diff --git a/packages/kubernetes/_dev/benchmark/rally/container-benchmark.yml b/packages/kubernetes/_dev/benchmark/rally/container-benchmark.yml index df583883fde..1a606694724 100644 --- a/packages/kubernetes/_dev/benchmark/rally/container-benchmark.yml +++ b/packages/kubernetes/_dev/benchmark/rally/container-benchmark.yml @@ -11,4 +11,4 @@ corpora: config: path: ./container-benchmark/config.yml fields: - path: ./container-benchmark/fields.yml \ No newline at end of file + path: ./container-benchmark/fields.yml diff --git a/packages/kubernetes/_dev/benchmark/rally/container-benchmark/fields.yml b/packages/kubernetes/_dev/benchmark/rally/container-benchmark/fields.yml index f01034b7999..cd8bc3e997d 100644 --- a/packages/kubernetes/_dev/benchmark/rally/container-benchmark/fields.yml +++ b/packages/kubernetes/_dev/benchmark/rally/container-benchmark/fields.yml @@ -29,4 +29,4 @@ - name: agent.snapshot type: boolean - name: container.name - type: keyword \ No newline at end of file + type: keyword diff --git a/packages/kubernetes/_dev/benchmark/rally/pod-benchmark.yml b/packages/kubernetes/_dev/benchmark/rally/pod-benchmark.yml index 1fda3aa92a2..e55a8d9e17c 100644 --- a/packages/kubernetes/_dev/benchmark/rally/pod-benchmark.yml +++ b/packages/kubernetes/_dev/benchmark/rally/pod-benchmark.yml @@ -11,4 +11,4 @@ corpora: config: path: ./pod-benchmark/config.yml fields: - path: ./pod-benchmark/fields.yml \ No newline at end of file + path: ./pod-benchmark/fields.yml diff --git a/packages/kubernetes/changelog.yml b/packages/kubernetes/changelog.yml index 4e3a4c84d71..40f8bd4cdea 100644 --- a/packages/kubernetes/changelog.yml +++ b/packages/kubernetes/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: 1.55.1 + changes: + - description: Modify the field definitions to reference ECS. + type: enhancement + link: https://github.com/elastic/integrations/pull/8697 - version: 1.55.0 changes: - description: Remove extra base fields from state data streams. 
diff --git a/packages/kubernetes/data_stream/apiserver/fields/agent.yml b/packages/kubernetes/data_stream/apiserver/fields/agent.yml index da4e652c53b..f9f2aede260 100644 --- a/packages/kubernetes/data_stream/apiserver/fields/agent.yml +++ b/packages/kubernetes/data_stream/apiserver/fields/agent.yml @@ -6,51 +6,21 @@ type: group fields: - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 + external: ecs - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c + external: ecs - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 + external: ecs - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. + external: ecs - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium + external: ecs - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws + external: ecs - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 + external: ecs - name: project.id - type: keyword - description: Name of the project in Google Cloud. + external: ecs - name: image.id type: keyword description: Image ID for the cloud instance. 
@@ -63,25 +33,13 @@ type: group fields: - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. + external: ecs - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. + external: ecs - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. + external: ecs - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. + external: ecs - name: host title: Host group: 2 
@@ -91,94 +49,31 @@ type: group fields: - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 + external: ecs - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false + external: ecs - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' + external: ecs - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' + external: ecs - name: ip - level: core - type: ip - description: Host ip addresses. + external: ecs - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. + external: ecs - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + external: ecs - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian + external: ecs - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic + external: ecs - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X + external: ecs - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin + external: ecs - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 + external: ecs - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + external: ecs - name: containerized type: boolean description: > @@ -193,6 +88,5 @@ - name: os.codename type: keyword example: "stretch" - description: > + description: >- OS codename, if any. - diff --git a/packages/kubernetes/data_stream/apiserver/fields/base-fields.yml b/packages/kubernetes/data_stream/apiserver/fields/base-fields.yml index 7c798f4534c..14017be5fb2 100644 --- a/packages/kubernetes/data_stream/apiserver/fields/base-fields.yml +++ b/packages/kubernetes/data_stream/apiserver/fields/base-fields.yml @@ -1,12 +1,8 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs 
diff --git a/packages/kubernetes/data_stream/apiserver/fields/ecs.yml b/packages/kubernetes/data_stream/apiserver/fields/ecs.yml index 79e3b02a47b..c6b16d3099d 100644 --- a/packages/kubernetes/data_stream/apiserver/fields/ecs.yml +++ b/packages/kubernetes/data_stream/apiserver/fields/ecs.yml @@ -9,3 +9,6 @@ name: orchestrator.cluster.name - external: ecs name: orchestrator.cluster.url +- name: agent.id + external: ecs + dimension: true diff --git a/packages/kubernetes/data_stream/apiserver/manifest.yml b/packages/kubernetes/data_stream/apiserver/manifest.yml index 060d5df6f6f..778cc8a637d 100644 --- a/packages/kubernetes/data_stream/apiserver/manifest.yml +++ b/packages/kubernetes/data_stream/apiserver/manifest.yml @@ -50,6 +50,7 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the events are shipped. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: condition title: Condition description: Condition to filter when to collect this input. See [Dynamic Input Configuration](https://www.elastic.co/guide/en/fleet/current/dynamic-input-configuration.html) for details. @@ -57,6 +58,5 @@ streams: multi: false required: false show_user: false - title: Kubernetes API Server metrics description: Collect Kubernetes API Server metrics diff --git a/packages/kubernetes/data_stream/audit_logs/fields/agent.yml b/packages/kubernetes/data_stream/audit_logs/fields/agent.yml index d56305f6596..42ebfd6da44 100644 --- a/packages/kubernetes/data_stream/audit_logs/fields/agent.yml +++ b/packages/kubernetes/data_stream/audit_logs/fields/agent.yml 
@@ -6,51 +6,21 @@ type: group fields: - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 + external: ecs - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c + external: ecs - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 + external: ecs - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. + external: ecs - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium + external: ecs - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws + external: ecs - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 + external: ecs - name: project.id - type: keyword - description: Name of the project in Google Cloud. + external: ecs - name: image.id type: keyword description: Image ID for the cloud instance. 
@@ -63,94 +33,31 @@ type: group fields: - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 + external: ecs - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false + external: ecs - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' + external: ecs - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' + external: ecs - name: ip - level: core - type: ip - description: Host ip addresses. + external: ecs - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. + external: ecs - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + external: ecs - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian + external: ecs - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic + external: ecs - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X + external: ecs - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin + external: ecs - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 + external: ecs - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + external: ecs - name: containerized type: boolean description: > diff --git a/packages/kubernetes/data_stream/audit_logs/fields/base-fields.yml b/packages/kubernetes/data_stream/audit_logs/fields/base-fields.yml index 10f2858cbe3..1203d75c811 100644 --- a/packages/kubernetes/data_stream/audit_logs/fields/base-fields.yml +++ b/packages/kubernetes/data_stream/audit_logs/fields/base-fields.yml 
@@ -1,25 +1,18 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: event.dataset - type: constant_keyword - description: Event Dataset. - value: kubernetes.audit_logs + external: ecs - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs - name: log.offset type: long description: Offset of the entry in the log file. - name: log.file.path - type: keyword - description: Path to the log file. + external: ecs - name: input.type description: Type of input. type: keyword diff --git a/packages/kubernetes/data_stream/container/fields/agent.yml b/packages/kubernetes/data_stream/container/fields/agent.yml index d16c8825520..81482cd75f8 100644 --- a/packages/kubernetes/data_stream/container/fields/agent.yml +++ b/packages/kubernetes/data_stream/container/fields/agent.yml 
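Review bot: Switching `event.dataset` to `external: ecs` drops the `constant_keyword` mapping with `value: kubernetes.audit_logs` that the old definition carried; ECS defines `event.dataset` as a plain `keyword`, so the value is no longer implied by the mapping and every document must carry it explicitly for detection rules and dashboards filtering on `event.dataset: kubernetes.audit_logs` to keep matching. If the ingest pipeline already sets the field on every audit event this is harmless, but that is not visible from this hunk. The sibling `container` data stream shows that attributes can be combined with the reference (`dimension: true` next to `external: ecs`), so if the constant is meant to survive, keep it as `- name: event.dataset` / `external: ecs` / `value: kubernetes.audit_logs`, assuming the package spec in use permits overriding `value` on an external field.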
@@ -6,51 +6,21 @@ type: group fields: - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 + external: ecs - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c + external: ecs - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 + external: ecs - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. + external: ecs - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium + external: ecs - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws + external: ecs - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 + external: ecs - name: project.id - type: keyword - description: Name of the project in Google Cloud. + external: ecs - name: image.id type: keyword description: Image ID for the cloud instance. 
@@ -64,25 +34,13 @@ fields: - name: id dimension: true - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. + external: ecs - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. + external: ecs - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. + external: ecs - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. + external: ecs - name: host title: Host group: 2 
@@ -92,94 +50,31 @@ type: group fields: - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 + external: ecs - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false + external: ecs - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' + external: ecs - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' + external: ecs - name: ip - level: core - type: ip - description: Host ip addresses. + external: ecs - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. + external: ecs - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + external: ecs - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian + external: ecs - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic + external: ecs - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X + external: ecs - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin + external: ecs - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 + external: ecs - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + external: ecs - name: containerized type: boolean description: > @@ -194,6 +89,5 @@ - name: os.codename type: keyword example: "stretch" - description: > + description: >- OS codename, if any. - diff --git a/packages/kubernetes/data_stream/container/fields/base-fields.yml b/packages/kubernetes/data_stream/container/fields/base-fields.yml index 40aae082795..2ca66bab024 100644 --- a/packages/kubernetes/data_stream/container/fields/base-fields.yml +++ b/packages/kubernetes/data_stream/container/fields/base-fields.yml @@ -1,15 +1,11 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs - name: kubernetes type: group fields: 
diff --git a/packages/kubernetes/data_stream/container/fields/ecs.yml b/packages/kubernetes/data_stream/container/fields/ecs.yml index 7140fe614aa..f1de9af8da6 100644 --- a/packages/kubernetes/data_stream/container/fields/ecs.yml +++ b/packages/kubernetes/data_stream/container/fields/ecs.yml @@ -26,3 +26,6 @@ metric_type: gauge description: | Memory usage percentage. +- name: agent.id + external: ecs + dimension: true diff --git a/packages/kubernetes/data_stream/container/manifest.yml b/packages/kubernetes/data_stream/container/manifest.yml index 1c15d39bb94..163742bf5a3 100644 --- a/packages/kubernetes/data_stream/container/manifest.yml +++ b/packages/kubernetes/data_stream/container/manifest.yml @@ -68,6 +68,7 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the events are shipped. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: stream_condition title: Condition description: Condition to filter when to collect this input. See [Dynamic Input Configuration](https://www.elastic.co/guide/en/fleet/current/dynamic-input-configuration.html) for details. @@ -75,6 +76,5 @@ streams: multi: false required: false show_user: false - title: Kubernetes Container metrics description: Collect Kubernetes Container metrics diff --git a/packages/kubernetes/data_stream/container_logs/fields/agent.yml b/packages/kubernetes/data_stream/container_logs/fields/agent.yml index 521bec88ec3..f9f2aede260 100644 --- a/packages/kubernetes/data_stream/container_logs/fields/agent.yml +++ b/packages/kubernetes/data_stream/container_logs/fields/agent.yml 
@@ -6,51 +6,21 @@ type: group fields: - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 + external: ecs - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c + external: ecs - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 + external: ecs - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. + external: ecs - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium + external: ecs - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws + external: ecs - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 + external: ecs - name: project.id - type: keyword - description: Name of the project in Google Cloud. + external: ecs - name: image.id type: keyword description: Image ID for the cloud instance. 
@@ -63,27 +33,13 @@ type: group fields: - name: id - dimension: true - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. + external: ecs - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. + external: ecs - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. + external: ecs - name: name - dimension: true - level: extended - type: keyword - ignore_above: 1024 - description: Container name. + external: ecs - name: host title: Host group: 2 
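Review bot: This hunk also removes `dimension: true` from `container.id` and `container.name`, which goes beyond referencing ECS; the corresponding hunk for the `container` metrics data stream keeps `dimension: true` alongside `external: ecs`, so the attribute can be retained with the reference. For a logs data stream the flag is presumably inert, but it is still a mapping change that the changelog entry ("reference ECS") does not describe. Either restore it, e.g. `- name: id` / `dimension: true` / `external: ecs`, or note explicitly that `container_logs` no longer declares dimensions.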
@@ -93,94 +49,31 @@ type: group fields: - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 + external: ecs - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false + external: ecs - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' + external: ecs - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' + external: ecs - name: ip - level: core - type: ip - description: Host ip addresses. + external: ecs - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. + external: ecs - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + external: ecs - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian + external: ecs - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic + external: ecs - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X + external: ecs - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin + external: ecs - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 + external: ecs - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + external: ecs - name: containerized type: boolean description: > @@ -195,27 +88,5 @@ - name: os.codename type: keyword example: "stretch" - description: > + description: >- OS codename, if any. - -- name: log.file - type: group - fields: - - name: device_id - type: keyword - description: ID of the device containing the filesystem where the file resides. - - name: fingerprint - type: keyword - description: The sha256 fingerprint identity of the file when fingerprinting is enabled. - - name: inode - type: keyword - description: Inode number of the log file. - - name: idxhi - type: keyword - description: The high-order part of a unique identifier that is associated with a file. (Windows-only) - - name: idxlo - type: keyword - description: The low-order part of a unique identifier that is associated with a file. (Windows-only) - - name: vol - type: keyword - description: The serial number of the volume that contains a file. (Windows-only) 
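Review bot: The second hunk deletes the explicit `log.file` group (`device_id`, `fingerprint`, `inode`, `idxhi`, `idxlo`, `vol`) without an `external: ecs` replacement; these are not ECS fields (only `log.file.path`, handled in base-fields, is), so unless they are mapped elsewhere in this data stream they lose their explicit `keyword` mapping and will either rely on dynamic mapping or be left unmapped if the template disables it. `log.file.inode`, `log.file.device_id` and `log.file.fingerprint` tie a container log line to the file it was read from, which is what an investigator uses to reason about rotated or tampered log files. If the removal is intentional because the input no longer emits these fields, state that in the changelog; otherwise keep the group, e.g. `- name: log.file` / `type: group` / `fields:` with the original entries, and limit this hunk to the `description: >-` change.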
diff --git a/packages/kubernetes/data_stream/container_logs/fields/base-fields.yml b/packages/kubernetes/data_stream/container_logs/fields/base-fields.yml index 393dff1e806..d3cf65f7235 100644 --- a/packages/kubernetes/data_stream/container_logs/fields/base-fields.yml +++ b/packages/kubernetes/data_stream/container_logs/fields/base-fields.yml @@ -1,21 +1,16 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs - name: log.offset type: long description: Offset of the entry in the log file. - name: log.file.path - type: keyword - description: Path to the log file. + external: ecs - name: input.type description: Type of Filebeat input. type: keyword diff --git a/packages/kubernetes/data_stream/controllermanager/fields/agent.yml b/packages/kubernetes/data_stream/controllermanager/fields/agent.yml index da4e652c53b..f9f2aede260 100644 --- a/packages/kubernetes/data_stream/controllermanager/fields/agent.yml +++ b/packages/kubernetes/data_stream/controllermanager/fields/agent.yml 
@@ -6,51 +6,21 @@ type: group fields: - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 + external: ecs - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c + external: ecs - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 + external: ecs - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. + external: ecs - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium + external: ecs - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws + external: ecs - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 + external: ecs - name: project.id - type: keyword - description: Name of the project in Google Cloud. + external: ecs - name: image.id type: keyword description: Image ID for the cloud instance. 
@@ -63,25 +33,13 @@ type: group fields: - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. + external: ecs - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. + external: ecs - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. + external: ecs - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. + external: ecs - name: host title: Host group: 2 
@@ -91,94 +49,31 @@ type: group fields: - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 + external: ecs - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false + external: ecs - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' + external: ecs - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' + external: ecs - name: ip - level: core - type: ip - description: Host ip addresses. + external: ecs - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. + external: ecs - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + external: ecs - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian + external: ecs - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic + external: ecs - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X + external: ecs - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin + external: ecs - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 + external: ecs - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + external: ecs - name: containerized type: boolean description: > @@ -193,6 +88,5 @@ - name: os.codename type: keyword example: "stretch" - description: > + description: >- OS codename, if any. - diff --git a/packages/kubernetes/data_stream/controllermanager/fields/base-fields.yml b/packages/kubernetes/data_stream/controllermanager/fields/base-fields.yml index d43ffd79646..8b623275c85 100644 --- a/packages/kubernetes/data_stream/controllermanager/fields/base-fields.yml +++ b/packages/kubernetes/data_stream/controllermanager/fields/base-fields.yml @@ -1,15 +1,11 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs - name: kubernetes type: group fields: 
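Review bot: The removed `host.os.name` entry carried a `text` multi-field and `host.domain` carried `default_field: false`; after this hunk both definitions are resolved from the ECS reference pinned for the package, so whether `host.os.name.text` and the default-field exclusion survive in the generated mapping now depends on that pinned ECS version rather than on this file. Worth diffing the mapping produced by `elastic-package build` before and after, and adding a header comment so the next maintainer knows where the definitions come from, e.g. `# cloud/container/host fields are resolved from the ECS version pinned in the package build config; define a field explicitly here only when it must diverge from ECS.` The same hunk is repeated verbatim for the event, node, pod, proxy and scheduler agent.yml files, so the check applies to all of them; the `cloud.image.id`, `host.containerized` and `host.os.codename` entries stay local definitions, which is fine as long as that is intentional.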
diff --git a/packages/kubernetes/data_stream/controllermanager/fields/ecs.yml b/packages/kubernetes/data_stream/controllermanager/fields/ecs.yml index b091fa9865a..e82d05731c9 100644 --- a/packages/kubernetes/data_stream/controllermanager/fields/ecs.yml +++ b/packages/kubernetes/data_stream/controllermanager/fields/ecs.yml @@ -10,3 +10,6 @@ - external: ecs name: orchestrator.cluster.url dimension: true +- name: agent.id + external: ecs + dimension: true diff --git a/packages/kubernetes/data_stream/controllermanager/manifest.yml b/packages/kubernetes/data_stream/controllermanager/manifest.yml index ef97629c5a3..6196b12af3f 100644 --- a/packages/kubernetes/data_stream/controllermanager/manifest.yml +++ b/packages/kubernetes/data_stream/controllermanager/manifest.yml @@ -57,6 +57,7 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the events are shipped. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: condition title: Condition description: Condition to filter when to collect this input. See [Dynamic Input Configuration](https://www.elastic.co/guide/en/fleet/current/dynamic-input-configuration.html) for details. @@ -64,6 +65,5 @@ streams: multi: false required: false show_user: false - title: Kubernetes Controller Manager metrics description: Collect Kubernetes Controller Manager metrics diff --git a/packages/kubernetes/data_stream/event/fields/agent.yml b/packages/kubernetes/data_stream/event/fields/agent.yml index da4e652c53b..f9f2aede260 100644 --- a/packages/kubernetes/data_stream/event/fields/agent.yml +++ b/packages/kubernetes/data_stream/event/fields/agent.yml 
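Review bot: Adding `agent.id` with `dimension: true` changes the time-series identity of the controllermanager data stream, which the surrounding `orchestrator.cluster.url` `dimension: true` suggests is TSDB-indexed: metrics for the same controller collected by two agents, or by an agent that re-enrolls under a new ID, become separate series, and the new dimension only applies to backing indices created after the upgrade, so queries spanning the rollover see a series split. That is a behavioral change rather than a pure `external: ecs` refactor and deserves a one-line why-comment on the entry, e.g. `# dimension: keeps metrics from different collectors of the same target from colliding on _tsid`, plus a mention in the changelog. Confirm agent.id is populated on every document of this stream; a document that matches no dimension at all is rejected in time-series mode.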
@@ -6,51 +6,21 @@ type: group fields: - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 + external: ecs - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c + external: ecs - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 + external: ecs - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. + external: ecs - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium + external: ecs - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws + external: ecs - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 + external: ecs - name: project.id - type: keyword - description: Name of the project in Google Cloud. + external: ecs - name: image.id type: keyword description: Image ID for the cloud instance. 
@@ -63,25 +33,13 @@ type: group fields: - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. + external: ecs - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. + external: ecs - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. + external: ecs - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. + external: ecs - name: host title: Host group: 2 
@@ -91,94 +49,31 @@ type: group fields: - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 + external: ecs - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false + external: ecs - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' + external: ecs - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' + external: ecs - name: ip - level: core - type: ip - description: Host ip addresses. + external: ecs - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. + external: ecs - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + external: ecs - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian + external: ecs - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic + external: ecs - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X + external: ecs - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin + external: ecs - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 + external: ecs - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + external: ecs - name: containerized type: boolean description: > @@ -193,6 +88,5 @@ - name: os.codename type: keyword example: "stretch" - description: > + description: >- OS codename, if any. - diff --git a/packages/kubernetes/data_stream/event/fields/base-fields.yml b/packages/kubernetes/data_stream/event/fields/base-fields.yml index d43ffd79646..8b623275c85 100644 --- a/packages/kubernetes/data_stream/event/fields/base-fields.yml +++ b/packages/kubernetes/data_stream/event/fields/base-fields.yml @@ -1,15 +1,11 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs - name: kubernetes type: group fields: 
diff --git a/packages/kubernetes/data_stream/event/fields/ecs.yml b/packages/kubernetes/data_stream/event/fields/ecs.yml index 32165e66a44..c8a2f90db73 100644 --- a/packages/kubernetes/data_stream/event/fields/ecs.yml +++ b/packages/kubernetes/data_stream/event/fields/ecs.yml @@ -6,3 +6,6 @@ name: orchestrator.cluster.name - external: ecs name: orchestrator.cluster.url +- name: agent.id + external: ecs + dimension: true diff --git a/packages/kubernetes/data_stream/event/manifest.yml b/packages/kubernetes/data_stream/event/manifest.yml index 36bb84ff58b..613d481e879 100644 --- a/packages/kubernetes/data_stream/event/manifest.yml +++ b/packages/kubernetes/data_stream/event/manifest.yml @@ -39,6 +39,7 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the events are shipped. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: condition title: Condition description: Condition to filter when to collect this input. See [Dynamic Input Configuration](https://www.elastic.co/guide/en/fleet/current/dynamic-input-configuration.html) for details. @@ -46,6 +47,5 @@ streams: multi: false required: false show_user: false - title: Kubernetes Event metrics description: Collect Kubernetes Event metrics diff --git a/packages/kubernetes/data_stream/node/fields/agent.yml b/packages/kubernetes/data_stream/node/fields/agent.yml index da4e652c53b..f9f2aede260 100644 --- a/packages/kubernetes/data_stream/node/fields/agent.yml +++ b/packages/kubernetes/data_stream/node/fields/agent.yml 
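Review bot: `agent.id` is flagged `dimension: true` here although the adjacent `orchestrator.cluster.name` and `orchestrator.cluster.url` entries in this file carry no `dimension` flag, unlike the same entries in the sibling data streams, which suggests the event stream is not indexed in time-series mode. If it is not, the flag is inert and misleading and the entry should be just `- name: agent.id` / `external: ecs`; if it is, agent.id would be the only explicit dimension declared in this file, which is unlikely to be the intended series key for Kubernetes events. Either way the inconsistency between this file and the other ecs.yml files should be resolved deliberately and noted in a short comment.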
@@ -6,51 +6,21 @@ type: group fields: - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 + external: ecs - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c + external: ecs - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 + external: ecs - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. + external: ecs - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium + external: ecs - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws + external: ecs - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 + external: ecs - name: project.id - type: keyword - description: Name of the project in Google Cloud. + external: ecs - name: image.id type: keyword description: Image ID for the cloud instance. 
@@ -63,25 +33,13 @@ type: group fields: - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. + external: ecs - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. + external: ecs - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. + external: ecs - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. + external: ecs - name: host title: Host group: 2 
@@ -91,94 +49,31 @@ type: group fields: - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 + external: ecs - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false + external: ecs - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' + external: ecs - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' + external: ecs - name: ip - level: core - type: ip - description: Host ip addresses. + external: ecs - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. + external: ecs - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + external: ecs - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian + external: ecs - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic + external: ecs - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X + external: ecs - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin + external: ecs - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 + external: ecs - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + external: ecs - name: containerized type: boolean description: > @@ -193,6 +88,5 @@ - name: os.codename type: keyword example: "stretch" - description: > + description: >- OS codename, if any. - diff --git a/packages/kubernetes/data_stream/node/fields/base-fields.yml b/packages/kubernetes/data_stream/node/fields/base-fields.yml index d43ffd79646..8b623275c85 100644 --- a/packages/kubernetes/data_stream/node/fields/base-fields.yml +++ b/packages/kubernetes/data_stream/node/fields/base-fields.yml @@ -1,15 +1,11 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs - name: kubernetes type: group fields: 
diff --git a/packages/kubernetes/data_stream/node/fields/ecs.yml b/packages/kubernetes/data_stream/node/fields/ecs.yml index b091fa9865a..e82d05731c9 100644 --- a/packages/kubernetes/data_stream/node/fields/ecs.yml +++ b/packages/kubernetes/data_stream/node/fields/ecs.yml @@ -10,3 +10,6 @@ - external: ecs name: orchestrator.cluster.url dimension: true +- name: agent.id + external: ecs + dimension: true diff --git a/packages/kubernetes/data_stream/node/manifest.yml b/packages/kubernetes/data_stream/node/manifest.yml index 53572e677a8..f53b401f7b5 100644 --- a/packages/kubernetes/data_stream/node/manifest.yml +++ b/packages/kubernetes/data_stream/node/manifest.yml @@ -55,6 +55,7 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the events are shipped. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: stream_condition title: Condition description: Condition to filter when to collect this input. See [Dynamic Input Configuration](https://www.elastic.co/guide/en/fleet/current/dynamic-input-configuration.html) for details. @@ -62,6 +63,5 @@ streams: multi: false required: false show_user: false - title: Kubernetes Node metrics description: Collect Kubernetes Node metrics diff --git a/packages/kubernetes/data_stream/pod/fields/agent.yml b/packages/kubernetes/data_stream/pod/fields/agent.yml index da4e652c53b..f9f2aede260 100644 --- a/packages/kubernetes/data_stream/pod/fields/agent.yml +++ b/packages/kubernetes/data_stream/pod/fields/agent.yml 
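Review bot: Declaring `agent.id` as a dimension alters the `_tsid` of the node data stream, so node metrics reported by a replaced or re-enrolled agent start a new series instead of continuing the old one, and the change only takes effect on backing indices created after rollover. Because an agent normally runs one-per-node, this mostly adds a second identity next to the node itself; if the intent is to disambiguate overlapping collectors, say so in a comment on the entry, e.g. `# dimension: one series per collecting agent, see changelog 1.55.1`, so the cardinality increase is understood. The TSDB status of this stream is inferred from the neighbouring `dimension: true` on `orchestrator.cluster.url`, not visible in the hunk itself.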
@@ -6,51 +6,21 @@ type: group fields: - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 + external: ecs - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c + external: ecs - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 + external: ecs - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. + external: ecs - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium + external: ecs - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws + external: ecs - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 + external: ecs - name: project.id - type: keyword - description: Name of the project in Google Cloud. + external: ecs - name: image.id type: keyword description: Image ID for the cloud instance. 
@@ -63,25 +33,13 @@ type: group fields: - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. + external: ecs - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. + external: ecs - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. + external: ecs - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. + external: ecs - name: host title: Host group: 2 
@@ -91,94 +49,31 @@ type: group fields: - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 + external: ecs - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false + external: ecs - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' + external: ecs - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' + external: ecs - name: ip - level: core - type: ip - description: Host ip addresses. + external: ecs - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. + external: ecs - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + external: ecs - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian + external: ecs - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic + external: ecs - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X + external: ecs - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin + external: ecs - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 + external: ecs - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + external: ecs - name: containerized type: boolean description: > @@ -193,6 +88,5 @@ - name: os.codename type: keyword example: "stretch" - description: > + description: >- OS codename, if any. - diff --git a/packages/kubernetes/data_stream/pod/fields/base-fields.yml b/packages/kubernetes/data_stream/pod/fields/base-fields.yml index 40aae082795..2ca66bab024 100644 --- a/packages/kubernetes/data_stream/pod/fields/base-fields.yml +++ b/packages/kubernetes/data_stream/pod/fields/base-fields.yml @@ -1,15 +1,11 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs - name: kubernetes type: group fields: 
diff --git a/packages/kubernetes/data_stream/pod/fields/ecs.yml b/packages/kubernetes/data_stream/pod/fields/ecs.yml index b1443228a90..91e9871fbce 100644 --- a/packages/kubernetes/data_stream/pod/fields/ecs.yml +++ b/packages/kubernetes/data_stream/pod/fields/ecs.yml @@ -22,3 +22,6 @@ metric_type: counter description: | Total number of incoming bytes. +- name: agent.id + external: ecs + dimension: true diff --git a/packages/kubernetes/data_stream/pod/manifest.yml b/packages/kubernetes/data_stream/pod/manifest.yml index d6cca23fa64..771936eec4e 100644 --- a/packages/kubernetes/data_stream/pod/manifest.yml +++ b/packages/kubernetes/data_stream/pod/manifest.yml @@ -68,6 +68,7 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the events are shipped. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: stream_condition title: Condition description: Condition to filter when to collect this input. See [Dynamic Input Configuration](https://www.elastic.co/guide/en/fleet/current/dynamic-input-configuration.html) for details. @@ -75,6 +76,5 @@ streams: multi: false required: false show_user: false - title: Kubernetes Pod metrics description: Collect Kubernetes Pod metrics diff --git a/packages/kubernetes/data_stream/proxy/fields/agent.yml b/packages/kubernetes/data_stream/proxy/fields/agent.yml index da4e652c53b..f9f2aede260 100644 --- a/packages/kubernetes/data_stream/proxy/fields/agent.yml +++ b/packages/kubernetes/data_stream/proxy/fields/agent.yml 
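Review bot: The pod stream is clearly a TSDB metrics stream (the hunk context shows `metric_type: counter`), so promoting `agent.id` to a dimension changes the series key for every pod metric and splits existing series at the first rollover after the upgrade; counters such as the incoming-bytes field above will restart from the new series' first sample, which rate functions treat as a reset. This should be called out explicitly rather than folded into the "reference ECS" description, with a why-comment on the entry such as `# dimension: distinguishes pods scraped by more than one agent; changes _tsid on upgrade`. Confirm every document carries agent.id so the dimension is never empty.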
@@ -6,51 +6,21 @@ type: group fields: - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 + external: ecs - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c + external: ecs - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 + external: ecs - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. + external: ecs - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium + external: ecs - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws + external: ecs - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 + external: ecs - name: project.id - type: keyword - description: Name of the project in Google Cloud. + external: ecs - name: image.id type: keyword description: Image ID for the cloud instance. 
@@ -63,25 +33,13 @@ type: group fields: - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. + external: ecs - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. + external: ecs - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. + external: ecs - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. + external: ecs - name: host title: Host group: 2 
@@ -91,94 +49,31 @@ type: group fields: - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 + external: ecs - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false + external: ecs - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' + external: ecs - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' + external: ecs - name: ip - level: core - type: ip - description: Host ip addresses. + external: ecs - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. + external: ecs - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + external: ecs - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian + external: ecs - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic + external: ecs - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X + external: ecs - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin + external: ecs - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 + external: ecs - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + external: ecs - name: containerized type: boolean description: > @@ -193,6 +88,5 @@ - name: os.codename type: keyword example: "stretch" - description: > + description: >- OS codename, if any. - diff --git a/packages/kubernetes/data_stream/proxy/fields/base-fields.yml b/packages/kubernetes/data_stream/proxy/fields/base-fields.yml index 7c798f4534c..14017be5fb2 100644 --- a/packages/kubernetes/data_stream/proxy/fields/base-fields.yml +++ b/packages/kubernetes/data_stream/proxy/fields/base-fields.yml @@ -1,12 +1,8 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs diff --git a/packages/kubernetes/data_stream/proxy/fields/ecs.yml b/packages/kubernetes/data_stream/proxy/fields/ecs.yml index b091fa9865a..e82d05731c9 100644 
--- a/packages/kubernetes/data_stream/proxy/fields/ecs.yml +++ b/packages/kubernetes/data_stream/proxy/fields/ecs.yml @@ -10,3 +10,6 @@ - external: ecs name: orchestrator.cluster.url dimension: true +- name: agent.id + external: ecs + dimension: true diff --git a/packages/kubernetes/data_stream/proxy/manifest.yml b/packages/kubernetes/data_stream/proxy/manifest.yml index 24f3905c00b..8fdc2b489c1 100644 --- a/packages/kubernetes/data_stream/proxy/manifest.yml +++ b/packages/kubernetes/data_stream/proxy/manifest.yml @@ -28,6 +28,7 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the events are shipped. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: condition title: Condition description: Condition to filter when to collect this input. See [Dynamic Input Configuration](https://www.elastic.co/guide/en/fleet/current/dynamic-input-configuration.html) for details. @@ -35,6 +36,5 @@ streams: multi: false required: false show_user: false - title: Kubernetes Proxy metrics description: Collect Kubernetes Proxy metrics diff --git a/packages/kubernetes/data_stream/scheduler/fields/agent.yml b/packages/kubernetes/data_stream/scheduler/fields/agent.yml index da4e652c53b..f9f2aede260 100644 --- a/packages/kubernetes/data_stream/scheduler/fields/agent.yml +++ b/packages/kubernetes/data_stream/scheduler/fields/agent.yml 
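Review bot: Adding `agent.id` as a dimension to the proxy stream has the same effect as in the other metric streams in this change: the `_tsid` of kube-proxy metrics now includes the collecting agent, existing series are split at the next rollover, and a re-enrolled agent produces a fresh series for the same proxy. The entry lacks any explanation of why the agent identity is part of the series key; a one-line comment, e.g. `# dimension: avoids _tsid collisions when more than one agent scrapes the same proxy`, and a changelog line flagging the dimension change would let operators anticipate the discontinuity in their dashboards.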
@@ -6,51 +6,21 @@ type: group fields: - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 + external: ecs - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c + external: ecs - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 + external: ecs - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. + external: ecs - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium + external: ecs - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws + external: ecs - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 + external: ecs - name: project.id - type: keyword - description: Name of the project in Google Cloud. + external: ecs - name: image.id type: keyword description: Image ID for the cloud instance. 
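Review bot: `image.id` is the only entry in this cloud group left as an inline `type`/`description` definition after every neighbour was switched to `external: ecs`, and nothing in the file says why. If it stays inline because ECS has no matching field, a comment above it such as `# not an ECS field; keep the inline definition` would stop the next maintainer from treating it as a missed conversion. The identical `@@ -6,51 +6,21 @@` hunks for state_container, state_cronjob, state_daemonset, state_deployment and state_job agent.yml have the same gap.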
@@ -63,25 +33,13 @@ type: group fields: - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. + external: ecs - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. + external: ecs - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. + external: ecs - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. + external: ecs - name: host title: Host group: 2 
@@ -91,94 +49,31 @@ type: group fields: - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 + external: ecs - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false + external: ecs - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' + external: ecs - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' + external: ecs - name: ip - level: core - type: ip - description: Host ip addresses. + external: ecs - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. + external: ecs - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + external: ecs - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian + external: ecs - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic + external: ecs - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X + external: ecs - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin + external: ecs - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 + external: ecs - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + external: ecs - name: containerized type: boolean description: >
@@ -193,6 +88,5 @@ - name: os.codename type: keyword example: "stretch" - description: > + description: >- OS codename, if any. -
diff --git a/packages/kubernetes/data_stream/scheduler/fields/base-fields.yml b/packages/kubernetes/data_stream/scheduler/fields/base-fields.yml
index d43ffd79646..8b623275c85 100644
--- a/packages/kubernetes/data_stream/scheduler/fields/base-fields.yml
+++ b/packages/kubernetes/data_stream/scheduler/fields/base-fields.yml
@@ -1,15 +1,11 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs - name: kubernetes type: group fields:
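Review bot: The `os.name` replacement drops the explicit `multi_fields` block (a `text` subfield with `norms: false` and `default_field: false`) and the `domain` replacement drops `default_field: false`, so whether `host.os.name.text` still exists, what type it has, and which of these fields are searchable by default now depend on the ECS version the package pins rather than on this file. I would compare the regenerated mapping for `host.os.name.text` and `host.domain` against the old one before merging, since recent ECS releases define such multi-fields as `match_only_text` rather than `text`. The enclosing `host` group header is only visible as trailing context of the previous hunk, and the identical `@@ -91,94 +49,31 @@` hunks for state_container, state_cronjob, state_daemonset and state_deployment share this point.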
diff --git a/packages/kubernetes/data_stream/scheduler/fields/ecs.yml b/packages/kubernetes/data_stream/scheduler/fields/ecs.yml
index b091fa9865a..e82d05731c9 100644
--- a/packages/kubernetes/data_stream/scheduler/fields/ecs.yml
+++ b/packages/kubernetes/data_stream/scheduler/fields/ecs.yml
@@ -10,3 +10,6 @@ - external: ecs name: orchestrator.cluster.url dimension: true +- name: agent.id + external: ecs + dimension: true
diff --git a/packages/kubernetes/data_stream/scheduler/manifest.yml b/packages/kubernetes/data_stream/scheduler/manifest.yml
index 7757de8e77b..d50106c6bd2 100644
--- a/packages/kubernetes/data_stream/scheduler/manifest.yml
+++ b/packages/kubernetes/data_stream/scheduler/manifest.yml
@@ -57,6 +57,7 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the events are shipped. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: condition title: Condition description: Condition to filter when to collect this input. See [Dynamic Input Configuration](https://www.elastic.co/guide/en/fleet/current/dynamic-input-configuration.html) for details.
@@ -64,6 +65,5 @@ streams: multi: false required: false show_user: false - title: Kubernetes Scheduler metrics description: Collect Kubernetes Scheduler metrics
diff --git a/packages/kubernetes/data_stream/state_container/fields/agent.yml b/packages/kubernetes/data_stream/state_container/fields/agent.yml
index da4e652c53b..f9f2aede260 100644
--- a/packages/kubernetes/data_stream/state_container/fields/agent.yml
+++ b/packages/kubernetes/data_stream/state_container/fields/agent.yml
@@ -6,51 +6,21 @@ type: group fields: - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 + external: ecs - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c + external: ecs - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 + external: ecs - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. + external: ecs - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium + external: ecs - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws + external: ecs - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 + external: ecs - name: project.id - type: keyword - description: Name of the project in Google Cloud. + external: ecs - name: image.id type: keyword description: Image ID for the cloud instance. 
@@ -63,25 +33,13 @@ type: group fields: - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. + external: ecs - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. + external: ecs - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. + external: ecs - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. + external: ecs - name: host title: Host group: 2 
@@ -91,94 +49,31 @@ type: group fields: - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 + external: ecs - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false + external: ecs - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' + external: ecs - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' + external: ecs - name: ip - level: core - type: ip - description: Host ip addresses. + external: ecs - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. + external: ecs - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + external: ecs - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian + external: ecs - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic + external: ecs - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X + external: ecs - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin + external: ecs - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 + external: ecs - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + external: ecs - name: containerized type: boolean description: >
@@ -193,6 +88,5 @@ - name: os.codename type: keyword example: "stretch" - description: > + description: >- OS codename, if any. -
diff --git a/packages/kubernetes/data_stream/state_container/fields/base-fields.yml b/packages/kubernetes/data_stream/state_container/fields/base-fields.yml
index ebc085f78eb..45d7e194448 100644
--- a/packages/kubernetes/data_stream/state_container/fields/base-fields.yml
+++ b/packages/kubernetes/data_stream/state_container/fields/base-fields.yml
@@ -1,15 +1,11 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs - name: kubernetes type: group fields:
@@ -130,3 +126,4 @@ type: keyword description: > Kubernetes container name +
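Review bot: The `@@ -130,3 +126,4 @@` hunk appends an empty `+` line after `Kubernetes container name`, so base-fields.yml now ends with a blank line instead of a single trailing newline; yamllint's default `empty-lines` rule (`max-end: 0`) flags exactly that. Drop the added empty line so the file ends with one newline. The `@@ -45,3 +40,4 @@` hunks for state_cronjob and state_daemonset base-fields.yml and the `@@ -51,3 +46,4 @@` hunk for state_deployment base-fields.yml add the same trailing blank line.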
diff --git a/packages/kubernetes/data_stream/state_container/fields/ecs.yml b/packages/kubernetes/data_stream/state_container/fields/ecs.yml
index ebc0fbd86e4..0c25976aa5f 100644
--- a/packages/kubernetes/data_stream/state_container/fields/ecs.yml
+++ b/packages/kubernetes/data_stream/state_container/fields/ecs.yml
@@ -12,3 +12,6 @@ - external: ecs name: orchestrator.cluster.url dimension: true +- name: agent.id + external: ecs + dimension: true
diff --git a/packages/kubernetes/data_stream/state_cronjob/fields/agent.yml b/packages/kubernetes/data_stream/state_cronjob/fields/agent.yml
index da4e652c53b..f9f2aede260 100644
--- a/packages/kubernetes/data_stream/state_cronjob/fields/agent.yml
+++ b/packages/kubernetes/data_stream/state_cronjob/fields/agent.yml
@@ -6,51 +6,21 @@ type: group fields: - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 + external: ecs - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c + external: ecs - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 + external: ecs - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. + external: ecs - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium + external: ecs - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws + external: ecs - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 + external: ecs - name: project.id - type: keyword - description: Name of the project in Google Cloud. + external: ecs - name: image.id type: keyword description: Image ID for the cloud instance. 
@@ -63,25 +33,13 @@ type: group fields: - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. + external: ecs - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. + external: ecs - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. + external: ecs - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. + external: ecs - name: host title: Host group: 2 
@@ -91,94 +49,31 @@ type: group fields: - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 + external: ecs - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false + external: ecs - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' + external: ecs - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' + external: ecs - name: ip - level: core - type: ip - description: Host ip addresses. + external: ecs - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. + external: ecs - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + external: ecs - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian + external: ecs - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic + external: ecs - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X + external: ecs - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin + external: ecs - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 + external: ecs - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + external: ecs - name: containerized type: boolean description: >
@@ -193,6 +88,5 @@ - name: os.codename type: keyword example: "stretch" - description: > + description: >- OS codename, if any. -
diff --git a/packages/kubernetes/data_stream/state_cronjob/fields/base-fields.yml b/packages/kubernetes/data_stream/state_cronjob/fields/base-fields.yml
index 4fa6e2f1b77..a75567e19a2 100644
--- a/packages/kubernetes/data_stream/state_cronjob/fields/base-fields.yml
+++ b/packages/kubernetes/data_stream/state_cronjob/fields/base-fields.yml
@@ -1,19 +1,14 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs - name: kubernetes type: group fields: - - name: namespace type: keyword description:
>
@@ -45,3 +40,4 @@ object_type_mapping_type: "*" description: > Kubernetes annotations map +
diff --git a/packages/kubernetes/data_stream/state_cronjob/fields/ecs.yml b/packages/kubernetes/data_stream/state_cronjob/fields/ecs.yml
index b091fa9865a..e82d05731c9 100644
--- a/packages/kubernetes/data_stream/state_cronjob/fields/ecs.yml
+++ b/packages/kubernetes/data_stream/state_cronjob/fields/ecs.yml
@@ -10,3 +10,6 @@ - external: ecs name: orchestrator.cluster.url dimension: true +- name: agent.id + external: ecs + dimension: true
diff --git a/packages/kubernetes/data_stream/state_daemonset/fields/agent.yml b/packages/kubernetes/data_stream/state_daemonset/fields/agent.yml
index da4e652c53b..f9f2aede260 100644
--- a/packages/kubernetes/data_stream/state_daemonset/fields/agent.yml
+++ b/packages/kubernetes/data_stream/state_daemonset/fields/agent.yml
@@ -6,51 +6,21 @@ type: group fields: - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 + external: ecs - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c + external: ecs - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 + external: ecs - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. + external: ecs - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium + external: ecs - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws + external: ecs - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 + external: ecs - name: project.id - type: keyword - description: Name of the project in Google Cloud. + external: ecs - name: image.id type: keyword description: Image ID for the cloud instance. 
@@ -63,25 +33,13 @@ type: group fields: - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. + external: ecs - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. + external: ecs - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. + external: ecs - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. + external: ecs - name: host title: Host group: 2 
@@ -91,94 +49,31 @@ type: group fields: - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 + external: ecs - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false + external: ecs - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' + external: ecs - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' + external: ecs - name: ip - level: core - type: ip - description: Host ip addresses. + external: ecs - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. + external: ecs - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + external: ecs - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian + external: ecs - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic + external: ecs - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X + external: ecs - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin + external: ecs - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 + external: ecs - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + external: ecs - name: containerized type: boolean description: >
@@ -193,6 +88,5 @@ - name: os.codename type: keyword example: "stretch" - description: > + description: >- OS codename, if any. -
diff --git a/packages/kubernetes/data_stream/state_daemonset/fields/base-fields.yml b/packages/kubernetes/data_stream/state_daemonset/fields/base-fields.yml
index 4fa6e2f1b77..a75567e19a2 100644
--- a/packages/kubernetes/data_stream/state_daemonset/fields/base-fields.yml
+++ b/packages/kubernetes/data_stream/state_daemonset/fields/base-fields.yml
@@ -1,19 +1,14 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs - name: kubernetes type: group fields: - - name: namespace type: keyword description:
>
@@ -45,3 +40,4 @@ object_type_mapping_type: "*" description: > Kubernetes annotations map +
diff --git a/packages/kubernetes/data_stream/state_daemonset/fields/ecs.yml b/packages/kubernetes/data_stream/state_daemonset/fields/ecs.yml
index b091fa9865a..e82d05731c9 100644
--- a/packages/kubernetes/data_stream/state_daemonset/fields/ecs.yml
+++ b/packages/kubernetes/data_stream/state_daemonset/fields/ecs.yml
@@ -10,3 +10,6 @@ - external: ecs name: orchestrator.cluster.url dimension: true +- name: agent.id + external: ecs + dimension: true
diff --git a/packages/kubernetes/data_stream/state_deployment/fields/agent.yml b/packages/kubernetes/data_stream/state_deployment/fields/agent.yml
index da4e652c53b..f9f2aede260 100644
--- a/packages/kubernetes/data_stream/state_deployment/fields/agent.yml
+++ b/packages/kubernetes/data_stream/state_deployment/fields/agent.yml
@@ -6,51 +6,21 @@ type: group fields: - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 + external: ecs - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c + external: ecs - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 + external: ecs - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. + external: ecs - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium + external: ecs - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws + external: ecs - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 + external: ecs - name: project.id - type: keyword - description: Name of the project in Google Cloud. + external: ecs - name: image.id type: keyword description: Image ID for the cloud instance. 
@@ -63,25 +33,13 @@ type: group fields: - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. + external: ecs - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. + external: ecs - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. + external: ecs - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. + external: ecs - name: host title: Host group: 2 
@@ -91,94 +49,31 @@ type: group fields: - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 + external: ecs - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false + external: ecs - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' + external: ecs - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' + external: ecs - name: ip - level: core - type: ip - description: Host ip addresses. + external: ecs - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. + external: ecs - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + external: ecs - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian + external: ecs - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic + external: ecs - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X + external: ecs - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin + external: ecs - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 + external: ecs - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + external: ecs - name: containerized type: boolean description: >
@@ -193,6 +88,5 @@ - name: os.codename type: keyword example: "stretch" - description: > + description: >- OS codename, if any. -
diff --git a/packages/kubernetes/data_stream/state_deployment/fields/base-fields.yml b/packages/kubernetes/data_stream/state_deployment/fields/base-fields.yml
index 2ecd14a725d..33d29579a32 100644
--- a/packages/kubernetes/data_stream/state_deployment/fields/base-fields.yml
+++ b/packages/kubernetes/data_stream/state_deployment/fields/base-fields.yml
@@ -1,19 +1,14 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs - name: kubernetes type: group fields: - - name: namespace type: keyword description:
>
@@ -51,3 +46,4 @@ type: keyword description: > Kubernetes deployment name +
diff --git a/packages/kubernetes/data_stream/state_deployment/fields/ecs.yml b/packages/kubernetes/data_stream/state_deployment/fields/ecs.yml
index b091fa9865a..e82d05731c9 100644
--- a/packages/kubernetes/data_stream/state_deployment/fields/ecs.yml
+++ b/packages/kubernetes/data_stream/state_deployment/fields/ecs.yml
@@ -10,3 +10,6 @@ - external: ecs name: orchestrator.cluster.url dimension: true +- name: agent.id + external: ecs + dimension: true
diff --git a/packages/kubernetes/data_stream/state_job/fields/agent.yml b/packages/kubernetes/data_stream/state_job/fields/agent.yml
index da4e652c53b..f9f2aede260 100644
--- a/packages/kubernetes/data_stream/state_job/fields/agent.yml
+++ b/packages/kubernetes/data_stream/state_job/fields/agent.yml
@@ -6,51 +6,21 @@
 type: group
 fields:
 - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
+ external: ecs
 - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
+ external: ecs
 - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
+ external: ecs
 - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
+ external: ecs
 - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
+ external: ecs
 - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
+ external: ecs
 - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
+ external: ecs
 - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
+ external: ecs
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
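Review bot: `image.id` is the only entry in this group left with a local `type: keyword` definition after every neighbour was switched to `external: ecs`, and nothing in the hunk says why, so the next sweep for local definitions is likely to convert it as well and then fail on a field ECS does not define (presumably that is the reason it was kept). A comment on the entry, e.g. `# not an ECS field; keep the local definition`, would make the exception explicit; the same applies to `containerized` at the end of the host group in the third hunk of this file, and to the identical agent.yml hunks for state_namespace, state_node, state_persistentvolume, state_persistentvolumeclaim and state_pod. The group header this hunk belongs to sits above the hunk, outside it.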
@@ -63,25 +33,13 @@
 type: group
 fields:
 - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
+ external: ecs
 - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
+ external: ecs
 - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
+ external: ecs
 - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
+ external: ecs
 - name: host
 title: Host
 group: 2
@@ -91,94 +49,31 @@
 type: group
 fields:
 - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
+ external: ecs
 - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
+ external: ecs
 - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
+ external: ecs
 - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
+ external: ecs
 - name: ip
- level: core
- type: ip
- description: Host ip addresses.
+ external: ecs
 - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
+ external: ecs
 - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ external: ecs
 - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
+ external: ecs
 - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
+ external: ecs
 - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
+ external: ecs
 - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
+ external: ecs
 - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
+ external: ecs
 - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ external: ecs
 - name: containerized
 type: boolean
 description: >
@@ -193,6 +88,5 @@
 - name: os.codename
 type: keyword
 example: "stretch"
- description: >
+ description: >-
 OS codename, if any.
-
diff --git a/packages/kubernetes/data_stream/state_job/fields/base-fields.yml b/packages/kubernetes/data_stream/state_job/fields/base-fields.yml
index 35f8ea3ec56..487811100e9 100644
--- a/packages/kubernetes/data_stream/state_job/fields/base-fields.yml
+++ b/packages/kubernetes/data_stream/state_job/fields/base-fields.yml
@@ -1,19 +1,14 @@
 - name: data_stream.type
- type: constant_keyword
- description: Data stream type.
+ external: ecs
 - name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
+ external: ecs
 - name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
+ external: ecs
 - name: '@timestamp'
- type: date
- description: Event timestamp.
+ external: ecs
 - name: kubernetes
 type: group
 fields:
-
 - name: namespace
 type: keyword
 description: >
@@ -56,3 +51,4 @@
 type: keyword
 description: >
 Name of the CronJob to which the Pod belongs
+
diff --git a/packages/kubernetes/data_stream/state_job/fields/ecs.yml b/packages/kubernetes/data_stream/state_job/fields/ecs.yml
index b091fa9865a..e82d05731c9 100644
--- a/packages/kubernetes/data_stream/state_job/fields/ecs.yml
+++ b/packages/kubernetes/data_stream/state_job/fields/ecs.yml
@@ -10,3 +10,6 @@
 - external: ecs
 name: orchestrator.cluster.url
 dimension: true
+- name: agent.id
+ external: ecs
+ dimension: true
diff --git a/packages/kubernetes/data_stream/state_namespace/fields/agent.yml b/packages/kubernetes/data_stream/state_namespace/fields/agent.yml
index da4e652c53b..f9f2aede260 100644
--- a/packages/kubernetes/data_stream/state_namespace/fields/agent.yml
+++ b/packages/kubernetes/data_stream/state_namespace/fields/agent.yml
@@ -6,51 +6,21 @@
 type: group
 fields:
 - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
+ external: ecs
 - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
+ external: ecs
 - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
+ external: ecs
 - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
+ external: ecs
 - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
+ external: ecs
 - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
+ external: ecs
 - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
+ external: ecs
 - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
+ external: ecs
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
@@ -63,25 +33,13 @@
 type: group
 fields:
 - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
+ external: ecs
 - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
+ external: ecs
 - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
+ external: ecs
 - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
+ external: ecs
 - name: host
 title: Host
 group: 2
@@ -91,94 +49,31 @@
 type: group
 fields:
 - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
+ external: ecs
 - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
+ external: ecs
 - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
+ external: ecs
 - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
+ external: ecs
 - name: ip
- level: core
- type: ip
- description: Host ip addresses.
+ external: ecs
 - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
+ external: ecs
 - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ external: ecs
 - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
+ external: ecs
 - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
+ external: ecs
 - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
+ external: ecs
 - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
+ external: ecs
 - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
+ external: ecs
 - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ external: ecs
 - name: containerized
 type: boolean
 description: >
@@ -193,6 +88,5 @@
 - name: os.codename
 type: keyword
 example: "stretch"
- description: >
+ description: >-
 OS codename, if any.
-
diff --git a/packages/kubernetes/data_stream/state_namespace/fields/base-fields.yml b/packages/kubernetes/data_stream/state_namespace/fields/base-fields.yml
index dbadf80d59f..930faf85c2c 100644
--- a/packages/kubernetes/data_stream/state_namespace/fields/base-fields.yml
+++ b/packages/kubernetes/data_stream/state_namespace/fields/base-fields.yml
@@ -1,21 +1,17 @@
 - name: data_stream.type
- type: constant_keyword
- description: Data stream type.
+ external: ecs
 - name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
+ external: ecs
 - name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
+ external: ecs
 - name: '@timestamp'
- type: date
- description: Event timestamp.
+ external: ecs
 - name: kubernetes
 type: group
 fields:
-
 - name: namespace
 type: keyword
 dimension: true
 description: >
 Kubernetes namespace
+
diff --git a/packages/kubernetes/data_stream/state_node/fields/agent.yml b/packages/kubernetes/data_stream/state_node/fields/agent.yml
index da4e652c53b..f9f2aede260 100644
--- a/packages/kubernetes/data_stream/state_node/fields/agent.yml
+++ b/packages/kubernetes/data_stream/state_node/fields/agent.yml
@@ -6,51 +6,21 @@
 type: group
 fields:
 - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
+ external: ecs
 - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
+ external: ecs
 - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
+ external: ecs
 - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
+ external: ecs
 - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
+ external: ecs
 - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
+ external: ecs
 - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
+ external: ecs
 - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
+ external: ecs
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
@@ -63,25 +33,13 @@
 type: group
 fields:
 - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
+ external: ecs
 - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
+ external: ecs
 - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
+ external: ecs
 - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
+ external: ecs
 - name: host
 title: Host
 group: 2
@@ -91,94 +49,31 @@
 type: group
 fields:
 - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
+ external: ecs
 - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
+ external: ecs
 - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
+ external: ecs
 - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
+ external: ecs
 - name: ip
- level: core
- type: ip
- description: Host ip addresses.
+ external: ecs
 - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
+ external: ecs
 - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ external: ecs
 - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
+ external: ecs
 - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
+ external: ecs
 - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
+ external: ecs
 - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
+ external: ecs
 - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
+ external: ecs
 - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ external: ecs
 - name: containerized
 type: boolean
 description: >
@@ -193,6 +88,5 @@
 - name: os.codename
 type: keyword
 example: "stretch"
- description: >
+ description: >-
 OS codename, if any.
-
diff --git a/packages/kubernetes/data_stream/state_node/fields/base-fields.yml b/packages/kubernetes/data_stream/state_node/fields/base-fields.yml
index ccb2ebef3d7..cd8e6755f25 100644
--- a/packages/kubernetes/data_stream/state_node/fields/base-fields.yml
+++ b/packages/kubernetes/data_stream/state_node/fields/base-fields.yml
@@ -1,19 +1,14 @@
 - name: data_stream.type
- type: constant_keyword
- description: Data stream type.
+ external: ecs
 - name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
+ external: ecs
 - name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
+ external: ecs
 - name: '@timestamp'
- type: date
- description: Event timestamp.
+ external: ecs
 - name: kubernetes
 type: group
 fields:
-
 - name: node.name
 dimension: true
 type: keyword
@@ -36,5 +31,5 @@
 type: object
 object_type: keyword
 object_type_mapping_type: "*"
- description: >
- Kubernetes annotations map
\ No newline at end of file
+ description: >-
+ Kubernetes annotations map
diff --git a/packages/kubernetes/data_stream/state_node/fields/ecs.yml b/packages/kubernetes/data_stream/state_node/fields/ecs.yml
index b091fa9865a..e82d05731c9 100644
--- a/packages/kubernetes/data_stream/state_node/fields/ecs.yml
+++ b/packages/kubernetes/data_stream/state_node/fields/ecs.yml
@@ -10,3 +10,6 @@
 - external: ecs
 name: orchestrator.cluster.url
 dimension: true
+- name: agent.id
+ external: ecs
+ dimension: true
diff --git a/packages/kubernetes/data_stream/state_persistentvolume/fields/agent.yml b/packages/kubernetes/data_stream/state_persistentvolume/fields/agent.yml
index da4e652c53b..f9f2aede260 100644
--- a/packages/kubernetes/data_stream/state_persistentvolume/fields/agent.yml
+++ b/packages/kubernetes/data_stream/state_persistentvolume/fields/agent.yml
@@ -6,51 +6,21 @@
 type: group
 fields:
 - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
+ external: ecs
 - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
+ external: ecs
 - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
+ external: ecs
 - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
+ external: ecs
 - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
+ external: ecs
 - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
+ external: ecs
 - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
+ external: ecs
 - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
+ external: ecs
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
@@ -63,25 +33,13 @@
 type: group
 fields:
 - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
+ external: ecs
 - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
+ external: ecs
 - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
+ external: ecs
 - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
+ external: ecs
 - name: host
 title: Host
 group: 2
@@ -91,94 +49,31 @@
 type: group
 fields:
 - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
+ external: ecs
 - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
+ external: ecs
 - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
+ external: ecs
 - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
+ external: ecs
 - name: ip
- level: core
- type: ip
- description: Host ip addresses.
+ external: ecs
 - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
+ external: ecs
 - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ external: ecs
 - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
+ external: ecs
 - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
+ external: ecs
 - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
+ external: ecs
 - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
+ external: ecs
 - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
+ external: ecs
 - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ external: ecs
 - name: containerized
 type: boolean
 description: >
@@ -193,6 +88,5 @@
 - name: os.codename
 type: keyword
 example: "stretch"
- description: >
+ description: >-
 OS codename, if any.
-
diff --git a/packages/kubernetes/data_stream/state_persistentvolume/fields/base-fields.yml b/packages/kubernetes/data_stream/state_persistentvolume/fields/base-fields.yml
index fb3d8dc362a..32453ca8ba5 100644
--- a/packages/kubernetes/data_stream/state_persistentvolume/fields/base-fields.yml
+++ b/packages/kubernetes/data_stream/state_persistentvolume/fields/base-fields.yml
@@ -1,19 +1,14 @@
 - name: data_stream.type
- type: constant_keyword
- description: Data stream type.
+ external: ecs
 - name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
+ external: ecs
 - name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
+ external: ecs
 - name: '@timestamp'
- type: date
- description: Event timestamp.
+ external: ecs
 - name: kubernetes
 type: group
 fields:
-
 - name: labels.*
 type: object
 object_type: keyword
@@ -25,5 +20,5 @@
 type: object
 object_type: keyword
 object_type_mapping_type: "*"
- description: >
- Kubernetes annotations map
\ No newline at end of file
+ description: >-
+ Kubernetes annotations map
diff --git a/packages/kubernetes/data_stream/state_persistentvolume/fields/ecs.yml b/packages/kubernetes/data_stream/state_persistentvolume/fields/ecs.yml
index b091fa9865a..e82d05731c9 100644
--- a/packages/kubernetes/data_stream/state_persistentvolume/fields/ecs.yml
+++ b/packages/kubernetes/data_stream/state_persistentvolume/fields/ecs.yml
@@ -10,3 +10,6 @@
 - external: ecs
 name: orchestrator.cluster.url
 dimension: true
+- name: agent.id
+ external: ecs
+ dimension: true
diff --git a/packages/kubernetes/data_stream/state_persistentvolumeclaim/fields/agent.yml b/packages/kubernetes/data_stream/state_persistentvolumeclaim/fields/agent.yml
index da4e652c53b..f9f2aede260 100644
--- a/packages/kubernetes/data_stream/state_persistentvolumeclaim/fields/agent.yml
+++ b/packages/kubernetes/data_stream/state_persistentvolumeclaim/fields/agent.yml
@@ -6,51 +6,21 @@
 type: group
 fields:
 - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
+ external: ecs
 - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
+ external: ecs
 - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
+ external: ecs
 - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
+ external: ecs
 - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
+ external: ecs
 - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
+ external: ecs
 - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
+ external: ecs
 - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
+ external: ecs
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
@@ -63,25 +33,13 @@
 type: group
 fields:
 - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
+ external: ecs
 - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
+ external: ecs
 - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
+ external: ecs
 - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
+ external: ecs
 - name: host
 title: Host
 group: 2
@@ -91,94 +49,31 @@
 type: group
 fields:
 - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
+ external: ecs
 - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
+ external: ecs
 - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
+ external: ecs
 - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
+ external: ecs
 - name: ip
- level: core
- type: ip
- description: Host ip addresses.
+ external: ecs
 - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
+ external: ecs
 - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ external: ecs
 - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
+ external: ecs
 - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
+ external: ecs
 - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
+ external: ecs
 - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
+ external: ecs
 - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
+ external: ecs
 - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ external: ecs
 - name: containerized
 type: boolean
 description: >
@@ -193,6 +88,5 @@
 - name: os.codename
 type: keyword
 example: "stretch"
- description: >
+ description: >-
 OS codename, if any.
-
diff --git a/packages/kubernetes/data_stream/state_persistentvolumeclaim/fields/base-fields.yml b/packages/kubernetes/data_stream/state_persistentvolumeclaim/fields/base-fields.yml
index f5716076bef..dae9b3e5b41 100644
--- a/packages/kubernetes/data_stream/state_persistentvolumeclaim/fields/base-fields.yml
+++ b/packages/kubernetes/data_stream/state_persistentvolumeclaim/fields/base-fields.yml
@@ -1,19 +1,14 @@
 - name: data_stream.type
- type: constant_keyword
- description: Data stream type.
+ external: ecs
 - name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
+ external: ecs
 - name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
+ external: ecs
 - name: '@timestamp'
- type: date
- description: Event timestamp.
+ external: ecs
 - name: kubernetes
 type: group
 fields:
-
 - name: namespace
 type: keyword
 description: >
@@ -43,5 +38,5 @@
 type: object
 object_type: keyword
 object_type_mapping_type: "*"
- description: >
- Kubernetes annotations map
\ No newline at end of file
+ description: >-
+ Kubernetes annotations map
diff --git a/packages/kubernetes/data_stream/state_persistentvolumeclaim/fields/ecs.yml b/packages/kubernetes/data_stream/state_persistentvolumeclaim/fields/ecs.yml
index cd4e3a89b1a..420575e189f 100644
--- a/packages/kubernetes/data_stream/state_persistentvolumeclaim/fields/ecs.yml
+++ b/packages/kubernetes/data_stream/state_persistentvolumeclaim/fields/ecs.yml
@@ -8,3 +8,6 @@
 name: orchestrator.cluster.name
 - external: ecs
 name: orchestrator.cluster.url
+- name: agent.id
+ external: ecs
+ dimension: true
diff --git a/packages/kubernetes/data_stream/state_pod/fields/agent.yml b/packages/kubernetes/data_stream/state_pod/fields/agent.yml
index da4e652c53b..f9f2aede260 100644
--- a/packages/kubernetes/data_stream/state_pod/fields/agent.yml
+++ b/packages/kubernetes/data_stream/state_pod/fields/agent.yml
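Review bot: `agent.id` becomes a new `dimension: true` field in this ecs.yml, and next to the other `dimension: true` entries visible in the sibling files that is a time-series-identity change rather than a documentation swap: if these data streams are TSDB-backed, documents sent before and after the upgrade will fall into different series, so the change deserves its own changelog entry instead of being folded into the ECS-reference wording. The same addition appears at L99, L104, L109 and L114. Stylistically the new entry puts `name` before `external`, whereas the existing entries in these files lead with `external: ecs`; `- external: ecs` / `name: agent.id` / `dimension: true` would match them. Separately, this file's `orchestrator.cluster.url` context lines carry no `dimension: true` while the same field is a dimension in the other state_* ecs.yml hunks; that may be deliberate, but it is worth confirming.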
@@ -6,51 +6,21 @@
 type: group
 fields:
 - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
+ external: ecs
 - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
+ external: ecs
 - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
+ external: ecs
 - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
+ external: ecs
 - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
+ external: ecs
 - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
+ external: ecs
 - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
+ external: ecs
 - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
+ external: ecs
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
@@ -63,25 +33,13 @@
 type: group
 fields:
 - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
+ external: ecs
 - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
+ external: ecs
 - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
+ external: ecs
 - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
+ external: ecs
 - name: host
 title: Host
 group: 2
@@ -91,94 +49,31 @@
 type: group
 fields:
 - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
+ external: ecs
 - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
+ external: ecs
 - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
+ external: ecs
 - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
+ external: ecs
 - name: ip
- level: core
- type: ip
- description: Host ip addresses.
+ external: ecs
 - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
+ external: ecs
 - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ external: ecs
 - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
+ external: ecs
 - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
+ external: ecs
 - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
+ external: ecs
 - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
+ external: ecs
 - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
+ external: ecs
 - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ external: ecs
 - name: containerized
 type: boolean
 description: >
@@ -193,6 +88,5 @@
 - name: os.codename
 type: keyword
 example: "stretch"
- description: >
+ description: >-
 OS codename, if any.
-
diff --git a/packages/kubernetes/data_stream/state_pod/fields/base-fields.yml b/packages/kubernetes/data_stream/state_pod/fields/base-fields.yml
index 622dee09a58..2568736b8fc 100644
--- a/packages/kubernetes/data_stream/state_pod/fields/base-fields.yml
+++ b/packages/kubernetes/data_stream/state_pod/fields/base-fields.yml
@@ -1,15 +1,11 @@
 - name: data_stream.type
- type: constant_keyword
- description: Data stream type.
+ external: ecs
 - name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
+ external: ecs
 - name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
+ external: ecs
 - name: '@timestamp'
- type: date
- description: Event timestamp.
+ external: ecs
 - name: kubernetes
 type: group
 fields:
diff --git a/packages/kubernetes/data_stream/state_pod/fields/ecs.yml b/packages/kubernetes/data_stream/state_pod/fields/ecs.yml
index ebc0fbd86e4..0c25976aa5f 100644
--- a/packages/kubernetes/data_stream/state_pod/fields/ecs.yml
+++ b/packages/kubernetes/data_stream/state_pod/fields/ecs.yml
@@ -12,3 +12,6 @@
 - external: ecs
 name: orchestrator.cluster.url
 dimension: true
+- name: agent.id
+ external: ecs
+ dimension: true
diff --git a/packages/kubernetes/data_stream/state_replicaset/fields/agent.yml b/packages/kubernetes/data_stream/state_replicaset/fields/agent.yml
index da4e652c53b..f9f2aede260 100644
--- a/packages/kubernetes/data_stream/state_replicaset/fields/agent.yml
+++ b/packages/kubernetes/data_stream/state_replicaset/fields/agent.yml
@@ -6,51 +6,21 @@
 type: group
 fields:
 - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
+ external: ecs
 - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
+ external: ecs
 - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
+ external: ecs
 - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
+ external: ecs
 - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
+ external: ecs
 - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
+ external: ecs
 - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
+ external: ecs
 - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
+ external: ecs
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
@@ -63,25 +33,13 @@
 type: group
 fields:
 - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
+ external: ecs
 - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
+ external: ecs
 - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
+ external: ecs
 - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
+ external: ecs
 - name: host
 title: Host
 group: 2
@@ -91,94 +49,31 @@
 type: group
 fields:
 - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
+ external: ecs
 - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
+ external: ecs
 - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
+ external: ecs
 - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
+ external: ecs
 - name: ip
- level: core
- type: ip
- description: Host ip addresses.
+ external: ecs
 - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
+ external: ecs
 - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ external: ecs
 - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
+ external: ecs
 - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
+ external: ecs
 - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
+ external: ecs
 - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
+ external: ecs
 - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
+ external: ecs
 - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ external: ecs
 - name: containerized
 type: boolean
 description: >
@@ -193,6 +88,5 @@
 - name: os.codename
 type: keyword
 example: "stretch"
- description: >
+ description: >-
 OS codename, if any.
-
diff --git a/packages/kubernetes/data_stream/state_replicaset/fields/base-fields.yml b/packages/kubernetes/data_stream/state_replicaset/fields/base-fields.yml
index 84293c62adf..ea6ee3b4e43 100644
--- a/packages/kubernetes/data_stream/state_replicaset/fields/base-fields.yml
+++ b/packages/kubernetes/data_stream/state_replicaset/fields/base-fields.yml
@@ -1,19 +1,14 @@
 - name: data_stream.type
- type: constant_keyword
- description: Data stream type.
+ external: ecs
 - name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
+ external: ecs
 - name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
+ external: ecs
 - name: '@timestamp'
- type: date
- description: Event timestamp.
+ external: ecs
 - name: kubernetes
 type: group
 fields:
-
 - name: namespace
 type: keyword
 description: >
@@ -56,3 +51,4 @@
 type: keyword
 description: >
 Kubernetes deployment name
+
diff --git a/packages/kubernetes/data_stream/state_replicaset/fields/ecs.yml b/packages/kubernetes/data_stream/state_replicaset/fields/ecs.yml
index b091fa9865a..e82d05731c9 100644
--- a/packages/kubernetes/data_stream/state_replicaset/fields/ecs.yml
+++ b/packages/kubernetes/data_stream/state_replicaset/fields/ecs.yml
@@ -10,3 +10,6 @@
 - external: ecs
 name: orchestrator.cluster.url
 dimension: true
+- name: agent.id
+ external: ecs
+ dimension: true
diff --git a/packages/kubernetes/data_stream/state_resourcequota/fields/agent.yml b/packages/kubernetes/data_stream/state_resourcequota/fields/agent.yml
index da4e652c53b..f9f2aede260 100644
--- a/packages/kubernetes/data_stream/state_resourcequota/fields/agent.yml
+++ b/packages/kubernetes/data_stream/state_resourcequota/fields/agent.yml
@@ -6,51 +6,21 @@
 type: group
 fields:
 - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
+ external: ecs
 - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
+ external: ecs
 - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
+ external: ecs
 - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
+ external: ecs
 - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
+ external: ecs
 - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
+ external: ecs
 - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
+ external: ecs
 - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
+ external: ecs
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
@@ -63,25 +33,13 @@
 type: group
 fields:
 - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
+ external: ecs
 - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
+ external: ecs
 - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
+ external: ecs
 - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
+ external: ecs
 - name: host
 title: Host
 group: 2
@@ -91,94 +49,31 @@
 type: group
 fields:
 - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
+ external: ecs
 - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
+ external: ecs
 - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
+ external: ecs
 - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
+ external: ecs
 - name: ip
- level: core
- type: ip
- description: Host ip addresses.
+ external: ecs
 - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
+ external: ecs
 - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ external: ecs
 - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
+ external: ecs
 - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
+ external: ecs
 - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
+ external: ecs
 - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
+ external: ecs
 - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
+ external: ecs
 - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ external: ecs
 - name: containerized
 type: boolean
 description: >
@@ -193,6 +88,5 @@
 - name: os.codename
 type: keyword
 example: "stretch"
- description: >
+ description: >-
 OS codename, if any.
-
diff --git a/packages/kubernetes/data_stream/state_resourcequota/fields/base-fields.yml b/packages/kubernetes/data_stream/state_resourcequota/fields/base-fields.yml
index 46edb0454c3..7020d320982 100644
--- a/packages/kubernetes/data_stream/state_resourcequota/fields/base-fields.yml
+++ b/packages/kubernetes/data_stream/state_resourcequota/fields/base-fields.yml
@@ -1,19 +1,14 @@
 - name: data_stream.type
- type: constant_keyword
- description: Data stream type.
+ external: ecs
 - name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
+ external: ecs
 - name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
+ external: ecs
 - name: '@timestamp'
- type: date
- description: Event timestamp.
+ external: ecs
 - name: kubernetes
 type: group
 fields:
-
 - name: namespace
 dimension: true
 type: keyword
@@ -31,5 +26,5 @@
 type: object
 object_type: keyword
 object_type_mapping_type: "*"
- description: >
- Kubernetes annotations map
\ No newline at end of file
+ description: >-
+ Kubernetes annotations map
diff --git a/packages/kubernetes/data_stream/state_resourcequota/fields/ecs.yml b/packages/kubernetes/data_stream/state_resourcequota/fields/ecs.yml
index b091fa9865a..e82d05731c9 100644
--- a/packages/kubernetes/data_stream/state_resourcequota/fields/ecs.yml
+++ b/packages/kubernetes/data_stream/state_resourcequota/fields/ecs.yml
@@ -10,3 +10,6 @@
 - external: ecs
 name: orchestrator.cluster.url
 dimension: true
+- name: agent.id
+ external: ecs
+ dimension: true
diff --git a/packages/kubernetes/data_stream/state_service/fields/agent.yml b/packages/kubernetes/data_stream/state_service/fields/agent.yml
index da4e652c53b..f9f2aede260 100644
--- a/packages/kubernetes/data_stream/state_service/fields/agent.yml
+++ b/packages/kubernetes/data_stream/state_service/fields/agent.yml
@@ -6,51 +6,21 @@
 type: group
 fields:
 - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
+ external: ecs
 - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
+ external: ecs
 - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
+ external: ecs
 - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
+ external: ecs
 - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
+ external: ecs
 - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
+ external: ecs
 - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
+ external: ecs
 - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
+ external: ecs
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
@@ -63,25 +33,13 @@
 type: group
 fields:
 - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
+ external: ecs
 - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
+ external: ecs
 - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
+ external: ecs
 - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
+ external: ecs
 - name: host
 title: Host
 group: 2
@@ -91,94 +49,31 @@
 type: group
 fields:
 - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
+ external: ecs
 - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
+ external: ecs
 - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
+ external: ecs
 - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
+ external: ecs
 - name: ip
- level: core
- type: ip
- description: Host ip addresses.
+ external: ecs
 - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
+ external: ecs
 - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ external: ecs
 - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
+ external: ecs
 - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
+ external: ecs
 - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
+ external: ecs
 - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
+ external: ecs
 - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
+ external: ecs
 - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ external: ecs
 - name: containerized
 type: boolean
 description: >
@@ -193,6 +88,5 @@
 - name: os.codename
 type: keyword
 example: "stretch"
- description: >
+ description: >-
 OS codename, if any.
-
diff --git a/packages/kubernetes/data_stream/state_service/fields/base-fields.yml b/packages/kubernetes/data_stream/state_service/fields/base-fields.yml
index fcf5d29e33e..1ab7bef7109 100644
--- a/packages/kubernetes/data_stream/state_service/fields/base-fields.yml
+++ b/packages/kubernetes/data_stream/state_service/fields/base-fields.yml
@@ -1,19 +1,14 @@
 - name: data_stream.type
- type: constant_keyword
- description: Data stream type.
+ external: ecs
 - name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
+ external: ecs
 - name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
+ external: ecs
 - name: '@timestamp'
- type: date
- description: Event timestamp.
+ external: ecs
 - name: kubernetes
 type: group
 fields:
-
 - name: namespace
 type: keyword
 description: >
@@ -46,7 +41,6 @@
description: > Kubernetes labels map - - name: annotations.* type: object object_type: keyword
@@ -60,3 +54,4 @@
 object_type_mapping_type: "*"
 description: >
 Kubernetes Service selectors map
+
diff --git a/packages/kubernetes/data_stream/state_service/fields/ecs.yml b/packages/kubernetes/data_stream/state_service/fields/ecs.yml
index b091fa9865a..e82d05731c9 100644
--- a/packages/kubernetes/data_stream/state_service/fields/ecs.yml
+++ b/packages/kubernetes/data_stream/state_service/fields/ecs.yml
@@ -10,3 +10,6 @@
 - external: ecs
 name: orchestrator.cluster.url
 dimension: true
+- name: agent.id
+ external: ecs
+ dimension: true
diff --git a/packages/kubernetes/data_stream/state_statefulset/fields/agent.yml b/packages/kubernetes/data_stream/state_statefulset/fields/agent.yml
index da4e652c53b..f9f2aede260 100644
--- a/packages/kubernetes/data_stream/state_statefulset/fields/agent.yml
+++ b/packages/kubernetes/data_stream/state_statefulset/fields/agent.yml
@@ -6,51 +6,21 @@
 type: group
 fields:
 - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
+ external: ecs
 - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
+ external: ecs
 - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
+ external: ecs
 - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
+ external: ecs
 - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
+ external: ecs
 - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
+ external: ecs
 - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
+ external: ecs
 - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
+ external: ecs
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
@@ -63,25 +33,13 @@
 type: group
 fields:
 - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
+ external: ecs
 - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
+ external: ecs
 - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
+ external: ecs
 - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
+ external: ecs
 - name: host
 title: Host
 group: 2
@@ -91,94 +49,31 @@ type: group fields: - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 + external: ecs - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false + external: ecs - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' + external: ecs - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' + external: ecs - name: ip - level: core - type: ip - description: Host ip addresses. + external: ecs - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. + external: ecs - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + external: ecs - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian + external: ecs - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic + external: ecs - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X + external: ecs - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin + external: ecs - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 + external: ecs - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + external: ecs - name: containerized type: boolean description: > @@ -193,6 +88,5 @@ - name: os.codename type: keyword example: "stretch" - description: > + description: >- OS codename, if any. - diff --git a/packages/kubernetes/data_stream/state_statefulset/fields/base-fields.yml b/packages/kubernetes/data_stream/state_statefulset/fields/base-fields.yml index f0eaa445843..e62b2e6e33f 100644 --- a/packages/kubernetes/data_stream/state_statefulset/fields/base-fields.yml +++ b/packages/kubernetes/data_stream/state_statefulset/fields/base-fields.yml @@ -1,19 +1,14 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs - name: kubernetes type: group fields: - - name: namespace type: keyword description: 
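Review bot: Switching `host.os.name` to `external: ecs` drops the local `multi_fields` entry whose `text` sub-field had `type: text`, and the regenerated docs later in this diff list the ECS-sourced multi-field as `match_only_text`, so this hunk changes a mapping type rather than only moving definitions; the changelog entry describes the change as referencing ECS and should say so, since `match_only_text` does not score and handles positional queries differently from `text`. The same hunk is repeated for state_storageclass, system and volume. The enclosing `host` group starts before this hunk.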
> @@ -51,3 +46,4 @@ object_type_mapping_type: "*" description: > Kubernetes annotations map + diff --git a/packages/kubernetes/data_stream/state_statefulset/fields/ecs.yml b/packages/kubernetes/data_stream/state_statefulset/fields/ecs.yml index b091fa9865a..e82d05731c9 100644 --- a/packages/kubernetes/data_stream/state_statefulset/fields/ecs.yml +++ b/packages/kubernetes/data_stream/state_statefulset/fields/ecs.yml @@ -10,3 +10,6 @@ - external: ecs name: orchestrator.cluster.url dimension: true +- name: agent.id + external: ecs + dimension: true diff --git a/packages/kubernetes/data_stream/state_storageclass/fields/agent.yml b/packages/kubernetes/data_stream/state_storageclass/fields/agent.yml index da4e652c53b..f9f2aede260 100644 --- a/packages/kubernetes/data_stream/state_storageclass/fields/agent.yml +++ b/packages/kubernetes/data_stream/state_storageclass/fields/agent.yml 
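Review bot: The added blank line after `Kubernetes annotations map` only pads a `>` folded scalar, which already clips to a single trailing newline, while the matching annotations entry in state_storageclass in this same diff is switched to `>-` instead; writing `description: >-` here as well gives both data streams the same value without a trailing newline. The `annotations` field definition this hunk belongs to starts before the hunk.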
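Review bot: The new `agent.id` entry lists `name` before `external`, whereas the entries above it in the same file put `external: ecs` first; matching the existing order keeps the file uniform (`- external: ecs` / `  name: agent.id` / `  dimension: true`). Nothing records why `agent.id` joins the dimension set; if the intent is to keep series from different agents apart, a one-line comment above the entry saying so would help whoever next tunes the dimensions of these data streams. The same addition is repeated for state_storageclass, system and volume.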
@@ -6,51 +6,21 @@ type: group fields: - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 + external: ecs - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c + external: ecs - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 + external: ecs - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. + external: ecs - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium + external: ecs - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws + external: ecs - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 + external: ecs - name: project.id - type: keyword - description: Name of the project in Google Cloud. + external: ecs - name: image.id type: keyword description: Image ID for the cloud instance. 
@@ -63,25 +33,13 @@ type: group fields: - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. + external: ecs - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. + external: ecs - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. + external: ecs - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. + external: ecs - name: host title: Host group: 2 
@@ -91,94 +49,31 @@ type: group fields: - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 + external: ecs - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false + external: ecs - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' + external: ecs - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' + external: ecs - name: ip - level: core - type: ip - description: Host ip addresses. + external: ecs - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. + external: ecs - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + external: ecs - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian + external: ecs - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic + external: ecs - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X + external: ecs - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin + external: ecs - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 + external: ecs - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + external: ecs - name: containerized type: boolean description: > @@ -193,6 +88,5 @@ - name: os.codename type: keyword example: "stretch" - description: > + description: >- OS codename, if any. - diff --git a/packages/kubernetes/data_stream/state_storageclass/fields/base-fields.yml b/packages/kubernetes/data_stream/state_storageclass/fields/base-fields.yml index fb3d8dc362a..32453ca8ba5 100644 --- a/packages/kubernetes/data_stream/state_storageclass/fields/base-fields.yml +++ b/packages/kubernetes/data_stream/state_storageclass/fields/base-fields.yml @@ -1,19 +1,14 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs - name: kubernetes type: group fields: - - name: labels.* type: object object_type: keyword 
@@ -25,5 +20,5 @@ type: object object_type: keyword object_type_mapping_type: "*" - description: > - Kubernetes annotations map \ No newline at end of file + description: >- + Kubernetes annotations map diff --git a/packages/kubernetes/data_stream/state_storageclass/fields/ecs.yml b/packages/kubernetes/data_stream/state_storageclass/fields/ecs.yml index b091fa9865a..e82d05731c9 100644 --- a/packages/kubernetes/data_stream/state_storageclass/fields/ecs.yml +++ b/packages/kubernetes/data_stream/state_storageclass/fields/ecs.yml @@ -10,3 +10,6 @@ - external: ecs name: orchestrator.cluster.url dimension: true +- name: agent.id + external: ecs + dimension: true diff --git a/packages/kubernetes/data_stream/system/fields/agent.yml b/packages/kubernetes/data_stream/system/fields/agent.yml index da4e652c53b..f9f2aede260 100644 --- a/packages/kubernetes/data_stream/system/fields/agent.yml +++ b/packages/kubernetes/data_stream/system/fields/agent.yml 
@@ -6,51 +6,21 @@ type: group fields: - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 + external: ecs - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c + external: ecs - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 + external: ecs - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. + external: ecs - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium + external: ecs - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws + external: ecs - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 + external: ecs - name: project.id - type: keyword - description: Name of the project in Google Cloud. + external: ecs - name: image.id type: keyword description: Image ID for the cloud instance. 
@@ -63,25 +33,13 @@ type: group fields: - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. + external: ecs - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. + external: ecs - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. + external: ecs - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. + external: ecs - name: host title: Host group: 2 
@@ -91,94 +49,31 @@ type: group fields: - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 + external: ecs - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false + external: ecs - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' + external: ecs - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' + external: ecs - name: ip - level: core - type: ip - description: Host ip addresses. + external: ecs - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. + external: ecs - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + external: ecs - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian + external: ecs - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic + external: ecs - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X + external: ecs - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin + external: ecs - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 + external: ecs - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + external: ecs - name: containerized type: boolean description: > @@ -193,6 +88,5 @@ - name: os.codename type: keyword example: "stretch" - description: > + description: >- OS codename, if any. - diff --git a/packages/kubernetes/data_stream/system/fields/base-fields.yml b/packages/kubernetes/data_stream/system/fields/base-fields.yml index 3bc90479a89..aa6ac705ba3 100644 --- a/packages/kubernetes/data_stream/system/fields/base-fields.yml +++ b/packages/kubernetes/data_stream/system/fields/base-fields.yml @@ -1,15 +1,11 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs - name: kubernetes type: group fields: 
diff --git a/packages/kubernetes/data_stream/system/fields/ecs.yml b/packages/kubernetes/data_stream/system/fields/ecs.yml index b091fa9865a..e82d05731c9 100644 --- a/packages/kubernetes/data_stream/system/fields/ecs.yml +++ b/packages/kubernetes/data_stream/system/fields/ecs.yml @@ -10,3 +10,6 @@ - external: ecs name: orchestrator.cluster.url dimension: true +- name: agent.id + external: ecs + dimension: true diff --git a/packages/kubernetes/data_stream/system/manifest.yml b/packages/kubernetes/data_stream/system/manifest.yml index a3e12f44086..690f1adb9d7 100644 --- a/packages/kubernetes/data_stream/system/manifest.yml +++ b/packages/kubernetes/data_stream/system/manifest.yml @@ -55,6 +55,7 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the events are shipped. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: stream_condition title: Condition description: Condition to filter when to collect this input. See [Dynamic Input Configuration](https://www.elastic.co/guide/en/fleet/current/dynamic-input-configuration.html) for details. @@ -62,6 +63,5 @@ streams: multi: false required: false show_user: false - title: Kubernetes System metrics description: Collect Kubernetes system metrics diff --git a/packages/kubernetes/data_stream/volume/fields/agent.yml b/packages/kubernetes/data_stream/volume/fields/agent.yml index da4e652c53b..f9f2aede260 100644 --- a/packages/kubernetes/data_stream/volume/fields/agent.yml +++ b/packages/kubernetes/data_stream/volume/fields/agent.yml 
@@ -6,51 +6,21 @@ type: group fields: - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 + external: ecs - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c + external: ecs - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 + external: ecs - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. + external: ecs - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium + external: ecs - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws + external: ecs - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 + external: ecs - name: project.id - type: keyword - description: Name of the project in Google Cloud. + external: ecs - name: image.id type: keyword description: Image ID for the cloud instance. 
@@ -63,25 +33,13 @@ type: group fields: - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. + external: ecs - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. + external: ecs - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. + external: ecs - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. + external: ecs - name: host title: Host group: 2 
@@ -91,94 +49,31 @@ type: group fields: - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 + external: ecs - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false + external: ecs - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' + external: ecs - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' + external: ecs - name: ip - level: core - type: ip - description: Host ip addresses. + external: ecs - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. + external: ecs - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + external: ecs - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian + external: ecs - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic + external: ecs - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X + external: ecs - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin + external: ecs - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 + external: ecs - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + external: ecs - name: containerized type: boolean description: > @@ -193,6 +88,5 @@ - name: os.codename type: keyword example: "stretch" - description: > + description: >- OS codename, if any. - diff --git a/packages/kubernetes/data_stream/volume/fields/base-fields.yml b/packages/kubernetes/data_stream/volume/fields/base-fields.yml index 3bc90479a89..aa6ac705ba3 100644 --- a/packages/kubernetes/data_stream/volume/fields/base-fields.yml +++ b/packages/kubernetes/data_stream/volume/fields/base-fields.yml @@ -1,15 +1,11 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs - name: kubernetes type: group fields: 
diff --git a/packages/kubernetes/data_stream/volume/fields/ecs.yml b/packages/kubernetes/data_stream/volume/fields/ecs.yml index b091fa9865a..e82d05731c9 100644 --- a/packages/kubernetes/data_stream/volume/fields/ecs.yml +++ b/packages/kubernetes/data_stream/volume/fields/ecs.yml @@ -10,3 +10,6 @@ - external: ecs name: orchestrator.cluster.url dimension: true +- name: agent.id + external: ecs + dimension: true diff --git a/packages/kubernetes/data_stream/volume/manifest.yml b/packages/kubernetes/data_stream/volume/manifest.yml index dfcaeef3972..1f5595c915b 100644 --- a/packages/kubernetes/data_stream/volume/manifest.yml +++ b/packages/kubernetes/data_stream/volume/manifest.yml @@ -55,6 +55,7 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the events are shipped. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: stream_condition title: Condition description: Condition to filter when to collect this input. See [Dynamic Input Configuration](https://www.elastic.co/guide/en/fleet/current/dynamic-input-configuration.html) for details. @@ -62,6 +63,5 @@ streams: multi: false required: false show_user: false - title: Kubernetes Volume metrics description: Collect Kubernetes Volume metrics diff --git a/packages/kubernetes/docs/audit-logs.md b/packages/kubernetes/docs/audit-logs.md index dbfbc413aa3..7d9974162bf 100644 --- a/packages/kubernetes/docs/audit-logs.md +++ b/packages/kubernetes/docs/audit-logs.md 
@@ -114,27 +114,27 @@ An example event for `audit` looks as following: | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword | | agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty. | keyword | | agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | | agent.version | Version of the agent. | keyword | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. 
| keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | +| cloud.region | Region in which this host, resource, or service is located. | keyword | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. 
| constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | error.message | Error message. | match_only_text | -| event.dataset | Event Dataset. | constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | 
@@ -142,14 +142,14 @@ An example event for `audit` looks as following: | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | 
@@ -223,7 +223,7 @@ An example event for `audit` looks as following: | log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | | log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | | log.file.inode | Inode number of the log file. | keyword | -| log.file.path | Path to the log file. | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | | log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword | | log.offset | Offset of the entry in the log file. | long | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | diff --git a/packages/kubernetes/docs/events.md b/packages/kubernetes/docs/events.md index 384b4c2e9cd..4687fd023f2 100644 --- a/packages/kubernetes/docs/events.md +++ b/packages/kubernetes/docs/events.md 
@@ -98,23 +98,24 @@ An example event for `event` looks as following: | Field | Description | Type | Metric Type | |---|---|---|---| -| @timestamp | Event timestamp. | date | | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | | cloud.image.id | Image ID for the cloud instance. | keyword | | | cloud.instance.id | Instance ID of the host machine. | keyword | | | cloud.instance.name | Instance name of the host machine. | keyword | | | cloud.machine.type | Machine type of the host machine. | keyword | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | -| cloud.region | Region in which this host is running. | keyword | | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | | container.id | Unique container id. | keyword | | | container.image.name | Name of the image the container was built on. | keyword | | | container.labels | Image labels. 
| object | | | container.name | Container name. | keyword | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | -| data_stream.type | Data stream type. | constant_keyword | | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | host.architecture | Operating system architecture. | keyword | | | host.containerized | If the host is a container. | boolean | | 
@@ -122,14 +123,14 @@ An example event for `event` looks as following: | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | host.ip | Host ip addresses. | ip | | -| host.mac | Host mac addresses. | keyword | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | host.os.build | OS build information. | keyword | | | host.os.codename | OS codename, if any. | keyword | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | host.os.name | Operating system name, without the version. | keyword | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | host.os.version | Operating system version as a raw string. | keyword | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | diff --git a/packages/kubernetes/docs/kube-apiserver.md b/packages/kubernetes/docs/kube-apiserver.md index cf02078610d..3eee2928559 100644 
--- a/packages/kubernetes/docs/kube-apiserver.md +++ b/packages/kubernetes/docs/kube-apiserver.md 
@@ -172,23 +172,24 @@ An example event for `apiserver` looks as following: | Field | Description | Type | Unit | Metric Type | |---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | | | cloud.image.id | Image ID for the cloud instance. | keyword | | | | cloud.instance.id | Instance ID of the host machine. | keyword | | | | cloud.instance.name | Instance name of the host machine. | keyword | | | | cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | | | container.id | Unique container id. | keyword | | | | container.image.name | Name of the image the container was built on. 
| keyword | | | | container.labels | Image labels. | object | | | | container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | | host.architecture | Operating system architecture. 
| keyword | | | | host.containerized | If the host is a container. | boolean | | | @@ -196,14 +197,14 @@ An example event for `apiserver` looks as following: | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | | host.os.build | OS build information. | keyword | | | | host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | | host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | 
diff --git a/packages/kubernetes/docs/kube-controller-manager.md b/packages/kubernetes/docs/kube-controller-manager.md index c29044759a6..4aebac36455 100644 --- a/packages/kubernetes/docs/kube-controller-manager.md +++ b/packages/kubernetes/docs/kube-controller-manager.md 
@@ -134,23 +134,24 @@ An example event for `controllermanager` looks as following: | Field | Description | Type | Unit | Metric Type | |---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | | | cloud.image.id | Image ID for the cloud instance. | keyword | | | | cloud.instance.id | Instance ID of the host machine. | keyword | | | | cloud.instance.name | Instance name of the host machine. | keyword | | | | cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | | | container.id | Unique container id. | keyword | | | | container.image.name | Name of the image the container was built on. 
| keyword | | | | container.labels | Image labels. | object | | | | container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | | host.architecture | Operating system architecture. 
| keyword | | | | host.containerized | If the host is a container. | boolean | | | @@ -158,14 +159,14 @@ An example event for `controllermanager` looks as following: | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | | host.os.build | OS build information. | keyword | | | | host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | | host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | 
diff --git a/packages/kubernetes/docs/kube-proxy.md b/packages/kubernetes/docs/kube-proxy.md index 7ba65518587..caa8546f344 100644 --- a/packages/kubernetes/docs/kube-proxy.md +++ b/packages/kubernetes/docs/kube-proxy.md 
@@ -240,23 +240,24 @@ An example event for `proxy` looks as following: | Field | Description | Type | Unit | Metric Type | |---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | | | cloud.image.id | Image ID for the cloud instance. | keyword | | | | cloud.instance.id | Instance ID of the host machine. | keyword | | | | cloud.instance.name | Instance name of the host machine. | keyword | | | | cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | | | container.id | Unique container id. | keyword | | | | container.image.name | Name of the image the container was built on. 
| keyword | | | | container.labels | Image labels. | object | | | | container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | | host.architecture | Operating system architecture. 
| keyword | | | | host.containerized | If the host is a container. | boolean | | | @@ -264,14 +265,14 @@ An example event for `proxy` looks as following: | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | | host.os.build | OS build information. | keyword | | | | host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | | host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | 
diff --git a/packages/kubernetes/docs/kube-scheduler.md b/packages/kubernetes/docs/kube-scheduler.md index c7424a975d0..84646ff08cb 100644 --- a/packages/kubernetes/docs/kube-scheduler.md +++ b/packages/kubernetes/docs/kube-scheduler.md 
@@ -114,23 +114,24 @@ An example event for `scheduler` looks as following: | Field | Description | Type | Unit | Metric Type | |---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | | | cloud.image.id | Image ID for the cloud instance. | keyword | | | | cloud.instance.id | Instance ID of the host machine. | keyword | | | | cloud.instance.name | Instance name of the host machine. | keyword | | | | cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | | | container.id | Unique container id. | keyword | | | | container.image.name | Name of the image the container was built on. 
| keyword | | | | container.labels | Image labels. | object | | | | container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | | host.architecture | Operating system architecture. 
| keyword | | | | host.containerized | If the host is a container. | boolean | | | @@ -138,14 +139,14 @@ An example event for `scheduler` looks as following: | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | | host.os.build | OS build information. | keyword | | | | host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | | host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | 
diff --git a/packages/kubernetes/docs/kube-state-metrics.md b/packages/kubernetes/docs/kube-state-metrics.md index 1f60fc4652b..d697931e2e8 100644 --- a/packages/kubernetes/docs/kube-state-metrics.md +++ b/packages/kubernetes/docs/kube-state-metrics.md 
@@ -154,24 +154,25 @@ An example event for `state_container` looks as following: | Field | Description | Type | Unit | Metric Type | |---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | | | cloud.image.id | Image ID for the cloud instance. | keyword | | | | cloud.instance.id | Instance ID of the host machine. | keyword | | | | cloud.instance.name | Instance name of the host machine. | keyword | | | | cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | | | container.id | Unique container id. | keyword | | | | container.image.name | Name of the image the container was built on. 
| keyword | | | | container.labels | Image labels. | object | | | | container.name | Container name. | keyword | | | | container.runtime | Runtime managing this container. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | | | | host.architecture | Operating system architecture. | keyword | | | | host.containerized | If the host is a container. | boolean | | | 
@@ -179,14 +180,14 @@ An example event for `state_container` looks as following:
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
 | host.ip | Host ip addresses. | ip | | |
-| host.mac | Host mac addresses. | keyword | | |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
 | host.os.build | OS build information. | keyword | | |
 | host.os.codename | OS codename, if any. | keyword | | |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword | | |
 | host.os.name | Operating system name, without the version. | keyword | | |
-| host.os.name.text | Multi-field of `host.os.name`. | text | | |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
 | host.os.version | Operating system version as a raw string. | keyword | | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
@@ -371,23 +372,24 @@ An example event for `state_cronjob` looks as following: | Field | Description | Type | Unit | Metric Type | |---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | | | cloud.image.id | Image ID for the cloud instance. | keyword | | | | cloud.instance.id | Instance ID of the host machine. | keyword | | | | cloud.instance.name | Instance name of the host machine. | keyword | | | | cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | | | container.id | Unique container id. | keyword | | | | container.image.name | Name of the image the container was built on. 
| keyword | | | | container.labels | Image labels. | object | | | | container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | | host.architecture | Operating system architecture. 
| keyword | | |
 | host.containerized | If the host is a container. | boolean | | |
@@ -395,14 +397,14 @@ An example event for `state_cronjob` looks as following:
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
 | host.ip | Host ip addresses. | ip | | |
-| host.mac | Host mac addresses. | keyword | | |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
 | host.os.build | OS build information. | keyword | | |
 | host.os.codename | OS codename, if any. | keyword | | |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword | | |
 | host.os.name | Operating system name, without the version. | keyword | | |
-| host.os.name.text | Multi-field of `host.os.name`. | text | | |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
 | host.os.version | Operating system version as a raw string. | keyword | | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
@@ -553,23 +555,24 @@ An example event for `state_daemonset` looks as following: | Field | Description | Type | Metric Type | |---|---|---|---| -| @timestamp | Event timestamp. | date | | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | | cloud.image.id | Image ID for the cloud instance. | keyword | | | cloud.instance.id | Instance ID of the host machine. | keyword | | | cloud.instance.name | Instance name of the host machine. | keyword | | | cloud.machine.type | Machine type of the host machine. | keyword | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | -| cloud.region | Region in which this host is running. | keyword | | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | | container.id | Unique container id. | keyword | | | container.image.name | Name of the image the container was built on. | keyword | | | container.labels | Image labels. 
| object | | | container.name | Container name. | keyword | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | -| data_stream.type | Data stream type. | constant_keyword | | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | host.architecture | Operating system architecture. | keyword | | | host.containerized | If the host is a container. | boolean | | 
@@ -577,14 +580,14 @@ An example event for `state_daemonset` looks as following:
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | |
 | host.ip | Host ip addresses. | ip | |
-| host.mac | Host mac addresses. | keyword | |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
 | host.os.build | OS build information. | keyword | |
 | host.os.codename | OS codename, if any. | keyword | |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword | |
 | host.os.name | Operating system name, without the version. | keyword | |
-| host.os.name.text | Multi-field of `host.os.name`. | text | |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
 | host.os.version | Operating system version as a raw string. | keyword | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
@@ -732,23 +735,24 @@ An example event for `state_deployment` looks as following: | Field | Description | Type | Metric Type | |---|---|---|---| -| @timestamp | Event timestamp. | date | | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | | cloud.image.id | Image ID for the cloud instance. | keyword | | | cloud.instance.id | Instance ID of the host machine. | keyword | | | cloud.instance.name | Instance name of the host machine. | keyword | | | cloud.machine.type | Machine type of the host machine. | keyword | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | -| cloud.region | Region in which this host is running. | keyword | | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | | container.id | Unique container id. | keyword | | | container.image.name | Name of the image the container was built on. | keyword | | | container.labels | Image labels. 
| object | | | container.name | Container name. | keyword | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | -| data_stream.type | Data stream type. | constant_keyword | | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | host.architecture | Operating system architecture. | keyword | | | host.containerized | If the host is a container. | boolean | | 
@@ -756,14 +760,14 @@ An example event for `state_deployment` looks as following:
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | |
 | host.ip | Host ip addresses. | ip | |
-| host.mac | Host mac addresses. | keyword | |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
 | host.os.build | OS build information. | keyword | |
 | host.os.codename | OS codename, if any. | keyword | |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword | |
 | host.os.name | Operating system name, without the version. | keyword | |
-| host.os.name.text | Multi-field of `host.os.name`. | text | |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
 | host.os.version | Operating system version as a raw string. | keyword | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
@@ -940,23 +944,24 @@ An example event for `state_job` looks as following: | Field | Description | Type | Metric Type | |---|---|---|---| -| @timestamp | Event timestamp. | date | | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | | cloud.image.id | Image ID for the cloud instance. | keyword | | | cloud.instance.id | Instance ID of the host machine. | keyword | | | cloud.instance.name | Instance name of the host machine. | keyword | | | cloud.machine.type | Machine type of the host machine. | keyword | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | -| cloud.region | Region in which this host is running. | keyword | | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | | container.id | Unique container id. | keyword | | | container.image.name | Name of the image the container was built on. | keyword | | | container.labels | Image labels. 
| object | | | container.name | Container name. | keyword | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | -| data_stream.type | Data stream type. | constant_keyword | | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | host.architecture | Operating system architecture. | keyword | | | host.containerized | If the host is a container. | boolean | | 
@@ -964,14 +969,14 @@ An example event for `state_job` looks as following:
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | |
 | host.ip | Host ip addresses. | ip | |
-| host.mac | Host mac addresses. | keyword | |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
 | host.os.build | OS build information. | keyword | |
 | host.os.codename | OS codename, if any. | keyword | |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword | |
 | host.os.name | Operating system name, without the version. | keyword | |
-| host.os.name.text | Multi-field of `host.os.name`. | text | |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
 | host.os.version | Operating system version as a raw string. | keyword | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
@@ -1080,24 +1085,24 @@ An example event for `state_namespace` looks as following: | Field | Description | Type | Unit | Metric Type | |---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | | | agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | | | cloud.image.id | Image ID for the cloud instance. | keyword | | | | cloud.instance.id | Instance ID of the host machine. | keyword | | | | cloud.instance.name | Instance name of the host machine. | keyword | | | | cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | | | container.id | Unique container id. | keyword | | | | container.image.name | Name of the image the container was built on. 
| keyword | | | | container.labels | Image labels. | object | | | | container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | | host.architecture | Operating system architecture. 
| keyword | | |
 | host.containerized | If the host is a container. | boolean | | |
@@ -1105,14 +1110,14 @@ An example event for `state_namespace` looks as following:
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
 | host.ip | Host ip addresses. | ip | | |
-| host.mac | Host mac addresses. | keyword | | |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
 | host.os.build | OS build information. | keyword | | |
 | host.os.codename | OS codename, if any. | keyword | | |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword | | |
 | host.os.name | Operating system name, without the version. | keyword | | |
-| host.os.name.text | Multi-field of `host.os.name`. | text | | |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
 | host.os.version | Operating system version as a raw string. | keyword | | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
@@ -1228,23 +1233,24 @@ An example event for `state_node` looks as following: | Field | Description | Type | Unit | Metric Type | |---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | | | cloud.image.id | Image ID for the cloud instance. | keyword | | | | cloud.instance.id | Instance ID of the host machine. | keyword | | | | cloud.instance.name | Instance name of the host machine. | keyword | | | | cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | | | container.id | Unique container id. | keyword | | | | container.image.name | Name of the image the container was built on. 
| keyword | | | | container.labels | Image labels. | object | | | | container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | | host.architecture | Operating system architecture. 
| keyword | | | | host.containerized | If the host is a container. | boolean | | | @@ -1252,14 +1258,14 @@ An example event for `state_node` looks as following: | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | | host.os.build | OS build information. | keyword | | | | host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | | host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | 
@@ -1360,23 +1366,24 @@ An example event for `state_persistentvolume` looks as following: | Field | Description | Type | Unit | Metric Type | |---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | | | cloud.image.id | Image ID for the cloud instance. | keyword | | | | cloud.instance.id | Instance ID of the host machine. | keyword | | | | cloud.instance.name | Instance name of the host machine. | keyword | | | | cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | | | container.id | Unique container id. | keyword | | | | container.image.name | Name of the image the container was built on. 
| keyword | | | | container.labels | Image labels. | object | | | | container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | | host.architecture | Operating system architecture. 
| keyword | | | | host.containerized | If the host is a container. | boolean | | | @@ -1384,14 +1391,14 @@ An example event for `state_persistentvolume` looks as following: | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | | host.os.build | OS build information. | keyword | | | | host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | | host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | 
@@ -1540,23 +1547,24 @@ An example event for `state_persistentvolumeclaim` looks as following: | Field | Description | Type | Unit | Metric Type | |---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | | | cloud.image.id | Image ID for the cloud instance. | keyword | | | | cloud.instance.id | Instance ID of the host machine. | keyword | | | | cloud.instance.name | Instance name of the host machine. | keyword | | | | cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | | | container.id | Unique container id. 
| keyword | | | | container.image.name | Name of the image the container was built on. | keyword | | | | container.labels | Image labels. | object | | | | container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | | | | host.architecture | Operating system architecture. | keyword | | | | host.containerized | If the host is a container. | boolean | | | 
@@ -1564,14 +1572,14 @@ An example event for `state_persistentvolumeclaim` looks as following: | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | | host.os.build | OS build information. | keyword | | | | host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | | host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | 
@@ -1713,24 +1721,25 @@ An example event for `state_pod` looks as following: | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | | container.labels | Image labels. | object | | container.name | Container name. 
| keyword | | container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | 
@@ -1738,14 +1747,14 @@ An example event for `state_pod` looks as following: | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | 
@@ -1913,23 +1922,24 @@ An example event for `state_replicaset` looks as following: | Field | Description | Type | Metric Type | |---|---|---|---| -| @timestamp | Event timestamp. | date | | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | | cloud.image.id | Image ID for the cloud instance. | keyword | | | cloud.instance.id | Instance ID of the host machine. | keyword | | | cloud.instance.name | Instance name of the host machine. | keyword | | | cloud.machine.type | Machine type of the host machine. | keyword | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | -| cloud.region | Region in which this host is running. | keyword | | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | | container.id | Unique container id. | keyword | | | container.image.name | Name of the image the container was built on. | keyword | | | container.labels | Image labels. 
| object | | | container.name | Container name. | keyword | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | -| data_stream.type | Data stream type. | constant_keyword | | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | host.architecture | Operating system architecture. | keyword | | | host.containerized | If the host is a container. | boolean | | 
@@ -1937,14 +1947,14 @@ An example event for `state_replicaset` looks as following: | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | host.ip | Host ip addresses. | ip | | -| host.mac | Host mac addresses. | keyword | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | host.os.build | OS build information. | keyword | | | host.os.codename | OS codename, if any. | keyword | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | host.os.name | Operating system name, without the version. | keyword | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | host.os.version | Operating system version as a raw string. | keyword | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | 
@@ -2036,23 +2046,24 @@ An example event for `state_resourcequota` looks as following: | Field | Description | Type | Unit | Metric Type | |---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | | | cloud.image.id | Image ID for the cloud instance. | keyword | | | | cloud.instance.id | Instance ID of the host machine. | keyword | | | | cloud.instance.name | Instance name of the host machine. | keyword | | | | cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | | | container.id | Unique container id. | keyword | | | | container.image.name | Name of the image the container was built on. 
| keyword | | | | container.labels | Image labels. | object | | | | container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | | host.architecture | Operating system architecture. 
| keyword | | | | host.containerized | If the host is a container. | boolean | | | @@ -2060,14 +2071,14 @@ An example event for `state_resourcequota` looks as following: | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | | host.os.build | OS build information. | keyword | | | | host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | | host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | 
@@ -2189,23 +2200,24 @@ An example event for `state_service` looks as following:
 | Field | Description | Type |
 |---|---|---|
-| @timestamp | Event timestamp. | date |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
+| cloud.region | Region in which this host, resource, or service is located. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
 | container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
+| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
+| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
+| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
@@ -2213,14 +2225,14 @@ An example event for `state_service` looks as following:
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
@@ -2384,23 +2396,24 @@ An example event for `state_statefulset` looks as following:
 | Field | Description | Type | Metric Type |
 |---|---|---|---|
-| @timestamp | Event timestamp. | date | |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword | |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | |
 | cloud.image.id | Image ID for the cloud instance. | keyword | |
 | cloud.instance.id | Instance ID of the host machine. | keyword | |
 | cloud.instance.name | Instance name of the host machine. | keyword | |
 | cloud.machine.type | Machine type of the host machine. | keyword | |
-| cloud.project.id | Name of the project in Google Cloud. | keyword | |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | |
-| cloud.region | Region in which this host is running. | keyword | |
+| cloud.region | Region in which this host, resource, or service is located. | keyword | |
 | container.id | Unique container id. | keyword | |
 | container.image.name | Name of the image the container was built on. | keyword | |
 | container.labels | Image labels. | object | |
 | container.name | Container name. | keyword | |
-| data_stream.dataset | Data stream dataset. | constant_keyword | |
-| data_stream.namespace | Data stream namespace. | constant_keyword | |
-| data_stream.type | Data stream type. | constant_keyword | |
+| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | |
+| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | |
+| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
 | host.architecture | Operating system architecture. | keyword | |
 | host.containerized | If the host is a container. | boolean | |
@@ -2408,14 +2421,14 @@ An example event for `state_statefulset` looks as following:
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | |
 | host.ip | Host ip addresses. | ip | |
-| host.mac | Host mac addresses. | keyword | |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
 | host.os.build | OS build information. | keyword | |
 | host.os.codename | OS codename, if any. | keyword | |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword | |
 | host.os.name | Operating system name, without the version. | keyword | |
-| host.os.name.text | Multi-field of `host.os.name`. | text | |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
 | host.os.version | Operating system version as a raw string. | keyword | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
@@ -2510,23 +2523,24 @@ An example event for `state_storageclass` looks as following:
 | Field | Description | Type |
 |---|---|---|
-| @timestamp | Event timestamp. | date |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
+| cloud.region | Region in which this host, resource, or service is located. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
 | container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
+| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
+| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
+| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
@@ -2534,14 +2548,14 @@ An example event for `state_storageclass` looks as following:
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
diff --git a/packages/kubernetes/docs/kubelet.md b/packages/kubernetes/docs/kubelet.md
index cabf8c1018d..0529b0cf498 100644
--- a/packages/kubernetes/docs/kubelet.md
+++ b/packages/kubernetes/docs/kubelet.md
@@ -192,16 +192,17 @@ An example event for `container` looks as following:
 | Field | Description | Type | Unit | Metric Type |
 |---|---|---|---|---|
-| @timestamp | Event timestamp. | date | | |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword | | |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | |
 | cloud.image.id | Image ID for the cloud instance. | keyword | | |
 | cloud.instance.id | Instance ID of the host machine. | keyword | | |
 | cloud.instance.name | Instance name of the host machine. | keyword | | |
 | cloud.machine.type | Machine type of the host machine. | keyword | | |
-| cloud.project.id | Name of the project in Google Cloud. | keyword | | |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | |
-| cloud.region | Region in which this host is running. | keyword | | |
+| cloud.region | Region in which this host, resource, or service is located. | keyword | | |
 | container.cpu.usage | Total CPU usage normalized by the number of CPU cores. | scaled_float | percent | gauge |
 | container.id | Unique container id. | keyword | | |
 | container.image.name | Name of the image the container was built on. | keyword | | |
@@ -209,9 +210,9 @@ An example event for `container` looks as following:
 | container.memory.usage | Memory usage percentage. | scaled_float | percent | gauge |
 | container.name | Container name. | keyword | | |
 | container.runtime | Runtime managing this container. | keyword | | |
-| data_stream.dataset | Data stream dataset. | constant_keyword | | |
-| data_stream.namespace | Data stream namespace. | constant_keyword | | |
-| data_stream.type | Data stream type. | constant_keyword | | |
+| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | |
+| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | |
+| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
 | host.architecture | Operating system architecture. | keyword | | |
 | host.containerized | If the host is a container. | boolean | | |
@@ -219,14 +220,14 @@ An example event for `container` looks as following:
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
 | host.ip | Host ip addresses. | ip | | |
-| host.mac | Host mac addresses. | keyword | | |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
 | host.os.build | OS build information. | keyword | | |
 | host.os.codename | OS codename, if any. | keyword | | |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword | | |
 | host.os.name | Operating system name, without the version. | keyword | | |
-| host.os.name.text | Multi-field of `host.os.name`. | text | | |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
 | host.os.version | Operating system version as a raw string. | keyword | | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
@@ -445,23 +446,24 @@ An example event for `node` looks as following:
 | Field | Description | Type | Unit | Metric Type |
 |---|---|---|---|---|
-| @timestamp | Event timestamp. | date | | |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword | | |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | |
 | cloud.image.id | Image ID for the cloud instance. | keyword | | |
 | cloud.instance.id | Instance ID of the host machine. | keyword | | |
 | cloud.instance.name | Instance name of the host machine. | keyword | | |
 | cloud.machine.type | Machine type of the host machine. | keyword | | |
-| cloud.project.id | Name of the project in Google Cloud. | keyword | | |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | |
-| cloud.region | Region in which this host is running. | keyword | | |
+| cloud.region | Region in which this host, resource, or service is located. | keyword | | |
 | container.id | Unique container id. | keyword | | |
 | container.image.name | Name of the image the container was built on. | keyword | | |
 | container.labels | Image labels. | object | | |
 | container.name | Container name. | keyword | | |
-| data_stream.dataset | Data stream dataset. | constant_keyword | | |
-| data_stream.namespace | Data stream namespace. | constant_keyword | | |
-| data_stream.type | Data stream type. | constant_keyword | | |
+| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | |
+| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | |
+| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
 | host.architecture | Operating system architecture. | keyword | | |
 | host.containerized | If the host is a container. | boolean | | |
@@ -469,14 +471,14 @@ An example event for `node` looks as following:
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
 | host.ip | Host ip addresses. | ip | | |
-| host.mac | Host mac addresses. | keyword | | |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
 | host.os.build | OS build information. | keyword | | |
 | host.os.codename | OS codename, if any. | keyword | | |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword | | |
 | host.os.name | Operating system name, without the version. | keyword | | |
-| host.os.name.text | Multi-field of `host.os.name`. | text | | |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
 | host.os.version | Operating system version as a raw string. | keyword | | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
@@ -680,25 +682,26 @@ An example event for `pod` looks as following:
 | Field | Description | Type | Unit | Metric Type |
 |---|---|---|---|---|
-| @timestamp | Event timestamp. | date | | |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword | | |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | |
 | cloud.image.id | Image ID for the cloud instance. | keyword | | |
 | cloud.instance.id | Instance ID of the host machine. | keyword | | |
 | cloud.instance.name | Instance name of the host machine. | keyword | | |
 | cloud.machine.type | Machine type of the host machine. | keyword | | |
-| cloud.project.id | Name of the project in Google Cloud. | keyword | | |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | |
-| cloud.region | Region in which this host is running. | keyword | | |
+| cloud.region | Region in which this host, resource, or service is located. | keyword | | |
 | container.id | Unique container id. | keyword | | |
 | container.image.name | Name of the image the container was built on. | keyword | | |
 | container.labels | Image labels. | object | | |
 | container.name | Container name. | keyword | | |
 | container.network.egress.bytes | Total number of outgoing bytes. | long | | counter |
 | container.network.ingress.bytes | Total number of incoming bytes. | long | | counter |
-| data_stream.dataset | Data stream dataset. | constant_keyword | | |
-| data_stream.namespace | Data stream namespace. | constant_keyword | | |
-| data_stream.type | Data stream type. | constant_keyword | | |
+| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | |
+| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | |
+| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
 | host.architecture | Operating system architecture. | keyword | | |
 | host.containerized | If the host is a container. | boolean | | |
@@ -706,14 +709,14 @@ An example event for `pod` looks as following: | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | | host.os.build | OS build information. | keyword | | | | host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | | host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | 
@@ -878,23 +881,24 @@ An example event for `system` looks as following: | Field | Description | Type | Unit | Metric Type | |---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | | | cloud.image.id | Image ID for the cloud instance. | keyword | | | | cloud.instance.id | Instance ID of the host machine. | keyword | | | | cloud.instance.name | Instance name of the host machine. | keyword | | | | cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | | | container.id | Unique container id. | keyword | | | | container.image.name | Name of the image the container was built on. 
| keyword | | | | container.labels | Image labels. | object | | | | container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | | host.architecture | Operating system architecture. 
| keyword | | | | host.containerized | If the host is a container. | boolean | | | @@ -902,14 +906,14 @@ An example event for `system` looks as following: | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | | host.os.build | OS build information. | keyword | | | | host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | | host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | 
@@ -1056,23 +1060,24 @@ An example event for `volume` looks as following: | Field | Description | Type | Unit | Metric Type | |---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | | | cloud.image.id | Image ID for the cloud instance. | keyword | | | | cloud.instance.id | Instance ID of the host machine. | keyword | | | | cloud.instance.name | Instance name of the host machine. | keyword | | | | cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | | | container.id | Unique container id. | keyword | | | | container.image.name | Name of the image the container was built on. 
| keyword | | | | container.labels | Image labels. | object | | | | container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | | host.architecture | Operating system architecture. 
| keyword | | | | host.containerized | If the host is a container. | boolean | | | @@ -1080,14 +1085,14 @@ An example event for `volume` looks as following: | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | | host.os.build | OS build information. | keyword | | | | host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | | host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | 
diff --git a/packages/kubernetes/manifest.yml b/packages/kubernetes/manifest.yml
index d8982fb2e3f..28637a79902 100644
--- a/packages/kubernetes/manifest.yml
+++ b/packages/kubernetes/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 2.9.0
 name: kubernetes
 title: Kubernetes
-version: 1.55.0
+version: 1.55.1
 description: Collect logs and metrics from Kubernetes clusters with Elastic Agent.
 type: integration
 categories: