description |
|---|---|
net_transport (string) |
Network layer used (before the dot) and transport layer used (after the dot). Possible values:
|
net_peer_ip (string) |
The IP address portion of the remote side of a network connection. |
net_peer_port (integer) |
The port portion of the remote side of a network connection. |
net_host_ip (string) |
The IP address portion of the local side of a network connection. |
net_host_port (integer) |
The port portion of the local side of a network connection. |
net_protocol (string) |
First network protocol detected from data sent or received. Value must be http. |
unix_peer_inode (number) |
Inode number for the remote end of a UNIX domain socket. |
unix_local_inode (number) |
Inode number for the local end of a UNIX domain socket. |
duration (number) |
Duration in milliseconds. Example: 55 |
net_bytes_sent (number) |
The number of bytes of data sent over a network connection. |
net_bytes_recv (number) |
The number of bytes of data received over a network connection. |
net_close_reason (string) |
Specifies which end of a network connection initiated the closing of the connection. Possible values:
|
net.duration ^
Structure of the net.duration event
Example
{
"type": "evt",
"id": "8bc1398c19f3-recvmsg01-ernel/syscalls/recvmsg/recvmsg01",
"_channel": "5912681876432",
"body": {
"sourcetype": "metric",
"_time": 1643735858.046756,
"source": "net.duration",
"host": "8bc1398c19f3",
"proc": "recvmsg01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/recvmsg/recvmsg01",
"pid": 3798,
"data": {
"_metric": "net.duration",
"_metric_type": "timer",
"_value": 1,
"proc": "recvmsg01",
"pid": 3798,
"fd": 4,
"proto": "TCP",
"port": 41482,
"numops": 1,
"unit": "millisecond"
}
}
}
net.duration properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
net.duration.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is metric. Value must be metric. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the Source is a counter that measures Network duration. Value must be net.duration. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
net.duration.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Indicates that the Source is a counter that measures Network duration. Value must be net.duration. |
_metric_type (string) |
Indicates that the metric is a timer. Value must be timer. |
_value (number) |
The value reported by the event or metric. Example: 1 |
proc (string) |
The name of the scoped app's process. |
pid (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
proto (string) |
The transmission protocol that the scoped app used to send data. Possible values:
|
port (number) |
Network port opened before a connection was initiated, or closed after the connection closed. |
numops (number) |
Count of individual operations aggregated. |
unit (string) |
Indicates that the metric's value is in milliseconds. Value must be millisecond. |
net.error ^
Structure of the net.error event
Example
{
"type": "evt",
"id": "90aac4bb0722-accept01-/kernel/syscalls/accept/accept01",
"_channel": "2745569202700291",
"body": {
"sourcetype": "metric",
"_time": 1643972258.00885,
"source": "net.error",
"host": "90aac4bb0722",
"proc": "accept01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"pid": 1934,
"data": {
"_metric": "net.error",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 1934,
"op": "accept",
"class": "connection",
"unit": "operation"
}
}
}
net.error properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
net.error.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is metric. Value must be metric. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the Source is a Network Error operation. Value must be net.error. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
net.error.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Indicates that the Source is a Network Error operation. Value must be net.error. |
_metric_type (string) |
Indicates that the metric is a counter. Value must be counter. |
_value (number) |
The value reported by the event or metric. Example: 1 |
proc (string) |
The name of the scoped app's process. |
pid (integer) |
The process ID of the scoped app. Example: 1000 |
op (string) |
The function that was executed. |
class (string) |
Subcategory of network error. Value must be connection. |
unit (string) |
Indicates that the metric's value is a number of operations. Value must be operation. |
net.open ^
Structure of the net.open event
Example
{
"type": "evt",
"id": "8bc1398c19f3-accept02-/kernel/syscalls/accept/accept02",
"_channel": "5890157346952",
"body": {
"sourcetype": "net",
"_time": 1643735835.521928,
"source": "net.open",
"host": "8bc1398c19f3",
"proc": "accept02",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept02",
"pid": 1936,
"data": {
"net_transport": "IP.TCP",
"net_peer_ip": "127.0.0.1",
"net_peer_port": 58625,
"net_host_ip": "0.0.0.0",
"net_host_port": 0
}
}
}
net.open properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
net.open.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is net (meaning network). Value must be net. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the Source is a Network Open operation. Value must be net.open. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
net.open.body.data properties
| Property | Description |
|---|---|
net_transport (string) |
Network layer used (before the dot) and transport layer used (after the dot). Possible values:
|
net_peer_ip (string) |
The IP address portion of the remote side of a network connection. |
net_peer_port (integer) |
The port portion of the remote side of a network connection. |
net_host_ip (string) |
The IP address portion of the local side of a network connection. |
net_host_port (integer) |
The port portion of the local side of a network connection. |
unix_peer_inode (number) |
Inode number for the remote end of a UNIX domain socket. |
unix_local_inode (number) |
Inode number for the local end of a UNIX domain socket. |
net_protocol (string) |
First network protocol detected from data sent or received. Value must be http. |
net.other ^
Structure of the net.other event
Example
{
"type": "evt",
"id": "test_user-server_seqpacket-./server_seqpacket",
"_channel": "11977632602680",
"body": {
"sourcetype": "metric",
"_time": 1643886739.820863,
"source": "net.other",
"host": "test_user",
"proc": "server_seqpacket",
"cmd": "./server_seqpacket",
"pid": 232570,
"data": {
"_metric": "net.other",
"_metric_type": "gauge",
"_value": 1,
"proc": "server_seqpacket",
"pid": 232570,
"fd": 3,
"proto": "SEQPACKET",
"port": 0,
"unit": "connection"
}
}
}
net.other properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
net.other.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is metric. Value must be metric. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the Source is a Network operation of an other-than-standard kind. Value must be net.other. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
net.other.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Indicates that the Source is a Network operation of an other-than-standard kind. Value must be net.other. |
_metric_type (string) |
Indicates that the metric is a gauge. Value must be gauge. |
_value (number) |
The value reported by the event or metric. Example: 1 |
proc (string) |
The name of the scoped app's process. |
pid (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
proto (string) |
The transmission protocol that the scoped app used to send data. Possible values:
|
port (number) |
Network port opened before a connection was initiated, or closed after the connection closed. |
unit (string) |
Indicates that the metric's value is a number of connections. Value must be connection. |
net.port ^
Structure of the net.port event
Example
{
"type": "evt",
"id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
"_channel": "5890091645261",
"body": {
"sourcetype": "metric",
"_time": 1643735835.455222,
"source": "net.port",
"host": "8bc1398c19f3",
"proc": "accept01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"pid": 1933,
"data": {
"_metric": "net.port",
"_metric_type": "gauge",
"_value": 1,
"proc": "accept01",
"pid": 1933,
"fd": 4,
"proto": "TCP",
"port": 0,
"unit": "instance"
}
}
}
net.port properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
net.port.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is metric. Value must be metric. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the Source is a gauge that identifies open ports. Value must be net.port. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
net.port.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Indicates that the Source is a gauge that identifies open ports. Value must be net.port. |
_metric_type (string) |
Indicates that the metric is a gauge. Value must be gauge. |
_value (number) |
The value reported by the event or metric. Example: 1 |
proc (string) |
The name of the scoped app's process. |
pid (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
proto (string) |
The transmission protocol that the scoped app used to send data. Possible values:
