ECS fields used Metricbeat.
| Field | Description | Level | Type | Example |
|---|---|---|---|---|
| id | Unique id to describe the event. | (use case) | keyword | 8a4f500d |
| timestamp | Timestamp when the event was created. | (use case) | date | 2016-05-23T08:05:34.853Z |
| agent.version | Beat version. | core | keyword | 6.0.0-rc2 |
| agent.name | Beat name. | core | keyword | filebeat |
| agent.id | Unique beat identifier. | core | keyword | 8a4f500d |
| service.* | The service fields describe the service for / from which the data was collected. If logs or metrics are collected from Redis, service.name would be redis. This allows to find and correlate logs for a specicic service or even version with service.version. |
|||
| service.id | Unique identifier of the running service. This id should uniquely identify this service. This makes it possible to correlate logs and metrics for one specific service. For example in case of issues with one redis instance, it's possible to filter on the id to see metrics and logs for this single instance. |
core | keyword | d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 |
| service.name | Name of the service data is collected from. The name is normally the same as the module name. |
core | keyword | elasticsearch |
| service.version | Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service. |
core | keyword | 3.2.4 |
| service.host | Host address that is used to connect to the service. This normally contains hostname + port. REVIEW: Should this be service.uri instead, sometimes it's more then just the host? It could also include a path or the protocol. |
(use case) | keyword | elasticsearch:9200 |
| request.rtt | Request round trip time. How long did the request take to fetch metrics from the service. REVIEW: THIS DOES NOT EXIST YET IN ECS. |
(use case) | long | 115 |
| error.* | Error namespace Use for errors which can happen during fetching information for a service. |
|||
| error.message | Error message returned by the service during fetching metrics. | core | text | |
| error.code | Error code returned by the service during fetching metrics. | core | keyword | |
| host.hostname | Hostname of the system metricbeat is running on or user defined name. | core | keyword | |
| host.timezone.offset.sec | Timezone offset of the host in seconds. | (use case) | long | |
| host.id | Unique host id. | core | keyword | |
| event.module | Name of the module this data is coming from. | core | keyword | mysql |
| event.dataset | Name of the dataset. This contains the information which is currently stored in metricset.name and metricset.module. |
core | keyword | stats |