Schema Reference

In AppScope, events are structured according to one pattern, and metrics are structured according to another. These patterns are defined rigorously, in validatable JSON Schema.

Three definitions schemas govern the basic patterns. Then there is an individual schema for each event and metric, documented below. The definitions schemas define the elements that can be present in individual event and metric schemas, as well as the overall structures into which those elements fit.

When we say "the AppScope schema," we mean the whole set of schemas. The AppScope schema now in use was introduced in AppScope 1.0.1.

A few event and metric schema elements, namely title and description, have placeholder values. In the future, we might make these more informative. They are essentially "internal documentation" within the schemas and do not affect how the schemas function in AppScope. In the event that you develop any code that depends on AppScope schemas, be aware that the content of title and description fields may evolve.

For more about how events and metrics work in AppScope, see this overview.

---

console ^

Structure of the console event

Examples

{
  "type": "evt",
  "id": "eaf4d0598443-a.out-./a.out",
  "_channel": "8499188821284",
  "body": {
    "sourcetype": "console",
    "_time": 1643883251.376672,
    "source": "stderr",
    "host": "eaf4d0598443",
    "proc": "a.out",
    "cmd": "./a.out",
    "pid": 986,
    "data": {
      "message": "stderr hello world"
    }
  }
}

{
  "type": "evt",
  "id": "ubuntu-sh- /usr/bin/which /usr/bin/firefox",
  "_channel": "13468365092424",
  "body": {
    "sourcetype": "console",
    "_time": 1643735941.602952,
    "source": "stdout",
    "host": "ubuntu",
    "proc": "sh",
    "cmd": "/bin/sh /usr/bin/which /usr/bin/firefox",
    "pid": 6545,
    "data": {
      "message": "/usr/bin/firefox\n"
    }
  }
}

console properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

console.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is console. Value must be console.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Specifies whether AppScope is capturing either stderr or stdout from console. Possible values: stderr stdout
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

console.body.data properties

Property	Description
message (string)	The textual data written to a console or file.

---

dns.req ^

Structure of the dns.req event

Example

{
  "type": "evt",
  "id": "ubuntu-firefox-/usr/lib/firefox/firefox",
  "_channel": "13470757294558",
  "body": {
    "sourcetype": "dns",
    "_time": 1643735942.526987,
    "source": "dns.req",
    "host": "ubuntu",
    "proc": "firefox",
    "cmd": "/usr/lib/firefox/firefox",
    "pid": 6544,
    "data": {
      "domain": "detectportal.firefox.com"
    }
  }
}

dns.req properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

dns.req.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is DNS. Value must be dns.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the Source is a Network DNS operation. Value must be dns.req.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

dns.req.body.data properties

Property	Description
domain required (string)	The domain for which the scoped app made a DNS request.

---

dns.resp ^

Structure of the dns.resp event

Example

{
  "type": "evt",
  "id": "ubuntu-firefox-/usr/lib/firefox/firefox",
  "_channel": "13470823778038",
  "body": {
    "sourcetype": "dns",
    "_time": 1643735942.552667,
    "source": "dns.resp",
    "host": "ubuntu",
    "proc": "firefox",
    "cmd": "/usr/lib/firefox/firefox",
    "pid": 6544,
    "data": {
      "duration": 25,
      "domain": "detectportal.firefox.com",
      "addrs": [
        "34.107.221.82"
      ]
    }
  }
}

dns.resp properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

dns.resp.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is DNS. Value must be dns.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the Source is a DNS response operation . Value must be dns.resp.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

dns.resp.body.data properties

Property	Description
duration (number)	Duration in milliseconds. Example: 55
domain (string)	The domain for which the scoped app made a DNS request.
addrs (array)	IP address(es) of the domain for which the scoped app sent a DNS request.

---

file ^

Structure of the file event

Example

{
  "type": "evt",
  "id": "ubuntu-sh- /usr/bin/which /usr/bin/firefox",
  "_channel": "13468365092424",
  "body": {
    "sourcetype": "file",
    "_time": 1643735941.602952,
    "source": "/var/log/firefox.log",
    "host": "ubuntu",
    "proc": "sh",
    "cmd": "/bin/sh /usr/bin/which /usr/bin/firefox",
    "pid": 6545,
    "data": {
      "message": "/usr/bin/firefox\n"
    }
  }
}

file properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

file.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is file. Value must be file.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	String that describes a file path.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

file.body.data properties

Property	Description
message (string)	The textual data written to a console or file.

---

fs.close ^

Structure of the fs.close event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "5890090429747",
  "body": {
    "sourcetype": "fs",
    "_time": 1643735835.455002,
    "source": "fs.close",
    "host": "8bc1398c19f3",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1933,
    "data": {
      "proc": "accept01",
      "pid": 1933,
      "host": "8bc1398c19f3",
      "file": "/dev/shm/ltp_accept01_1931",
      "proc_uid": 0,
      "proc_gid": 0,
      "proc_cgroup": "0::/system.slice/containerd.service",
      "file_perms": 600,
      "file_owner": 0,
      "file_group": 0,
      "file_read_bytes": 0,
      "file_read_ops": 0,
      "file_write_bytes": 0,
      "file_write_ops": 0,
      "duration": 0,
      "op": "close"
    }
  }
}

fs.close properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

fs.close.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is filesystem. Value must be fs.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the Source is a File Close operation. Value must be fs.close.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

fs.close.body.data properties

Property	Description
proc (string)	The name of the scoped app's process.
pid (integer)	The process ID of the scoped app. Example: 1000
host (string)	Hostname for the host on which the scoped app was run.
file (string)	The name of the file.
proc_uid (integer)	The user ID of the user who started the scoped app. Example: 0
proc_gid (integer)	The group ID of the user who started the scoped app. Example: 0
proc_cgroup (string)	The control group used in container creation. Example: 0::/user.slice/user-1000.slice/session-3.scope
file_perms (integer)	The permissions of the file, in octal format. Example: 777
file_owner (number)	The user ID of the file owner. Example: 0
file_group (number)	The group ID of the file owner. Example: 0
file_read_bytes (integer)	The number of bytes of data read from a file. Example: 512
file_read_ops (integer)	Count of individual read operations aggregated. Example: 5
file_write_bytes (integer)	The number of bytes of data written to a file. Example: 10
file_write_ops (integer)	Count of individual write operations aggregated. Example: 5
duration (number)	Duration in milliseconds. Example: 55
op (string)	The close operation that was executed on the filesystem. Possible values: go_close closedir freopen freopen64 close fclose close$NOCANCEL guarded_close_np close_nocancel

---

fs.delete ^

Structure of the fs.delete event

Example

{
  "type": "evt",
  "id": "b6209181773f-rm-rm test.txt",
  "_channel": "none",
  "body": {
    "sourcetype": "fs",
    "_time": 1643793922.040438,
    "source": "fs.delete",
    "host": "b6209181773f",
    "proc": "rm",
    "cmd": "rm test.txt",
    "pid": 306,
    "data": {
      "proc": "rm",
      "pid": 306,
      "host": "b6209181773f",
      "op": "unlinkat",
      "file": "test.txt",
      "unit": "operation"
    }
  }
}

fs.delete properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

fs.delete.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is filesystem. Value must be fs.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the Source is a File Delete operation. Value must be fs.delete.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

fs.delete.body.data properties

Property	Description
proc (string)	The name of the scoped app's process.
pid (integer)	The process ID of the scoped app. Example: 1000
host (string)	Hostname for the host on which the scoped app was run.
op (string)	The delete operation that was executed on the filesystem. Possible values: go_unlinkat unlink unlinkat
file (string)	The name of the file.
unit (string)	Indicates that the metric's value is a number of operations. Value must be operation.

---

fs.duration ^

Structure of the fs.duration event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "5890091215105",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735835.455057,
    "source": "fs.duration",
    "host": "8bc1398c19f3",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1933,
    "data": {
      "_metric": "fs.duration",
      "_metric_type": "histogram",
      "_value": 12,
      "proc": "accept01",
      "pid": 1933,
      "fd": 3,
      "op": "fgets_unlocked",
      "file": "/etc/passwd",
      "numops": 1,
      "unit": "microsecond"
    }
  }
}

fs.duration properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

fs.duration.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is metric. Value must be metric.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the Source is a File Duration operation. Value must be fs.duration.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

fs.duration.body.data properties

Property	Description
_metric (string)	Indicates that the Source is a File Duration operation. Value must be fs.duration.
_metric_type (string)	Indicates that the metric from the scoped app is a histogram. Value must be histogram.
_value (number)	The value reported by the event or metric. Example: 1
proc (string)	The name of the scoped app's process.
pid (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
op (string)	The function that was executed.
file (string)	The name of the file.
numops (number)	Count of individual operations aggregated.
unit (string)	Indicates that the metric's value is in microseconds. Value must be microsecond.

---

fs.error ^

Structure of the fs.error event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "5890094642989",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735835.45777,
    "source": "fs.error",
    "host": "8bc1398c19f3",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1931,
    "data": {
      "_metric": "fs.error",
      "_metric_type": "counter",
      "_value": 1,
      "proc": "accept01",
      "pid": 1931,
      "op": "access",
      "file": "/dev/shm/ltp_accept01_1931",
      "class": "stat",
      "unit": "operation"
    }
  }
}

fs.error properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

fs.error.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is metric. Value must be metric.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the Source is a File Error operation. Value must be fs.error.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

fs.error.body.data properties

Property	Description
_metric (string)	Indicates that the Source is a File Error operation. Value must be fs.error.
_metric_type (string)	Indicates that the metric is a counter. Value must be counter.
_value (number)	The value reported by the event or metric. Example: 1
proc (string)	The name of the scoped app's process.
pid (integer)	The process ID of the scoped app. Example: 1000
op (string)	The function that was executed.
file (string)	The name of the file.
class (string)	Subcategory of filesystem error. Possible values: open_close read_write stat
unit (string)	Indicates that the metric's value is a number of operations. Value must be operation.

