Schema Reference
In AppScope, events are structured according to one pattern, and metrics are structured according to another. These patterns are defined rigorously, in validatable JSON Schema.
Three definitions schemas govern the basic patterns. Then there is an individual schema for each event and metric, documented below. The definitions schemas define the elements that can be present in individual event and metric schemas, as well as the overall structures into which those elements fit.
When we say "the AppScope schema," we mean the whole set of schemas. The AppScope schema now in use was introduced in AppScope 1.0.1.
A few event and metric schema elements, namely title and description, have placeholder values. In the future, we might make these more informative. They are essentially "internal documentation" within the schemas and do not affect how the schemas function in AppScope. In the event that you develop any code that depends on AppScope schemas, be aware that the content of title and description fields may evolve.
For more about how events and metrics work in AppScope, see this overview.
dns.req ^
Structure of the dns.req event
Example
{
"type": "evt",
"id": "ubuntu-firefox-/usr/lib/firefox/firefox",
"_channel": "13470757294558",
"body": {
"sourcetype": "dns",
"_time": 1643735942.526987,
"source": "dns.req",
"host": "ubuntu",
"proc": "firefox",
"cmd": "/usr/lib/firefox/firefox",
"pid": 6544,
"data": {
"domain": "detectportal.firefox.com"
}
}
}
dns.req properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
dns.req.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - dns Value must be dns. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - DNS request Value must be dns.req. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
dns.req.body.data properties
| Property | Description |
|---|---|
domain required (string) |
domain |
dns.resp ^
Structure of the dns.resp event
Example
{
"type": "evt",
"id": "ubuntu-firefox-/usr/lib/firefox/firefox",
"_channel": "13470823778038",
"body": {
"sourcetype": "dns",
"_time": 1643735942.552667,
"source": "dns.resp",
"host": "ubuntu",
"proc": "firefox",
"cmd": "/usr/lib/firefox/firefox",
"pid": 6544,
"data": {
"duration": 25,
"domain": "detectportal.firefox.com",
"addrs": [
"34.107.221.82"
]
}
}
}
dns.resp properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
dns.resp.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - dns Value must be dns. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - DNS response Value must be dns.resp. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
dns.resp.body.data properties
| Property | Description |
|---|---|
duration (number) |
duration Example: 55 |
domain (string) |
domain |
addrs (array) |
addrs |
fs.close ^
Structure of the fs.close event
Example
{
"type": "evt",
"id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
"_channel": "5890090429747",
"body": {
"sourcetype": "fs",
"_time": 1643735835.455002,
"source": "fs.close",
"host": "8bc1398c19f3",
"proc": "accept01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"pid": 1933,
"data": {
"proc": "accept01",
"pid": 1933,
"host": "8bc1398c19f3",
"file": "/dev/shm/ltp_accept01_1931",
"proc_uid": 0,
"proc_gid": 0,
"proc_cgroup": "0::/system.slice/containerd.service",
"file_perms": 600,
"file_owner": 0,
"file_group": 0,
"file_read_bytes": 0,
"file_read_ops": 0,
"file_write_bytes": 0,
"file_write_ops": 0,
"duration": 0,
"op": "close"
}
}
}
fs.close properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
fs.close.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - fs Value must be fs. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - File Close Value must be fs.close. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
fs.close.body.data properties
| Property | Description |
|---|---|
proc (string) |
proc |
pid (integer) |
pid Example: 1000 |
host (string) |
host |
file (string) |
file |
proc_uid (integer) |
proc_uid Example: 0 |
proc_gid (integer) |
proc_gid Example: 0 |
proc_cgroup (string) |
proc_cgroup Example: 0::/user.slice/user-1000.slice/session-3.scope |
file_perms (integer) |
file_perms Example: 777 |
file_owner (number) |
file_owner Example: 0 |
file_group (number) |
file_group Example: 0 |
file_read_bytes (integer) |
file_read_bytes Example: 512 |
file_read_ops (integer) |
file_read_ops Example: 5 |
file_write_bytes (integer) |
file_write_bytes Example: 10 |
file_write_ops (integer) |
file_write_ops Example: 5 |
duration (number) |
duration Example: 55 |
op (string) |
op_fs_close Possible values:
|
fs.delete ^
Structure of the fs.delete event
Example
{
"type": "evt",
"id": "b6209181773f-rm-rm test.txt",
"_channel": "none",
"body": {
"sourcetype": "fs",
"_time": 1643793922.040438,
"source": "fs.delete",
"host": "b6209181773f",
"proc": "rm",
"cmd": "rm test.txt",
"pid": 306,
"data": {
"proc": "rm",
"pid": 306,
"host": "b6209181773f",
"op": "unlinkat",
"file": "test.txt",
"unit": "operation"
}
}
}
fs.delete properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
fs.delete.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - fs Value must be fs. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - File Delete Value must be fs.delete. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
fs.delete.body.data properties
| Property | Description |
|---|---|
proc (string) |
proc |
pid (integer) |
pid Example: 1000 |
host (string) |
host |
op (string) |
op_fs_delete Possible values:
|
file (string) |
file |
unit (string) |
Unit - operation Value must be operation. |
fs.duration ^
Structure of the fs.duration event
Example
{
"type": "evt",
"id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
"_channel": "5890091215105",
"body": {
"sourcetype": "metric",
"_time": 1643735835.455057,
"source": "fs.duration",
"host": "8bc1398c19f3",
"proc": "accept01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"pid": 1933,
"data": {
"_metric": "fs.duration",
"_metric_type": "histogram",
"_value": 12,
"proc": "accept01",
"pid": 1933,
"fd": 3,
"op": "fgets_unlocked",
"file": "/etc/passwd",
"numops": 1,
"unit": "microsecond"
}
}
}
fs.duration properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
fs.duration.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - metric Value must be metric. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - File Duration Value must be fs.duration. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
fs.duration.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Source - File Duration Value must be fs.duration. |
_metric_type (string) |
histogram Value must be histogram. |
_value (number) |
_value Example: 1 |
proc (string) |
proc |
pid (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
op (string) |
op |
file (string) |
file |
numops (number) |
numops |
unit (string) |
Unit - microsecond Value must be microsecond. |
fs.error ^
Structure of the fs.error event
Example
{
"type": "evt",
"id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
"_channel": "5890094642989",
"body": {
"sourcetype": "metric",
"_time": 1643735835.45777,
"source": "fs.error",
"host": "8bc1398c19f3",
"proc": "accept01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"pid": 1931,
"data": {
"_metric": "fs.error",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 1931,
"op": "access",
"file": "/dev/shm/ltp_accept01_1931",
"class": "stat",
"unit": "operation"
}
}
}
fs.error properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
fs.error.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - metric Value must be metric. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - File Error Value must be fs.error. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
fs.error.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Source - File Error Value must be fs.error. |
_metric_type (string) |
counter Value must be counter. |
_value (number) |
_value Example: 1 |
proc (string) |
proc |
pid (integer) |
pid Example: 1000 |
op (string) |
op |
file (string) |
file |
class (string) |
class fs.error Possible values:
|
unit (string) |
Unit - operation Value must be operation. |
fs.open ^
Structure of the fs.open event
Example
{
"type": "evt",
"id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
"_channel": "5890090429747",
"body": {
"sourcetype": "fs",
"_time": 1643735835.454946,
"source": "fs.open",
"host": "8bc1398c19f3",
"proc": "accept01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"pid": 1933,
"data": {
"proc": "accept01",
"pid": 1933,
"host": "8bc1398c19f3",
"file": "/dev/shm/ltp_accept01_1931",
"proc_uid": 0,
"proc_gid": 0,
"proc_cgroup": "0::/system.slice/containerd.service",
"file_perms": 600,
"file_owner": 0,
"file_group": 0,
"op": "open"
}
}
}
fs.open properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
fs.open.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - fs Value must be fs. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - File open Value must be fs.open. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
fs.open.body.data properties
| Property | Description |
|---|---|
proc (string) |
proc |
pid (integer) |
pid Example: 1000 |
host (string) |
host |
file (string) |
file |
proc_uid (integer) |
proc_uid Example: 0 |
proc_gid (integer) |
proc_gid Example: 0 |
proc_cgroup (string) |
proc_cgroup Example: 0::/user.slice/user-1000.slice/session-3.scope |
file_perms (integer) |
file_perms Example: 777 |
file_owner (number) |
file_owner Example: 0 |
file_group (number) |
file_group Example: 0 |
op (string) |
op_fs_open Possible values:
|
fs.read ^
Structure of the fs.read event
Example
{
"type": "evt",
"id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
"_channel": "5890091215105",
"body": {
"sourcetype": "metric",
"_time": 1643735835.455076,
"source": "fs.read",
"host": "8bc1398c19f3",
"proc": "accept01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"pid": 1933,
"data": {
"_metric": "fs.read",
"_metric_type": "histogram",
"_value": 4096,
"proc": "accept01",
"pid": 1933,
"fd": 3,
"op": "fgets_unlocked",
"file": "/etc/passwd",
"numops": 1,
"unit": "byte"
}
}
}
fs.read properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
fs.read.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - metric Value must be metric. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - File Read Value must be fs.read. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
fs.read.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Source - File Read Value must be fs.read. |
_metric_type (string) |
histogram Value must be histogram. |
_value (number) |
_value Example: 1 |
proc (string) |
proc |
pid (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
op (string) |
op_fs_read Possible values:
|
file (string) |
file |
numops (number) |
numops |
unit (string) |
Unit - byte Value must be byte. |
fs.seek ^
Structure of the fs.seek event
Example
{
"type": "evt",
"id": "8bc1398c19f3-sh-/bin/sh ./file_x",
"_channel": "5891441789884",
"body": {
"sourcetype": "metric",
"_time": 1643735836.805196,
"source": "fs.seek",
"host": "8bc1398c19f3",
"proc": "sh",
"cmd": "/bin/sh ./file_x",
"pid": 2061,
"data": {
"_metric": "fs.seek",
"_metric_type": "counter",
"_value": 1,
"proc": "sh",
"pid": 2061,
"fd": 3,
"op": "lseek",
"file": "./file_x",
"unit": "operation"
}
}
}
fs.seek properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
fs.seek.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - metric Value must be metric. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - File Seek Value must be fs.seek. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
fs.seek.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Source - File Seek Value must be fs.seek. |
_metric_type (string) |
counter Value must be counter. |
_value (number) |
_value Example: 1 |
proc (string) |
proc |
pid (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
op (string) |
op_fs_seek Possible values:
|
file (string) |
file |
unit (string) |
Unit - operation Value must be operation. |
fs.stat ^
Structure of the fs.stat event
Example
{
"type": "evt",
"id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
"_channel": "5890091777333",
"body": {
"sourcetype": "metric",
"_time": 1643735835.454905,
"source": "fs.stat",
"host": "8bc1398c19f3",
"proc": "accept01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"pid": 1933,
"data": {
"_metric": "fs.stat",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 1933,
"op": "access",
"file": "/dev/shm",
"unit": "operation"
}
}
}
fs.stat properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
fs.stat.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - metric Value must be metric. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - File Stat Value must be fs.stat. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
fs.stat.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Source - File Stat Value must be fs.stat. |
_metric_type (string) |
counter Value must be counter. |
_value (number) |
_value Example: 1 |
proc (string) |
proc |
pid (integer) |
pid Example: 1000 |
op (string) |
op_fs_stat Possible values:
|
file (string) |
file |
unit (string) |
Unit - operation Value must be operation. |
fs.write ^
Structure of the fs.write event
Example
{
"type": "evt",
"id": "8bc1398c19f3-access02-/kernel/syscalls/access/access02",
"_channel": "5891407740765",
"body": {
"sourcetype": "metric",
"_time": 1643735836.773249,
"source": "fs.write",
"host": "8bc1398c19f3",
"proc": "access02",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/access/access02",
"pid": 2058,
"data": {
"_metric": "fs.write",
"_metric_type": "histogram",
"_value": 10,
"proc": "access02",
"pid": 2058,
"fd": 3,
"op": "__write_libc",
"file": "file_x",
"numops": 1,
"unit": "byte"
}
}
}
fs.write properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
fs.write.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - metric Value must be metric. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - File Write Value must be fs.write. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
fs.write.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Source - File Write Value must be fs.write. |
_metric_type (string) |
histogram Value must be histogram. |
_value (number) |
_value Example: 1 |
proc (string) |
proc |
pid (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
op (string) |
op_fs_write Possible values:
|
file (string) |
file |
numops (number) |
numops |
unit (string) |
Unit - byte Value must be byte. |
http.req ^
Structure of the http.req event
Example
{
"type": "evt",
"id": "ubuntu-firefox-/usr/lib/firefox/firefox",
"_channel": "13470846442500",
"body": {
"sourcetype": "http",
"_time": 1643735942.588626,
"source": "http.req",
"host": "ubuntu",
"proc": "firefox",
"cmd": "/usr/lib/firefox/firefox",
"pid": 6544,
"data": {
"http_method": "GET",
"http_target": "/canonical.html",
"http_flavor": "1.1",
"http_scheme": "http",
"http_host": "detectportal.firefox.com",
"http_user_agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
"net_transport": "IP.TCP",
"net_peer_ip": "34.107.221.82",
"net_peer_port": 80,
"net_host_ip": "172.16.198.210",
"net_host_port": 33712
}
}
}
http.req properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
http.req.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - http Value must be http. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - HTTP request Value must be http.req. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
http.req.body.data properties
| Property | Description |
|---|---|
http_method (string) |
http_method |
http_frame (string) |
http_frame Possible values:
|
http_target (string) |
http_target |
http_flavor (string) |
http_flavor |
http_stream (integer) |
http_stream |
http_scheme (string) |
http_scheme Possible values:
|
http_host (string) |
http_host |
http_user_agent (string) |
http_user_agent |
http_client_ip (string) |
http_client_ip |
net_transport (string) |
net_transport Possible values:
|
net_peer_ip (string) |
net_peer_ip |
net_peer_port (integer) |
net_peer_port |
net_host_ip (string) |
net_host_ip |
net_host_port (integer) |
net_host_port |
x_appscope (string) |
x-appscope Value must be x-appscope. |
http.resp ^
Structure of the http.resp event
Example
{
"type": "evt",
"id": "ubuntu-firefox-/usr/lib/firefox/firefox",
"_channel": "13470846442500",
"body": {
"sourcetype": "http",
"_time": 1643735942.613892,
"source": "http.resp",
"host": "ubuntu",
"proc": "firefox",
"cmd": "/usr/lib/firefox/firefox",
"pid": 6544,
"data": {
"http_method": "GET",
"http_target": "/canonical.html",
"http_scheme": "http",
"http_flavor": "1.1",
"http_status_code": 200,
"http_status_text": "OK",
"http_server_duration": 26,
"http_host": "detectportal.firefox.com",
"http_user_agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
"net_transport": "IP.TCP",
"net_peer_ip": "34.107.221.82",
"net_peer_port": 80,
"net_host_ip": "172.16.198.210",
"net_host_port": 33712,
"http_response_content_length": 90
}
}
}
http.resp properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
http.resp.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - http Value must be http. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - HTTP response Value must be http.resp. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