|
port (number) |
Network port opened before a connection was initiated, or closed after the connection closed. |
unit (string) |
Indicates that the metric's value is a number of instances. Value must be instance. |
net.rx ^
Structure of the net.rx event
Example
{
"type": "evt",
"id": "8bc1398c19f3-recvfrom01-nel/syscalls/recvfrom/recvfrom01",
"_channel": "5912618970557",
"body": {
"sourcetype": "metric",
"_time": 1643735857.983368,
"source": "net.rx",
"host": "8bc1398c19f3",
"proc": "recvfrom01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/recvfrom/recvfrom01",
"pid": 3793,
"data": {
"_metric": "net.rx",
"_metric_type": "counter",
"_value": 6,
"proc": "recvfrom01",
"pid": 3793,
"fd": 4,
"domain": "AF_INET",
"proto": "TCP",
"localip": "127.0.0.1",
"localp": 40184,
"remoteip": "0.0.0.0",
"remotep": 35533,
"data": "clear",
"numops": 1,
"unit": "byte"
}
}
}
net.rx properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
net.rx.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is metric. Value must be metric. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the Source is a Network receive operation. Value must be net.rx. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
net.rx.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Indicates that the Source is a Network receive operation. Value must be net.rx. |
_metric_type (string) |
Indicates that the metric is a counter. Value must be counter. |
_value (number) |
The value reported by the event or metric. Example: 1 |
proc (string) |
The name of the scoped app's process. |
pid (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
domain (string) |
The domain for which the scoped app made a DNS request. |
proto (string) |
The transmission protocol that the scoped app used to send data. Possible values:
|
localip (string) |
The IP address portion of the local end of a network connection. Example: 127.0.0.1 |
localp (number) |
The port portion of the local end of a network connection. Example: 9109 |
localn (number) |
Inode number for the local end of a UNIX domain socket. |
remoteip (string) |
IP address for the remote end of a network socket. Example: 192.158.1.38 |
remotep (number) |
Port for the remote end of a network socket. Example: 9108 |
remoten (number) |
Inode number for the remote end of a UNIX domain socket. |
data (string) |
Specifies whether data was unencrypted (clear) or encrypted (SSL). Possible values:
|
numops (number) |
Count of individual operations aggregated. |
unit (string) |
Indicates that the metric's value is in bytes. Value must be byte. |
net.tcp ^
Structure of the net.tcp event
Example
{
"type": "evt",
"id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
"_channel": "5890091645261",
"body": {
"sourcetype": "metric",
"_time": 1643735835.455387,
"source": "net.tcp",
"host": "8bc1398c19f3",
"proc": "accept01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"pid": 1933,
"data": {
"_metric": "net.tcp",
"_metric_type": "gauge",
"_value": 0,
"proc": "accept01",
"pid": 1933,
"fd": 4,
"proto": "TCP",
"port": 0,
"unit": "connection"
}
}
}
net.tcp properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
net.tcp.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is metric. Value must be metric. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the Source is a gauge that shows the current count of open TCP ports. Value must be net.tcp. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
net.tcp.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Indicates that the Source is a gauge that shows the current count of open TCP ports. Value must be net.tcp. |
_metric_type (string) |
Indicates that the metric is a gauge. Value must be gauge. |
_value (number) |
The value reported by the event or metric. Example: 1 |
proc (string) |
The name of the scoped app's process. |
pid (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
proto (string) |
The transmission protocol that the scoped app used to send data. Value must be TCP. |
port (number) |
Network port opened before a connection was initiated, or closed after the connection closed. |
unit (string) |
Indicates that the metric's value is a number of connections. Value must be connection. |
net.tx ^
Structure of the net.tx event
Example
{
"type": "evt",
"id": "8bc1398c19f3-recvfrom01-nel/syscalls/recvfrom/recvfrom01",
"_channel": "5912618642035",
"body": {
"sourcetype": "metric",
"_time": 1643735857.983059,
"source": "net.tx",
"host": "8bc1398c19f3",
"proc": "recvfrom01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/recvfrom/recvfrom01",
"pid": 3795,
"data": {
"_metric": "net.tx",
"_metric_type": "counter",
"_value": 6,
"proc": "recvfrom01",
"pid": 3795,
"fd": 4,
"domain": "AF_INET",
"proto": "TCP",
"localip": "0.0.0.0",
"localp": 0,
"remoteip": "127.0.0.1",
"remotep": 40184,
"data": "clear",
"numops": 1,
"unit": "byte"
}
}
}
net.tx properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
net.tx.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is metric. Value must be metric. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the Source is a Network transmit operation. Value must be net.tx. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
net.tx.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Indicates that the Source is a Network transmit operation. Value must be net.tx. |
_metric_type (string) |
Indicates that the metric is a counter. Value must be counter. |
_value (number) |
The value reported by the event or metric. Example: 1 |
proc (string) |
The name of the scoped app's process. |
pid (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
domain (string) |
The domain for which the scoped app made a DNS request. |
proto (string) |
The transmission protocol that the scoped app used to send data. Possible values:
|
localip (string) |
The IP address portion of the local end of a network connection. Example: 127.0.0.1 |
localp (number) |
The port portion of the local end of a network connection. Example: 9109 |
localn (number) |
Inode number for the local end of a UNIX domain socket. |
remoteip (string) |
IP address for the remote end of a network socket. Example: 192.158.1.38 |
remotep (number) |
Port for the remote end of a network socket. Example: 9108 |
remoten (number) |
Inode number for the remote end of a UNIX domain socket. |
data (string) |
Specifies whether data was unencrypted (clear) or encrypted (SSL). Possible values:
|
numops (number) |
Count of individual operations aggregated. |
unit (string) |
Indicates that the metric's value is in bytes. Value must be byte. |
net.udp ^
Structure of the net.udp event
Example
{
"type": "evt",
"id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
"_channel": "5890091656419",
"body": {
"sourcetype": "metric",
"_time": 1643735835.455419,
"source": "net.udp",
"host": "8bc1398c19f3",
"proc": "accept01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"pid": 1933,
"data": {
"_metric": "net.udp",
"_metric_type": "gauge",
"_value": 0,
"proc": "accept01",
"pid": 1933,
"fd": 5,
"proto": "UDP",
"port": 0,
"unit": "connection"
}
}
}
net.udp properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
net.udp.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is metric. Value must be metric. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the Source is a gauge that shows the current count of open UDP ports. Value must be net.udp. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (object) |
data Details below. |
net.udp.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Indicates that the Source is a gauge that shows the current count of open UDP ports. Value must be net.udp. |
_metric_type (string) |
Indicates that the metric is a gauge. Value must be gauge. |
_value (number) |
The value reported by the event or metric. Example: 1 |
proc (string) |
The name of the scoped app's process. |
pid (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
proto (string) |
The transmission protocol that the scoped app used to send data. Value must be UDP. |
port (number) |
Network port opened before a connection was initiated, or closed after the connection closed. |
unit (string) |
Indicates that the metric's value is a number of connections. Value must be connection. |
notice ^
Structure of the notice event
Example
{
"type": "evt",
"id": "9a721a6ad0be-htop-htop",
"_channel": "13544129471303",
"body": {
"sourcetype": "metric",
"_time": 1643888296.317304,
"source": "notice",
"host": "9a721a6ad0be",
"proc": "htop",
"cmd": "htop",
"pid": 302,
"data": "Truncated metrics. Your rate exceeded 10000 metrics per second"
}
}
notice properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
notice.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Indicates that the Sourcetype is metric. Value must be metric. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
source required (string) |
Indicates that the Source is an AppScope notification. Value must be notice. |
host required (string) |
Hostname for the host on which the scoped app was run. |
proc required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