---

fs.open ^

Structure of the fs.open event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "5890090429747",
  "body": {
    "sourcetype": "fs",
    "_time": 1643735835.454946,
    "source": "fs.open",
    "host": "8bc1398c19f3",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1933,
    "data": {
      "proc": "accept01",
      "pid": 1933,
      "host": "8bc1398c19f3",
      "file": "/dev/shm/ltp_accept01_1931",
      "proc_uid": 0,
      "proc_gid": 0,
      "proc_cgroup": "0::/system.slice/containerd.service",
      "file_perms": 600,
      "file_owner": 0,
      "file_group": 0,
      "op": "open"
    }
  }
}

fs.open properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

fs.open.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is filesystem. Value must be fs.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the Source is a File open operation. Value must be fs.open.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

fs.open.body.data properties

Property	Description
proc (string)	The name of the scoped app's process.
pid (integer)	The process ID of the scoped app. Example: 1000
host (string)	Hostname for the host on which the scoped app was run.
file (string)	The name of the file.
proc_uid (integer)	The user ID of the user who started the scoped app. Example: 0
proc_gid (integer)	The group ID of the user who started the scoped app. Example: 0
proc_cgroup (string)	The control group used in container creation. Example: 0::/user.slice/user-1000.slice/session-3.scope
file_perms (integer)	The permissions of the file, in octal format. Example: 777
file_owner (number)	The user ID of the file owner. Example: 0
file_group (number)	The group ID of the file owner. Example: 0
op (string)	The open operation that was executed on the filesystem. Possible values: open openat opendir creat fopen freopen open64 openat64 __open64_2 __open_2 __openat_2 creat64 fopen64 freopen64 recvmsg console output console input

---

fs.read ^

Structure of the fs.read event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "5890091215105",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735835.455076,
    "source": "fs.read",
    "host": "8bc1398c19f3",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1933,
    "data": {
      "_metric": "fs.read",
      "_metric_type": "histogram",
      "_value": 4096,
      "proc": "accept01",
      "pid": 1933,
      "fd": 3,
      "op": "fgets_unlocked",
      "file": "/etc/passwd",
      "numops": 1,
      "unit": "byte"
    }
  }
}

fs.read properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

fs.read.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is metric. Value must be metric.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the Source is a File Read operation. Value must be fs.read.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

fs.read.body.data properties

Property	Description
_metric (string)	Indicates that the Source is a File Read operation. Value must be fs.read.
_metric_type (string)	Indicates that the metric from the scoped app is a histogram. Value must be histogram.
_value (number)	The value reported by the event or metric. Example: 1
proc (string)	The name of the scoped app's process.
pid (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
op (string)	The read operation that was executed on the filesystem. Possible values: go_read go_getdents readdir pread64 __pread64_chk preadv preadv2 preadv64v2 __pread_chk __read_chk __fread_unlocked_chk read readv pread fread __fread_chk fread_unlocked fgets __fgets_chk fgets_unlocked __fgetws_chk fgetws fgetwc fgetc fscanf getline getdelim __getdelim
file (string)	The name of the file.
numops (number)	Count of individual operations aggregated.
unit (string)	Indicates that the metric's value is in bytes. Value must be byte.

---

fs.seek ^

Structure of the fs.seek event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-sh-/bin/sh ./file_x",
  "_channel": "5891441789884",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735836.805196,
    "source": "fs.seek",
    "host": "8bc1398c19f3",
    "proc": "sh",
    "cmd": "/bin/sh ./file_x",
    "pid": 2061,
    "data": {
      "_metric": "fs.seek",
      "_metric_type": "counter",
      "_value": 1,
      "proc": "sh",
      "pid": 2061,
      "fd": 3,
      "op": "lseek",
      "file": "./file_x",
      "unit": "operation"
    }
  }
}

fs.seek properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

fs.seek.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is metric. Value must be metric.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the Source is a File Seek operation. Value must be fs.seek.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

fs.seek.body.data properties

Property	Description
_metric (string)	Indicates that the Source is a File Seek operation. Value must be fs.seek.
_metric_type (string)	Indicates that the metric is a counter. Value must be counter.
_value (number)	The value reported by the event or metric. Example: 1
proc (string)	The name of the scoped app's process.
pid (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
op (string)	The seek operation that was executed on the filesystem. Possible values: lseek64 fseek64 ftello64 fsetpos64 lseek fseek fseeko ftell ftello rewind fsetpos fgetpos fgetpos64
file (string)	The name of the file.
unit (string)	Indicates that the metric's value is a number of operations. Value must be operation.

---

fs.stat ^

Structure of the fs.stat event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "5890091777333",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735835.454905,
    "source": "fs.stat",
    "host": "8bc1398c19f3",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1933,
    "data": {
      "_metric": "fs.stat",
      "_metric_type": "counter",
      "_value": 1,
      "proc": "accept01",
      "pid": 1933,
      "op": "access",
      "file": "/dev/shm",
      "unit": "operation"
    }
  }
}

fs.stat properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

fs.stat.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is metric. Value must be metric.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the Source is a File Stat operation. Value must be fs.stat.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

fs.stat.body.data properties

Property	Description
_metric (string)	Indicates that the Source is a File Stat operation. Value must be fs.stat.
_metric_type (string)	Indicates that the metric is a counter. Value must be counter.
_value (number)	The value reported by the event or metric. Example: 1
proc (string)	The name of the scoped app's process.
pid (integer)	The process ID of the scoped app. Example: 1000
op (string)	The stat operation that was executed on the filesystem. Possible values: statfs64 __xstat __xstat64 __lxstat __lxstat64 __fxstat __fxstatat __fxstatat64 statx statfs statvfs statvfs64 access faccessat stat lstat fstatfs64 __fxstat __fxstat64 fstatfs fstatvfs fstatvfs64 fstat fstatat
file (string)	The name of the file.
unit (string)	Indicates that the metric's value is a number of operations. Value must be operation.

---

fs.write ^

Structure of the fs.write event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-access02-/kernel/syscalls/access/access02",
  "_channel": "5891407740765",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735836.773249,
    "source": "fs.write",
    "host": "8bc1398c19f3",
    "proc": "access02",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/access/access02",
    "pid": 2058,
    "data": {
      "_metric": "fs.write",
      "_metric_type": "histogram",
      "_value": 10,
      "proc": "access02",
      "pid": 2058,
      "fd": 3,
      "op": "__write_libc",
      "file": "file_x",
      "numops": 1,
      "unit": "byte"
    }
  }
}

fs.write properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

fs.write.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is metric. Value must be metric.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the Source is a File Write operation. Value must be fs.write.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

fs.write.body.data properties

Property	Description
_metric (string)	Indicates that the Source is a File Write operation. Value must be fs.write.
_metric_type (string)	Indicates that the metric from the scoped app is a histogram. Value must be histogram.
_value (number)	The value reported by the event or metric. Example: 1
proc (string)	The name of the scoped app's process.
pid (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
op (string)	The write operation that was executed on the filesystem. Possible values: go_write pwrite64 pwritev pwritev64 pwritev2 pwritev64v2 __overflow __write_libc __write_pthread fwrite_unlocked __stdio_write write pwrite writev fwrite puts putchar fputs fputs_unlocked fputc fputc_unlocked putwc fputwc
file (string)	The name of the file.
numops (number)	Count of individual operations aggregated.
unit (string)	Indicates that the metric's value is in bytes. Value must be byte.

---

http.req ^

Structure of the http.req event

Example

{
  "type": "evt",
  "id": "ubuntu-firefox-/usr/lib/firefox/firefox",
  "_channel": "13470846442500",
  "body": {
    "sourcetype": "http",
    "_time": 1643735942.588626,
    "source": "http.req",
    "host": "ubuntu",
    "proc": "firefox",
    "cmd": "/usr/lib/firefox/firefox",
    "pid": 6544,
    "data": {
      "http_method": "GET",
      "http_target": "/canonical.html",
      "http_flavor": "1.1",
      "http_scheme": "http",
      "http_host": "detectportal.firefox.com",
      "http_user_agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
      "net_transport": "IP.TCP",
      "net_peer_ip": "34.107.221.82",
      "net_peer_port": 80,
      "net_host_ip": "172.16.198.210",
      "net_host_port": 33712
    }
  }
}

http.req properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

http.req.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is HTTP. Value must be http.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the event Source is an HTTP request. Value must be http.req.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

http.req.body.data properties

Property	Description
http_method (string)	Specifies the method of an HTTP request in the data; e.g., GET, POST, PATCH, etc.
http_frame (string)	Type of the HTTP/2 frame as described in RFC 7540. Possible values: HEADERS PUSH_PROMISE
http_target (string)	In a URL, the path or file after the FQDN.
http_flavor (string)	Specifies whether an HTTP request or response is in HTTP/1.1 or HTTP/2.0.
http_stream (integer)	HTTP/2 Stream Identifier.
http_scheme (string)	Specifies whether data was unencrypted (HTTP) or encrypted (HTTPS). Possible values: http https
http_host (string)	Hostname of the host to which an HTTP request was sent; or, from which a response was received.
http_user_agent (string)	HTTP header property describing the web client.
http_client_ip (string)	IP address of the host that issued an HTTP request or received the response.
net_transport (string)	Network layer used (before the dot) and transport layer used (after the dot). Possible values: IP.TCP IP.UDP IP.RAW IP.RDM IP.SEQPACKET Unix.TCP Unix.UDP Unix.RAW Unix.RDM Unix.SEQPACKET
net_peer_ip (string)	The IP address portion of the remote side of a network connection.
net_peer_port (integer)	The port portion of the remote side of a network connection.
net_host_ip (string)	The IP address portion of the local side of a network connection.
net_host_port (integer)	The port portion of the local side of a network connection.
x_appscope (string)	Value of the x-appscope HTTP header (if present). Value must be x-appscope.

---

http.resp ^

Structure of the http.resp event

Example

{
  "type": "evt",
  "id": "ubuntu-firefox-/usr/lib/firefox/firefox",
  "_channel": "13470846442500",
  "body": {
    "sourcetype": "http",
    "_time": 1643735942.613892,
    "source": "http.resp",
    "host": "ubuntu",
    "proc": "firefox",
    "cmd": "/usr/lib/firefox/firefox",
    "pid": 6544,
    "data": {
      "http_method": "GET",
      "http_target": "/canonical.html",
      "http_scheme": "http",
      "http_flavor": "1.1",
      "http_status_code": 200,
      "http_status_text": "OK",
      "http_server_duration": 26,
      "http_host": "detectportal.firefox.com",
      "http_user_agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
      "net_transport": "IP.TCP",
      "net_peer_ip": "34.107.221.82",
      "net_peer_port": 80,
      "net_host_ip": "172.16.198.210",
      "net_host_port": 33712,
      "http_response_content_length": 90
    }
  }
}

http.resp properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

http.resp.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is HTTP. Value must be http.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the Source is an HTTP response. Value must be http.resp.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

http.resp.body.data properties

Property	Description
http_method (string)	Specifies the method of an HTTP request in the data; e.g., GET, POST, PATCH, etc.
http_target (string)	In a URL, the path or file after the FQDN.
http_stream (integer)	HTTP/2 Stream Identifier.
http_scheme (string)	Specifies whether data was unencrypted (HTTP) or encrypted (HTTPS). Possible values: http https
http_flavor (string)	Specifies whether an HTTP request or response is in HTTP/1.1 or HTTP/2.0.
http_status_code (integer)	Specifies the status code of an HTTP response. Possible values: 100 101 102 200 201 202 203 204 205 206 207 208 226 300 301 302 303 304 305 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 426 428 429 431 444 451 499 500 501 502 503 504 505 506 507
http_status_text (string)	The standard text that accompanies an HTTP response status code. Possible values: Continue Switching Protocols Processing OK Created Accepted Non-authoritative Information No Content Reset Content Partial Content Multi-Status Already Reported IM Used Multiple Choices Moved Permanently Found See Other Not Modified Use Proxy Temporary Redirect Permanent Redirect Bad Request Unauthorized Payment Required Forbidden Not Found Method Not Allowed Not Acceptable Proxy Authentication Required Request Timeout Conflict Gone Length Required Precondition Failed Payload Too Large Request-URI Too Long Unsupported Media Type Requested Range Not Satisfiable Expectation Failed I'm a teapot Misdirected Request Unprocessable Entity Locked Failed Dependency Upgrade Required Precondition Required Too Many Requests Request Header Fields Too Large Connection Closed Without Response Unavailable For Legal Reasons Client Closed Request Internal Server Error Not Implemented Bad Gateway Service Unavailable Gateway Timeout HTTP Version Not Supported Variant Also Negotiates Insufficient Storage
http_client_duration (number)	Time elapsed between when a request was issued and when the response was received, in milliseconds.
http_server_duration (number)	Time elapsed between when a request was received and when the response was issued, in milliseconds.
http_host (string)	Hostname of the host to which an HTTP request was sent; or, from which a response was received.
http_user_agent (string)	HTTP header property describing the web client.
net_transport (string)	Network layer used (before the dot) and transport layer used (after the dot). Possible values: IP.TCP IP.UDP IP.RAW IP.RDM IP.SEQPACKET Unix.TCP Unix.UDP Unix.RAW Unix.RDM Unix.SEQPACKET
net_peer_ip (string)	The IP address portion of the remote side of a network connection.
net_peer_port (integer)	The port portion of the remote side of a network connection.
net_host_ip (string)	The IP address portion of the local side of a network connection.
net_host_port (integer)	The port portion of the local side of a network connection.
http_response_content_length (number)	Specifies the length in bytes of the HTTP response body.