http.resp.body.data properties
| Property | Description |
|---|---|
http_method (string) |
http_method |
http_target (string) |
http_target |
http_stream (integer) |
http_stream |
http_scheme (string) |
http_scheme Possible values:
|
http_flavor (string) |
http_flavor |
http_status_code (integer) |
http_status_code Possible values:
|
http_status_text (string) |
http_status_text Possible values:
|
http_client_duration (number) |
http_client_duration |
http_server_duration (number) |
http_server_duration |
http_host (string) |
http_host |
http_user_agent (string) |
http_user_agent |
net_transport (string) |
net_transport Possible values:
|
net_peer_ip (string) |
net_peer_ip |
net_peer_port (integer) |
net_peer_port |
net_host_ip (string) |
net_host_ip |
net_host_port (integer) |
net_host_port |
http_response_content_length (number) |
http_response_content_length |
net.app ^
Structure of the net.app event
Example
{
"type": "evt",
"id": "ubuntu-firefox-/usr/lib/firefox/firefox",
"_channel": "13470846442500",
"body": {
"sourcetype": "net",
"_time": 1643735942.588594,
"source": "net.app",
"host": "ubuntu",
"proc": "firefox",
"cmd": "/usr/lib/firefox/firefox",
"pid": 6544,
"data": {
"proc": "firefox",
"pid": 6544,
"fd": 91,
"host": "ubuntu",
"protocol": "HTTP"
}
}
}
net.app properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
net.app.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - net Value must be net. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - Net App Value must be net.app. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
net.app.body.data properties
| Property | Description |
|---|---|
proc (string) |
proc |
pid (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
host (string) |
host |
protocol (string) |
protocol Possible values:
|
net.close ^
Structure of the net.close event
Example
{
"type": "evt",
"id": "8bc1398c19f3-recvfrom01-nel/syscalls/recvfrom/recvfrom01",
"_channel": "5912618970557",
"body": {
"sourcetype": "net",
"_time": 1643735857.983449,
"source": "net.close",
"host": "8bc1398c19f3",
"proc": "recvfrom01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/recvfrom/recvfrom01",
"pid": 3793,
"data": {
"net_transport": "IP.TCP",
"net_peer_ip": "0.0.0.0",
"net_peer_port": 35533,
"net_host_ip": "127.0.0.1",
"net_host_port": 40184,
"duration": 0,
"net_bytes_sent": 0,
"net_bytes_recv": 6,
"net_close_reason": "local"
}
}
}
net.close properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
net.close.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - net Value must be net. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - Net Close Value must be net.close. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
net.close.body.data properties
| Property | Description |
|---|---|
net_transport (string) |
net_transport Possible values:
|
net_peer_ip (string) |
net_peer_ip |
net_peer_port (integer) |
net_peer_port |
net_host_ip (string) |
net_host_ip |
net_host_port (integer) |
net_host_port |
net_protocol (string) |
net_protocol Value must be http. |
unix_peer_inode (number) |
unix_peer_inode |
unix_local_inode (number) |
unix_local_inode |
duration (number) |
duration Example: 55 |
net_bytes_sent (number) |
net_bytes_sent |
net_bytes_recv (number) |
net_bytes_recv |
net_close_reason (string) |
net_close_reason Possible values:
|
net.duration ^
Structure of the net.duration event
Example
{
"type": "evt",
"id": "8bc1398c19f3-recvmsg01-ernel/syscalls/recvmsg/recvmsg01",
"_channel": "5912681876432",
"body": {
"sourcetype": "metric",
"_time": 1643735858.046756,
"source": "net.duration",
"host": "8bc1398c19f3",
"proc": "recvmsg01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/recvmsg/recvmsg01",
"pid": 3798,
"data": {
"_metric": "net.duration",
"_metric_type": "timer",
"_value": 1,
"proc": "recvmsg01",
"pid": 3798,
"fd": 4,
"proto": "TCP",
"port": 41482,
"numops": 1,
"unit": "millisecond"
}
}
}
net.duration properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
net.duration.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - metric Value must be metric. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - Net duration Value must be net.duration. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
net.duration.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Source - Net duration Value must be net.duration. |
_metric_type (string) |
timer Value must be timer. |
_value (number) |
_value Example: 1 |
proc (string) |
proc |
pid (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
proto (string) |
proto Possible values:
|
port (number) |
port |
numops (number) |
numops |
unit (string) |
Unit - millisecond Value must be millisecond. |
net.error ^
Structure of the net.error event
Example
{
"type": "evt",
"id": "90aac4bb0722-accept01-/kernel/syscalls/accept/accept01",
"_channel": "2745569202700291",
"body": {
"sourcetype": "metric",
"_time": 1643972258.00885,
"source": "net.error",
"host": "90aac4bb0722",
"proc": "accept01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"pid": 1934,
"data": {
"_metric": "net.error",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 1934,
"op": "accept",
"class": "connection",
"unit": "operation"
}
}
}
net.error properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
net.error.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - metric Value must be metric. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - Net Error Value must be net.error. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
net.error.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Source - Net Error Value must be net.error. |
_metric_type (string) |
counter Value must be counter. |
_value (number) |
_value Example: 1 |
proc (string) |
proc |
pid (integer) |
pid Example: 1000 |
op (string) |
op |
class (string) |
connection Value must be connection. |
unit (string) |
Unit - operation Value must be operation. |
net.open ^
Structure of the net.open event
Example
{
"type": "evt",
"id": "8bc1398c19f3-accept02-/kernel/syscalls/accept/accept02",
"_channel": "5890157346952",
"body": {
"sourcetype": "net",
"_time": 1643735835.521928,
"source": "net.open",
"host": "8bc1398c19f3",
"proc": "accept02",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept02",
"pid": 1936,
"data": {
"net_transport": "IP.TCP",
"net_peer_ip": "127.0.0.1",
"net_peer_port": 58625,
"net_host_ip": "0.0.0.0",
"net_host_port": 0
}
}
}
net.open properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
net.open.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - net Value must be net. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - Net Open Value must be net.open. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
net.open.body.data properties
| Property | Description |
|---|---|
net_transport (string) |
net_transport Possible values:
|
net_peer_ip (string) |
net_peer_ip |
net_peer_port (integer) |
net_peer_port |
net_host_ip (string) |
net_host_ip |
net_host_port (integer) |
net_host_port |
unix_peer_inode (number) |
unix_peer_inode |
unix_local_inode (number) |
unix_local_inode |
net_protocol (string) |
net_protocol Value must be http. |
net.other ^
Structure of the net.other event
Example
{
"type": "evt",
"id": "test_user-server_seqpacket-./server_seqpacket",
"_channel": "11977632602680",
"body": {
"sourcetype": "metric",
"_time": 1643886739.820863,
"source": "net.other",
"host": "test_user",
"proc": "server_seqpacket",
"cmd": "./server_seqpacket",
"pid": 232570,
"data": {
"_metric": "net.other",
"_metric_type": "gauge",
"_value": 1,
"proc": "server_seqpacket",
"pid": 232570,
"fd": 3,
"proto": "SEQPACKET",
"port": 0,
"unit": "connection"
}
}
}
net.other properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
net.other.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - metric Value must be metric. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - Net other Value must be net.other. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
net.other.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Source - Net other Value must be net.other. |
_metric_type (string) |
gauge Value must be gauge. |
_value (number) |
_value Example: 1 |
proc (string) |
proc |
pid (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
proto (string) |
proto Possible values:
|
port (number) |
port |
unit (string) |
Unit - connection Value must be connection. |
net.port ^
Structure of the net.port event
Example
{
"type": "evt",
"id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
"_channel": "5890091645261",
"body": {
"sourcetype": "metric",
"_time": 1643735835.455222,
"source": "net.port",
"host": "8bc1398c19f3",
"proc": "accept01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"pid": 1933,
"data": {
"_metric": "net.port",
"_metric_type": "gauge",
"_value": 1,
"proc": "accept01",
"pid": 1933,
"fd": 4,
"proto": "TCP",
"port": 0,
"unit": "instance"
}
}
}
net.port properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
net.port.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - metric Value must be metric. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - Net port Value must be net.port. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
net.port.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Source - Net port Value must be net.port. |
_metric_type (string) |
gauge Value must be gauge. |
_value (number) |
_value Example: 1 |
proc (string) |
proc |
pid (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
proto (string) |
proto Possible values:
|
port (number) |
port |
unit (string) |
Unit - instance Value must be instance. |
net.rx ^
Structure of the net.rx event
Example
{
"type": "evt",
"id": "8bc1398c19f3-recvfrom01-nel/syscalls/recvfrom/recvfrom01",
"_channel": "5912618970557",
"body": {
"sourcetype": "metric",
"_time": 1643735857.983368,
"source": "net.rx",
"host": "8bc1398c19f3",
"proc": "recvfrom01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/recvfrom/recvfrom01",
"pid": 3793,
"data": {
"_metric": "net.rx",
"_metric_type": "counter",
"_value": 6,
"proc": "recvfrom01",
"pid": 3793,
"fd": 4,
"domain": "AF_INET",
"proto": "TCP",
"localip": "127.0.0.1",
"localp": 40184,
"remoteip": "0.0.0.0",
"remotep": 35533,
"data": "clear",
"numops": 1,
"unit": "byte"
}
}
}
net.rx properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
net.rx.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - metric Value must be metric. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - Net RX Value must be net.rx. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
net.rx.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Source - Net RX Value must be net.rx. |
_metric_type (string) |
counter Value must be counter. |
_value (number) |
_value Example: 1 |
proc (string) |
proc |
pid (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
domain (string) |
domain |
proto (string) |
proto Possible values:
|
localip (string) |
localip Example: 127.0.0.1 |
localp (number) |
localp Example: 9109 |
localn (number) |
localn |
remoteip (string) |
remoteip Example: 192.158.1.38 |
remotep (number) |
remotep Example: 9108 |
remoten (number) |
remoten |
data (string) |
data Possible values:
|
numops (number) |
numops |
unit (string) |
Unit - byte Value must be byte. |
net.tcp ^
Structure of the net.tcp event
Example
{
"type": "evt",
"id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
"_channel": "5890091645261",
"body": {
"sourcetype": "metric",
"_time": 1643735835.455387,
"source": "net.tcp",
"host": "8bc1398c19f3",
"proc": "accept01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"pid": 1933,
"data": {
"_metric": "net.tcp",
"_metric_type": "gauge",
"_value": 0,
"proc": "accept01",
"pid": 1933,
"fd": 4,
"proto": "TCP",
"port": 0,
"unit": "connection"
}
}
}
net.tcp properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
net.tcp.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - metric Value must be metric. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - Net tcp Value must be net.tcp. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
net.tcp.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Source - Net tcp Value must be net.tcp. |
_metric_type (string) |
gauge Value must be gauge. |
_value (number) |
_value Example: 1 |
proc (string) |
proc |
pid (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
proto (string) |
proto_tcp Value must be TCP. |
port (number) |
port |
unit (string) |
Unit - connection Value must be connection. |
net.tx ^
Structure of the net.tx event
Example
{
"type": "evt",
"id": "8bc1398c19f3-recvfrom01-nel/syscalls/recvfrom/recvfrom01",
"_channel": "5912618642035",
"body": {
"sourcetype": "metric",
"_time": 1643735857.983059,
"source": "net.tx",
"host": "8bc1398c19f3",
"proc": "recvfrom01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/recvfrom/recvfrom01",
"pid": 3795,
"data": {
"_metric": "net.tx",
"_metric_type": "counter",
"_value": 6,
"proc": "recvfrom01",
"pid": 3795,
"fd": 4,
"domain": "AF_INET",
"proto": "TCP",
"localip": "0.0.0.0",
"localp": 0,
"remoteip": "127.0.0.1",
"remotep": 40184,
"data": "clear",
"numops": 1,
"unit": "byte"
}
}
}
net.tx properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
net.tx.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - metric Value must be metric. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - Net TX Value must be net.tx. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
net.tx.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Source - Net TX Value must be net.tx. |
_metric_type (string) |
counter Value must be counter. |
_value (number) |
_value Example: 1 |
proc (string) |
proc |
pid (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
domain (string) |
domain |
proto (string) |
proto Possible values:
|
localip (string) |
localip Example: 127.0.0.1 |
localp (number) |
localp Example: 9109 |
localn (number) |
localn |
remoteip (string) |
remoteip Example: 192.158.1.38 |
remotep (number) |
remotep Example: 9108 |
remoten (number) |
remoten |
data (string) |
data Possible values:
|
numops (number) |
numops |
unit (string) |
Unit - byte Value must be byte. |
net.udp ^
Structure of the net.udp event
Example
{
"type": "evt",
"id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
"_channel": "5890091656419",
"body": {
"sourcetype": "metric",
"_time": 1643735835.455419,
"source": "net.udp",
"host": "8bc1398c19f3",
"proc": "accept01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"pid": 1933,
"data": {
"_metric": "net.udp",
"_metric_type": "gauge",
"_value": 0,
"proc": "accept01",
"pid": 1933,
"fd": 5,
"proto": "UDP",
"port": 0,
"unit": "connection"
}
}
}
net.udp properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
net.udp.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - metric Value must be metric. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - Net udp Value must be net.udp. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
net.udp.body.data properties
| Property | Description |
|---|---|
_metric (string) |
Source - Net udp Value must be net.udp. |
_metric_type (string) |
gauge Value must be gauge. |
_value (number) |
_value Example: 1 |
proc (string) |
proc |
pid (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
proto (string) |
proto_udp Value must be UDP. |
port (number) |
port |
unit (string) |
Unit - connection Value must be connection. |
notice ^
Structure of the notice event
Example
{
"type": "evt",
"id": "9a721a6ad0be-htop-htop",
"_channel": "13544129471303",
"body": {
"sourcetype": "metric",
"_time": 1643888296.317304,
"source": "notice",
"host": "9a721a6ad0be",
"proc": "htop",
"cmd": "htop",
"pid": 302,
"data": "Truncated metrics. Your rate exceeded 10000 metrics per second"
}
}
notice properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
notice.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - metric Value must be metric. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Source - notice Value must be notice. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (string) |
data |
console ^
Structure of the console event
Example
{
"type": "evt",
"id": "eaf4d0598443-a.out-./a.out",
"_channel": "8499188821284",
"body": {
"sourcetype": "console",
"_time": 1643883251.376672,
"source": "stderr",
"host": "eaf4d0598443",
"proc": "a.out",
"cmd": "./a.out",
"pid": 986,
"data": {
"message": "stderr hello world"
}
}
}
console properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
console.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - console Value must be console. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
Specifies whether AppScope is capturing either stderr or file from console.Value must be stderr or file. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
console.body.data properties
| Property | Description |
|---|---|
message (string) |
message |
file ^
Structure of the file event
Example
{
"type": "evt",
"id": "ubuntu-sh- /usr/bin/which /usr/bin/firefox",
"_channel": "13468365092424",
"body": {
"sourcetype": "file",
"_time": 1643735941.602952,
"source": "/var/log/firefox.log",
"host": "ubuntu",
"proc": "sh",
"cmd": "/bin/sh /usr/bin/which /usr/bin/firefox",
"pid": 6545,
"data": {
"message": "/usr/bin/firefox\n"
}
}
}
file properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes events from metrics. Value must be evt. |
id required (string) |
Identifies the application that the process is associated with. |
_channel required (string) |
Identifies the operation during whose lifetime the event or metric is emitted. |
body required (object) |
body Details below. |
file.body properties
| Property | Description |
|---|---|
sourcetype required (string) |
Sourcetype - file Value must be file. |
_time required (number) |
_time Example: 1643662126.91777 |
source required (string) |
String that describes a file path. |
host required (string) |
host |
proc required (string) |
proc |
cmd required (string) |
cmd Example: top |
pid required (integer) |
pid Example: 1000 |
data required (object) |
data Details below. |
file.body.data properties
| Property | Description |
|---|---|
message (string) |
message |
fs.close ^
Structure of the fs.close metric
Examples
{
"type": "metric",
"body": {
"_metric": "fs.close",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 13687,
"host": "1f0ec6c8a7bc",
"unit": "operation",
"summary": "true",
"_time": 1643826403.121424
}
}
{
"type": "metric",
"body": {
"_metric": "fs.close",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 9871,
"fd": 3,
"host": "1f0ec6c8a7bc",
"op": "close",
"file": "/dev/shm/ltp_accept01_9870",
"unit": "operation",
"_time": 1643826292.07658
}
}
fs.close properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
fs.close.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - File Close Value must be fs.close. |
_metric_type required (string) |
counter Value must be counter. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
host required (string) |
host |
op (string) |
op_fs_close Possible values:
|
file (string) |
file |
unit required (string) |
Unit - operation Value must be operation. |
summary (string) |
summary Value must be true. |
_time required (number) |
_time Example: 1643662126.91777 |
fs.duration ^
Structure of the fs.duration metric
Examples
{
"type": "metric",
"body": {
"_metric": "fs.duration",
"_metric_type": "histogram",
"_value": 1,
"proc": "access01",
"pid": 13697,
"host": "1f0ec6c8a7bc",
"unit": "microsecond",
"summary": "true",
"_time": 1643826404.006442
}
}
{
"type": "metric",
"body": {
"_metric": "fs.duration",
"_metric_type": "histogram",
"_value": 16,
"proc": "accept01",
"pid": 9871,
"fd": 3,
"host": "1f0ec6c8a7bc",
"op": "fgets_unlocked",
"file": "/etc/passwd",
"numops": 1,
"unit": "microsecond",
"_time": 1643826292.076675
}
}
fs.duration properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
fs.duration.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - File Duration Value must be fs.duration. |
_metric_type required (string) |
histogram Value must be histogram. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
host required (string) |
host |
op (string) |
op |
file (string) |
file |
numops (number) |
numops |
unit required (string) |
Unit - microsecond Value must be microsecond. |
summary (string) |
summary Value must be true. |
_time required (number) |
_time Example: 1643662126.91777 |
fs.error ^
Structure of the fs.error metric
Examples
{
"type": "metric",
"body": {
"_metric": "fs.error",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 13686,
"host": "1f0ec6c8a7bc",
"class": "stat",
"unit": "operation",
"summary": "true",
"_time": 1643826403.123802
}
}
{
"type": "metric",
"body": {
"_metric": "fs.error",
"_metric_type": "counter",
"_value": 1,
"proc": "accept02",
"pid": 9872,
"host": "1f0ec6c8a7bc",
"op": "readdir",
"file": "/tmp/QxbCjC",
"class": "read_write",
"unit": "operation",
"_time": 1643826292.14466
}
}
fs.error properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
fs.error.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - File Error Value must be fs.error. |
_metric_type required (string) |
counter Value must be counter. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
host required (string) |
host |
op (string) |
op |
file (string) |
file |
class required (string) |
class fs.error Possible values:
|
unit required (string) |
Unit - operation Value must be operation. |
summary (string) |
summary Value must be true. |
_time required (number) |
_time Example: 1643662126.91777 |
fs.open ^
Structure of the fs.open metric
Examples
{
"type": "metric",
"body": {
"_metric": "fs.open",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 13687,
"host": "1f0ec6c8a7bc",
"unit": "operation",
"summary": "true",
"_time": 1643826403.121411
}
}
{
"type": "metric",
"body": {
"_metric": "fs.open",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 9871,
"fd": 3,
"host": "1f0ec6c8a7bc",
"op": "open",
"file": "/dev/shm/ltp_accept01_9870",
"unit": "operation",
"_time": 1643826292.076503
}
}
fs.open properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
fs.open.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - File open Value must be fs.open. |
_metric_type required (string) |
counter Value must be counter. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
host required (string) |
host |
op (string) |
op_fs_open Possible values:
|
file (string) |
file |
unit required (string) |
Unit - operation Value must be operation. |
summary (string) |
summary Value must be true. |
_time required (number) |
_time Example: 1643662126.91777 |
fs.read ^
Structure of the fs.read metric
Examples
{
"type": "metric",
"body": {
"_metric": "fs.read",
"_metric_type": "counter",
"_value": 13312,
"proc": "access01",
"pid": 13697,
"host": "1f0ec6c8a7bc",
"unit": "byte",
"summary": "true",
"_time": 1643826404.006381
}
}
{
"type": "metric",
"body": {
"_metric": "fs.read",
"_metric_type": "counter",
"_value": 4096,
"proc": "accept01",
"pid": 9871,
"fd": 3,
"host": "1f0ec6c8a7bc",
"op": "fgets_unlocked",
"file": "/etc/passwd",
"numops": 1,
"unit": "byte",
"_time": 1643826292.076709
}
}
fs.read properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
fs.read.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - File Read Value must be fs.read. |
_metric_type required (string) |
counter Value must be counter. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
host required (string) |
host |
op (string) |
op_fs_read Possible values:
|
file (string) |
file |
numops (number) |
numops |
unit required (string) |
Unit - byte Value must be byte. |
summary (string) |
summary Value must be true. |
_time required (number) |
_time Example: 1643662126.91777 |
fs.seek ^
Structure of the fs.seek metric
Examples
{
"type": "metric",
"body": {
"_metric": "fs.seek",
"_metric_type": "counter",
"_value": 3,
"proc": "sh",
"pid": 13810,
"host": "1f0ec6c8a7bc",
"unit": "operation",
"summary": "true",
"_time": 1643826404.175738
}
}
{
"type": "metric",
"body": {
"_metric": "fs.seek",
"_metric_type": "counter",
"_value": 1,
"proc": "sh",
"pid": 9994,
"fd": 3,
"host": "1f0ec6c8a7bc",
"op": "lseek",
"file": "./file_x",
"unit": "operation",
"_time": 1643826293.407508
}
}
fs.seek properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
fs.seek.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - File Seek Value must be fs.seek. |
_metric_type required (string) |
counter Value must be counter. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
host required (string) |
host |
op (string) |
op |
file (string) |
file |
unit required (string) |
Unit - operation Value must be operation. |
summary (string) |
summary Value must be true. |
_time required (number) |
_time Example: 1643662126.91777 |
fs.stat ^
Structure of the fs.stat metric
Examples
{
"type": "metric",
"body": {
"_metric": "fs.stat",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 13686,
"host": "1f0ec6c8a7bc",
"unit": "operation",
"summary": "true",
"_time": 1643826403.123752
}
}
{
"type": "metric",
"body": {
"_metric": "fs.stat",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 9871,
"host": "1f0ec6c8a7bc",
"op": "access",
"file": "/dev/shm",
"unit": "operation",
"_time": 1643826292.076446
}
}
fs.stat properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
fs.stat.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - File Stat Value must be fs.stat. |
_metric_type required (string) |
counter Value must be counter. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
host required (string) |
host |
op (string) |
op |
file (string) |
file |
unit required (string) |
Unit - operation Value must be operation. |
summary (string) |
summary Value must be true. |
_time required (number) |
_time Example: 1643662126.91777 |
fs.write ^
Structure of the fs.write metric
Examples
{
"type": "metric",
"body": {
"_metric": "fs.write",
"_metric_type": "counter",
"_value": 10,
"proc": "access02",
"pid": 13806,
"host": "1f0ec6c8a7bc",
"unit": "byte",
"summary": "true",
"_time": 1643826404.234963
}
}
{
"type": "metric",
"body": {
"_metric": "fs.write",
"_metric_type": "counter",
"_value": 10,
"proc": "access02",
"pid": 9991,
"fd": 3,
"host": "1f0ec6c8a7bc",
"op": "__write_libc",
"file": "file_x",
"numops": 1,
"unit": "byte",
"_time": 1643826293.385378
}
}
fs.write properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
fs.write.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - File Write Value must be fs.write. |
_metric_type required (string) |
counter Value must be counter. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
host required (string) |
host |
op (string) |
op_fs_write Possible values:
|
file (string) |
file |
numops (number) |
numops |
unit required (string) |
Unit - byte Value must be byte. |
summary (string) |
summary Value must be true. |
_time required (number) |
_time Example: 1643662126.91777 |
http.duration.client ^
Structure of the http.duration.client metric
Examples
{
"type": "metric",
"body": {
"_metric": "http.duration.client",
"_metric_type": "timer",
"_value": 6,
"http_target": "/",
"numops": 1,
"proc": "lt-curl",
"pid": 788,
"host": "c067d78736db",
"unit": "millisecond",
"summary": "true",
"_time": 1643924553.681483
}
}
{
"type": "metric",
"body": {
"_metric": "http.duration.client",
"_metric_type": "timer",
"_value": 7,
"http_target": "/",
"numops": 1,
"proc": "lt-curl",
"pid": 30,
"host": "c067d78736db",
"unit": "millisecond",
"summary": "true",
"_time": 1643924472.648148
}
}
http.duration.client properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
http.duration.client.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - HTTP client duration Value must be http.duration.client. |
_metric_type required (string) |
timer Value must be timer. |
_value required (number) |
_value Example: 1 |
http_target required (string) |
http_target |
numops required (number) |
numops |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
host required (string) |
host |
unit required (string) |
Unit - millisecond Value must be millisecond. |
summary (string) |
summary Value must be true. |
_time required (number) |
_time Example: 1643662126.91777 |
http.req.content_length ^
Structure of the http.req.content_length metric
Example
{
"type": "metric",
"body": {
"_metric": "http.req.content_length",
"_metric_type": "counter",
"_value": 38,
"http_target": "/echo/post/json",
"numops": 1,
"proc": "curl",
"pid": 525,
"host": "272cc69a120a",
"unit": "byte",
"summary": "true",
"_time": 1644230452.63037
}
}
http.req.content_length properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
http.req.content_length.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - HTTP request content length Value must be http.req.content_length. |
_metric_type required (string) |
counter Value must be counter. |
_value required (number) |
_value Example: 1 |
http_target required (string) |
http_target |
numops required (number) |
numops |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
host required (string) |
host |
unit required (string) |
Unit - byte Value must be byte. |
summary (string) |
summary Value must be true. |
_time required (number) |
_time Example: 1643662126.91777 |
http.req ^
Structure of the http.req metric
Examples
{
"type": "metric",
"body": {
"_metric": "http.req",
"_metric_type": "counter",
"_value": 1,
"http_target": "/",
"http_status_code": 200,
"proc": "lt-curl",
"pid": 788,
"host": "c067d78736db",
"unit": "request",
"summary": "true",
"_time": 1643924553.681441
}
}
{
"type": "metric",
"body": {
"_metric": "http.req",
"_metric_type": "counter",
"_value": 1,
"http_target": "/",
"http_status_code": 200,
"proc": "lt-curl",
"pid": 30,
"host": "c067d78736db",
"unit": "request",
"summary": "true",
"_time": 1643924472.64811
}
}
http.req properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
http.req.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - HTTP requests Value must be http.req. |
_metric_type required (string) |
counter Value must be counter. |
_value required (number) |
_value Example: 1 |
http_target required (string) |
http_target |
http_status_code required (integer) |
http_status_code Possible values:
|
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
host required (string) |
host |
unit required (string) |
Unit - request Value must be request. |
summary (string) |
summary Value must be true. |
_time required (number) |
_time Example: 1643662126.91777 |
http.resp.content_length ^
Structure of the http.resp.content_length metric
Examples
{
"type": "metric",
"body": {
"_metric": "http.resp.content_length",
"_metric_type": "counter",
"_value": 58896,
"http_target": "/",
"numops": 1,
"proc": "lt-curl",
"pid": 788,
"host": "c067d78736db",
"unit": "byte",
"summary": "true",
"_time": 1643924553.6815
}
}
{
"type": "metric",
"body": {
"_metric": "http.resp.content_length",
"_metric_type": "counter",
"_value": 58896,
"http_target": "/",
"numops": 1,
"proc": "lt-curl",
"pid": 30,
"host": "c067d78736db",
"unit": "byte",
"summary": "true",
"_time": 1643924472.648165
}
}
http.resp.content_length properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
http.resp.content_length.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - HTTP response content length Value must be http.resp.content_length. |
_metric_type required (string) |
counter Value must be counter. |
_value required (number) |
_value Example: 1 |
http_target required (string) |
http_target |
numops required (number) |
numops |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
host required (string) |
host |
unit required (string) |
Unit - byte Value must be byte. |
summary (string) |
summary Value must be true. |
_time required (number) |
_time Example: 1643662126.91777 |
http.duration.server ^
Structure of the http.duration.server metric
Examples
{
"type": "metric",
"body": {
"_metric": "http.duration.server",
"_metric_type": "timer",
"_value": 0,
"http_target": "/",
"numops": 1,
"proc": "httpd",
"pid": 2260,
"host": "c067d78736db",
"unit": "millisecond",
"summary": "true",
"_time": 1643924563.450939
}
}
{
"type": "metric",
"body": {
"_metric": "http.duration.server",
"_metric_type": "timer",
"_value": 1,
"http_target": "/",
"numops": 1,
"proc": "httpd",
"pid": 648,
"host": "c067d78736db",
"unit": "millisecond",
"summary": "true",
"_time": 1643924498.350866
}
}
http.duration.server properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
http.duration.server.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - HTTP server duration Value must be http.duration.server. |
_metric_type required (string) |
timer Value must be timer. |
_value required (number) |
_value Example: 1 |
http_target required (string) |
http_target |
numops required (number) |
numops |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
host required (string) |
host |
unit required (string) |
Unit - millisecond Value must be millisecond. |
summary (string) |
summary Value must be true. |
_time required (number) |
_time Example: 1643662126.91777 |
net.close ^
Structure of the net.close metric
Examples
{
"type": "metric",
"body": {
"_metric": "net.close",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 13687,
"host": "1f0ec6c8a7bc",
"unit": "connection",
"summary": "true",
"_time": 1643826403.12145
}
}
{
"type": "metric",
"body": {
"_metric": "net.close",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 9871,
"fd": 5,
"host": "1f0ec6c8a7bc",
"proto": "UDP",
"port": 0,
"unit": "connection",
"_time": 1643826292.077388
}
}
net.close properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
net.close.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - Net Close Value must be net.close. |
_metric_type required (string) |
counter Value must be counter. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
host required (string) |
host |
op (string) |
op |
proto (string) |
proto Possible values:
|
port (number) |
port |
unit required (string) |
Unit - connection Value must be connection. |
summary (string) |
summary Value must be true. |
_time required (number) |
_time Example: 1643662126.91777 |
dns.req ^
Structure of the dns.req metric
Examples
{
"type": "metric",
"body": {
"_metric": "dns.req",
"_metric_type": "counter",
"_value": 1,
"proc": "lt-curl",
"pid": 31,
"host": "2a6bc132b07a",
"unit": "request",
"summary": "true",
"_time": 1643832467.795134
}
}
{
"type": "metric",
"body": {
"_metric": "dns.req",
"_metric_type": "counter",
"_value": 1,
"proc": "lt-curl",
"pid": 2485,
"host": "2a6bc132b07a",
"domain": "cribl.io",
"duration": 0,
"unit": "request",
"_time": 1643832569.764219
}
}
dns.req properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
dns.req.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - Net DNS Value must be dns.req. |
_metric_type required (string) |
counter Value must be counter. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
host required (string) |
host |
domain (string) |
domain |
duration (number) |
duration Example: 55 |
unit required (string) |
Unit - request Value must be request. |
summary (string) |
summary Value must be true. |
_time required (number) |
_time Example: 1643662126.91777 |
net.duration ^
Structure of the net.duration metric
Examples
{
"type": "metric",
"body": {
"_metric": "net.duration",
"_metric_type": "timer",
"_value": 1,
"proc": "sendfile06_64",
"pid": 15385,
"host": "1f0ec6c8a7bc",
"unit": "millisecond",
"summary": "true",
"_time": 1643826428.960074
}
}
{
"type": "metric",
"body": {
"_metric": "net.duration",
"_metric_type": "timer",
"_value": 53,
"proc": "send02",
"pid": 11555,
"fd": 3,
"host": "1f0ec6c8a7bc",
"proto": "UDP",
"port": 0,
"numops": 1,
"unit": "millisecond",
"_time": 1643826318.65727
}
}
net.duration properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
net.duration.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - Net duration Value must be net.duration. |
_metric_type required (string) |
timer Value must be timer. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
host required (string) |
host |
proto (string) |
proto Possible values:
|
port (number) |
port |
numops (number) |
numops |
unit required (string) |
Unit - millisecond Value must be millisecond. |
summary (string) |
summary Value must be true. |
_time required (number) |
_time Example: 1643662126.91777 |
net.error ^
Structure of the net.error metric
Examples
{
"type": "metric",
"body": {
"_metric": "net.error",
"_metric_type": "counter",
"_value": 6,
"proc": "accept01",
"pid": 5920,
"host": "7cb66c7f77dd",
"op": "summary",
"class": "connection",
"unit": "operation",
"_time": 1643749774.573214
}
}
{
"type": "metric",
"body": {
"_metric": "net.error",
"_metric_type": "counter",
"_value": 1,
"proc": "recv01",
"pid": 3593,
"host": "7cb66c7f77dd",
"op": "recv",
"class": "rx_tx",
"unit": "operation",
"_time": 1643749590.518109
}
}
net.error properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
net.error.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - Net Error Value must be net.error. |
_metric_type required (string) |
counter Value must be counter. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
host required (string) |
host |
op (string) |
op |
class required (string) |
class net.error Possible values:
|
unit required (string) |
Unit - operation Value must be operation. |
summary (string) |
summary Value must be true. |
_time required (number) |
_time Example: 1643662126.91777 |
net.open ^
Structure of the net.open metric
Examples
{
"type": "metric",
"body": {
"_metric": "net.open",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 13687,
"host": "1f0ec6c8a7bc",
"unit": "connection",
"summary": "true",
"_time": 1643826403.121437
}
}
{
"type": "metric",
"body": {
"_metric": "net.open",
"_metric_type": "counter",
"_value": 1,
"proc": "lt-curl",
"pid": 2485,
"fd": 7,
"host": "2a6bc132b07a",
"proto": "UDP",
"port": 0,
"unit": "connection",
"_time": 1643832569.764144
}
}
net.open properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
net.open.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - Net Open Value must be net.open. |
_metric_type required (string) |
counter Value must be counter. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
host required (string) |
host |
proto (string) |
proto Possible values:
|
port (number) |
port |
unit required (string) |
Unit - connection Value must be connection. |
summary (string) |
summary Value must be true. |
_time required (number) |
_time Example: 1643662126.91777 |
net.other ^
Structure of the net.other metric
Examples
{
"type": "metric",
"body": {
"_metric": "net.other",
"_metric_type": "gauge",
"_value": 1,
"proc": "server_seqpacket",
"pid": 234979,
"host": "test_user",
"unit": "connection",
"summary": "true",
"_time": 1643887036.00144
}
}
{
"type": "metric",
"body": {
"_metric": "net.other",
"_metric_type": "gauge",
"_value": 1,
"proc": "server_seqpacket",
"pid": 235293,
"fd": 4,
"host": "test_user",
"proto": "SEQPACKET",
"port": 0,
"unit": "connection",
"_time": 1643887122.646226
}
}
net.other properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
net.other.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - Net other Value must be net.other. |
_metric_type required (string) |
gauge Value must be gauge. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
host required (string) |
host |
proto (string) |
proto Possible values:
|
port (number) |
port |
unit required (string) |
Unit - connection Value must be connection. |
summary (string) |
summary Value must be true. |
_time required (number) |
_time Example: 1643662126.91777 |
net.port ^
Structure of the net.port metric
Examples
{
"type": "metric",
"body": {
"_metric": "net.port",
"_metric_type": "gauge",
"_value": 2,
"proc": "accept02",
"pid": 13689,
"host": "1f0ec6c8a7bc",
"unit": "instance",
"summary": "true",
"_time": 1643826403.184484
}
}
{
"type": "metric",
"body": {
"_metric": "net.port",
"_metric_type": "gauge",
"_value": 1,
"proc": "accept01",
"pid": 9871,
"fd": 4,
"host": "1f0ec6c8a7bc",
"proto": "TCP",
"port": 0,
"unit": "instance",
"_time": 1643826292.076967
}
}
net.port properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
net.port.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - Net port Value must be net.port. |
_metric_type required (string) |
gauge Value must be gauge. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
host required (string) |
host |
proto (string) |
proto Possible values:
|
port (number) |
port |
unit required (string) |
Unit - instance Value must be instance. |
summary (string) |
summary Value must be true. |
_time required (number) |
_time Example: 1643662126.91777 |
net.rx ^
Structure of the net.rx metric
Examples
{
"type": "metric",
"body": {
"_metric": "net.rx",
"_metric_type": "counter",
"_value": 99000,
"proc": "send02",
"pid": 15371,
"host": "1f0ec6c8a7bc",
"unit": "byte",
"class": "inet_udp",
"summary": "true",
"_time": 1643826428.564141
}
}
{
"type": "metric",
"body": {
"_metric": "net.rx",
"_metric_type": "counter",
"_value": 6,
"proc": "recvfrom01",
"pid": 11544,
"fd": 4,
"host": "1f0ec6c8a7bc",
"domain": "AF_INET",
"proto": "TCP",
"localip": "127.0.0.1",
"localp": 37432,
"remoteip": "0.0.0.0",
"remotep": 40765,
"data": "clear",
"numops": 1,
"unit": "byte",
"_time": 1643826317.098972
}
}
{
"type": "metric",
"body": {
"_metric": "net.rx",
"_metric_type": "counter",
"_value": 16,
"proc": "send02",
"pid": 11555,
"fd": 3,
"host": "1f0ec6c8a7bc",
"domain": "AF_INET",
"proto": "UDP",
"localip": "127.0.0.1",
"localp": 0,
"remoteip": " ",
"remotep": 0,
"data": "clear",
"numops": 1,
"unit": "byte",
"_time": 1643826318.241899
}
}
net.rx properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
net.rx.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - Net RX Value must be net.rx. |
_metric_type required (string) |
counter Value must be counter. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
host required (string) |
host |
domain (string) |
domain |
proto (string) |
proto Possible values:
|
localn (number) |
localn |
localip (string) |
localip Example: 127.0.0.1 |
localp (number) |
localp Example: 9109 |
remoten (number) |
remoten |
remoteip (string) |
remoteip Example: 192.158.1.38 |
remotep (number) |
remotep Example: 9108 |
data (string) |
data |
numops (number) |
numops |
unit required (string) |
Unit - byte Value must be byte. |
class (string) |
class net.rxrx Possible values:
|
summary (string) |
summary Value must be true. |
_time required (number) |
_time Example: 1643662126.91777 |
net.tcp ^
Structure of the net.tcp metric
Examples
{
"type": "metric",
"body": {
"_metric": "net.tcp",
"_metric_type": "gauge",
"_value": 1,
"proc": "accept02",
"pid": 13689,
"host": "1f0ec6c8a7bc",
"unit": "connection",
"summary": "true",
"_time": 1643826403.184497
}
}
{
"type": "metric",
"body": {
"_metric": "net.tcp",
"_metric_type": "gauge",
"_value": 0,
"proc": "accept01",
"pid": 9871,
"fd": 4,
"host": "1f0ec6c8a7bc",
"proto": "TCP",
"port": 0,
"unit": "connection",
"_time": 1643826292.07731
}
}
net.tcp properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
net.tcp.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - Net tcp Value must be net.tcp. |
_metric_type required (string) |