data required (string) |
The data that the scoped app emitted as output. |
start.msg ^
Structure of the process-start message
Example
{
"format": "ndjson",
"info": {
"process": {
"libscopever": "v1.3.0",
"pid": 35673,
"ppid": 3390,
"gid": 1000,
"groupname": "test_user",
"uid": 1000,
"username": "test_user",
"hostname": "test_user",
"procname": "ls",
"cmd": "ls --color=auto",
"id": "test_user-ls-ls --color=auto",
"cgroup": "9:cpuset:/",
"machine_id": "a1e2ada5a5b1b273b4b5c0c2c1c4f5d1",
"uuid": "da845a9b-a55d-4c42-893d-08b54ee6e999"
},
"configuration": {
"current": {
"metric": {
"enable": "true",
"transport": {
"type": "udp",
"host": "127.0.0.1",
"port": "8125",
"tls": {
"enable": "false",
"validateserver": "true",
"cacertpath": ""
}
},
"format": {
"type": "statsd",
"statsdprefix": "",
"statsdmaxlen": 512,
"verbosity": 4
},
"watch": [
{
"type": "fs"
},
{
"type": "net"
},
{
"type": "http"
},
{
"type": "dns"
},
{
"type": "process"
},
{
"type": "statsd"
}
]
},
"libscope": {
"log": {
"level": "info",
"transport": {
"type": "file",
"path": "/tmp/scope.log",
"buffering": "line"
}
},
"snapshot": {
"coredump": "false",
"backtrace": "false"
},
"configevent": "true",
"summaryperiod": 10,
"commanddir": "/tmp"
},
"event": {
"enable": "true",
"transport": {
"type": "tcp",
"host": "127.0.0.1",
"port": "9109",
"tls": {
"enable": "false",
"validateserver": "true",
"cacertpath": ""
}
},
"format": {
"type": "ndjson",
"maxeventpersec": 10000,
"enhancefs": "true"
},
"watch": [
{
"type": "file",
"name": "(\\/logs?\\/)|(\\.log$)|(\\.log[.\\d])",
"field": ".*",
"value": ".*"
},
{
"type": "console",
"name": "(stdout)|(stderr)",
"field": ".*",
"value": ".*",
"allowbinary": "true"
},
{
"type": "http",
"name": ".*",
"field": ".*",
"value": ".*",
"headers": []
},
{
"type": "net",
"name": ".*",
"field": ".*",
"value": ".*"
},
{
"type": "fs",
"name": ".*",
"field": ".*",
"value": ".*"
},
{
"type": "dns",
"name": ".*",
"field": ".*",
"value": ".*"
}
]
},
"payload": {
"enable": "false",
"dir": "/tmp"
},
"tags": {},
"protocol": [],
"cribl": {
"enable": "false",
"transport": {
"type": "edge"
},
"authtoken": ""
}
}
},
"environment": {}
}
}
start.msg properties
| Property | Description |
|---|---|
authtoken (string) |
Token used for authenticating to Cribl Edge or Stream. |
format required (string) |
Specifies the format for output of events and metrics from AppScope. See scope.yml.Possible values:
|
breaker (string) |
Specifies an Event Breaker for Cribl Edge or Stream to use. Value must be Cribl - Do Not Break Ruleset. |
info required (object) |
The principal container for start-message information, in the form of nested process, configuration, and environment objects.Details below. |
start.msg.info properties
| Property | Description |
|---|---|
process required (object) |
Describes the process associated with the scoped app. Details below. |
configuration required (object) |
Container for configurations. For now, describes current configuration only. Details below. |
environment required (object) |
Environment variables present when the current configuration was loaded. Details below. |
start.msg.info.process properties
| Property | Description |
|---|---|
libscopever required (string) |
Version of the AppScope library that is currently loaded. Example: v1.0.0 |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
ppid required (integer) |
The process ID of the parent process of the scoped app. |
gid required (integer) |
Group ID of the user who created the process. Example: 0 |
groupname required (string) |
Groupname of the user who created the process. Example: root |
uid required (integer) |
User ID of the user who created the process. Example: 0 |
username required (string) |
Username of the user who created the process. Example: root |
hostname required (string) |
Hostname for the host on which the scoped app was run. |
procname required (string) |
The name of the scoped app's process. |
cmd required (string) |
The command that was run to start the scoped app. Example: top |
id required (string) |
An ID that concatenates (possibly truncated) the scoped app's hostname, procname, and command, to facilitate correlation of similar processes when searching, graphing, or aggregating. |
cgroup required (string) |
The cgroup for the process. |
machine_id required (string) |
A unique identifier for a machine. |
uuid required (string) |
A unique identifier for a process. |
start.msg.info.configuration properties
| Property | Description |
|---|---|
current (object) |
Describes the current configuration. Details below. |
start.msg.info.environment properties
| Property | Description |
|---|
start.msg.info.configuration.current properties
| Property | Description |
|---|---|
metric (object) |
Settings for metrics. See scope.yml.Details below. |
libscope (object) |
Specifies how to set up the AppScope library. See scope.yml.Details below. |
event (object) |
Settings for events. See scope.yml.Details below. |
payload (object) |
Settings for enabling and storing payloads. See scope.yml.Details below. |
tags (object) |
User-defined tags which become fields in generated events and metrics. See scope.yml.Details below. |
protocol (array) |
List whose entries define protocols that AppScope should detect in network payloads, and how to handle matches. See scope.yml. |
cribl (object) |
Settings for the cribl backend. See scope.yml.Details below. |
start.msg.info.configuration.current.metric properties
| Property | Description |
|---|---|
enable (string) |
Specifies whether a feature or some functionality is enabled or disabled overall. Possible values:
|
transport (object) |
Backend connection for metrics or events. See scope.yml.Details below. |
format (object) |
Settings for the format of metric data. See scope.yml.Details below. |
watch (array) |
Array containing objects that enable different categories of metrics. See scope.yml. |
start.msg.info.configuration.current.libscope properties
| Property | Description |
|---|---|
log (object) |
Logging settings for the AppScope library. See scope.yml.Details below. |
configevent (string) |
When enabled, AppScope guarantees that a process start message is the first event sent over the current connection. Possible values:
|
summaryperiod (integer) |
Time interval over which to perform aggregation. See scope.yml. |
commanddir (string) |
The directory AppScope polls for a scope.<pid> file, as explained in the Dynamic Configuration section of the Using the CLI page of the AppScope docs. |
snapshot (object) |
Settings to specify content of the snapshot AppScope creates for crash analysis. Details below. |
start.msg.info.configuration.current.event properties
| Property | Description |
|---|---|
enable (string) |
Specifies whether a feature or some functionality is enabled or disabled overall. Possible values:
|
transport (object) |
Backend connection for events. See scope.yml.Details below. |
format (object) |
Settings for the format of event data. See scope.yml.Details below. |
watch (array) |
Array containing objects that enable different categories of events. See scope.yml. |
start.msg.info.configuration.current.payload properties
| Property | Description |
|---|---|
enable (string) |
Specifies whether a feature or some functionality is enabled or disabled overall. Possible values:
|
dir (string) |
Specifies director where payload data should be written. Applies only when payloads are enabled and a backend other than cribl is used. See scope.yml. |
start.msg.info.configuration.current.tags properties
| Property | Description |
|---|
start.msg.info.configuration.current.cribl properties
| Property | Description |
|---|---|
enable (string) |
Specifies whether a feature or some functionality is enabled or disabled overall. Possible values:
|
transport (object) |
Backend connection to Cribl Edge or Stream. See scope.yml.Details below. |
authtoken (string) |
Token used for authenticating to Cribl Edge or Stream. |
start.msg.info.configuration.current.metric.transport properties
| Property | Description |
|---|---|
type (string) |
Specifies the transport mechanism on which to send and/or receive data. See scope.yml.Possible values:
|
host (string) |
Hostname for the host on which the scoped app was run. |
port (string) |
Connection port. See scope.yml. |
path (string) |
File or UNIX domain socket path. See scope.yml.Example: /tmp/scope.log |
buffering (string) |
File buffering. See scope.yml.Possible values:
|
tls (object) |
TLS connection settings. See scope.yml.Details below. |
start.msg.info.configuration.current.metric.format properties
| Property | Description |
|---|---|
type (string) |
Specifies the format of metric data. See scope.yml. Possible values:
|
statsdprefix (string) |
Specifies a prefix to prepend the metric name. See scope.yml. |
statsdmaxlen (integer) |
Specifies the maximum length for a string that expresses a StatsD metric. See scope.yml. |
verbosity (integer) |
Controls the tag cardinality and aggregation of a metric. See scope.yml. |
start.msg.info.configuration.current.libscope.log properties