---

net.app ^

Structure of the net.app event

Example

{
  "type": "evt",
  "id": "ubuntu-firefox-/usr/lib/firefox/firefox",
  "_channel": "13470846442500",
  "body": {
    "sourcetype": "net",
    "_time": 1643735942.588594,
    "source": "net.app",
    "host": "ubuntu",
    "proc": "firefox",
    "cmd": "/usr/lib/firefox/firefox",
    "pid": 6544,
    "data": {
      "proc": "firefox",
      "pid": 6544,
      "fd": 91,
      "host": "ubuntu",
      "protocol": "HTTP"
    }
  }
}

net.app properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

net.app.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is net (meaning network). Value must be net.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the Source is a Network App (protocol detection) operation. Value must be net.app.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

net.app.body.data properties

Property	Description
proc (string)	The name of the scoped app's process.
pid (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
host (string)	Hostname for the host on which the scoped app was run.
protocol (string)	Protocol detected in data transmitted over a network connection. Possible values: HTTP

---

net.close ^

Structure of the net.close event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-recvfrom01-nel/syscalls/recvfrom/recvfrom01",
  "_channel": "5912618970557",
  "body": {
    "sourcetype": "net",
    "_time": 1643735857.983449,
    "source": "net.close",
    "host": "8bc1398c19f3",
    "proc": "recvfrom01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/recvfrom/recvfrom01",
    "pid": 3793,
    "data": {
      "net_transport": "IP.TCP",
      "net_peer_ip": "0.0.0.0",
      "net_peer_port": 35533,
      "net_host_ip": "127.0.0.1",
      "net_host_port": 40184,
      "duration": 0,
      "net_bytes_sent": 0,
      "net_bytes_recv": 6,
      "net_close_reason": "local"
    }
  }
}

net.close properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

net.close.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is net (meaning network). Value must be net.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the Source is a Network Close operation. Value must be net.close.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

net.close.body.data properties

Property	Description
net_transport (string)	Network layer used (before the dot) and transport layer used (after the dot). Possible values: IP.TCP IP.UDP IP.RAW IP.RDM IP.SEQPACKET Unix.TCP Unix.UDP Unix.RAW Unix.RDM Unix.SEQPACKET
net_peer_ip (string)	The IP address portion of the remote side of a network connection.
net_peer_port (integer)	The port portion of the remote side of a network connection.
net_host_ip (string)	The IP address portion of the local side of a network connection.
net_host_port (integer)	The port portion of the local side of a network connection.
net_protocol (string)	First network protocol detected from data sent or received. Value must be http.
unix_peer_inode (number)	Inode number for the remote end of a UNIX domain socket.
unix_local_inode (number)	Inode number for the local end of a UNIX domain socket.
duration (number)	Duration in milliseconds. Example: 55
net_bytes_sent (number)	The number of bytes of data sent over a network connection.
net_bytes_recv (number)	The number of bytes of data received over a network connection.
net_close_reason (string)	Specifies which end of a network connection initiated the closing of the connection. Possible values: local remote

---

net.duration ^

Structure of the net.duration event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-recvmsg01-ernel/syscalls/recvmsg/recvmsg01",
  "_channel": "5912681876432",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735858.046756,
    "source": "net.duration",
    "host": "8bc1398c19f3",
    "proc": "recvmsg01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/recvmsg/recvmsg01",
    "pid": 3798,
    "data": {
      "_metric": "net.duration",
      "_metric_type": "timer",
      "_value": 1,
      "proc": "recvmsg01",
      "pid": 3798,
      "fd": 4,
      "proto": "TCP",
      "port": 41482,
      "numops": 1,
      "unit": "millisecond"
    }
  }
}

net.duration properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

net.duration.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is metric. Value must be metric.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the Source is a counter that measures Network duration. Value must be net.duration.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

net.duration.body.data properties

Property	Description
_metric (string)	Indicates that the Source is a counter that measures Network duration. Value must be net.duration.
_metric_type (string)	Indicates that the metric is a timer. Value must be timer.
_value (number)	The value reported by the event or metric. Example: 1
proc (string)	The name of the scoped app's process.
pid (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
proto (string)	The transmission protocol that the scoped app used to send data. Possible values: TCP UDP RAW RDM SEQPACKET OTHER
port (number)	Network port opened before a connection was initiated, or closed after the connection closed.
numops (number)	Count of individual operations aggregated.
unit (string)	Indicates that the metric's value is in milliseconds. Value must be millisecond.

---

net.error ^

Structure of the net.error event

Example

{
  "type": "evt",
  "id": "90aac4bb0722-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "2745569202700291",
  "body": {
    "sourcetype": "metric",
    "_time": 1643972258.00885,
    "source": "net.error",
    "host": "90aac4bb0722",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1934,
    "data": {
      "_metric": "net.error",
      "_metric_type": "counter",
      "_value": 1,
      "proc": "accept01",
      "pid": 1934,
      "op": "accept",
      "class": "connection",
      "unit": "operation"
    }
  }
}

net.error properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

net.error.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is metric. Value must be metric.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the Source is a Network Error operation. Value must be net.error.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

net.error.body.data properties

Property	Description
_metric (string)	Indicates that the Source is a Network Error operation. Value must be net.error.
_metric_type (string)	Indicates that the metric is a counter. Value must be counter.
_value (number)	The value reported by the event or metric. Example: 1
proc (string)	The name of the scoped app's process.
pid (integer)	The process ID of the scoped app. Example: 1000
op (string)	The function that was executed.
class (string)	Subcategory of network error. Value must be connection.
unit (string)	Indicates that the metric's value is a number of operations. Value must be operation.

---

net.open ^

Structure of the net.open event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-accept02-/kernel/syscalls/accept/accept02",
  "_channel": "5890157346952",
  "body": {
    "sourcetype": "net",
    "_time": 1643735835.521928,
    "source": "net.open",
    "host": "8bc1398c19f3",
    "proc": "accept02",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept02",
    "pid": 1936,
    "data": {
      "net_transport": "IP.TCP",
      "net_peer_ip": "127.0.0.1",
      "net_peer_port": 58625,
      "net_host_ip": "0.0.0.0",
      "net_host_port": 0
    }
  }
}

net.open properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

net.open.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is net (meaning network). Value must be net.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the Source is a Network Open operation. Value must be net.open.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

net.open.body.data properties

Property	Description
net_transport (string)	Network layer used (before the dot) and transport layer used (after the dot). Possible values: IP.TCP IP.UDP IP.RAW IP.RDM IP.SEQPACKET Unix.TCP Unix.UDP Unix.RAW Unix.RDM Unix.SEQPACKET
net_peer_ip (string)	The IP address portion of the remote side of a network connection.
net_peer_port (integer)	The port portion of the remote side of a network connection.
net_host_ip (string)	The IP address portion of the local side of a network connection.
net_host_port (integer)	The port portion of the local side of a network connection.
unix_peer_inode (number)	Inode number for the remote end of a UNIX domain socket.
unix_local_inode (number)	Inode number for the local end of a UNIX domain socket.
net_protocol (string)	First network protocol detected from data sent or received. Value must be http.

---

net.other ^

Structure of the net.other event

Example

{
  "type": "evt",
  "id": "test_user-server_seqpacket-./server_seqpacket",
  "_channel": "11977632602680",
  "body": {
    "sourcetype": "metric",
    "_time": 1643886739.820863,
    "source": "net.other",
    "host": "test_user",
    "proc": "server_seqpacket",
    "cmd": "./server_seqpacket",
    "pid": 232570,
    "data": {
      "_metric": "net.other",
      "_metric_type": "gauge",
      "_value": 1,
      "proc": "server_seqpacket",
      "pid": 232570,
      "fd": 3,
      "proto": "SEQPACKET",
      "port": 0,
      "unit": "connection"
    }
  }
}

net.other properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

net.other.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is metric. Value must be metric.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the Source is a Network operation of an other-than-standard kind. Value must be net.other.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

net.other.body.data properties

Property	Description
_metric (string)	Indicates that the Source is a Network operation of an other-than-standard kind. Value must be net.other.
_metric_type (string)	Indicates that the metric is a gauge. Value must be gauge.
_value (number)	The value reported by the event or metric. Example: 1
proc (string)	The name of the scoped app's process.
pid (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
proto (string)	The transmission protocol that the scoped app used to send data. Possible values: TCP UDP RAW RDM SEQPACKET OTHER
port (number)	Network port opened before a connection was initiated, or closed after the connection closed.
unit (string)	Indicates that the metric's value is a number of connections. Value must be connection.

---

net.port ^

Structure of the net.port event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "5890091645261",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735835.455222,
    "source": "net.port",
    "host": "8bc1398c19f3",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1933,
    "data": {
      "_metric": "net.port",
      "_metric_type": "gauge",
      "_value": 1,
      "proc": "accept01",
      "pid": 1933,
      "fd": 4,
      "proto": "TCP",
      "port": 0,
      "unit": "instance"
    }
  }
}

net.port properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

net.port.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is metric. Value must be metric.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the Source is a gauge that identifies open ports. Value must be net.port.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

net.port.body.data properties

Property	Description
_metric (string)	Indicates that the Source is a gauge that identifies open ports. Value must be net.port.
_metric_type (string)	Indicates that the metric is a gauge. Value must be gauge.
_value (number)	The value reported by the event or metric. Example: 1
proc (string)	The name of the scoped app's process.
pid (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
proto (string)	The transmission protocol that the scoped app used to send data. Possible values: TCP UDP RAW RDM SEQPACKET OTHER
port (number)	Network port opened before a connection was initiated, or closed after the connection closed.
unit (string)	Indicates that the metric's value is a number of instances. Value must be instance.

---

net.rx ^

Structure of the net.rx event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-recvfrom01-nel/syscalls/recvfrom/recvfrom01",
  "_channel": "5912618970557",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735857.983368,
    "source": "net.rx",
    "host": "8bc1398c19f3",
    "proc": "recvfrom01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/recvfrom/recvfrom01",
    "pid": 3793,
    "data": {
      "_metric": "net.rx",
      "_metric_type": "counter",
      "_value": 6,
      "proc": "recvfrom01",
      "pid": 3793,
      "fd": 4,
      "domain": "AF_INET",
      "proto": "TCP",
      "localip": "127.0.0.1",
      "localp": 40184,
      "remoteip": "0.0.0.0",
      "remotep": 35533,
      "data": "clear",
      "numops": 1,
      "unit": "byte"
    }
  }
}

net.rx properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

net.rx.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is metric. Value must be metric.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the Source is a Network receive operation. Value must be net.rx.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

net.rx.body.data properties

Property	Description
_metric (string)	Indicates that the Source is a Network receive operation. Value must be net.rx.
_metric_type (string)	Indicates that the metric is a counter. Value must be counter.
_value (number)	The value reported by the event or metric. Example: 1
proc (string)	The name of the scoped app's process.
pid (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
domain (string)	The domain for which the scoped app made a DNS request.
proto (string)	The transmission protocol that the scoped app used to send data. Possible values: TCP UDP RAW RDM SEQPACKET OTHER
localip (string)	The IP address portion of the local end of a network connection. Example: 127.0.0.1
localp (number)	The port portion of the local end of a network connection. Example: 9109
localn (number)	Inode number for the local end of a UNIX domain socket.
remoteip (string)	IP address for the remote end of a network socket. Example: 192.158.1.38
remotep (number)	Port for the remote end of a network socket. Example: 9108
remoten (number)	Inode number for the remote end of a UNIX domain socket.
data (string)	Specifies whether data was unencrypted (clear) or encrypted (SSL). Possible values: ssl clear
numops (number)	Count of individual operations aggregated.
unit (string)	Indicates that the metric's value is in bytes. Value must be byte.