gauge Value must be gauge. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
host required (string) |
host |
proto (string) |
proto_tcp Value must be TCP. |
port (number) |
port |
unit required (string) |
Unit - connection Value must be connection. |
summary (string) |
summary Value must be true. |
_time required (number) |
_time Example: 1643662126.91777 |
net.tx ^
Structure of the net.tx metric
Examples
{
"type": "metric",
"body": {
"_metric": "net.tx",
"_metric_type": "counter",
"_value": 3,
"proc": "recvmsg01",
"pid": 15364,
"host": "1f0ec6c8a7bc",
"unit": "byte",
"class": "unix_tcp",
"summary": "true",
"_time": 1643826427.279136
}
}
{
"type": "metric",
"body": {
"_metric": "net.tx",
"_metric_type": "counter",
"_value": 16,
"proc": "send02",
"pid": 11555,
"fd": 4,
"host": "1f0ec6c8a7bc",
"domain": "AF_INET",
"proto": "UDP",
"localip": "0.0.0.0",
"localp": 0,
"remoteip": "127.0.0.1",
"remotep": 38725,
"data": "clear",
"numops": 1,
"unit": "byte",
"_time": 1643826318.241855
}
}
{
"type": "metric",
"body": {
"_metric": "net.tx",
"_metric_type": "counter",
"_value": 1,
"proc": "recvmsg01",
"pid": 11548,
"fd": 3,
"host": "1f0ec6c8a7bc",
"domain": "UNIX",
"proto": "TCP",
"localn": 48335,
"remoten": 46396,
"data": "clear",
"numops": 1,
"unit": "byte",
"_time": 1643826317.162209
}
}
net.tx properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
net.tx.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - Net TX Value must be net.tx. |
_metric_type required (string) |
counter Value must be counter. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
fd (integer) |
fd Example: 4 |
host required (string) |
host |
domain (string) |
domain |
proto (string) |
proto Possible values:
|
localn (number) |
localn |
localip (string) |
localip Example: 127.0.0.1 |
localp (number) |
localp Example: 9109 |
remoten (number) |
remoten |
remoteip (string) |
remoteip Example: 192.158.1.38 |
remotep (number) |
remotep Example: 9108 |
data (string) |
data |
numops (number) |
numops |
unit required (string) |
Unit - byte Value must be byte. |
class (string) |
class net.rxrx Possible values:
|
summary (string) |
summary Value must be true. |
_time required (number) |
_time Example: 1643662126.91777 |
net.udp ^
Structure of the net.udp metric
Example
{
"type": "metric",
"body": {
"_metric": "net.udp",
"_metric_type": "gauge",
"_value": 0,
"proc": "accept01",
"pid": 9871,
"fd": 5,
"host": "1f0ec6c8a7bc",
"proto": "UDP",
"port": 0,
"unit": "connection",
"_time": 1643826292.077372
}
}
net.udp properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
net.udp.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - Net udp Value must be net.udp. |
_metric_type required (string) |
gauge Value must be gauge. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
fd required (integer) |
fd Example: 4 |
host required (string) |
host |
proto required (string) |
proto_udp Value must be UDP. |
port required (number) |
port |
unit required (string) |
Unit - connection Value must be connection. |
summary (string) |
summary Value must be true. |
_time required (number) |
_time Example: 1643662126.91777 |
proc.child ^
Structure of the proc.child metric
Example
{
"type": "metric",
"body": {
"_metric": "proc.child",
"_metric_type": "gauge",
"_value": 0,
"proc": "accept01",
"pid": 1946,
"host": "7cb66c7f77dd",
"unit": "process",
"_time": 1643749566.030543
}
}
proc.child properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
proc.child.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - proc child Value must be proc.child. |
_metric_type required (string) |
gauge Value must be gauge. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
host required (string) |
host |
unit required (string) |
Unit - process Value must be process. |
_time required (number) |
_time Example: 1643662126.91777 |
proc.cpu ^
Structure of the proc.cpu metric
Example
{
"type": "metric",
"body": {
"_metric": "proc.cpu",
"_metric_type": "counter",
"_value": 2107,
"proc": "accept01",
"pid": 1946,
"host": "7cb66c7f77dd",
"unit": "microsecond",
"_time": 1643749566.030295
}
}
proc.cpu properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
proc.cpu.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - proc cpu Value must be proc.cpu. |
_metric_type required (string) |
counter Value must be counter. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
host required (string) |
host |
unit required (string) |
Unit - microsecond Value must be microsecond. |
_time required (number) |
_time Example: 1643662126.91777 |
proc.cpu.perc ^
Structure of the proc.cpu_perc metric
Example
{
"type": "metric",
"body": {
"_metric": "proc.cpu_perc",
"_metric_type": "gauge",
"_value": 0.02107,
"proc": "accept01",
"pid": 1946,
"host": "7cb66c7f77dd",
"unit": "percent",
"_time": 1643749566.030327
}
}
proc.cpu.perc properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
proc.cpu.perc.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - proc cpu_perc Value must be proc.cpu_perc. |
_metric_type required (string) |
gauge Value must be gauge. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
host required (string) |
host |
unit required (string) |
Unit - percent Value must be percent. |
_time required (number) |
_time Example: 1643662126.91777 |
proc.fd ^
Structure of the proc.fd metric
Example
{
"type": "metric",
"body": {
"_metric": "proc.fd",
"_metric_type": "gauge",
"_value": 5,
"proc": "accept01",
"pid": 1946,
"host": "7cb66c7f77dd",
"unit": "file",
"_time": 1643749566.030497
}
}
proc.fd properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
proc.fd.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - proc fd Value must be proc.fd. |
_metric_type required (string) |
gauge Value must be gauge. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
host required (string) |
host |
unit required (string) |
Unit - file Value must be file. |
_time required (number) |
_time Example: 1643662126.91777 |
proc.mem ^
Structure of the proc.mem metric
Example
{
"type": "metric",
"body": {
"_metric": "proc.mem",
"_metric_type": "gauge",
"_value": 31284,
"proc": "accept01",
"pid": 1946,
"host": "7cb66c7f77dd",
"unit": "kibibyte",
"_time": 1643749566.030388
}
}
proc.mem properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
proc.mem.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - proc memory Value must be proc.mem. |
_metric_type required (string) |
gauge Value must be gauge. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
host required (string) |
host |
unit required (string) |
Unit - kibibyte Value must be kibibyte. |
_time required (number) |
_time Example: 1643662126.91777 |
proc.start ^
Structure of the proc.start metric
Example
{
"type": "metric",
"body": {
"_metric": "proc.start",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 1945,
"gid": 0,
"groupname": "root",
"uid": 0,
"username": "root",
"host": "7cb66c7f77dd",
"args": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"unit": "process",
"_time": 1643749566.026885
}
}
proc.start properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
proc.start.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - proc start Value must be proc.start. |
_metric_type required (string) |
counter Value must be counter. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
gid required (integer) |
gid Example: 0 |
groupname required (string) |
groupname Example: root |
uid required (integer) |
uid Example: 0 |
username required (string) |
username Example: root |
host required (string) |
host |
args required (string) |
args |
unit required (string) |
Unit - process Value must be process. |
_time required (number) |
_time Example: 1643662126.91777 |
proc.thread ^
Structure of the proc.thread metric
Example
{
"type": "metric",
"body": {
"_metric": "proc.thread",
"_metric_type": "gauge",
"_value": 1,
"proc": "accept01",
"pid": 1946,
"host": "7cb66c7f77dd",
"unit": "thread",
"_time": 1643749566.030435
}
}
proc.thread properties
| Property | Description |
|---|---|
type required (string) |
Distinguishes metrics from events. Value must be metric. |
body required (object) |
body Details below. |
proc.thread.body properties
| Property | Description |
|---|---|
_metric required (string) |
Source - proc thread Value must be proc.thread. |
_metric_type required (string) |
gauge Value must be gauge. |
_value required (number) |
_value Example: 1 |
proc required (string) |
proc |
pid required (integer) |
pid Example: 1000 |
host required (string) |
host |
unit required (string) |
Unit - thread Value must be thread. |
_time required (number) |
_time Example: 1643662126.91777 |