| Property | Description |
|---|---|
level (string) |
Specifies log level. See scope.yml.Possible values:
|
transport (object) |
Backend connection for AppScope library logging. See scope.yml.Details below. |
start.msg.info.configuration.current.libscope.snapshot properties
| Property | Description |
|---|---|
coredump (string) |
When true, AppScope captures a core dump whenever the kernel sends the scoped app a fatal signal (i.e., illegal instruction, bus error, segmentation fault, or floating point exception). Possible values:
|
backtrace (string) |
When true, AppScope captures a backtrace (a.k.a. stack trace) whenever the kernel sends the scoped app a fatal signal (i.e., illegal instruction, bus error, segmentation fault, or floating point exception). Possible values:
|
start.msg.info.configuration.current.event.transport properties
| Property | Description |
|---|---|
type (string) |
Specifies the transport mechanism on which to send and/or receive data. See scope.yml.Possible values:
|
host (string) |
Hostname for the host on which the scoped app was run. |
port (string) |
Connection port. See scope.yml. |
path (string) |
File or UNIX domain socket path. See scope.yml.Example: /tmp/scope.log |
buffering (string) |
File buffering. See scope.yml.Possible values:
|
tls (object) |
Specifies whether to enable TLS for the metrics backend. See scope.yml.Details below. |
start.msg.info.configuration.current.event.format properties
| Property | Description |
|---|---|
type (string) |
Specifies the format of metric data. See scope.yml. Possible values:
|
maxeventpersec (integer) |
Specifies a rate limit for events. See scope.yml. |
enhancefs (string) |
Specifies whether to display full information about fs events.Possible values:
|
start.msg.info.configuration.current.cribl.transport properties
| Property | Description |
|---|---|
type (string) |
Specifies the transport mechanism on which to send and/or receive data. See scope.yml.Possible values:
|
host (string) |
Hostname for the host on which the scoped app was run. |
port (string) |
Connection port. See scope.yml. |
path (string) |
File or UNIX domain socket path. See scope.yml.Example: /tmp/scope.log |
buffering (string) |
File buffering. See scope.yml.Possible values:
|
tls (object) |
TLS settings for the Cribl backend. See scope.yml.Details below. |
start.msg.info.configuration.current.metric.transport.tls properties
| Property | Description |
|---|---|
enable (string) |
Specifies whether a feature or some functionality is enabled or disabled overall. Possible values:
|
validateserver (string) |
Specifies whether to validate the TLS server certificate. See scope.yml.Possible values:
|
cacertpath (string) |
CA Certificate Path. See scope.yml. |
start.msg.info.configuration.current.libscope.log.transport properties
| Property | Description |
|---|---|
type (string) |
Specifies the transport mechanism on which to send and/or receive data. See scope.yml.Possible values:
|
host (string) |
Hostname for the host on which the scoped app was run. |
port (string) |
Connection port. See scope.yml. |
path (string) |
File or UNIX domain socket path. See scope.yml.Example: /tmp/scope.log |
buffering (string) |
File buffering. See scope.yml.Possible values:
|
tls (object) |
TLS settings for backend used by the AppScope library. See scope.yml.Details below. |
start.msg.info.configuration.current.event.transport.tls properties
| Property | Description |
|---|---|
enable (string) |
Specifies whether a feature or some functionality is enabled or disabled overall. Possible values:
|
validateserver (string) |
Specifies whether to validate the TLS server certificate. See scope.yml.Possible values:
|
cacertpath (string) |
CA Certificate Path. See scope.yml. |
start.msg.info.configuration.current.cribl.transport.tls properties
| Property | Description |
|---|---|
enable (string) |
Specifies whether a feature or some functionality is enabled or disabled overall. Possible values:
|
validateserver (string) |
Specifies whether to validate the TLS server certificate. See scope.yml.Possible values:
|
cacertpath (string) |
CA Certificate Path. See scope.yml. |
start.msg.info.configuration.current.libscope.log.transport.tls properties
| Property | Description |
|---|---|
enable (string) |
Specifies whether a feature or some functionality is enabled or disabled overall. Possible values:
|
validateserver (string) |
Specifies whether to validate the TLS server certificate. See scope.yml.Possible values:
|
cacertpath (string) |
CA Certificate Path. See scope.yml. |
dns.req ^
Structure of the dns.req metric
Examples
{
"type": "metric",
"body": {
"_metric": "dns.req",
"_metric_type": "counter",
"_value": 1,
"proc": "lt-curl",
"pid": 31,
"host": "2a6bc132b07a",
"unit": "request",
"summary": "true",
"_time": 1643832467.795134
}
}
{
"type": "metric",
"body": {
"_metric": "dns.req",
"_metric_type": "counter",
"_value": 1,
"proc": "lt-curl",
"pid": 2485,
"host": "2a6bc132b07a",
"domain": "cribl.io",
"duration": 0,
"unit": "request",
"_time": 1643832569.764219
}
}
dns.req properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
dns.req.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a Network DNS operation. Value must be dns.req. |
_metric_type required (string) |
Indicates that the metric is a counter. Value must be counter. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
host required (string) |
Hostname for the host on which the scoped app was run. |
domain (string) |
The domain for which the scoped app made a DNS request. |
duration (number) |
Duration in milliseconds. Example: 55 |
unit required (string) |
Indicates that the metric's value is a number of a requests. Value must be request. |
summary (string) |
When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
fs.close ^
Structure of the fs.close metric
Examples
{
"type": "metric",
"body": {
"_metric": "fs.close",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 13687,
"host": "1f0ec6c8a7bc",
"unit": "operation",
"summary": "true",
"_time": 1643826403.121424
}
}
{
"type": "metric",
"body": {
"_metric": "fs.close",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 9871,
"fd": 3,
"host": "1f0ec6c8a7bc",
"op": "close",
"file": "/dev/shm/ltp_accept01_9870",
"unit": "operation",
"_time": 1643826292.07658
}
}
fs.close properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
fs.close.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a File Close operation. Value must be fs.close. |
_metric_type required (string) |
Indicates that the metric is a counter. Value must be counter. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
host required (string) |
Hostname for the host on which the scoped app was run. |
op (string) |
The close operation that was executed on the filesystem. Possible values:
|
file (string) |
The name of the file. |
unit required (string) |
Indicates that the metric's value is a number of operations. Value must be operation. |
summary (string) |
When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
fs.duration ^
Structure of the fs.duration metric
Examples
{
"type": "metric",
"body": {
"_metric": "fs.duration",
"_metric_type": "histogram",
"_value": 1,
"proc": "access01",
"pid": 13697,
"host": "1f0ec6c8a7bc",
"unit": "microsecond",
"summary": "true",
"_time": 1643826404.006442
}
}
{
"type": "metric",
"body": {
"_metric": "fs.duration",
"_metric_type": "histogram",
"_value": 16,
"proc": "accept01",
"pid": 9871,
"fd": 3,
"host": "1f0ec6c8a7bc",
"op": "fgets_unlocked",
"file": "/etc/passwd",
"numops": 1,
"unit": "microsecond",
"_time": 1643826292.076675
}
}
fs.duration properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
fs.duration.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a File Duration operation. Value must be fs.duration. |
_metric_type required (string) |
Indicates that the metric from the scoped app is a histogram. Value must be histogram. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
host required (string) |
Hostname for the host on which the scoped app was run. |
op (string) |
The function that was executed. |
file (string) |
The name of the file. |
numops (number) |
Count of individual operations aggregated. |
unit required (string) |
Indicates that the metric's value is in microseconds. Value must be microsecond. |
summary (string) |
When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
fs.error ^
Structure of the fs.error metric
Examples
{
"type": "metric",
"body": {
"_metric": "fs.error",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 13686,
"host": "1f0ec6c8a7bc",
"class": "stat",
"unit": "operation",
"summary": "true",
"_time": 1643826403.123802
}
}
{
"type": "metric",
"body": {
"_metric": "fs.error",
"_metric_type": "counter",
"_value": 1,
"proc": "accept02",
"pid": 9872,
"host": "1f0ec6c8a7bc",
"op": "readdir",
"file": "/tmp/QxbCjC",
"class": "read_write",
"unit": "operation",
"_time": 1643826292.14466
}
}
fs.error properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
fs.error.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a File Error operation. Value must be fs.error. |
_metric_type required (string) |
Indicates that the metric is a counter. Value must be counter. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
host required (string) |
Hostname for the host on which the scoped app was run. |
op (string) |
The function that was executed. |
file (string) |
The name of the file. |
class required (string) |
Subcategory of filesystem error. Possible values:
|
unit required (string) |
Indicates that the metric's value is a number of operations. Value must be operation. |
summary (string) |
When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
fs.open ^
Structure of the fs.open metric
Examples
{
"type": "metric",
"body": {
"_metric": "fs.open",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 13687,
"host": "1f0ec6c8a7bc",
"unit": "operation",
"summary": "true",
"_time": 1643826403.121411
}
}
{
"type": "metric",
"body": {
"_metric": "fs.open",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 9871,
"fd": 3,
"host": "1f0ec6c8a7bc",
"op": "open",
"file": "/dev/shm/ltp_accept01_9870",
"unit": "operation",
"_time": 1643826292.076503
}
}
fs.open properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
fs.open.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a File open operation. Value must be fs.open. |
_metric_type required (string) |
Indicates that the metric is a counter. Value must be counter. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
host required (string) |
Hostname for the host on which the scoped app was run. |
op (string) |
The open operation that was executed on the filesystem. Possible values:
|
file (string) |
The name of the file. |
unit required (string) |
Indicates that the metric's value is a number of operations. Value must be operation. |
summary (string) |
When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
fs.read ^
Structure of the fs.read metric
Examples
{
"type": "metric",
"body": {
"_metric": "fs.read",
"_metric_type": "counter",
"_value": 13312,
"proc": "access01",
"pid": 13697,
"host": "1f0ec6c8a7bc",
"unit": "byte",
"summary": "true",
"_time": 1643826404.006381
}
}
{
"type": "metric",
"body": {
"_metric": "fs.read",
"_metric_type": "counter",
"_value": 4096,
"proc": "accept01",
"pid": 9871,
"fd": 3,
"host": "1f0ec6c8a7bc",
"op": "fgets_unlocked",
"file": "/etc/passwd",
"numops": 1,
"unit": "byte",
"_time": 1643826292.076709
}
}
fs.read properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
fs.read.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a File Read operation. Value must be fs.read. |
_metric_type required (string) |
Indicates that the metric is a counter. Value must be counter. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
host required (string) |
Hostname for the host on which the scoped app was run. |
op (string) |
The read operation that was executed on the filesystem. Possible values:
|
file (string) |
The name of the file. |
numops (number) |
Count of individual operations aggregated. |
unit required (string) |
Indicates that the metric's value is in bytes. Value must be byte. |
summary (string) |
When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
fs.seek ^
Structure of the fs.seek metric
Examples
{
"type": "metric",
"body": {
"_metric": "fs.seek",
"_metric_type": "counter",
"_value": 3,
"proc": "sh",
"pid": 13810,
"host": "1f0ec6c8a7bc",
"unit": "operation",
"summary": "true",
"_time": 1643826404.175738
}
}
{
"type": "metric",
"body": {
"_metric": "fs.seek",
"_metric_type": "counter",
"_value": 1,
"proc": "sh",
"pid": 9994,
"fd": 3,
"host": "1f0ec6c8a7bc",
"op": "lseek",
"file": "./file_x",
"unit": "operation",
"_time": 1643826293.407508
}
}
fs.seek properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
fs.seek.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a File Seek operation. Value must be fs.seek. |
_metric_type required (string) |
Indicates that the metric is a counter. Value must be counter. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
host required (string) |
Hostname for the host on which the scoped app was run. |
op (string) |
The function that was executed. |
file (string) |
The name of the file. |
unit required (string) |
Indicates that the metric's value is a number of operations. Value must be operation. |
summary (string) |
When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
fs.stat ^
Structure of the fs.stat metric
Examples
{
"type": "metric",
"body": {
"_metric": "fs.stat",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 13686,
"host": "1f0ec6c8a7bc",
"unit": "operation",
"summary": "true",
"_time": 1643826403.123752
}
}
{
"type": "metric",
"body": {
"_metric": "fs.stat",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 9871,
"host": "1f0ec6c8a7bc",
"op": "access",
"file": "/dev/shm",
"unit": "operation",
"_time": 1643826292.076446
}
}
fs.stat properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
fs.stat.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a File Stat operation. Value must be fs.stat. |
_metric_type required (string) |
Indicates that the metric is a counter. Value must be counter. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
host required (string) |
Hostname for the host on which the scoped app was run. |
op (string) |
The function that was executed. |
file (string) |
The name of the file. |
unit required (string) |
Indicates that the metric's value is a number of operations. Value must be operation. |
summary (string) |
When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
fs.write ^
Structure of the fs.write metric
Examples
{
"type": "metric",
"body": {
"_metric": "fs.write",
"_metric_type": "counter",
"_value": 10,
"proc": "access02",
"pid": 13806,
"host": "1f0ec6c8a7bc",
"unit": "byte",
"summary": "true",
"_time": 1643826404.234963
}
}
{
"type": "metric",
"body": {
"_metric": "fs.write",
"_metric_type": "counter",
"_value": 10,
"proc": "access02",
"pid": 9991,
"fd": 3,
"host": "1f0ec6c8a7bc",
"op": "__write_libc",
"file": "file_x",
"numops": 1,
"unit": "byte",
"_time": 1643826293.385378
}
}
fs.write properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
fs.write.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a File Write operation. Value must be fs.write. |
_metric_type required (string) |
Indicates that the metric is a counter. Value must be counter. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
host required (string) |
Hostname for the host on which the scoped app was run. |
op (string) |
The write operation that was executed on the filesystem. Possible values:
|
file (string) |
The name of the file. |
numops (number) |
Count of individual operations aggregated. |
unit required (string) |
Indicates that the metric's value is in bytes. Value must be byte. |
summary (string) |
When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
http.duration.client ^
Structure of the http.duration.client metric
Examples
{
"type": "metric",
"body": {
"_metric": "http.duration.client",
"_metric_type": "timer",
"_value": 6,
"http_target": "/",
"numops": 1,
"proc": "lt-curl",
"pid": 788,
"host": "c067d78736db",
"unit": "millisecond",
"summary": "true",
"_time": 1643924553.681483
}
}
{
"type": "metric",
"body": {
"_metric": "http.duration.client",
"_metric_type": "timer",
"_value": 7,
"http_target": "/",
"numops": 1,
"proc": "lt-curl",
"pid": 30,
"host": "c067d78736db",
"unit": "millisecond",
"summary": "true",
"_time": 1643924472.648148
}
}
http.duration.client properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
http.duration.client.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a counter that measures HTTP client duration. Value must be http.duration.client. |
_metric_type required (string) |
Indicates that the metric is a timer. Value must be timer. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
http_target required (string) |
In a URL, the path or file after the FQDN. |
numops required (number) |
Count of individual operations aggregated. |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
host required (string) |
Hostname for the host on which the scoped app was run. |
unit required (string) |
Indicates that the metric's value is in milliseconds. Value must be millisecond. |
summary (string) |
When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
http.duration.server ^
Structure of the http.duration.server metric
Examples
{
"type": "metric",
"body": {
"_metric": "http.duration.server",
"_metric_type": "timer",
"_value": 0,
"http_target": "/",
"numops": 1,
"proc": "httpd",
"pid": 2260,
"host": "c067d78736db",
"unit": "millisecond",
"summary": "true",
"_time": 1643924563.450939
}
}
{
"type": "metric",
"body": {
"_metric": "http.duration.server",
"_metric_type": "timer",
"_value": 1,
"http_target": "/",
"numops": 1,
"proc": "httpd",
"pid": 648,
"host": "c067d78736db",
"unit": "millisecond",
"summary": "true",
"_time": 1643924498.350866
}
}
http.duration.server properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
http.duration.server.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a counter that measures HTTP server duration. Value must be http.duration.server. |