---

net.tcp ^

Structure of the net.tcp event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "5890091645261",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735835.455387,
    "source": "net.tcp",
    "host": "8bc1398c19f3",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1933,
    "data": {
      "_metric": "net.tcp",
      "_metric_type": "gauge",
      "_value": 0,
      "proc": "accept01",
      "pid": 1933,
      "fd": 4,
      "proto": "TCP",
      "port": 0,
      "unit": "connection"
    }
  }
}

net.tcp properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

net.tcp.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is metric. Value must be metric.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the Source is a gauge that shows the current count of open TCP ports. Value must be net.tcp.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

net.tcp.body.data properties

Property	Description
_metric (string)	Indicates that the Source is a gauge that shows the current count of open TCP ports. Value must be net.tcp.
_metric_type (string)	Indicates that the metric is a gauge. Value must be gauge.
_value (number)	The value reported by the event or metric. Example: 1
proc (string)	The name of the scoped app's process.
pid (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
proto (string)	The transmission protocol that the scoped app used to send data. Value must be TCP.
port (number)	Network port opened before a connection was initiated, or closed after the connection closed.
unit (string)	Indicates that the metric's value is a number of connections. Value must be connection.

---

net.tx ^

Structure of the net.tx event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-recvfrom01-nel/syscalls/recvfrom/recvfrom01",
  "_channel": "5912618642035",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735857.983059,
    "source": "net.tx",
    "host": "8bc1398c19f3",
    "proc": "recvfrom01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/recvfrom/recvfrom01",
    "pid": 3795,
    "data": {
      "_metric": "net.tx",
      "_metric_type": "counter",
      "_value": 6,
      "proc": "recvfrom01",
      "pid": 3795,
      "fd": 4,
      "domain": "AF_INET",
      "proto": "TCP",
      "localip": "0.0.0.0",
      "localp": 0,
      "remoteip": "127.0.0.1",
      "remotep": 40184,
      "data": "clear",
      "numops": 1,
      "unit": "byte"
    }
  }
}

net.tx properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

net.tx.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is metric. Value must be metric.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the Source is a Network transmit operation. Value must be net.tx.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

net.tx.body.data properties

Property	Description
_metric (string)	Indicates that the Source is a Network transmit operation. Value must be net.tx.
_metric_type (string)	Indicates that the metric is a counter. Value must be counter.
_value (number)	The value reported by the event or metric. Example: 1
proc (string)	The name of the scoped app's process.
pid (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
domain (string)	The domain for which the scoped app made a DNS request.
proto (string)	The transmission protocol that the scoped app used to send data. Possible values: TCP UDP RAW RDM SEQPACKET OTHER
localip (string)	The IP address portion of the local end of a network connection. Example: 127.0.0.1
localp (number)	The port portion of the local end of a network connection. Example: 9109
localn (number)	Inode number for the local end of a UNIX domain socket.
remoteip (string)	IP address for the remote end of a network socket. Example: 192.158.1.38
remotep (number)	Port for the remote end of a network socket. Example: 9108
remoten (number)	Inode number for the remote end of a UNIX domain socket.
data (string)	Specifies whether data was unencrypted (clear) or encrypted (SSL). Possible values: ssl clear
numops (number)	Count of individual operations aggregated.
unit (string)	Indicates that the metric's value is in bytes. Value must be byte.

---

net.udp ^

Structure of the net.udp event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "5890091656419",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735835.455419,
    "source": "net.udp",
    "host": "8bc1398c19f3",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1933,
    "data": {
      "_metric": "net.udp",
      "_metric_type": "gauge",
      "_value": 0,
      "proc": "accept01",
      "pid": 1933,
      "fd": 5,
      "proto": "UDP",
      "port": 0,
      "unit": "connection"
    }
  }
}

net.udp properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

net.udp.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is metric. Value must be metric.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the Source is a gauge that shows the current count of open UDP ports. Value must be net.udp.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (object)	data Details below.

net.udp.body.data properties

Property	Description
_metric (string)	Indicates that the Source is a gauge that shows the current count of open UDP ports. Value must be net.udp.
_metric_type (string)	Indicates that the metric is a gauge. Value must be gauge.
_value (number)	The value reported by the event or metric. Example: 1
proc (string)	The name of the scoped app's process.
pid (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
proto (string)	The transmission protocol that the scoped app used to send data. Value must be UDP.
port (number)	Network port opened before a connection was initiated, or closed after the connection closed.
unit (string)	Indicates that the metric's value is a number of connections. Value must be connection.

---

notice ^

Structure of the notice event

Example

{
  "type": "evt",
  "id": "9a721a6ad0be-htop-htop",
  "_channel": "13544129471303",
  "body": {
    "sourcetype": "metric",
    "_time": 1643888296.317304,
    "source": "notice",
    "host": "9a721a6ad0be",
    "proc": "htop",
    "cmd": "htop",
    "pid": 302,
    "data": "Truncated metrics. Your rate exceeded 10000 metrics per second"
  }
}

notice properties

Property	Description
type required (string)	Distinguishes events from metrics. Value must be evt.
id required (string)	Identifies the application that the process is associated with.
_channel required (string)	Identifies the operation during whose lifetime the event or metric is emitted.
body required (object)	body Details below.

notice.body properties

Property	Description
sourcetype required (string)	Indicates that the Sourcetype is metric. Value must be metric.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777
source required (string)	Indicates that the Source is an AppScope notification. Value must be notice.
host required (string)	Hostname for the host on which the scoped app was run.
proc required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
pid required (integer)	The process ID of the scoped app. Example: 1000
data required (string)	The data that the scoped app emitted as output.

---

start.msg ^

Structure of the start message

Example

{
  "format": "ndjson",
  "info": {
    "process": {
      "libscopever": "v1.1.0",
      "pid": 35673,
      "ppid": 3390,
      "gid": 1000,
      "groupname": "test_user",
      "uid": 1000,
      "username": "test_user",
      "hostname": "test_user",
      "procname": "ls",
      "cmd": "ls --color=auto",
      "id": "test_user-ls-ls --color=auto",
      "machine_id": "a1e2ada5a5b1b273b4b5c0c2c1c4f5d1",
      "uuid": "da845a9b-a55d-4c42-893d-08b54ee6e999"
    },
    "configuration": {
      "current": {
        "metric": {
          "enable": "true",
          "transport": {
            "type": "udp",
            "host": "127.0.0.1",
            "port": "8125",
            "tls": {
              "enable": "false",
              "validateserver": "true",
              "cacertpath": ""
            }
          },
          "format": {
            "type": "statsd",
            "statsdprefix": "",
            "statsdmaxlen": 512,
            "verbosity": 4
          },
          "watch": [
            {
              "type": "fs"
            },
            {
              "type": "net"
            },
            {
              "type": "http"
            },
            {
              "type": "dns"
            },
            {
              "type": "process"
            },
            {
              "type": "statsd"
            }
          ]
        },
        "libscope": {
          "log": {
            "level": "info",
            "transport": {
              "type": "file",
              "path": "/tmp/scope.log",
              "buffering": "line"
            }
          },
          "configevent": "true",
          "summaryperiod": 10,
          "commanddir": "/tmp"
        },
        "event": {
          "enable": "true",
          "transport": {
            "type": "tcp",
            "host": "127.0.0.1",
            "port": "9109",
            "tls": {
              "enable": "false",
              "validateserver": "true",
              "cacertpath": ""
            }
          },
          "format": {
            "type": "ndjson",
            "maxeventpersec": 10000,
            "enhancefs": "true"
          },
          "watch": [
            {
              "type": "file",
              "name": "(\\/logs?\\/)|(\\.log$)|(\\.log[.\\d])",
              "field": ".*",
              "value": ".*"
            },
            {
              "type": "console",
              "name": "(stdout)|(stderr)",
              "field": ".*",
              "value": ".*",
              "allowbinary": "true"
            },
            {
              "type": "http",
              "name": ".*",
              "field": ".*",
              "value": ".*",
              "headers": []
            },
            {
              "type": "net",
              "name": ".*",
              "field": ".*",
              "value": ".*"
            },
            {
              "type": "fs",
              "name": ".*",
              "field": ".*",
              "value": ".*"
            },
            {
              "type": "dns",
              "name": ".*",
              "field": ".*",
              "value": ".*"
            }
          ]
        },
        "payload": {
          "enable": "false",
          "dir": "/tmp"
        },
        "tags": {},
        "protocol": [],
        "cribl": {
          "enable": "false",
          "transport": {
            "type": "edge"
          },
          "authtoken": ""
        }
      }
    },
    "environment": {}
  }
}

start.msg properties

Property	Description
authtoken (string)	Token used for authenticating to Cribl Edge or Stream.
format required (string)	Specifies the format for output of events and metrics from AppScope. See scope.yml. Possible values: scope ndjson
breaker (string)	Specifies an Event Breaker for Cribl Edge or Stream to use. Value must be Cribl - Do Not Break Ruleset.
info required (object)	The principal container for start-message information, in the form of nested process, configuration, and environment objects. Details below.

start.msg.info properties

Property	Description
process required (object)	Describes the process associated with the scoped app. Details below.
configuration required (object)	Container for configurations. For now, describes current configuration only. Details below.
environment required (object)	Environment variables present when the current configuration was loaded. Details below.

start.msg.info.process properties

Property	Description
libscopever required (string)	Version of the AppScope library that is currently loaded. Example: v1.0.0
pid required (integer)	The process ID of the scoped app. Example: 1000
ppid required (integer)	The process ID of the parent process of the scoped app.
gid required (integer)	Group ID of the user who created the process. Example: 0
groupname required (string)	Groupname of the user who created the process. Example: root
uid required (integer)	User ID of the user who created the process. Example: 0
username required (string)	Username of the user who created the process. Example: root
hostname required (string)	Hostname for the host on which the scoped app was run.
procname required (string)	The name of the scoped app's process.
cmd required (string)	The command that was run to start the scoped app. Example: top
id required (string)	An ID that concatenates (possibly truncated) the scoped app's hostname, procname, and command, to facilitate correlation of similar processes when searching, graphing, or aggregating.
machine_id required (string)	A unique identifier for a machine.
uuid required (string)	A unique identifier for a process.

start.msg.info.configuration properties

Property	Description
current (object)	Describes the current configuration. Details below.

start.msg.info.environment properties

Property	Description

start.msg.info.configuration.current properties

Property	Description
metric (object)	Settings for metrics. See scope.yml. Details below.
libscope (object)	Specifies how to set up the AppScope library. See scope.yml. Details below.
event (object)	Settings for events. See scope.yml. Details below.
payload (object)	Settings for enabling and storing payloads. See scope.yml. Details below.
tags (object)	User-defined tags which become fields in generated events and metrics. See scope.yml. Details below.
protocol (array)	List whose entries define protocols that AppScope should detect in network payloads, and how to handle matches. See scope.yml.
cribl (object)	Settings for the cribl backend. See scope.yml. Details below.

start.msg.info.configuration.current.metric properties

Property	Description
enable (string)	Specifies whether a feature or some functionality is enabled or disabled overall. Possible values: true false
transport (object)	Backend connection for metrics or events. See scope.yml. Details below.
format (object)	Settings for the format of metric data. See scope.yml. Details below.
watch (array)	Array containing objects that enable different categories of metrics. See scope.yml.

start.msg.info.configuration.current.libscope properties

Property	Description
log (object)	Logging settings for the AppScope library. See scope.yml. Details below.

start.msg.info.configuration.current.event properties

Property	Description
enable (string)	Specifies whether a feature or some functionality is enabled or disabled overall. Possible values: true false
transport (object)	Backend connection for events. See scope.yml. Details below.
format (object)	Settings for the format of event data. See scope.yml. Details below.
watch (array)	Array containing objects that enable different categories of events. See scope.yml.

start.msg.info.configuration.current.payload properties

Property	Description
enable (string)	Specifies whether a feature or some functionality is enabled or disabled overall. Possible values: true false
dir (string)	Specifies director where payload data should be written. Applies only when payloads are enabled and a backend other than cribl is used. See scope.yml.

start.msg.info.configuration.current.tags properties

Property	Description

start.msg.info.configuration.current.cribl properties

Property	Description
enable (string)	Specifies whether a feature or some functionality is enabled or disabled overall. Possible values: true false
transport (object)	Backend connection to Cribl Edge or Stream. See scope.yml. Details below.
authtoken (string)	Token used for authenticating to Cribl Edge or Stream.

start.msg.info.configuration.current.metric.transport properties

Property	Description
type (string)	Specifies the transport mechanism on which to send and/or receive data. See scope.yml. Possible values: tcp udp unix file edge
host (string)	Hostname for the host on which the scoped app was run.
port (string)	Connection port. See scope.yml.
path (string)	File or UNIX domain socket path. See scope.yml. Example: /tmp/scope.log
buffering (string)	File buffering. See scope.yml. Possible values: line full
tls (object)	TLS connection settings. See scope.yml. Details below.

start.msg.info.configuration.current.metric.format properties

Property	Description
type (string)	Specifies the format of metric data. See scope.yml. Possible values: statsd ndjson
statsdprefix (string)	Specifies a prefix to prepend the metric name. See scope.yml.
statsdmaxlen (integer)	Specifies the maximum length for a string that expresses a StatsD metric. See scope.yml.
verbosity (integer)	Controls the tag cardinality and aggregation of a metric. See scope.yml.

start.msg.info.configuration.current.libscope.log properties

Property	Description
level (string)	Specifies log level. See scope.yml. Possible values: debug info warning error none
transport (object)	Backend connection for AppScope library logging. See scope.yml. Details below.
configevent (string)	When enabled, AppScope guarantees that a process start message is the first event sent over the current connection. Possible values: true false
summaryperiod (integer)	Time interval over which to perform aggregation. See scope.yml.
commanddir (string)	The directory in which the command that launched the scoped app was run.

start.msg.info.configuration.current.event.transport properties

Property	Description
type (string)	Specifies the transport mechanism on which to send and/or receive data. See scope.yml. Possible values: tcp udp unix file edge
host (string)	Hostname for the host on which the scoped app was run.
port (string)	Connection port. See scope.yml.
path (string)	File or UNIX domain socket path. See scope.yml. Example: /tmp/scope.log
buffering (string)	File buffering. See scope.yml. Possible values: line full
tls (object)	Specifies whether to enable TLS for the metrics backend. See scope.yml. Details below.

start.msg.info.configuration.current.event.format properties

Property	Description
type (string)	Specifies the format of metric data. See scope.yml. Possible values: statsd ndjson
maxeventpersec (integer)	Specifies a rate limit for events. See scope.yml.
enhancefs (string)	Specifies whether to display full information about fs events. Possible values: true false

start.msg.info.configuration.current.cribl.transport properties

Property	Description
type (string)	Specifies the transport mechanism on which to send and/or receive data. See scope.yml. Possible values: tcp udp unix file edge
host (string)	Hostname for the host on which the scoped app was run.
port (string)	Connection port. See scope.yml.
path (string)	File or UNIX domain socket path. See scope.yml. Example: /tmp/scope.log
buffering (string)	File buffering. See scope.yml. Possible values: line full
tls (object)	TLS settings for the Cribl backend. See scope.yml. Details below.

start.msg.info.configuration.current.metric.transport.tls properties

Property	Description
enable (string)	Specifies whether a feature or some functionality is enabled or disabled overall. Possible values: true false
validateserver (string)	Specifies whether to validate the TLS server certificate. See scope.yml. Possible values: true false
cacertpath (string)	CA Certificate Path. See scope.yml.

start.msg.info.configuration.current.libscope.log.transport properties

Property	Description
type (string)	Specifies the transport mechanism on which to send and/or receive data. See scope.yml. Possible values: tcp udp unix file edge
host (string)	Hostname for the host on which the scoped app was run.
port (string)	Connection port. See scope.yml.
path (string)	File or UNIX domain socket path. See scope.yml. Example: /tmp/scope.log
buffering (string)	File buffering. See scope.yml. Possible values: line full
tls (object)	TLS settings for backend used by the AppScope library. See scope.yml. Details below.

start.msg.info.configuration.current.event.transport.tls properties

Property	Description
enable (string)	Specifies whether a feature or some functionality is enabled or disabled overall. Possible values: true false
validateserver (string)	Specifies whether to validate the TLS server certificate. See scope.yml. Possible values: true false
cacertpath (string)	CA Certificate Path. See scope.yml.

start.msg.info.configuration.current.cribl.transport.tls properties

Property	Description
enable (string)	Specifies whether a feature or some functionality is enabled or disabled overall. Possible values: true false
validateserver (string)	Specifies whether to validate the TLS server certificate. See scope.yml. Possible values: true false
cacertpath (string)	CA Certificate Path. See scope.yml.

start.msg.info.configuration.current.libscope.log.transport.tls properties

Property	Description
enable (string)	Specifies whether a feature or some functionality is enabled or disabled overall. Possible values: true false
validateserver (string)	Specifies whether to validate the TLS server certificate. See scope.yml. Possible values: true false
cacertpath (string)	CA Certificate Path. See scope.yml.

dns.req ^

Structure of the dns.req metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "dns.req",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "lt-curl",
    "pid": 31,
    "host": "2a6bc132b07a",
    "unit": "request",
    "summary": "true",
    "_time": 1643832467.795134
  }
}

{
  "type": "metric",
  "body": {
    "_metric": "dns.req",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "lt-curl",
    "pid": 2485,
    "host": "2a6bc132b07a",
    "domain": "cribl.io",
    "duration": 0,
    "unit": "request",
    "_time": 1643832569.764219
  }
}

dns.req properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

dns.req.body properties

Property	Description
_metric required (string)	Indicates that the Source is a Network DNS operation. Value must be dns.req.
_metric_type required (string)	Indicates that the metric is a counter. Value must be counter.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
host required (string)	Hostname for the host on which the scoped app was run.
domain (string)	The domain for which the scoped app made a DNS request.
duration (number)	Duration in milliseconds. Example: 55
unit required (string)	Indicates that the metric's value is a number of a requests. Value must be request.
summary (string)	When true, indicates that the metric value is an aggregation. Value must be true.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

fs.close ^

Structure of the fs.close metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "fs.close",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "accept01",
    "pid": 13687,
    "host": "1f0ec6c8a7bc",
    "unit": "operation",
    "summary": "true",
    "_time": 1643826403.121424
  }
}

{
  "type": "metric",
  "body": {
    "_metric": "fs.close",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "accept01",
    "pid": 9871,
    "fd": 3,
    "host": "1f0ec6c8a7bc",
    "op": "close",
    "file": "/dev/shm/ltp_accept01_9870",
    "unit": "operation",
    "_time": 1643826292.07658
  }
}

fs.close properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

fs.close.body properties

Property	Description
_metric required (string)	Indicates that the Source is a File Close operation. Value must be fs.close.
_metric_type required (string)	Indicates that the metric is a counter. Value must be counter.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
host required (string)	Hostname for the host on which the scoped app was run.
op (string)	The close operation that was executed on the filesystem. Possible values: go_close closedir freopen freopen64 close fclose close$NOCANCEL guarded_close_np close_nocancel
file (string)	The name of the file.
unit required (string)	Indicates that the metric's value is a number of operations. Value must be operation.
summary (string)	When true, indicates that the metric value is an aggregation. Value must be true.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

fs.duration ^

Structure of the fs.duration metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "fs.duration",
    "_metric_type": "histogram",
    "_value": 1,
    "proc": "access01",
    "pid": 13697,
    "host": "1f0ec6c8a7bc",
    "unit": "microsecond",
    "summary": "true",
    "_time": 1643826404.006442
  }
}

{
  "type": "metric",
  "body": {
    "_metric": "fs.duration",
    "_metric_type": "histogram",
    "_value": 16,
    "proc": "accept01",
    "pid": 9871,
    "fd": 3,
    "host": "1f0ec6c8a7bc",
    "op": "fgets_unlocked",
    "file": "/etc/passwd",
    "numops": 1,
    "unit": "microsecond",
    "_time": 1643826292.076675
  }
}

fs.duration properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

fs.duration.body properties

Property	Description
_metric required (string)	Indicates that the Source is a File Duration operation. Value must be fs.duration.
_metric_type required (string)	Indicates that the metric from the scoped app is a histogram. Value must be histogram.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
host required (string)	Hostname for the host on which the scoped app was run.
op (string)	The function that was executed.
file (string)	The name of the file.
numops (number)	Count of individual operations aggregated.
unit required (string)	Indicates that the metric's value is in microseconds. Value must be microsecond.
summary (string)	When true, indicates that the metric value is an aggregation. Value must be true.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

fs.error ^

Structure of the fs.error metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "fs.error",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "accept01",
    "pid": 13686,
    "host": "1f0ec6c8a7bc",
    "class": "stat",
    "unit": "operation",
    "summary": "true",
    "_time": 1643826403.123802
  }
}

{
  "type": "metric",
  "body": {
    "_metric": "fs.error",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "accept02",
    "pid": 9872,
    "host": "1f0ec6c8a7bc",
    "op": "readdir",
    "file": "/tmp/QxbCjC",
    "class": "read_write",
    "unit": "operation",
    "_time": 1643826292.14466
  }
}

fs.error properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

fs.error.body properties

Property	Description
_metric required (string)	Indicates that the Source is a File Error operation. Value must be fs.error.
_metric_type required (string)	Indicates that the metric is a counter. Value must be counter.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
host required (string)	Hostname for the host on which the scoped app was run.
op (string)	The function that was executed.
file (string)	The name of the file.
class required (string)	Subcategory of filesystem error. Possible values: open_close read_write stat
unit required (string)	Indicates that the metric's value is a number of operations. Value must be operation.
summary (string)	When true, indicates that the metric value is an aggregation. Value must be true.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

fs.open ^

Structure of the fs.open metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "fs.open",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "accept01",
    "pid": 13687,
    "host": "1f0ec6c8a7bc",
    "unit": "operation",
    "summary": "true",
    "_time": 1643826403.121411
  }
}

{
  "type": "metric",
  "body": {
    "_metric": "fs.open",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "accept01",
    "pid": 9871,
    "fd": 3,
    "host": "1f0ec6c8a7bc",
    "op": "open",
    "file": "/dev/shm/ltp_accept01_9870",
    "unit": "operation",
    "_time": 1643826292.076503
  }
}

fs.open properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

fs.open.body properties

Property	Description
_metric required (string)	Indicates that the Source is a File open operation. Value must be fs.open.
_metric_type required (string)	Indicates that the metric is a counter. Value must be counter.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
host required (string)	Hostname for the host on which the scoped app was run.
op (string)	The open operation that was executed on the filesystem. Possible values: open openat opendir creat fopen freopen open64 openat64 __open64_2 __open_2 __openat_2 creat64 fopen64 freopen64 recvmsg console output console input
file (string)	The name of the file.
unit required (string)	Indicates that the metric's value is a number of operations. Value must be operation.
summary (string)	When true, indicates that the metric value is an aggregation. Value must be true.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

fs.read ^

Structure of the fs.read metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "fs.read",
    "_metric_type": "counter",
    "_value": 13312,
    "proc": "access01",
    "pid": 13697,
    "host": "1f0ec6c8a7bc",
    "unit": "byte",
    "summary": "true",
    "_time": 1643826404.006381
  }
}

{
  "type": "metric",
  "body": {
    "_metric": "fs.read",
    "_metric_type": "counter",
    "_value": 4096,
    "proc": "accept01",
    "pid": 9871,
    "fd": 3,
    "host": "1f0ec6c8a7bc",
    "op": "fgets_unlocked",
    "file": "/etc/passwd",
    "numops": 1,
    "unit": "byte",
    "_time": 1643826292.076709
  }
}

fs.read properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

fs.read.body properties

Property	Description
_metric required (string)	Indicates that the Source is a File Read operation. Value must be fs.read.
_metric_type required (string)	Indicates that the metric is a counter. Value must be counter.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
host required (string)	Hostname for the host on which the scoped app was run.
op (string)	The read operation that was executed on the filesystem. Possible values: go_read go_getdents readdir pread64 __pread64_chk preadv preadv2 preadv64v2 __pread_chk __read_chk __fread_unlocked_chk read readv pread fread __fread_chk fread_unlocked fgets __fgets_chk fgets_unlocked __fgetws_chk fgetws fgetwc fgetc fscanf getline getdelim __getdelim
file (string)	The name of the file.
numops (number)	Count of individual operations aggregated.
unit required (string)	Indicates that the metric's value is in bytes. Value must be byte.
summary (string)	When true, indicates that the metric value is an aggregation. Value must be true.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

fs.seek ^

Structure of the fs.seek metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "fs.seek",
    "_metric_type": "counter",
    "_value": 3,
    "proc": "sh",
    "pid": 13810,
    "host": "1f0ec6c8a7bc",
    "unit": "operation",
    "summary": "true",
    "_time": 1643826404.175738
  }
}

{
  "type": "metric",
  "body": {
    "_metric": "fs.seek",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "sh",
    "pid": 9994,
    "fd": 3,
    "host": "1f0ec6c8a7bc",
    "op": "lseek",
    "file": "./file_x",
    "unit": "operation",
    "_time": 1643826293.407508
  }
}

fs.seek properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

fs.seek.body properties

Property	Description
_metric required (string)	Indicates that the Source is a File Seek operation. Value must be fs.seek.
_metric_type required (string)	Indicates that the metric is a counter. Value must be counter.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
host required (string)	Hostname for the host on which the scoped app was run.
op (string)	The function that was executed.
file (string)	The name of the file.
unit required (string)	Indicates that the metric's value is a number of operations. Value must be operation.
summary (string)	When true, indicates that the metric value is an aggregation. Value must be true.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

fs.stat ^

Structure of the fs.stat metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "fs.stat",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "accept01",
    "pid": 13686,
    "host": "1f0ec6c8a7bc",
    "unit": "operation",
    "summary": "true",
    "_time": 1643826403.123752
  }
}

{
  "type": "metric",
  "body": {
    "_metric": "fs.stat",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "accept01",
    "pid": 9871,
    "host": "1f0ec6c8a7bc",
    "op": "access",
    "file": "/dev/shm",
    "unit": "operation",
    "_time": 1643826292.076446
  }
}

fs.stat properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

fs.stat.body properties

Property	Description
_metric required (string)	Indicates that the Source is a File Stat operation. Value must be fs.stat.
_metric_type required (string)	Indicates that the metric is a counter. Value must be counter.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
host required (string)	Hostname for the host on which the scoped app was run.
op (string)	The function that was executed.
file (string)	The name of the file.
unit required (string)	Indicates that the metric's value is a number of operations. Value must be operation.
summary (string)	When true, indicates that the metric value is an aggregation. Value must be true.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

fs.write ^

Structure of the fs.write metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "fs.write",
    "_metric_type": "counter",
    "_value": 10,
    "proc": "access02",
    "pid": 13806,
    "host": "1f0ec6c8a7bc",
    "unit": "byte",
    "summary": "true",
    "_time": 1643826404.234963
  }
}

{
  "type": "metric",
  "body": {
    "_metric": "fs.write",
    "_metric_type": "counter",
    "_value": 10,
    "proc": "access02",
    "pid": 9991,
    "fd": 3,
    "host": "1f0ec6c8a7bc",
    "op": "__write_libc",
    "file": "file_x",
    "numops": 1,
    "unit": "byte",
    "_time": 1643826293.385378
  }
}

fs.write properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

fs.write.body properties

Property	Description
_metric required (string)	Indicates that the Source is a File Write operation. Value must be fs.write.
_metric_type required (string)	Indicates that the metric is a counter. Value must be counter.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
host required (string)	Hostname for the host on which the scoped app was run.
op (string)	The write operation that was executed on the filesystem. Possible values: go_write pwrite64 pwritev pwritev64 pwritev2 pwritev64v2 __overflow __write_libc __write_pthread fwrite_unlocked __stdio_write write pwrite writev fwrite puts putchar fputs fputs_unlocked fputc fputc_unlocked putwc fputwc
file (string)	The name of the file.
numops (number)	Count of individual operations aggregated.
unit required (string)	Indicates that the metric's value is in bytes. Value must be byte.
summary (string)	When true, indicates that the metric value is an aggregation. Value must be true.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

http.duration.client ^

Structure of the http.duration.client metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "http.duration.client",
    "_metric_type": "timer",
    "_value": 6,
    "http_target": "/",
    "numops": 1,
    "proc": "lt-curl",
    "pid": 788,
    "host": "c067d78736db",
    "unit": "millisecond",
    "summary": "true",
    "_time": 1643924553.681483
  }
}

{
  "type": "metric",
  "body": {
    "_metric": "http.duration.client",
    "_metric_type": "timer",
    "_value": 7,
    "http_target": "/",
    "numops": 1,
    "proc": "lt-curl",
    "pid": 30,
    "host": "c067d78736db",
    "unit": "millisecond",
    "summary": "true",
    "_time": 1643924472.648148
  }
}

http.duration.client properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

http.duration.client.body properties

Property	Description
_metric required (string)	Indicates that the Source is a counter that measures HTTP client duration. Value must be http.duration.client.
_metric_type required (string)	Indicates that the metric is a timer. Value must be timer.
_value required (number)	The value reported by the event or metric. Example: 1
http_target required (string)	In a URL, the path or file after the FQDN.
numops required (number)	Count of individual operations aggregated.
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
host required (string)	Hostname for the host on which the scoped app was run.
unit required (string)	Indicates that the metric's value is in milliseconds. Value must be millisecond.
summary (string)	When true, indicates that the metric value is an aggregation. Value must be true.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

http.duration.server ^

Structure of the http.duration.server metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "http.duration.server",
    "_metric_type": "timer",
    "_value": 0,
    "http_target": "/",
    "numops": 1,
    "proc": "httpd",
    "pid": 2260,
    "host": "c067d78736db",
    "unit": "millisecond",
    "summary": "true",
    "_time": 1643924563.450939
  }
}

{
  "type": "metric",
  "body": {
    "_metric": "http.duration.server",
    "_metric_type": "timer",
    "_value": 1,
    "http_target": "/",
    "numops": 1,
    "proc": "httpd",
    "pid": 648,
    "host": "c067d78736db",
    "unit": "millisecond",
    "summary": "true",
    "_time": 1643924498.350866
  }
}

http.duration.server properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

http.duration.server.body properties

Property	Description
_metric required (string)	Indicates that the Source is a counter that measures HTTP server duration. Value must be http.duration.server.
_metric_type required (string)	Indicates that the metric is a timer. Value must be timer.
_value required (number)	The value reported by the event or metric. Example: 1
http_target required (string)	In a URL, the path or file after the FQDN.
numops required (number)	Count of individual operations aggregated.
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
host required (string)	Hostname for the host on which the scoped app was run.
unit required (string)	Indicates that the metric's value is in milliseconds. Value must be millisecond.
summary (string)	When true, indicates that the metric value is an aggregation. Value must be true.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

http.req ^

Structure of the http.req metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "http.req",
    "_metric_type": "counter",
    "_value": 1,
    "http_target": "/",
    "http_status_code": 200,
    "proc": "lt-curl",
    "pid": 788,
    "host": "c067d78736db",
    "unit": "request",
    "summary": "true",
    "_time": 1643924553.681441
  }
}

{
  "type": "metric",
  "body": {
    "_metric": "http.req",
    "_metric_type": "counter",
    "_value": 1,
    "http_target": "/",
    "http_status_code": 200,
    "proc": "lt-curl",
    "pid": 30,
    "host": "c067d78736db",
    "unit": "request",
    "summary": "true",
    "_time": 1643924472.64811
  }
}

http.req properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

http.req.body properties

Property	Description
_metric required (string)	Indicates that the metric Source aggregates HTTP requests and responses. Value must be http.req.
_metric_type required (string)	Indicates that the metric is a counter. Value must be counter.
_value required (number)	The value reported by the event or metric. Example: 1
http_target required (string)	In a URL, the path or file after the FQDN.
http_status_code required (integer)	Specifies the status code of an HTTP response. Possible values: 100 101 102 200 201 202 203 204 205 206 207 208 226 300 301 302 303 304 305 307 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 426 428 429 431 444 451 499 500 501 502 503 504 505 506 507
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
host required (string)	Hostname for the host on which the scoped app was run.
unit required (string)	Indicates that the metric's value is a number of a requests. Value must be request.
summary (string)	When true, indicates that the metric value is an aggregation. Value must be true.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

http.req.content_length ^

Structure of the http.req.content_length metric

Example

{
  "type": "metric",
  "body": {
    "_metric": "http.req.content_length",
    "_metric_type": "counter",
    "_value": 38,
    "http_target": "/echo/post/json",
    "numops": 1,
    "proc": "curl",
    "pid": 525,
    "host": "272cc69a120a",
    "unit": "byte",
    "summary": "true",
    "_time": 1644230452.63037
  }
}

http.req.content_length properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

http.req.content_length.body properties

Property	Description
_metric required (string)	Indicates that the Source is a counter that measures HTTP request content length. Value must be http.req.content_length.
_metric_type required (string)	Indicates that the metric is a counter. Value must be counter.
_value required (number)	The value reported by the event or metric. Example: 1
http_target required (string)	In a URL, the path or file after the FQDN.
numops required (number)	Count of individual operations aggregated.
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
host required (string)	Hostname for the host on which the scoped app was run.
unit required (string)	Indicates that the metric's value is in bytes. Value must be byte.
summary (string)	When true, indicates that the metric value is an aggregation. Value must be true.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

http.resp.content_length ^

Structure of the http.resp.content_length metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "http.resp.content_length",
    "_metric_type": "counter",
    "_value": 58896,
    "http_target": "/",
    "numops": 1,
    "proc": "lt-curl",
    "pid": 788,
    "host": "c067d78736db",
    "unit": "byte",
    "summary": "true",
    "_time": 1643924553.6815
  }
}