_metric_type required (string) |
Indicates that the metric is a timer. Value must be timer. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
http_target required (string) |
In a URL, the path or file after the FQDN. |
numops required (number) |
Count of individual operations aggregated. |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
host required (string) |
Hostname for the host on which the scoped app was run. |
unit required (string) |
Indicates that the metric's value is in milliseconds. Value must be millisecond. |
summary (string) |
When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
http.req ^
Structure of the http.req metric
Examples
{
"type": "metric",
"body": {
"_metric": "http.req",
"_metric_type": "counter",
"_value": 1,
"http_target": "/",
"http_status_code": 200,
"proc": "lt-curl",
"pid": 788,
"host": "c067d78736db",
"unit": "request",
"summary": "true",
"_time": 1643924553.681441
}
}
{
"type": "metric",
"body": {
"_metric": "http.req",
"_metric_type": "counter",
"_value": 1,
"http_target": "/",
"http_status_code": 200,
"proc": "lt-curl",
"pid": 30,
"host": "c067d78736db",
"unit": "request",
"summary": "true",
"_time": 1643924472.64811
}
}
http.req properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
http.req.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the metric Source aggregates HTTP requests and responses. Value must be http.req. |
_metric_type required (string) |
Indicates that the metric is a counter. Value must be counter. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
http_target required (string) |
In a URL, the path or file after the FQDN. |
http_status_code required (integer) |
Specifies the status code of an HTTP response. Possible values:
|
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
host required (string) |
Hostname for the host on which the scoped app was run. |
unit required (string) |
Indicates that the metric's value is a number of a requests. Value must be request. |
summary (string) |
When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
http.req.content_length ^
Structure of the http.req.content_length metric
Example
{
"type": "metric",
"body": {
"_metric": "http.req.content_length",
"_metric_type": "counter",
"_value": 38,
"http_target": "/echo/post/json",
"numops": 1,
"proc": "curl",
"pid": 525,
"host": "272cc69a120a",
"unit": "byte",
"summary": "true",
"_time": 1644230452.63037
}
}
http.req.content_length properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
http.req.content_length.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a counter that measures HTTP request content length. Value must be http.req.content_length. |
_metric_type required (string) |
Indicates that the metric is a counter. Value must be counter. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
http_target required (string) |
In a URL, the path or file after the FQDN. |
numops required (number) |
Count of individual operations aggregated. |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
host required (string) |
Hostname for the host on which the scoped app was run. |
unit required (string) |
Indicates that the metric's value is in bytes. Value must be byte. |
summary (string) |
When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
http.resp.content_length ^
Structure of the http.resp.content_length metric
Examples
{
"type": "metric",
"body": {
"_metric": "http.resp.content_length",
"_metric_type": "counter",
"_value": 58896,
"http_target": "/",
"numops": 1,
"proc": "lt-curl",
"pid": 788,
"host": "c067d78736db",
"unit": "byte",
"summary": "true",
"_time": 1643924553.6815
}
}
{
"type": "metric",
"body": {
"_metric": "http.resp.content_length",
"_metric_type": "counter",
"_value": 58896,
"http_target": "/",
"numops": 1,
"proc": "lt-curl",
"pid": 30,
"host": "c067d78736db",
"unit": "byte",
"summary": "true",
"_time": 1643924472.648165
}
}
http.resp.content_length properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
http.resp.content_length.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a counter that measures HTTP response content length. Value must be http.resp.content_length. |
_metric_type required (string) |
Indicates that the metric is a counter. Value must be counter. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
http_target required (string) |
In a URL, the path or file after the FQDN. |
numops required (number) |
Count of individual operations aggregated. |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
host required (string) |
Hostname for the host on which the scoped app was run. |
unit required (string) |
Indicates that the metric's value is in bytes. Value must be byte. |
summary (string) |
When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
net.close ^
Structure of the net.close metric
Examples
{
"type": "metric",
"body": {
"_metric": "net.close",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 13687,
"host": "1f0ec6c8a7bc",
"unit": "connection",
"summary": "true",
"_time": 1643826403.12145
}
}
{
"type": "metric",
"body": {
"_metric": "net.close",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 9871,
"fd": 5,
"host": "1f0ec6c8a7bc",
"proto": "UDP",
"port": 0,
"unit": "connection",
"_time": 1643826292.077388
}
}
net.close properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
net.close.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a Network Close operation. Value must be net.close. |
_metric_type required (string) |
Indicates that the metric is a counter. Value must be counter. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
host required (string) |
Hostname for the host on which the scoped app was run. |
op (string) |
The function that was executed. |
proto (string) |
The transmission protocol that the scoped app used to send data. Possible values:
|
port (number) |
Network port opened before a connection was initiated, or closed after the connection closed. |
unit required (string) |
Indicates that the metric's value is a number of connections. Value must be connection. |
summary (string) |
When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
net.duration ^
Structure of the net.duration metric
Examples
{
"type": "metric",
"body": {
"_metric": "net.duration",
"_metric_type": "timer",
"_value": 1,
"proc": "sendfile06_64",
"pid": 15385,
"host": "1f0ec6c8a7bc",
"unit": "millisecond",
"summary": "true",
"_time": 1643826428.960074
}
}
{
"type": "metric",
"body": {
"_metric": "net.duration",
"_metric_type": "timer",
"_value": 53,
"proc": "send02",
"pid": 11555,
"fd": 3,
"host": "1f0ec6c8a7bc",
"proto": "UDP",
"port": 0,
"numops": 1,
"unit": "millisecond",
"_time": 1643826318.65727
}
}
net.duration properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
net.duration.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a counter that measures Network duration. Value must be net.duration. |
_metric_type required (string) |
Indicates that the metric is a timer. Value must be timer. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
host required (string) |
Hostname for the host on which the scoped app was run. |
proto (string) |
The transmission protocol that the scoped app used to send data. Possible values:
|
port (number) |
Network port opened before a connection was initiated, or closed after the connection closed. |
numops (number) |
Count of individual operations aggregated. |
unit required (string) |
Indicates that the metric's value is in milliseconds. Value must be millisecond. |
summary (string) |
When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
net.error ^
Structure of the net.error metric
Examples
{
"type": "metric",
"body": {
"_metric": "net.error",
"_metric_type": "counter",
"_value": 6,
"proc": "accept01",
"pid": 5920,
"host": "7cb66c7f77dd",
"op": "summary",
"class": "connection",
"unit": "operation",
"_time": 1643749774.573214
}
}
{
"type": "metric",
"body": {
"_metric": "net.error",
"_metric_type": "counter",
"_value": 1,
"proc": "recv01",
"pid": 3593,
"host": "7cb66c7f77dd",
"op": "recv",
"class": "rx_tx",
"unit": "operation",
"_time": 1643749590.518109
}
}
net.error properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
net.error.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a Network Error operation. Value must be net.error. |
_metric_type required (string) |
Indicates that the metric is a counter. Value must be counter. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
host required (string) |
Hostname for the host on which the scoped app was run. |
op (string) |
The function that was executed. |
class required (string) |
Subcategory of network error. Possible values:
|
unit required (string) |
Indicates that the metric's value is a number of operations. Value must be operation. |
summary (string) |
When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
net.open ^
Structure of the net.open metric
Examples
{
"type": "metric",
"body": {
"_metric": "net.open",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 13687,
"host": "1f0ec6c8a7bc",
"unit": "connection",
"summary": "true",