{
  "type": "metric",
  "body": {
    "_metric": "http.resp.content_length",
    "_metric_type": "counter",
    "_value": 58896,
    "http_target": "/",
    "numops": 1,
    "proc": "lt-curl",
    "pid": 30,
    "host": "c067d78736db",
    "unit": "byte",
    "summary": "true",
    "_time": 1643924472.648165
  }
}

http.resp.content_length properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

http.resp.content_length.body properties

Property	Description
_metric required (string)	Indicates that the Source is a counter that measures HTTP response content length. Value must be http.resp.content_length.
_metric_type required (string)	Indicates that the metric is a counter. Value must be counter.
_value required (number)	The value reported by the event or metric. Example: 1
http_target required (string)	In a URL, the path or file after the FQDN.
numops required (number)	Count of individual operations aggregated.
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
host required (string)	Hostname for the host on which the scoped app was run.
unit required (string)	Indicates that the metric's value is in bytes. Value must be byte.
summary (string)	When true, indicates that the metric value is an aggregation. Value must be true.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

net.close ^

Structure of the net.close metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "net.close",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "accept01",
    "pid": 13687,
    "host": "1f0ec6c8a7bc",
    "unit": "connection",
    "summary": "true",
    "_time": 1643826403.12145
  }
}

{
  "type": "metric",
  "body": {
    "_metric": "net.close",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "accept01",
    "pid": 9871,
    "fd": 5,
    "host": "1f0ec6c8a7bc",
    "proto": "UDP",
    "port": 0,
    "unit": "connection",
    "_time": 1643826292.077388
  }
}

net.close properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

net.close.body properties

Property	Description
_metric required (string)	Indicates that the Source is a Network Close operation. Value must be net.close.
_metric_type required (string)	Indicates that the metric is a counter. Value must be counter.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
host required (string)	Hostname for the host on which the scoped app was run.
op (string)	The function that was executed.
proto (string)	The transmission protocol that the scoped app used to send data. Possible values: TCP UDP RAW RDM SEQPACKET OTHER
port (number)	Network port opened before a connection was initiated, or closed after the connection closed.
unit required (string)	Indicates that the metric's value is a number of connections. Value must be connection.
summary (string)	When true, indicates that the metric value is an aggregation. Value must be true.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

net.duration ^

Structure of the net.duration metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "net.duration",
    "_metric_type": "timer",
    "_value": 1,
    "proc": "sendfile06_64",
    "pid": 15385,
    "host": "1f0ec6c8a7bc",
    "unit": "millisecond",
    "summary": "true",
    "_time": 1643826428.960074
  }
}

{
  "type": "metric",
  "body": {
    "_metric": "net.duration",
    "_metric_type": "timer",
    "_value": 53,
    "proc": "send02",
    "pid": 11555,
    "fd": 3,
    "host": "1f0ec6c8a7bc",
    "proto": "UDP",
    "port": 0,
    "numops": 1,
    "unit": "millisecond",
    "_time": 1643826318.65727
  }
}

net.duration properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

net.duration.body properties

Property	Description
_metric required (string)	Indicates that the Source is a counter that measures Network duration. Value must be net.duration.
_metric_type required (string)	Indicates that the metric is a timer. Value must be timer.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
host required (string)	Hostname for the host on which the scoped app was run.
proto (string)	The transmission protocol that the scoped app used to send data. Possible values: TCP UDP RAW RDM SEQPACKET OTHER
port (number)	Network port opened before a connection was initiated, or closed after the connection closed.
numops (number)	Count of individual operations aggregated.
unit required (string)	Indicates that the metric's value is in milliseconds. Value must be millisecond.
summary (string)	When true, indicates that the metric value is an aggregation. Value must be true.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

net.error ^

Structure of the net.error metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "net.error",
    "_metric_type": "counter",
    "_value": 6,
    "proc": "accept01",
    "pid": 5920,
    "host": "7cb66c7f77dd",
    "op": "summary",
    "class": "connection",
    "unit": "operation",
    "_time": 1643749774.573214
  }
}

{
  "type": "metric",
  "body": {
    "_metric": "net.error",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "recv01",
    "pid": 3593,
    "host": "7cb66c7f77dd",
    "op": "recv",
    "class": "rx_tx",
    "unit": "operation",
    "_time": 1643749590.518109
  }
}

net.error properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

net.error.body properties

Property	Description
_metric required (string)	Indicates that the Source is a Network Error operation. Value must be net.error.
_metric_type required (string)	Indicates that the metric is a counter. Value must be counter.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
host required (string)	Hostname for the host on which the scoped app was run.
op (string)	The function that was executed.
class required (string)	Subcategory of network error. Possible values: connection rx_tx
unit required (string)	Indicates that the metric's value is a number of operations. Value must be operation.
summary (string)	When true, indicates that the metric value is an aggregation. Value must be true.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

net.open ^

Structure of the net.open metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "net.open",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "accept01",
    "pid": 13687,
    "host": "1f0ec6c8a7bc",
    "unit": "connection",
    "summary": "true",
    "_time": 1643826403.121437
  }
}

{
  "type": "metric",
  "body": {
    "_metric": "net.open",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "lt-curl",
    "pid": 2485,
    "fd": 7,
    "host": "2a6bc132b07a",
    "proto": "UDP",
    "port": 0,
    "unit": "connection",
    "_time": 1643832569.764144
  }
}

net.open properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

net.open.body properties

Property	Description
_metric required (string)	Indicates that the Source is a Network Open operation. Value must be net.open.
_metric_type required (string)	Indicates that the metric is a counter. Value must be counter.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
host required (string)	Hostname for the host on which the scoped app was run.
proto (string)	The transmission protocol that the scoped app used to send data. Possible values: TCP UDP RAW RDM SEQPACKET OTHER
port (number)	Network port opened before a connection was initiated, or closed after the connection closed.
unit required (string)	Indicates that the metric's value is a number of connections. Value must be connection.
summary (string)	When true, indicates that the metric value is an aggregation. Value must be true.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

net.other ^

Structure of the net.other metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "net.other",
    "_metric_type": "gauge",
    "_value": 1,
    "proc": "server_seqpacket",
    "pid": 234979,
    "host": "test_user",
    "unit": "connection",
    "summary": "true",
    "_time": 1643887036.00144
  }
}

{
  "type": "metric",
  "body": {
    "_metric": "net.other",
    "_metric_type": "gauge",
    "_value": 1,
    "proc": "server_seqpacket",
    "pid": 235293,
    "fd": 4,
    "host": "test_user",
    "proto": "SEQPACKET",
    "port": 0,
    "unit": "connection",
    "_time": 1643887122.646226
  }
}

net.other properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

net.other.body properties

Property	Description
_metric required (string)	Indicates that the Source is a Network operation of an other-than-standard kind. Value must be net.other.
_metric_type required (string)	Indicates that the metric is a gauge. Value must be gauge.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
host required (string)	Hostname for the host on which the scoped app was run.
proto (string)	The transmission protocol that the scoped app used to send data. Possible values: TCP UDP RAW RDM SEQPACKET OTHER
port (number)	Network port opened before a connection was initiated, or closed after the connection closed.
unit required (string)	Indicates that the metric's value is a number of connections. Value must be connection.
summary (string)	When true, indicates that the metric value is an aggregation. Value must be true.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

net.port ^

Structure of the net.port metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "net.port",
    "_metric_type": "gauge",
    "_value": 2,
    "proc": "accept02",
    "pid": 13689,
    "host": "1f0ec6c8a7bc",
    "unit": "instance",
    "summary": "true",
    "_time": 1643826403.184484
  }
}

{
  "type": "metric",
  "body": {
    "_metric": "net.port",
    "_metric_type": "gauge",
    "_value": 1,
    "proc": "accept01",
    "pid": 9871,
    "fd": 4,
    "host": "1f0ec6c8a7bc",
    "proto": "TCP",
    "port": 0,
    "unit": "instance",
    "_time": 1643826292.076967
  }
}

net.port properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

net.port.body properties

Property	Description
_metric required (string)	Indicates that the Source is a gauge that identifies open ports. Value must be net.port.
_metric_type required (string)	Indicates that the metric is a gauge. Value must be gauge.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
host required (string)	Hostname for the host on which the scoped app was run.
proto (string)	The transmission protocol that the scoped app used to send data. Possible values: TCP UDP RAW RDM SEQPACKET OTHER
port (number)	Network port opened before a connection was initiated, or closed after the connection closed.
unit required (string)	Indicates that the metric's value is a number of instances. Value must be instance.
summary (string)	When true, indicates that the metric value is an aggregation. Value must be true.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

net.rx ^

Structure of the net.rx metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "net.rx",
    "_metric_type": "counter",
    "_value": 99000,
    "proc": "send02",
    "pid": 15371,
    "host": "1f0ec6c8a7bc",
    "unit": "byte",
    "class": "inet_udp",
    "summary": "true",
    "_time": 1643826428.564141
  }
}

{
  "type": "metric",
  "body": {
    "_metric": "net.rx",
    "_metric_type": "counter",
    "_value": 6,
    "proc": "recvfrom01",
    "pid": 11544,
    "fd": 4,
    "host": "1f0ec6c8a7bc",
    "domain": "AF_INET",
    "proto": "TCP",
    "localip": "127.0.0.1",
    "localp": 37432,
    "remoteip": "0.0.0.0",
    "remotep": 40765,
    "data": "clear",
    "numops": 1,
    "unit": "byte",
    "_time": 1643826317.098972
  }
}

{
  "type": "metric",
  "body": {
    "_metric": "net.rx",
    "_metric_type": "counter",
    "_value": 16,
    "proc": "send02",
    "pid": 11555,
    "fd": 3,
    "host": "1f0ec6c8a7bc",
    "domain": "AF_INET",
    "proto": "UDP",
    "localip": "127.0.0.1",
    "localp": 0,
    "remoteip": " ",
    "remotep": 0,
    "data": "clear",
    "numops": 1,
    "unit": "byte",
    "_time": 1643826318.241899
  }
}

net.rx properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

net.rx.body properties

Property	Description
_metric required (string)	Indicates that the Source is a Network receive operation. Value must be net.rx.
_metric_type required (string)	Indicates that the metric is a counter. Value must be counter.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
host required (string)	Hostname for the host on which the scoped app was run.
domain (string)	The domain for which the scoped app made a DNS request.
proto (string)	The transmission protocol that the scoped app used to send data. Possible values: TCP UDP RAW RDM SEQPACKET OTHER
localn (number)	Inode number for the local end of a UNIX domain socket.
localip (string)	The IP address portion of the local end of a network connection. Example: 127.0.0.1
localp (number)	The port portion of the local end of a network connection. Example: 9109
remoten (number)	Inode number for the remote end of a UNIX domain socket.
remoteip (string)	IP address for the remote end of a network socket. Example: 192.158.1.38
remotep (number)	Port for the remote end of a network socket. Example: 9108
data (string)	The data that the scoped app emitted as output.
numops (number)	Count of individual operations aggregated.
unit required (string)	Indicates that the metric's value is in bytes. Value must be byte.
class (string)	Subcategory of send and receive operations. Possible values: inet_tcp inet_udp unix_tcp unix_udp other
summary (string)	When true, indicates that the metric value is an aggregation. Value must be true.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

net.tcp ^

Structure of the net.tcp metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "net.tcp",
    "_metric_type": "gauge",
    "_value": 1,
    "proc": "accept02",
    "pid": 13689,
    "host": "1f0ec6c8a7bc",
    "unit": "connection",
    "summary": "true",
    "_time": 1643826403.184497
  }
}

{
  "type": "metric",
  "body": {
    "_metric": "net.tcp",
    "_metric_type": "gauge",
    "_value": 0,
    "proc": "accept01",
    "pid": 9871,
    "fd": 4,
    "host": "1f0ec6c8a7bc",
    "proto": "TCP",
    "port": 0,
    "unit": "connection",
    "_time": 1643826292.07731
  }
}

net.tcp properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

net.tcp.body properties

Property	Description
_metric required (string)	Indicates that the Source is a gauge that shows the current count of open TCP ports. Value must be net.tcp.
_metric_type required (string)	Indicates that the metric is a gauge. Value must be gauge.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
host required (string)	Hostname for the host on which the scoped app was run.
proto (string)	The transmission protocol that the scoped app used to send data. Value must be TCP.
port (number)	Network port opened before a connection was initiated, or closed after the connection closed.
unit required (string)	Indicates that the metric's value is a number of connections. Value must be connection.
summary (string)	When true, indicates that the metric value is an aggregation. Value must be true.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

net.tx ^

Structure of the net.tx metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "net.tx",
    "_metric_type": "counter",
    "_value": 3,
    "proc": "recvmsg01",
    "pid": 15364,
    "host": "1f0ec6c8a7bc",
    "unit": "byte",
    "class": "unix_tcp",
    "summary": "true",
    "_time": 1643826427.279136
  }
}

{
  "type": "metric",
  "body": {
    "_metric": "net.tx",
    "_metric_type": "counter",
    "_value": 16,
    "proc": "send02",
    "pid": 11555,
    "fd": 4,
    "host": "1f0ec6c8a7bc",
    "domain": "AF_INET",
    "proto": "UDP",
    "localip": "0.0.0.0",
    "localp": 0,
    "remoteip": "127.0.0.1",
    "remotep": 38725,
    "data": "clear",
    "numops": 1,
    "unit": "byte",
    "_time": 1643826318.241855
  }
}

{
  "type": "metric",
  "body": {
    "_metric": "net.tx",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "recvmsg01",
    "pid": 11548,
    "fd": 3,
    "host": "1f0ec6c8a7bc",
    "domain": "UNIX",
    "proto": "TCP",
    "localn": 48335,
    "remoten": 46396,
    "data": "clear",
    "numops": 1,
    "unit": "byte",
    "_time": 1643826317.162209
  }
}

net.tx properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

net.tx.body properties

Property	Description
_metric required (string)	Indicates that the Source is a Network transmit operation. Value must be net.tx.
_metric_type required (string)	Indicates that the metric is a counter. Value must be counter.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
fd (integer)	The file descriptor for an operation. Example: 4
host required (string)	Hostname for the host on which the scoped app was run.
domain (string)	The domain for which the scoped app made a DNS request.
proto (string)	The transmission protocol that the scoped app used to send data. Possible values: TCP UDP RAW RDM SEQPACKET OTHER
localn (number)	Inode number for the local end of a UNIX domain socket.
localip (string)	The IP address portion of the local end of a network connection. Example: 127.0.0.1
localp (number)	The port portion of the local end of a network connection. Example: 9109
remoten (number)	Inode number for the remote end of a UNIX domain socket.
remoteip (string)	IP address for the remote end of a network socket. Example: 192.158.1.38
remotep (number)	Port for the remote end of a network socket. Example: 9108
data (string)	The data that the scoped app emitted as output.
numops (number)	Count of individual operations aggregated.
unit required (string)	Indicates that the metric's value is in bytes. Value must be byte.
class (string)	Subcategory of send and receive operations. Possible values: inet_tcp inet_udp unix_tcp unix_udp other
summary (string)	When true, indicates that the metric value is an aggregation. Value must be true.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

net.udp ^

Structure of the net.udp metric

Example

{
  "type": "metric",
  "body": {
    "_metric": "net.udp",
    "_metric_type": "gauge",
    "_value": 0,
    "proc": "accept01",
    "pid": 9871,
    "fd": 5,
    "host": "1f0ec6c8a7bc",
    "proto": "UDP",
    "port": 0,
    "unit": "connection",
    "_time": 1643826292.077372
  }
}

net.udp properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

net.udp.body properties

Property	Description
_metric required (string)	Indicates that the Source is a gauge that shows the current count of open UDP ports. Value must be net.udp.
_metric_type required (string)	Indicates that the metric is a gauge. Value must be gauge.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
fd required (integer)	The file descriptor for an operation. Example: 4
host required (string)	Hostname for the host on which the scoped app was run.
proto required (string)	The transmission protocol that the scoped app used to send data. Value must be UDP.
port required (number)	Network port opened before a connection was initiated, or closed after the connection closed.
unit required (string)	Indicates that the metric's value is a number of connections. Value must be connection.
summary (string)	When true, indicates that the metric value is an aggregation. Value must be true.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

proc.child ^

Structure of the proc.child metric

Example

{
  "type": "metric",
  "body": {
    "_metric": "proc.child",
    "_metric_type": "gauge",
    "_value": 0,
    "proc": "accept01",
    "pid": 1946,
    "host": "7cb66c7f77dd",
    "unit": "process",
    "_time": 1643749566.030543
  }
}

proc.child properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

proc.child.body properties

Property	Description
_metric required (string)	Indicates that the Source is a gauge of child processes spawned. Value must be proc.child.
_metric_type required (string)	Indicates that the metric is a gauge. Value must be gauge.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
host required (string)	Hostname for the host on which the scoped app was run.
unit required (string)	Indicates that the metric's value is a number of processes. Value must be process.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

proc.cpu ^

Structure of the proc.cpu metric

Example

{
  "type": "metric",
  "body": {
    "_metric": "proc.cpu",
    "_metric_type": "counter",
    "_value": 2107,
    "proc": "accept01",
    "pid": 1946,
    "host": "7cb66c7f77dd",
    "unit": "microsecond",
    "_time": 1643749566.030295
  }
}

proc.cpu properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

proc.cpu.body properties

Property	Description
_metric required (string)	Indicates that the Source is a counter of microseconds of the process's CPU were scheduled. Value must be proc.cpu.
_metric_type required (string)	Indicates that the metric is a counter. Value must be counter.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
host required (string)	Hostname for the host on which the scoped app was run.
unit required (string)	Indicates that the metric's value is in microseconds. Value must be microsecond.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

proc.cpu.perc ^

Structure of the proc.cpu_perc metric

Example

{
  "type": "metric",
  "body": {
    "_metric": "proc.cpu_perc",
    "_metric_type": "gauge",
    "_value": 0.02107,
    "proc": "accept01",
    "pid": 1946,
    "host": "7cb66c7f77dd",
    "unit": "percent",
    "_time": 1643749566.030327
  }
}

proc.cpu.perc properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

proc.cpu.perc.body properties

Property	Description
_metric required (string)	Indicates that the Source is a gauge that measures percentage of CPU used by the process. Value must be proc.cpu_perc.
_metric_type required (string)	Indicates that the metric is a gauge. Value must be gauge.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
host required (string)	Hostname for the host on which the scoped app was run.
unit required (string)	Indicates that the metric's value is a percentage. Value must be percent.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

proc.fd ^

Structure of the proc.fd metric

Example

{
  "type": "metric",
  "body": {
    "_metric": "proc.fd",
    "_metric_type": "gauge",
    "_value": 5,
    "proc": "accept01",
    "pid": 1946,
    "host": "7cb66c7f77dd",
    "unit": "file",
    "_time": 1643749566.030497
  }
}

proc.fd properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

proc.fd.body properties

Property	Description
_metric required (string)	Indicates that the Source is a gauge that reports how many file descriptors the process has opened. Value must be proc.fd.
_metric_type required (string)	Indicates that the metric is a gauge. Value must be gauge.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
host required (string)	Hostname for the host on which the scoped app was run.
unit required (string)	Indicates that the metric's value is a number of files. Value must be file.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

proc.mem ^

Structure of the proc.mem metric

Example

{
  "type": "metric",
  "body": {
    "_metric": "proc.mem",
    "_metric_type": "gauge",
    "_value": 31284,
    "proc": "accept01",
    "pid": 1946,
    "host": "7cb66c7f77dd",
    "unit": "kibibyte",
    "_time": 1643749566.030388
  }
}

proc.mem properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

proc.mem.body properties

Property	Description
_metric required (string)	Indicates that the Source is a gauge that reports process memory consumption. Value must be proc.mem.
_metric_type required (string)	Indicates that the metric is a gauge. Value must be gauge.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
host required (string)	Hostname for the host on which the scoped app was run.
unit required (string)	Indicates that the metric's value is in kibibytes. Value must be kibibyte.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

proc.start ^

Structure of the proc.start metric

Example

{
  "type": "metric",
  "body": {
    "_metric": "proc.start",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "accept01",
    "pid": 1945,
    "gid": 0,
    "groupname": "root",
    "uid": 0,
    "username": "root",
    "host": "7cb66c7f77dd",
    "args": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "unit": "process",
    "_time": 1643749566.026885
  }
}

proc.start properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

proc.start.body properties

Property	Description
_metric required (string)	Indicates that the Source is a counter which can only be 1, meaning that the process has started. Value must be proc.start.
_metric_type required (string)	Indicates that the metric is a counter. Value must be counter.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
gid required (integer)	Group ID of the user who created the process. Example: 0
groupname required (string)	Groupname of the user who created the process. Example: root
uid required (integer)	User ID of the user who created the process. Example: 0
username required (string)	Username of the user who created the process. Example: root
host required (string)	Hostname for the host on which the scoped app was run.
args required (string)	The arguments with which the scoped app was run.
unit required (string)	Indicates that the metric's value is a number of processes. Value must be process.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777

---

proc.thread ^

Structure of the proc.thread metric

Example

{
  "type": "metric",
  "body": {
    "_metric": "proc.thread",
    "_metric_type": "gauge",
    "_value": 1,
    "proc": "accept01",
    "pid": 1946,
    "host": "7cb66c7f77dd",
    "unit": "thread",
    "_time": 1643749566.030435
  }
}

proc.thread properties

Property	Description
type required (string)	Distinguishes metrics from events. Value must be metric.
body required (object)	body Details below.

proc.thread.body properties

Property	Description
_metric required (string)	Indicates that the Source is a gauge that reports how many threads are running in the process. Value must be proc.thread.
_metric_type required (string)	Indicates that the metric is a gauge. Value must be gauge.
_value required (number)	The value reported by the event or metric. Example: 1
proc required (string)	The name of the scoped app's process.
pid required (integer)	The process ID of the scoped app. Example: 1000
host required (string)	Hostname for the host on which the scoped app was run.
unit required (string)	Indicates that the metric's value is a number of threads. Value must be thread.
_time required (number)	The moment in time when AppScope reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777