"_time": 1643826403.121437
}
}
{
"type": "metric",
"body": {
"_metric": "net.open",
"_metric_type": "counter",
"_value": 1,
"proc": "lt-curl",
"pid": 2485,
"fd": 7,
"host": "2a6bc132b07a",
"proto": "UDP",
"port": 0,
"unit": "connection",
"_time": 1643832569.764144
}
}
net.open properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
net.open.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a Network Open operation. Value must be net.open. |
_metric_type required (string) |
Indicates that the metric is a counter. Value must be counter. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
host required (string) |
Hostname for the host on which the scoped app was run. |
proto (string) |
The transmission protocol that the scoped app used to send data. Possible values:
|
port (number) |
Network port opened before a connection was initiated, or closed after the connection closed. |
unit required (string) |
Indicates that the metric's value is a number of connections. Value must be connection. |
summary (string) |
When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
net.other ^
Structure of the net.other metric
Examples
{
"type": "metric",
"body": {
"_metric": "net.other",
"_metric_type": "gauge",
"_value": 1,
"proc": "server_seqpacket",
"pid": 234979,
"host": "test_user",
"unit": "connection",
"summary": "true",
"_time": 1643887036.00144
}
}
{
"type": "metric",
"body": {
"_metric": "net.other",
"_metric_type": "gauge",
"_value": 1,
"proc": "server_seqpacket",
"pid": 235293,
"fd": 4,
"host": "test_user",
"proto": "SEQPACKET",
"port": 0,
"unit": "connection",
"_time": 1643887122.646226
}
}
net.other properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
net.other.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a Network operation of an other-than-standard kind. Value must be net.other. |
_metric_type required (string) |
Indicates that the metric is a gauge. Value must be gauge. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
host required (string) |
Hostname for the host on which the scoped app was run. |
proto (string) |
The transmission protocol that the scoped app used to send data. Possible values:
|
port (number) |
Network port opened before a connection was initiated, or closed after the connection closed. |
unit required (string) |
Indicates that the metric's value is a number of connections. Value must be connection. |
summary (string) |
When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
net.port ^
Structure of the net.port metric
Examples
{
"type": "metric",
"body": {
"_metric": "net.port",
"_metric_type": "gauge",
"_value": 2,
"proc": "accept02",
"pid": 13689,
"host": "1f0ec6c8a7bc",
"unit": "instance",
"summary": "true",
"_time": 1643826403.184484
}
}
{
"type": "metric",
"body": {
"_metric": "net.port",
"_metric_type": "gauge",
"_value": 1,
"proc": "accept01",
"pid": 9871,
"fd": 4,
"host": "1f0ec6c8a7bc",
"proto": "TCP",
"port": 0,
"unit": "instance",
"_time": 1643826292.076967
}
}
net.port properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
net.port.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a gauge that identifies open ports. Value must be net.port. |
_metric_type required (string) |
Indicates that the metric is a gauge. Value must be gauge. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
host required (string) |
Hostname for the host on which the scoped app was run. |
proto (string) |
The transmission protocol that the scoped app used to send data. Possible values:
|
port (number) |
Network port opened before a connection was initiated, or closed after the connection closed. |
unit required (string) |
Indicates that the metric's value is a number of instances. Value must be instance. |
summary (string) |
When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
net.rx ^
Structure of the net.rx metric
Examples
{
"type": "metric",
"body": {
"_metric": "net.rx",
"_metric_type": "counter",
"_value": 99000,
"proc": "send02",
"pid": 15371,
"host": "1f0ec6c8a7bc",
"unit": "byte",
"class": "inet_udp",
"summary": "true",
"_time": 1643826428.564141
}
}
{
"type": "metric",
"body": {
"_metric": "net.rx",
"_metric_type": "counter",
"_value": 6,
"proc": "recvfrom01",
"pid": 11544,
"fd": 4,
"host": "1f0ec6c8a7bc",
"domain": "AF_INET",
"proto": "TCP",
"localip": "127.0.0.1",
"localp": 37432,
"remoteip": "0.0.0.0",
"remotep": 40765,
"data": "clear",
"numops": 1,
"unit": "byte",
"_time": 1643826317.098972
}
}
{
"type": "metric",
"body": {
"_metric": "net.rx",
"_metric_type": "counter",
"_value": 16,
"proc": "send02",
"pid": 11555,
"fd": 3,
"host": "1f0ec6c8a7bc",
"domain": "AF_INET",
"proto": "UDP",
"localip": "127.0.0.1",
"localp": 0,
"remoteip": " ",
"remotep": 0,
"data": "clear",
"numops": 1,
"unit": "byte",
"_time": 1643826318.241899
}
}
net.rx properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
net.rx.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a Network receive operation. Value must be net.rx. |
_metric_type required (string) |
Indicates that the metric is a counter. Value must be counter. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
host required (string) |
Hostname for the host on which the scoped app was run. |
domain (string) |
The domain for which the scoped app made a DNS request. |
proto (string) |
The transmission protocol that the scoped app used to send data. Possible values:
|
localn (number) |
Inode number for the local end of a UNIX domain socket. |
localip (string) |
The IP address portion of the local end of a network connection. Example: 127.0.0.1 |
localp (number) |
The port portion of the local end of a network connection. Example: 9109 |
remoten (number) |
Inode number for the remote end of a UNIX domain socket. |
remoteip (string) |
IP address for the remote end of a network socket. Example: 192.158.1.38 |
remotep (number) |
Port for the remote end of a network socket. Example: 9108 |
data (string) |
The data that the scoped app emitted as output. |
numops (number) |
Count of individual operations aggregated. |
unit required (string) |
Indicates that the metric's value is in bytes. Value must be byte. |
class (string) |
Subcategory of send and receive operations. Possible values:
|
summary (string) |
When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
net.tcp ^
Structure of the net.tcp metric
Examples
{
"type": "metric",
"body": {
"_metric": "net.tcp",
"_metric_type": "gauge",
"_value": 1,
"proc": "accept02",
"pid": 13689,
"host": "1f0ec6c8a7bc",
"unit": "connection",
"summary": "true",
"_time": 1643826403.184497
}
}
{
"type": "metric",
"body": {
"_metric": "net.tcp",
"_metric_type": "gauge",
"_value": 0,
"proc": "accept01",
"pid": 9871,
"fd": 4,
"host": "1f0ec6c8a7bc",
"proto": "TCP",
"port": 0,
"unit": "connection",
"_time": 1643826292.07731
}
}
net.tcp properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
net.tcp.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a gauge that shows the current count of open TCP ports. Value must be net.tcp. |
_metric_type required (string) |
Indicates that the metric is a gauge. Value must be gauge. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
host required (string) |
Hostname for the host on which the scoped app was run. |
proto (string) |
The transmission protocol that the scoped app used to send data. Value must be TCP. |
port (number) |
Network port opened before a connection was initiated, or closed after the connection closed. |
unit required (string) |
Indicates that the metric's value is a number of connections. Value must be connection. |
summary (string) |
When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
net.tx ^
Structure of the net.tx metric
Examples
{
"type": "metric",
"body": {
"_metric": "net.tx",
"_metric_type": "counter",
"_value": 3,
"proc": "recvmsg01",
"pid": 15364,
"host": "1f0ec6c8a7bc",
"unit": "byte",
"class": "unix_tcp",
"summary": "true",
"_time": 1643826427.279136
}
}
{
"type": "metric",
"body": {
"_metric": "net.tx",
"_metric_type": "counter",
"_value": 16,
"proc": "send02",
"pid": 11555,
"fd": 4,
"host": "1f0ec6c8a7bc",
"domain": "AF_INET",
"proto": "UDP",
"localip": "0.0.0.0",
"localp": 0,
"remoteip": "127.0.0.1",
"remotep": 38725,
"data": "clear",
"numops": 1,
"unit": "byte",
"_time": 1643826318.241855
}
}
{
"type": "metric",
"body": {
"_metric": "net.tx",
"_metric_type": "counter",
"_value": 1,
"proc": "recvmsg01",
"pid": 11548,
"fd": 3,
"host": "1f0ec6c8a7bc",
"domain": "UNIX",
"proto": "TCP",
"localn": 48335,
"remoten": 46396,
"data": "clear",
"numops": 1,
"unit": "byte",
"_time": 1643826317.162209
}
}
net.tx properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
net.tx.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a Network transmit operation. Value must be net.tx. |
_metric_type required (string) |
Indicates that the metric is a counter. Value must be counter. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
fd (integer) |
The file descriptor for an operation. Example: 4 |
host required (string) |
Hostname for the host on which the scoped app was run. |
domain (string) |
The domain for which the scoped app made a DNS request. |
proto (string) |
The transmission protocol that the scoped app used to send data. Possible values:
|
localn (number) |
Inode number for the local end of a UNIX domain socket. |
localip (string) |
The IP address portion of the local end of a network connection. Example: 127.0.0.1 |
localp (number) |
The port portion of the local end of a network connection. Example: 9109 |
remoten (number) |
Inode number for the remote end of a UNIX domain socket. |
remoteip (string) |
IP address for the remote end of a network socket. Example: 192.158.1.38 |
remotep (number) |
Port for the remote end of a network socket. Example: 9108 |
data (string) |
The data that the scoped app emitted as output. |
numops (number) |
Count of individual operations aggregated. |
unit required (string) |
Indicates that the metric's value is in bytes. Value must be byte. |
class (string) |
Subcategory of send and receive operations. Possible values:
|
summary (string) |
When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
net.udp ^
Structure of the net.udp metric
Example
{
"type": "metric",
"body": {
"_metric": "net.udp",
"_metric_type": "gauge",
"_value": 0,
"proc": "accept01",
"pid": 9871,
"fd": 5,
"host": "1f0ec6c8a7bc",
"proto": "UDP",
"port": 0,
"unit": "connection",
"_time": 1643826292.077372
}
}
net.udp properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
net.udp.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a gauge that shows the current count of open UDP ports. Value must be net.udp. |
_metric_type required (string) |
Indicates that the metric is a gauge. Value must be gauge. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
fd required (integer) |
The file descriptor for an operation. Example: 4 |
host required (string) |
Hostname for the host on which the scoped app was run. |
proto required (string) |
The transmission protocol that the scoped app used to send data. Value must be UDP. |
port required (number) |
Network port opened before a connection was initiated, or closed after the connection closed. |
unit required (string) |
Indicates that the metric's value is a number of connections. Value must be connection. |
summary (string) |
When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
proc.child ^
Structure of the proc.child metric
Example
{
"type": "metric",
"body": {
"_metric": "proc.child",
"_metric_type": "gauge",
"_value": 0,
"proc": "accept01",
"pid": 1946,
"host": "7cb66c7f77dd",
"unit": "process",
"_time": 1643749566.030543
}
}
proc.child properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
proc.child.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a gauge of child processes spawned. Value must be proc.child. |
_metric_type required (string) |
Indicates that the metric is a gauge. Value must be gauge. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
host required (string) |
Hostname for the host on which the scoped app was run. |
unit required (string) |
Indicates that the metric's value is a number of processes. Value must be process. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
proc.cpu ^
Structure of the proc.cpu metric
Example
{
"type": "metric",
"body": {
"_metric": "proc.cpu",
"_metric_type": "counter",
"_value": 2107,
"proc": "accept01",
"pid": 1946,
"host": "7cb66c7f77dd",
"unit": "microsecond",
"_time": 1643749566.030295
}
}
proc.cpu properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
proc.cpu.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a counter of microseconds of the process's CPU were scheduled. Value must be proc.cpu. |
_metric_type required (string) |
Indicates that the metric is a counter. Value must be counter. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
host required (string) |
Hostname for the host on which the scoped app was run. |
unit required (string) |
Indicates that the metric's value is in microseconds. Value must be microsecond. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
proc.cpu.perc ^
Structure of the proc.cpu_perc metric
Example
{
"type": "metric",
"body": {
"_metric": "proc.cpu_perc",
"_metric_type": "gauge",
"_value": 0.02107,
"proc": "accept01",
"pid": 1946,
"host": "7cb66c7f77dd",
"unit": "percent",
"_time": 1643749566.030327
}
}
proc.cpu.perc properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
proc.cpu.perc.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a gauge that measures percentage of CPU used by the process. Value must be proc.cpu_perc. |
_metric_type required (string) |
Indicates that the metric is a gauge. Value must be gauge. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
host required (string) |
Hostname for the host on which the scoped app was run. |
unit required (string) |
Indicates that the metric's value is a percentage. Value must be percent. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
proc.fd ^
Structure of the proc.fd metric
Example
{
"type": "metric",
"body": {
"_metric": "proc.fd",
"_metric_type": "gauge",
"_value": 5,
"proc": "accept01",
"pid": 1946,
"host": "7cb66c7f77dd",
"unit": "file",
"_time": 1643749566.030497
}
}
proc.fd properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
proc.fd.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a gauge that reports how many file descriptors the process has opened. Value must be proc.fd. |
_metric_type required (string) |
Indicates that the metric is a gauge. Value must be gauge. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
host required (string) |
Hostname for the host on which the scoped app was run. |
unit required (string) |
Indicates that the metric's value is a number of files. Value must be file. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
proc.mem ^
Structure of the proc.mem metric
Example
{
"type": "metric",
"body": {
"_metric": "proc.mem",
"_metric_type": "gauge",
"_value": 31284,
"proc": "accept01",
"pid": 1946,
"host": "7cb66c7f77dd",
"unit": "kibibyte",
"_time": 1643749566.030388
}
}
proc.mem properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
proc.mem.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a gauge that reports process memory consumption. Value must be proc.mem. |
_metric_type required (string) |
Indicates that the metric is a gauge. Value must be gauge. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
host required (string) |
Hostname for the host on which the scoped app was run. |
unit required (string) |
Indicates that the metric's value is in kibibytes. Value must be kibibyte. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
proc.start ^
Structure of the proc.start metric
Example
{
"type": "metric",
"body": {
"_metric": "proc.start",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 1945,
"gid": 0,
"groupname": "root",
"uid": 0,
"username": "root",
"host": "7cb66c7f77dd",
"args": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"unit": "process",
"_time": 1643749566.026885
}
}
proc.start properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
proc.start.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a counter which can only be 1, meaning that the process has started. Value must be proc.start. |
_metric_type required (string) |
Indicates that the metric is a counter. Value must be counter. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
gid required (integer) |
Group ID of the user who created the process. Example: 0 |
groupname required (string) |
Groupname of the user who created the process. Example: root |
uid required (integer) |
User ID of the user who created the process. Example: 0 |
username required (string) |
Username of the user who created the process. Example: root |
host required (string) |
Hostname for the host on which the scoped app was run. |
args required (string) |
The arguments with which the scoped app was run. |
unit required (string) |
Indicates that the metric's value is a number of processes. Value must be process. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
proc.thread ^
Structure of the proc.thread metric
Example
{
"type": "metric",
"body": {
"_metric": "proc.thread",
"_metric_type": "gauge",
"_value": 1,
"proc": "accept01",
"pid": 1946,
"host": "7cb66c7f77dd",
"unit": "thread",
"_time": 1643749566.030435
}
}
proc.thread properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
proc.thread.body properties
| Property | Description |
|---|---|
_metric required (string) |
Indicates that the Source is a gauge that reports how many threads are running in the process. Value must be proc.thread. |
_metric_type required (string) |
Indicates that the metric is a gauge. Value must be gauge. |
_value required (number) |
The value reported by the event or metric. Example: 1 |
proc required (string) |
The name of the scoped app's process. |
pid required (integer) |
The process ID of the scoped app. Example: 1000 |
host required (string) |
Hostname for the host on which the scoped app was run. |
unit required (string) |
Indicates that the metric's value is a number of threads. Value must be thread. |
_time required (number) |
The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
