From f9bd1d3483f9ec3fdfbdf58804d10d64fcd4e431 Mon Sep 17 00:00:00 2001 
From: Nicolas Ruflin Date: Thu, 3 Nov 2016 14:21:05 +0100 Subject: [PATCH] Move fields under each protocol in packetbeat (#2898) This should simplify the extension of packetbeat with further protocols and make it more modular. This change requires https://github.com/elastic/beats/pull/2897 --- packetbeat/Makefile | 7 +- packetbeat/docs/fields.asciidoc | 2 +- packetbeat/etc/fields.yml | 1008 ++++++++--------- packetbeat/etc/fields_base.yml | 471 ++++++++ .../etc/kibana/index-pattern/packetbeat.json | 2 +- packetbeat/protos/amqp/_meta/fields.yml | 209 ++++ packetbeat/protos/cassandra/_meta/fields.yml | 310 +++++ packetbeat/protos/dns/_meta/fields.yml | 209 ++++ packetbeat/protos/http/_meta/fields.yml | 51 + packetbeat/protos/icmp/_meta/fields.yml | 38 + packetbeat/protos/memcache/_meta/fields.yml | 244 ++++ packetbeat/protos/mongodb/_meta/fields.yml | 104 ++ packetbeat/protos/mysql/_meta/fields.yml | 47 + packetbeat/protos/nfs/_meta/fields.yml | 27 + packetbeat/protos/pgsql/_meta/fields.yml | 41 + packetbeat/protos/redis/_meta/fields.yml | 17 + packetbeat/protos/thrift/_meta/fields.yml | 28 + 17 files changed, 2307 insertions(+), 508 deletions(-) create mode 100644 packetbeat/etc/fields_base.yml create mode 100644 packetbeat/protos/amqp/_meta/fields.yml create mode 100644 packetbeat/protos/cassandra/_meta/fields.yml create mode 100644 packetbeat/protos/dns/_meta/fields.yml create mode 100644 packetbeat/protos/http/_meta/fields.yml create mode 100644 packetbeat/protos/icmp/_meta/fields.yml create mode 100644 packetbeat/protos/memcache/_meta/fields.yml create mode 100644 packetbeat/protos/mongodb/_meta/fields.yml create mode 100644 packetbeat/protos/mysql/_meta/fields.yml create mode 100644 packetbeat/protos/nfs/_meta/fields.yml create mode 100644 packetbeat/protos/pgsql/_meta/fields.yml create mode 100644 packetbeat/protos/redis/_meta/fields.yml create mode 100644 packetbeat/protos/thrift/_meta/fields.yml 
diff --git a/packetbeat/Makefile b/packetbeat/Makefile index 2c4e97dc8ef..f5d86cd1825 100644 --- a/packetbeat/Makefile +++ b/packetbeat/Makefile @@ -28,7 +28,12 @@ before-build: # Collects all dependencies and then calls update .PHONY: collect -collect: update +collect: fields update + +.PHONY: fields +fields: + cat etc/fields_base.yml > etc/fields.yml + cat protos/*/_meta/fields.yml >> etc/fields.yml .PHONY: benchmark benchmark: diff --git a/packetbeat/docs/fields.asciidoc b/packetbeat/docs/fields.asciidoc index 507c8fafd5e..ab4f693233a 100644 --- a/packetbeat/docs/fields.asciidoc +++ b/packetbeat/docs/fields.asciidoc @@ -1121,7 +1121,7 @@ type: geo_point example: 40.715, -74.011 -DEPRECATED. Please use `client_geoip` instead. The GeoIP location of the `real_ip` IP address or of the `client_ip` address if the `real_ip` is disabled. The field is a string containing the latitude and longitude separated by a comma. +DEPRECATED. Please use `client_geoip` instead. The GeoIP location of the `real_ip` IP address or of the `client_ip` address if the `real_ip` is disabled. The field is a string containing the latitude and longitude separated by a comma. [float] diff --git a/packetbeat/etc/fields.yml b/packetbeat/etc/fields.yml index 77c76c8d6b0..ee3bc91ac78 100644 --- a/packetbeat/etc/fields.yml +++ b/packetbeat/etc/fields.yml @@ -45,9 +45,9 @@ type: geo_point example: 40.715, -74.011 description: > - DEPRECATED. Please use `client_geoip` instead. + DEPRECATED. Please use `client_geoip` instead. The GeoIP location of the `real_ip` IP address or of the `client_ip` address if the `real_ip` is - disabled. The field is a string containing the latitude and longitude separated by a comma. + disabled. The field is a string containing the latitude and longitude separated by a comma. - name: client_geoip description: The GeoIP information of the client. 
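Review bot: The new `fields` target in packetbeat/Makefile builds etc/fields.yml by plain `cat`, so the output is valid YAML only if every `protos/*/_meta/fields.yml` fragment is a top-level list item at the same indentation and ends with a newline; a fragment missing its final newline would fuse its last line with the next file's `- key:` entry. Nothing in the recipe checks this or marks the output as generated, and etc/fields.yml stays tracked, so a hand edit to it is silently overwritten on the next `make collect`. I would document the contract above the target, e.g. `# etc/fields.yml is generated: edit etc/fields_base.yml or protos/*/_meta/fields.yml; each fragment must end with a newline`, and have CI re-run `make fields` and fail on a diff so the committed file cannot drift from its sources. The rest of the Makefile is outside the hunk, so a check may already exist elsewhere.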
@@ -388,252 +388,86 @@ Messages from Packetbeat itself. This field usually contains error messages for interpreting the raw data. This information can be helpful for troubleshooting. -- key: icmp - title: "ICMP" - description: > - ICMP specific event fields. +- key: raw + title: Raw + description: These fields contain the raw transaction data. fields: - - name: icmp - type: group - fields: - - name: version - description: The version of the ICMP protocol. - possible_values: - - 4 - - 6 - - - name: request.message - type: keyword - description: A human readable form of the request. - - - name: request.type - type: long - description: The request type. - - - name: request.code - type: long - description: The request code. - - - name: response.message - type: keyword - description: A human readable form of the response. - - - name: response.type - type: long - description: The response type. + - name: request + type: text + description: > + For text protocols, this is the request as seen on the wire + (application layer only). For binary protocols this is our + representation of the request. - - name: response.code - type: long - description: The response code. + - name: response + type: text + description: > + For text protocols, this is the response as seen on the wire + (application layer only). For binary protocols this is our + representation of the request. -- key: dns - title: "DNS" - description: DNS-specific event fields. +- key: trans_measurements + title: "Measurements (Transactions)" + description: > + These fields contain measurements related to the transaction. fields: - - name: dns - type: group - fields: - - name: id - type: long - description: > - The DNS packet identifier assigned by the program that generated the - query. The identifier is copied to the response. - - - name: op_code - description: > - The DNS operation code that specifies the kind of query in the message. 
- This value is set by the originator of a query and copied into the - response. - example: QUERY - - - name: flags.authoritative - type: boolean - description: > - A DNS flag specifying that the responding server is an authority for - the domain name used in the question. - - - name: flags.recursion_available - type: boolean - description: > - A DNS flag specifying whether recursive query support is available in the - name server. - - - name: flags.recursion_desired - type: boolean - description: > - A DNS flag specifying that the client directs the server to pursue a - query recursively. Recursive query support is optional. - - - name: flags.authentic_data - type: boolean - description: > - A DNS flag specifying that the recursive server considers the response - authentic. - - - name: flags.checking_disabled - type: boolean - description: > - A DNS flag specifying that the client disables the server - signature validation of the query. - - - name: flags.truncated_response - type: boolean - description: > - A DNS flag specifying that only the first 512 bytes of the reply were - returned. - - - name: response_code - description: The DNS status code. - example: NOERROR - - - name: question.name - description: > - The domain name being queried. If the name field contains non-printable - characters (below 32 or above 126), then those characters are represented - as escaped base 10 integers (\DDD). Back slashes and quotes are escaped. - Tabs, carriage returns, and line feeds are converted to \t, \r, and - \n respectively. - example: www.google.com. - - - name: question.type - description: The type of records being queried. - example: AAAA - - - name: question.class - description: The class of of records being queried. - example: IN - - - name: question.etld_plus_one - description: The effective top-level domain (eTLD) plus one more label. - For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". 
- The data for determining the eTLD comes from an embedded copy of the - data from http://publicsuffix.org. - example: amazon.co.uk. - - - name: answers_count - type: long - description: > - The number of resource records contained in the `dns.answers` field. - - - name: answers.name - description: The domain name to which this resource record pertains. - example: example.com. - - - name: answers.type - description: The type of data contained in this resource record. - example: MX - - - name: answers.class - description: The class of DNS data contained in this resource record. - example: IN - - - name: answers.ttl - description: > - The time interval in seconds that this resource record may be cached - before it should be discarded. Zero values mean that the data should - not be cached. - type: long - - - name: answers.data - description: > - The data describing the resource. The meaning of this data depends - on the type and class of the resource record. - - - name: authorities - type: dict - description: > - An array containing a dictionary for each authority section from the - answer. - - - name: authorities_count - type: long - description: > - The number of resource records contained in the `dns.authorities` field. - The `dns.authorities` field may or may not be included depending on the - configuration of Packetbeat. - - - name: authorities.name - description: The domain name to which this resource record pertains. - example: example.com. - - - name: authorities.type - description: The type of data contained in this resource record. - example: NS - - - name: authorities.class - description: The class of DNS data contained in this resource record. - example: IN - - - name: answers - type: dict - description: > - An array containing a dictionary about each answer section returned by - the server. - - - name: answers.ttl - description: > - The time interval in seconds that this resource record may be cached - before it should be discarded. 
Zero values mean that the data should - not be cached. - type: long - - - name: answers.data - description: > - The data describing the resource. The meaning of this data depends - on the type and class of the resource record. - - - name: additionals - type: dict - description: > - An array containing a dictionary for each additional section from the - answer. - - - name: additionals_count - type: long - description: > - The number of resource records contained in the `dns.additionals` field. - The `dns.additionals` field may or may not be included depending on the - configuration of Packetbeat. - - - name: additionals.name - description: The domain name to which this resource record pertains. - example: example.com. - - - name: additionals.type - description: The type of data contained in this resource record. - example: NS + - name: responsetime + description: > + The wall clock time it took to complete the transaction. + The precision is in milliseconds. + type: long - - name: additionals.class - description: The class of DNS data contained in this resource record. - example: IN + - name: cpu_time + description: The CPU time it took to complete the transaction. + type: long - - name: additionals.ttl - description: > - The time interval in seconds that this resource record may be cached - before it should be discarded. Zero values mean that the data should - not be cached. - type: long + - name: bytes_in + description: > + The number of bytes of the request. Note that this size is + the application layer message length, without the length of the IP or + TCP headers. + type: long + format: bytes - - name: additionals.data - description: > - The data describing the resource. The meaning of this data depends - on the type and class of the resource record. + - name: bytes_out + description: > + The number of bytes of the response. Note that this size is + the application layer message length, without the length of the IP or + TCP headers. 
+ type: long + format: bytes - - name: opt.version - description: The EDNS version. - example: "0" + - name: dnstime + type: long + description: > + The time it takes to query the name server for a given request. + This is typically used for RUM (real-user-monitoring) but can + also have values for server-to-server communication when DNS + is used for service discovery. + The precision is in microseconds. - - name: opt.do - type: boolean - description: If set, the transaction uses DNSSEC. + - name: connecttime + type: long + description: > + The time it takes for the TCP connection to be established for + the given transaction. + The precision is in microseconds. - - name: opt.ext_rcode - description: Extended response code field. - example: "BADVERS" + - name: loadtime + type: long + description: > + The time it takes for the content to be loaded. This is typically + used for RUM (real-user-monitoring) but it can make sense in other + cases as well. + The precision is in microseconds. - - name: opt.udp_size - type: long - description: Requestor's UDP payload size (in bytes). + - name: domloadtime + type: long + description: > + In RUM (real-user-monitoring), the total time it takes for the + DOM to be loaded. In terms of the W3 Navigation Timing API, this is + the difference between `domContentLoadedEnd` and + `domContentLoadedStart`. - key: amqp title: "AMQP" @@ -844,7 +678,6 @@ description: > Creating application id. - - key: cassandra title: "Cassandra" description: Cassandra v4/3 specific event fields. 
@@ -1106,55 +939,263 @@ type: keyword description: Representing the consistency level of the query that triggered the exception. - - name: required - type: long - description: Representing the number of nodes that should be alive to respect consistency level. + - name: required + type: long + description: Representing the number of nodes that should be alive to respect consistency level. + + - name: alive + type: long + description: Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered). + + - name: received + type: long + description: Representing the number of nodes having acknowledged the request. + + - name: blockfor + type: long + description: Representing the number of replicas whose acknowledgement is required to achieve consistency level. + + - name: write_type + type: keyword + description: Describe the type of the write that timed out. + + - name: data_present + type: boolean + description: It means the replica that was asked for data had responded. + + - name: keyspace + type: keyword + description: The keyspace of the failed function. + + - name: table + type: keyword + description: The keyspace of the failed function. + + - name: stmt_id + type: keyword + description: Representing the unknown ID. + + - name: num_failures + type: keyword + description: Representing the number of nodes that experience a failure while executing the request. + + - name: function + type: keyword + description: The name of the failed function. + + - name: arg_types + type: keyword + description: One string for each argument type (as CQL type) of the failed function. + + +- key: dns + title: "DNS" + description: DNS-specific event fields. + fields: + - name: dns + type: group + fields: + - name: id + type: long + description: > + The DNS packet identifier assigned by the program that generated the + query. The identifier is copied to the response. 
+ + - name: op_code + description: > + The DNS operation code that specifies the kind of query in the message. + This value is set by the originator of a query and copied into the + response. + example: QUERY + + - name: flags.authoritative + type: boolean + description: > + A DNS flag specifying that the responding server is an authority for + the domain name used in the question. + + - name: flags.recursion_available + type: boolean + description: > + A DNS flag specifying whether recursive query support is available in the + name server. + + - name: flags.recursion_desired + type: boolean + description: > + A DNS flag specifying that the client directs the server to pursue a + query recursively. Recursive query support is optional. + + - name: flags.authentic_data + type: boolean + description: > + A DNS flag specifying that the recursive server considers the response + authentic. + + - name: flags.checking_disabled + type: boolean + description: > + A DNS flag specifying that the client disables the server + signature validation of the query. + + - name: flags.truncated_response + type: boolean + description: > + A DNS flag specifying that only the first 512 bytes of the reply were + returned. + + - name: response_code + description: The DNS status code. + example: NOERROR + + - name: question.name + description: > + The domain name being queried. If the name field contains non-printable + characters (below 32 or above 126), then those characters are represented + as escaped base 10 integers (\DDD). Back slashes and quotes are escaped. + Tabs, carriage returns, and line feeds are converted to \t, \r, and + \n respectively. + example: www.google.com. + + - name: question.type + description: The type of records being queried. + example: AAAA + + - name: question.class + description: The class of of records being queried. + example: IN + + - name: question.etld_plus_one + description: The effective top-level domain (eTLD) plus one more label. 
+ For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". + The data for determining the eTLD comes from an embedded copy of the + data from http://publicsuffix.org. + example: amazon.co.uk. + + - name: answers_count + type: long + description: > + The number of resource records contained in the `dns.answers` field. + + - name: answers.name + description: The domain name to which this resource record pertains. + example: example.com. + + - name: answers.type + description: The type of data contained in this resource record. + example: MX + + - name: answers.class + description: The class of DNS data contained in this resource record. + example: IN + + - name: answers.ttl + description: > + The time interval in seconds that this resource record may be cached + before it should be discarded. Zero values mean that the data should + not be cached. + type: long + + - name: answers.data + description: > + The data describing the resource. The meaning of this data depends + on the type and class of the resource record. + + - name: authorities + type: dict + description: > + An array containing a dictionary for each authority section from the + answer. + + - name: authorities_count + type: long + description: > + The number of resource records contained in the `dns.authorities` field. + The `dns.authorities` field may or may not be included depending on the + configuration of Packetbeat. + + - name: authorities.name + description: The domain name to which this resource record pertains. + example: example.com. + + - name: authorities.type + description: The type of data contained in this resource record. + example: NS + + - name: authorities.class + description: The class of DNS data contained in this resource record. + example: IN + + - name: answers + type: dict + description: > + An array containing a dictionary about each answer section returned by + the server. 
- - name: alive - type: long - description: Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered). + - name: answers.ttl + description: > + The time interval in seconds that this resource record may be cached + before it should be discarded. Zero values mean that the data should + not be cached. + type: long - - name: received - type: long - description: Representing the number of nodes having acknowledged the request. + - name: answers.data + description: > + The data describing the resource. The meaning of this data depends + on the type and class of the resource record. - - name: blockfor - type: long - description: Representing the number of replicas whose acknowledgement is required to achieve consistency level. + - name: additionals + type: dict + description: > + An array containing a dictionary for each additional section from the + answer. - - name: write_type - type: keyword - description: Describe the type of the write that timed out. + - name: additionals_count + type: long + description: > + The number of resource records contained in the `dns.additionals` field. + The `dns.additionals` field may or may not be included depending on the + configuration of Packetbeat. - - name: data_present - type: boolean - description: It means the replica that was asked for data had responded. + - name: additionals.name + description: The domain name to which this resource record pertains. + example: example.com. - - name: keyspace - type: keyword - description: The keyspace of the failed function. + - name: additionals.type + description: The type of data contained in this resource record. + example: NS - - name: table - type: keyword - description: The keyspace of the failed function. + - name: additionals.class + description: The class of DNS data contained in this resource record. 
+ example: IN - - name: stmt_id - type: keyword - description: Representing the unknown ID. + - name: additionals.ttl + description: > + The time interval in seconds that this resource record may be cached + before it should be discarded. Zero values mean that the data should + not be cached. + type: long - - name: num_failures - type: keyword - description: Representing the number of nodes that experience a failure while executing the request. + - name: additionals.data + description: > + The data describing the resource. The meaning of this data depends + on the type and class of the resource record. - - name: function - type: keyword - description: The name of the failed function. + - name: opt.version + description: The EDNS version. + example: "0" - - name: arg_types - type: keyword - description: One string for each argument type (as CQL type) of the failed function. + - name: opt.do + type: boolean + description: If set, the transaction uses DNSSEC. + - name: opt.ext_rcode + description: Extended response code field. + example: "BADVERS" + - name: opt.udp_size + type: long + description: Requestor's UDP payload size (in bytes). - key: http title: "HTTP" 
@@ -1207,6 +1248,44 @@ - name: body description: The body of the HTTP response. +- key: icmp + title: "ICMP" + description: > + ICMP specific event fields. + fields: + - name: icmp + type: group + fields: + - name: version + description: The version of the ICMP protocol. + possible_values: + - 4 + - 6 + + - name: request.message + type: keyword + description: A human readable form of the request. + + - name: request.type + type: long + description: The request type. + + - name: request.code + type: long + description: The request code. + + - name: response.message + type: keyword + description: A human readable form of the response. + + - name: response.type + type: long + description: The response type. + + - name: response.code + type: long + description: The response code. + - key: memcache title: "Memcache" description: Memcached-specific event fields 
@@ -1408,181 +1487,48 @@ If the value is <30 days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). - - name: request.sleep_us - type: long - description: > - The sleep setting in microseconds for the 'lru_crawler sleep' command. - - - name: response.value - type: long - description: > - The counter value returned by a counter operation. - - - name: request.noreply - type: boolean - description: > - Set to true if noreply was set in the request. - The `memcache.response` field will be missing. - - - name: request.quiet - type: boolean - description: > - Set to true if the binary protocol message is to be treated as a quiet message. - - - name: request.cas_unique - type: long - description: > - The CAS (compare-and-swap) identifier if present. - - - name: response.cas_unique - type: long - description: > - The CAS (compare-and-swap) identifier to be used with CAS-based updates - (if present). - - - name: response.stats - type: list - description: > - The list of statistic values returned. Each entry is a dictionary with the - fields "name" and "value". - - - name: response.version - type: keyword - description: > - The returned memcache version string. - -- key: mysql - title: "MySQL" - description: > - MySQL-specific event fields. - fields: - - name: mysql - type: group - fields: - - name: iserror - type: boolean - description: > - If the MySQL query returns an error, this field is set to true. - - - name: affected_rows - type: long - description: > - If the MySQL command is successful, this field contains the affected - number of rows of the last statement. - - - name: insert_id - description: > - If the INSERT query is successful, this field contains the id of the - newly inserted row. - - - name: num_fields - description: > - If the SELECT query is successful, this field is set to the number - of fields returned. 
- - - name: num_rows - description: > - If the SELECT query is successful, this field is set to the number - of rows returned. - - - name: query - description: > - The row mysql query as read from the transaction's request. - - - name: error_code - type: long - description: > - The error code returned by MySQL. - - - name: error_message - description: > - The error info message returned by MySQL. -- key: pgsql - title: "PostgreSQL" - description: > - PostgreSQL-specific event fields. - fields: - - name: pgsql - type: group - fields: - - name: query - description: > - The row pgsql query as read from the transaction's request. - - - name: iserror - type: boolean - description: > - If the PgSQL query returns an error, this field is set to true. - - - name: error_code - description: The PostgreSQL error code. - type: long - - - name: error_message - description: The PostgreSQL error message. - - - name: error_severity - description: The PostgreSQL error severity. - possible_values: - - ERROR - - FATAL - - PANIC - - - name: num_fields - description: > - If the SELECT query if successful, this field is set to the number - of fields returned. - - - name: num_rows + - name: request.sleep_us + type: long description: > - If the SELECT query if successful, this field is set to the number - of rows returned. + The sleep setting in microseconds for the 'lru_crawler sleep' command. + - name: response.value + type: long + description: > + The counter value returned by a counter operation. -- key: thrift - title: "Thrift-RPC" - description: > - Thrift-RPC specific event fields. - fields: - - name: thrift - type: group - fields: - - name: params + - name: request.noreply + type: boolean description: > - The RPC method call parameters in a human readable format. If the IDL - files are available, the parameters use names whenever possible. - Otherwise, the IDs from the message are used. + Set to true if noreply was set in the request. 
+ The `memcache.response` field will be missing. - - name: service + - name: request.quiet + type: boolean description: > - The name of the Thrift-RPC service as defined in the IDL files. + Set to true if the binary protocol message is to be treated as a quiet message. - - name: return_value + - name: request.cas_unique + type: long description: > - The value returned by the Thrift-RPC call. This is encoded in a human - readable format. + The CAS (compare-and-swap) identifier if present. - - name: exceptions + - name: response.cas_unique + type: long description: > - If the call resulted in exceptions, this field contains the exceptions in a human - readable format. + The CAS (compare-and-swap) identifier to be used with CAS-based updates + (if present). -- key: redis - title: "Redis" - description: > - Redis-specific event fields. - fields: - - name: redis - type: group - fields: - - name: return_value + - name: response.stats + type: list description: > - The return value of the Redis command in a human readable format. + The list of statistic values returned. Each entry is a dictionary with the + fields "name" and "value". - - name: error + - name: response.version + type: keyword description: > - If the Redis command has resulted in an error, this field contains the - error message returned by the Redis server. + The returned memcache version string. - key: mongodb title: "MongoDb" 
@@ -1688,6 +1634,53 @@ - name: cred.machinename description: The name of the caller's machine. +- key: mysql + title: "MySQL" + description: > + MySQL-specific event fields. + fields: + - name: mysql + type: group + fields: + - name: iserror + type: boolean + description: > + If the MySQL query returns an error, this field is set to true. + + - name: affected_rows + type: long + description: > + If the MySQL command is successful, this field contains the affected + number of rows of the last statement. + + - name: insert_id + description: > + If the INSERT query is successful, this field contains the id of the + newly inserted row. + + - name: num_fields + description: > + If the SELECT query is successful, this field is set to the number + of fields returned. + + - name: num_rows + description: > + If the SELECT query is successful, this field is set to the number + of rows returned. + + - name: query + description: > + The row mysql query as read from the transaction's request. + + - name: error_code + type: long + description: > + The error code returned by MySQL. + + - name: error_message + description: > + The error info message returned by MySQL. + - key: nfs title: "NFS" description: NFS v4/3 specific event fields. 
@@ -1715,84 +1708,89 @@ description: NFS operation reply status. - -- key: raw - title: Raw - description: These fields contain the raw transaction data. +- key: pgsql + title: "PostgreSQL" + description: > + PostgreSQL-specific event fields. fields: - - name: request - type: text - description: > - For text protocols, this is the request as seen on the wire - (application layer only). For binary protocols this is our - representation of the request. + - name: pgsql + type: group + fields: + - name: query + description: > + The row pgsql query as read from the transaction's request. - - name: response - type: text - description: > - For text protocols, this is the response as seen on the wire - (application layer only). For binary protocols this is our - representation of the request. + - name: iserror + type: boolean + description: > + If the PgSQL query returns an error, this field is set to true. -- key: trans_measurements - title: "Measurements (Transactions)" + - name: error_code + description: The PostgreSQL error code. + type: long + + - name: error_message + description: The PostgreSQL error message. + + - name: error_severity + description: The PostgreSQL error severity. + possible_values: + - ERROR + - FATAL + - PANIC + + - name: num_fields + description: > + If the SELECT query if successful, this field is set to the number + of fields returned. + + - name: num_rows + description: > + If the SELECT query if successful, this field is set to the number + of rows returned. + +- key: redis + title: "Redis" description: > - These fields contain measurements related to the transaction. + Redis-specific event fields. fields: - - name: responsetime - description: > - The wall clock time it took to complete the transaction. - The precision is in milliseconds. - type: long - - - name: cpu_time - description: The CPU time it took to complete the transaction. 
- type: long + - name: redis + type: group + fields: + - name: return_value + description: > + The return value of the Redis command in a human readable format. - - name: bytes_in - description: > - The number of bytes of the request. Note that this size is - the application layer message length, without the length of the IP or - TCP headers. - type: long - format: bytes + - name: error + description: > + If the Redis command has resulted in an error, this field contains the + error message returned by the Redis server. - - name: bytes_out - description: > - The number of bytes of the response. Note that this size is - the application layer message length, without the length of the IP or - TCP headers. - type: long - format: bytes +- key: thrift + title: "Thrift-RPC" + description: > + Thrift-RPC specific event fields. + fields: + - name: thrift + type: group + fields: + - name: params + description: > + The RPC method call parameters in a human readable format. If the IDL + files are available, the parameters use names whenever possible. + Otherwise, the IDs from the message are used. - - name: dnstime - type: long - description: > - The time it takes to query the name server for a given request. - This is typically used for RUM (real-user-monitoring) but can - also have values for server-to-server communication when DNS - is used for service discovery. - The precision is in microseconds. + - name: service + description: > + The name of the Thrift-RPC service as defined in the IDL files. - - name: connecttime - type: long - description: > - The time it takes for the TCP connection to be established for - the given transaction. - The precision is in microseconds. + - name: return_value + description: > + The value returned by the Thrift-RPC call. This is encoded in a human + readable format. - - name: loadtime - type: long - description: > - The time it takes for the content to be loaded. 
This is typically - used for RUM (real-user-monitoring) but it can make sense in other - cases as well. - The precision is in microseconds. + - name: exceptions + description: > + If the call resulted in exceptions, this field contains the exceptions in a human + readable format. - - name: domloadtime - type: long - description: > - In RUM (real-user-monitoring), the total time it takes for the - DOM to be loaded. In terms of the W3 Navigation Timing API, this is - the difference between `domContentLoadedEnd` and - `domContentLoadedStart`. diff --git a/packetbeat/etc/fields_base.yml b/packetbeat/etc/fields_base.yml new file mode 100644 index 00000000000..8d748953684 --- /dev/null +++ b/packetbeat/etc/fields_base.yml 
@@ -0,0 +1,471 @@ +- key: common + title: Common + description: > + These fields contain data about the environment in which the + transaction or flow was captured. + fields: + - name: server + description: > + The name of the server that served the transaction. + + - name: client_server + description: > + The name of the server that initiated the transaction. + + - name: service + description: > + The name of the logical service that served the transaction. + + - name: client_service + description: > + The name of the logical service that initiated the transaction. + + - name: ip + description: > + The IP address of the server that served the transaction. + format: dotted notation. + + - name: client_ip + description: > + The IP address of the server that initiated the transaction. + format: dotted notation. + + - name: real_ip + description: > + If the server initiating the transaction is a proxy, this field + contains the original client IP address. + For HTTP, for example, the IP address extracted from a configurable + HTTP header, by default `X-Forwarded-For`. + + Unless this field is disabled, it always has a value, and it matches + the `client_ip` for non proxy clients. + format: Dotted notation. + + - name: client_location + type: geo_point + example: 40.715, -74.011 + description: > + DEPRECATED. Please use `client_geoip` instead. + The GeoIP location of the `real_ip` IP address or of the `client_ip` address if the `real_ip` is + disabled. The field is a string containing the latitude and longitude separated by a comma. + + - name: client_geoip + description: The GeoIP information of the client. + type: group + fields: + - name: location + type: geo_point + example: {lat: 51, lon: 9} + description: > + The GeoIP location of the `client_ip` address. 
This field is available + only if you define a + https://www.elastic.co/guide/en/elasticsearch/plugins/master/using-ingest-geoip.html[GeoIP Processor] as a pipeline in the + https://www.elastic.co/guide/en/elasticsearch/plugins/master/ingest-geoip.html[Ingest GeoIP processor plugin] or using Logstash. + + - name: client_port + description: > + The layer 4 port of the process that initiated the transaction. + format: dotted notation. + + - name: transport + description: > + The transport protocol used for the transaction. If not specified, then + tcp is assumed. + example: udp + + - name: port + description: > + The layer 4 port of the process that served the transaction. + format: dotted notation. + + - name: proc + description: > + The name of the process that served the transaction. + + - name: client_proc + description: > + The name of the process that initiated the transaction. + + - name: release + description: > + The software release of the service serving the transaction. + This can be the commit id or a semantic version. + +- key: flows_event + title: "Flow Event" + description: > + These fields contain data about the flow itself. + fields: + - name: "@timestamp" + type: date + required: true + format: YYYY-MM-DDTHH:MM:SS.milliZ + example: 2015-01-24T14:06:05.071Z + description: > + The timestamp of the event, as measured by the Beat. The precision is in + milliseconds. The timezone is UTC. + + - name: "start_time" + type: date + required: true + format: YYYY-MM-DDTHH:MM:SS.milliZ + example: 2015-01-24T14:06:05.071Z + description: > + The time, the first packet for the flow has been seen. + + - name: "last_time" + type: date + required: true + format: YYYY-MM-DDTHH:MM:SS.milliZ + example: 2015-01-24T14:06:05.071Z + description: > + The time, the most recent processed packet for the flow has been seen. + + - name: type + description: > + Indicates the event to be a flow event. This field is always set to "flow". 
+ required: true + + - name: final + description: > + Indicates if event is last event in flow. If final is false, the event + reports an intermediate flow state only. + + - name: flow_id + description: > + Internal flow id based on connection meta data and address. + + - name: vlan + description: > + Innermost VLAN address used in network packets. + + - name: outer_vlan + description: > + Second innermost VLAN address used in network packets. + + + - name: source + type: group + description: > + Properties of the source host + fields: + - name: mac + description: > + Source MAC address as indicated by first packet seen for the current flow. + + - name: ip + description: > + Innermost IPv4 source address as indicated by first packet seen for the + current flow. + + - name: ip_location + type: geo_point + example: "40.715, -74.011" + description: > + The GeoIP location of the `ip_source` IP address. The field is a string + containing the latitude and longitude separated by a comma. + + - name: outer_ip + description: > + Second innermost IPv4 source address as indicated by first packet seen + for the current flow. + + - name: outer_ip_location + type: geo_point + example: "40.715, -74.011" + description: > + The GeoIP location of the `outer_ip_source` IP address. The field is a + string containing the latitude and longitude separated by a comma. + + - name: ipv6 + description: > + Innermost IPv6 source address as indicated by first packet seen for the + current flow. + + - name: ipv6_location + type: geo_point + example: "60.715, -76.011" + description: > + The GeoIP location of the `ipv6_source` IP address. The field is a string + containing the latitude and longitude separated by a comma. + + - name: outer_ipv6 + description: > + Second innermost IPv6 source address as indicated by first packet seen + for the current flow. 
+ + - name: outer_ipv6_location + type: geo_point + example: "60.715, -76.011" + description: > + The GeoIP location of the `outer_ipv6_source` IP address. The field is a + string containing the latitude and longitude separated by a comma. + + - name: port + description: > + Source port number as indicated by first packet seen for the current flow. + + - name: stats + type: group + description: > + Object with source to destination flow measurements. + fields: + - name: net_packets_total + type: long + description: > + Total number of packets + + - name: net_bytes_total + type: long + description: > + Total number of bytes + + + + - name: dest + type: group + description: > + Properties of the destination host + fields: + - name: mac + description: > + Destination MAC address as indicated by first packet seen for the current flow. + + - name: ip + description: > + Innermost IPv4 destination address as indicated by first packet seen for the + current flow. + + - name: ip_location + type: geo_point + example: "40.715, -74.011" + description: > + The GeoIP location of the `ip_dest` IP address. The field is a string + containing the latitude and longitude separated by a comma. + + - name: outer_ip + description: > + Second innermost IPv4 destination address as indicated by first packet + seen for the current flow. + + - name: outer_ip_location + type: geo_point + example: "40.715, -74.011" + description: > + The GeoIP location of the `outer_ip_dest` IP address. The field is a + string containing the latitude and longitude separated by a comma. + + - name: ipv6 + description: > + Innermost IPv6 destination address as indicated by first packet seen for the + current flow. + + - name: ipv6_location + type: geo_point + example: "60.715, -76.011" + description: > + The GeoIP location of the `ipv6_dest` IP address. The field is a string + containing the latitude and longitude separated by a comma. 
+ + - name: outer_ipv6 + description: > + Second innermost IPv6 destination address as indicated by first packet + seen for the current flow. + + - name: outer_ipv6_location + type: geo_point + example: "60.715, -76.011" + description: > + The GeoIP location of the `outer_ipv6_dest` IP address. The field is a + string containing the latitude and longitude separated by a comma. + + - name: port + description: > + Destination port number as indicated by first packet seen for the current flow. + + - name: stats + type: group + description: > + Object with destination to source flow measurements. + fields: + - name: net_packets_total + type: long + description: > + Total number of packets + + - name: net_bytes_total + type: long + description: > + Total number of bytes + - name: icmp_id + description: > + ICMP id used in ICMP based flow. + + - name: transport + description: > + The transport protocol used by the flow. If known, one of "udp" or "tcp". + + - name: connection_id + description: > + optional TCP connection id + +- key: trans_event + title: "Transaction Event" + description: > + These fields contain data about the transaction itself. + fields: + - name: "@timestamp" + type: date + required: true + format: YYYY-MM-DDTHH:MM:SS.milliZ + example: 2015-01-24T14:06:05.071Z + description: > + The timestamp of the event, as measured either by the Beat or + by a common collector point. The precision is in milliseconds. + The timezone is UTC. + + - name: type + description: > + The type of the transaction (for example, HTTP, MySQL, Redis, or RUM). + required: true + + - name: direction + required: true + description: > + Indicates whether the transaction is inbound (emitted by server) + or outbound (emitted by the client). Values can be in or out. No defaults. + possible_values: + - in + - out + + - name: status + description: > + The high level status of the transaction. 
The way to compute this + value depends on the protocol, but the result has a meaning + independent of the protocol. + required: true + possible_values: + - OK + - Error + - Server Error + - Client Error + + - name: method + description: > + The command/verb/method of the transaction. For HTTP, this is the + method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, + UPDATE, DELETE, and so on). + + - name: resource + description: > + The logical resource that this transaction refers to. For HTTP, this is + the URL path up to the last slash (/). For example, if the URL is `/users/1`, + the resource is `/users`. For databases, the resource is typically the + table name. The field is not filled for all transaction types. + + - name: path + required: true + description: > + The path the transaction refers to. For HTTP, this is the URL. + For SQL databases, this is the table name. For key-value stores, this + is the key. + + - name: query + type: keyword + description: > + The query in a human readable format. For HTTP, it will typically be + something like `GET /users/_search?name=test`. For MySQL, it is + something like `SELECT id from users where name=test`. + + - name: params + type: text + description: > + The request parameters. For HTTP, these are the POST or GET parameters. + For Thrift-RPC, these are the parameters from the request. + + - name: notes + description: > + Messages from Packetbeat itself. This field usually contains error messages for + interpreting the raw data. This information can be helpful for troubleshooting. + +- key: raw + title: Raw + description: These fields contain the raw transaction data. + fields: + - name: request + type: text + description: > + For text protocols, this is the request as seen on the wire + (application layer only). For binary protocols this is our + representation of the request. 
+ + - name: response + type: text + description: > + For text protocols, this is the response as seen on the wire + (application layer only). For binary protocols this is our + representation of the request. + +- key: trans_measurements + title: "Measurements (Transactions)" + description: > + These fields contain measurements related to the transaction. + fields: + - name: responsetime + description: > + The wall clock time it took to complete the transaction. + The precision is in milliseconds. + type: long + + - name: cpu_time + description: The CPU time it took to complete the transaction. + type: long + + - name: bytes_in + description: > + The number of bytes of the request. Note that this size is + the application layer message length, without the length of the IP or + TCP headers. + type: long + format: bytes + + - name: bytes_out + description: > + The number of bytes of the response. Note that this size is + the application layer message length, without the length of the IP or + TCP headers. + type: long + format: bytes + + - name: dnstime + type: long + description: > + The time it takes to query the name server for a given request. + This is typically used for RUM (real-user-monitoring) but can + also have values for server-to-server communication when DNS + is used for service discovery. + The precision is in microseconds. + + - name: connecttime + type: long + description: > + The time it takes for the TCP connection to be established for + the given transaction. + The precision is in microseconds. + + - name: loadtime + type: long + description: > + The time it takes for the content to be loaded. This is typically + used for RUM (real-user-monitoring) but it can make sense in other + cases as well. + The precision is in microseconds. + + - name: domloadtime + type: long + description: > + In RUM (real-user-monitoring), the total time it takes for the + DOM to be loaded. 
In terms of the W3 Navigation Timing API, this is + the difference between `domContentLoadedEnd` and + `domContentLoadedStart`. + diff --git a/packetbeat/etc/kibana/index-pattern/packetbeat.json b/packetbeat/etc/kibana/index-pattern/packetbeat.json index 0fead122c1d..9009b684f52 100644 --- a/packetbeat/etc/kibana/index-pattern/packetbeat.json +++ b/packetbeat/etc/kibana/index-pattern/packetbeat.json 
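Review bot: The `real_ip` description in the `common` group of `fields_base.yml` says the field "contains the original client IP address", yet for HTTP the value is read from a configurable header, by default `X-Forwarded-For`, which whoever sends the request can set to anything. Anyone using this field for detection or forensics needs that caveat next to the definition, so I would append to the description: `The header is set by the request sender, so treat the value as reliable only when it comes from a proxy you control.` Separately, `format: dotted notation.` on `port` and `client_port` looks copied from the IP fields and does not describe a layer 4 port. The `response` description under `raw` ends with "our representation of the request", where "response" seems intended.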
@@ -1,5 +1,5 @@ { - "fields": "[{\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"beat.name\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"beat.hostname\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"beat.version\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"@timestamp\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"date\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"tags\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"fields\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"meta.cloud.provider\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"meta.cloud.instance_id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"meta.cloud.machine_type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"meta.cloud.availability_zone\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, 
\"analyzed\": false, \"aggregatable\": true, \"name\": \"meta.cloud.project_id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"meta.cloud.region\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"server\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"client_server\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"service\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"client_service\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"ip\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"client_ip\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"real_ip\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"client_location\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": 
\"client_geoip.location\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"client_port\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"transport\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"port\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"proc\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"client_proc\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"release\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"@timestamp\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"date\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"start_time\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"date\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"last_time\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"date\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", 
\"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"final\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"flow_id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"vlan\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"outer_vlan\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"source.mac\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"source.ip\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"source.ip_location\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"source.outer_ip\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"source.outer_ip_location\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"source.ipv6\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": 
\"source.ipv6_location\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"source.outer_ipv6\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"source.outer_ipv6_location\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"source.port\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"source.stats.net_packets_total\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"source.stats.net_bytes_total\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dest.mac\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dest.ip\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dest.ip_location\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dest.outer_ip\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dest.outer_ip_location\", \"searchable\": true, 
\"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dest.ipv6\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dest.ipv6_location\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dest.outer_ipv6\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dest.outer_ipv6_location\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dest.port\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dest.stats.net_packets_total\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dest.stats.net_bytes_total\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"icmp_id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"transport\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"connection_id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": 
false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"@timestamp\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"date\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"direction\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"status\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"method\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"resource\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"path\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"query\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": false, \"name\": \"params\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"notes\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"icmp.version\", 
\"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"icmp.request.message\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"icmp.request.type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"icmp.request.code\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"icmp.response.message\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"icmp.response.type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"icmp.response.code\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.op_code\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.flags.authoritative\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.flags.recursion_available\", 
\"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.flags.recursion_desired\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.flags.authentic_data\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.flags.checking_disabled\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.flags.truncated_response\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.response_code\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.question.name\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.question.type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.question.class\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.question.etld_plus_one\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.answers_count\", \"searchable\": true, \"indexed\": true, \"doc_values\": 
true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.answers.name\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.answers.type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.answers.class\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.answers.ttl\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.answers.data\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.authorities\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.authorities_count\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.authorities.name\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.authorities.type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.authorities.class\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, 
\"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.answers\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.answers.ttl\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.answers.data\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.additionals\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.additionals_count\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.additionals.name\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.additionals.type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.additionals.class\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.additionals.ttl\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.additionals.data\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": 
false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.opt.version\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.opt.do\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.opt.ext_rcode\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.opt.udp_size\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.reply-code\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.reply-text\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.class-id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.method-id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.exchange\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.exchange-type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, 
\"aggregatable\": true, \"name\": \"amqp.passive\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.durable\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.exclusive\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.auto-delete\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.no-wait\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.consumer-tag\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.delivery-tag\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.message-count\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.consumer-count\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.routing-key\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.no-ack\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, 
\"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.no-local\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.if-unused\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.if-empty\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.queue\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.redelivered\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.multiple\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.arguments\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.mandatory\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.immediate\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.content-type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.content-encoding\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", 
\"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.headers\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.delivery-mode\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.priority\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.correlation-id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.reply-to\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.expiration\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.message-id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.timestamp\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.user-id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": 
false, \"aggregatable\": true, \"name\": \"amqp.app-id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.request.headers.version\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.request.headers.flags\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.request.headers.stream\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.request.headers.op\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.request.headers.length\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.request.query\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.headers.version\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.headers.flags\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.headers.stream\", \"searchable\": 
true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.headers.op\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.headers.length\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.rows.num_rows\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.rows.meta.keyspace\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.rows.meta.table\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.rows.meta.flags\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.rows.meta.col_count\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.rows.meta.pkey_columns\", \"searchable\": 
true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.rows.meta.paging_state\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.keyspace\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.schema_change.change\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.schema_change.keyspace\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.schema_change.table\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.schema_change.object\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.schema_change.target\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.schema_change.name\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": 
\"cassandra.response.result.schema_change.args\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.prepared_id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.req_meta.keyspace\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.req_meta.table\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.req_meta.flags\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.req_meta.col_count\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.req_meta.pkey_columns\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.req_meta.paging_state\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.resp_meta.keyspace\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, 
\"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.resp_meta.table\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.resp_meta.flags\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.resp_meta.col_count\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.resp_meta.pkey_columns\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.resp_meta.paging_state\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.supported\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.authentication.class\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.warnings\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.event.type\", \"searchable\": true, \"indexed\": true, 
\"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.event.change\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.event.host\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.event.host\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.event.schema_change.change\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.event.schema_change.keyspace\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.event.schema_change.table\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.event.schema_change.object\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.event.schema_change.target\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.event.schema_change.name\", \"searchable\": true, \"indexed\": 
true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.event.schema_change.args\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.code\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.msg\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.read_consistency\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.required\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.alive\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.received\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.blockfor\", \"searchable\": true, \"indexed\": true, 
\"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.write_type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.data_present\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.keyspace\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.table\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.stmt_id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.num_failures\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.function\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.arg_types\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"http.request.params\", \"searchable\": true, \"indexed\": true, \"doc_values\": 
true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"http.request.headers\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": false, \"name\": \"http.request.body\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"http.response.code\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"http.response.phrase\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"http.response.headers\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"http.response.body\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.protocol_type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.line\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.command\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.command\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, 
\"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.error_msg\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.opcode\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.opcode\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.opcode_value\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.opcode_value\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.opaque\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.opaque\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": 
\"memcache.request.vbucket\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.status\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.status_code\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.keys\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.keys\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.count_values\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.count_values\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.values\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.values\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.bytes\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": 
\"memcache.response.bytes\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.delta\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.initial\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.verbosity\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.raw_args\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.source_class\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.dest_class\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.automove\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.flags\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.flags\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": 
false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.exptime\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.sleep_us\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.value\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.noreply\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.quiet\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.cas_unique\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.cas_unique\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.stats\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.version\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mysql.iserror\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, 
\"analyzed\": false, \"aggregatable\": true, \"name\": \"mysql.affected_rows\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mysql.insert_id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mysql.num_fields\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mysql.num_rows\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mysql.query\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mysql.error_code\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mysql.error_message\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"pgsql.query\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"pgsql.iserror\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"pgsql.error_code\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": 
true, \"name\": \"pgsql.error_message\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"pgsql.error_severity\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"pgsql.num_fields\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"pgsql.num_rows\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"thrift.params\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"thrift.service\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"thrift.return_value\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"thrift.exceptions\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"redis.return_value\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"redis.error\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, 
\"name\": \"mongodb.error\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mongodb.fullCollectionName\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mongodb.numberToSkip\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mongodb.numberToReturn\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mongodb.numberReturned\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mongodb.startingFrom\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mongodb.query\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mongodb.returnFieldsSelector\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mongodb.selector\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mongodb.update\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, 
\"aggregatable\": true, \"name\": \"mongodb.cursorId\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"rpc.xid\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"rpc.call_size\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"rpc.reply_size\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"rpc.status\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"rpc.time\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"rpc.time_str\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"rpc.auth_flavor\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"rpc.cred.uid\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"rpc.cred.gid\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": 
\"rpc.cred.gids\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"rpc.cred.stamp\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"rpc.cred.machinename\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"nfs.version\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"nfs.minor_version\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"nfs.tag\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"nfs.opcode\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"nfs.status\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": false, \"name\": \"request\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": false, \"name\": \"response\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"responsetime\", \"searchable\": true, 
\"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cpu_time\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"bytes_in\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"bytes_out\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dnstime\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"connecttime\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"loadtime\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"domloadtime\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}]", + "fields": "[{\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"beat.name\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"beat.hostname\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"beat.version\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": 
\"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"@timestamp\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"date\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"tags\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"fields\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"meta.cloud.provider\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"meta.cloud.instance_id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"meta.cloud.machine_type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"meta.cloud.availability_zone\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"meta.cloud.project_id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"meta.cloud.region\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"server\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, 
{\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"client_server\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"service\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"client_service\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"ip\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"client_ip\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"real_ip\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"client_location\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"client_geoip.location\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"client_port\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"transport\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"port\", \"searchable\": true, 
\"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"proc\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"client_proc\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"release\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"@timestamp\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"date\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"start_time\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"date\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"last_time\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"date\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"final\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"flow_id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"vlan\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, 
\"analyzed\": false, \"aggregatable\": true, \"name\": \"outer_vlan\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"source.mac\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"source.ip\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"source.ip_location\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"source.outer_ip\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"source.outer_ip_location\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"source.ipv6\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"source.ipv6_location\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"source.outer_ipv6\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"source.outer_ipv6_location\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"source.port\", \"searchable\": true, 
\"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"source.stats.net_packets_total\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"source.stats.net_bytes_total\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dest.mac\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dest.ip\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dest.ip_location\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dest.outer_ip\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dest.outer_ip_location\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dest.ipv6\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dest.ipv6_location\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dest.outer_ipv6\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", 
\"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dest.outer_ipv6_location\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dest.port\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dest.stats.net_packets_total\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dest.stats.net_bytes_total\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"icmp_id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"transport\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"connection_id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"@timestamp\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"date\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"direction\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": 
false, \"aggregatable\": true, \"name\": \"status\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"method\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"resource\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"path\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"query\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": false, \"name\": \"params\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"notes\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": false, \"name\": \"request\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": false, \"name\": \"response\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"responsetime\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cpu_time\", \"searchable\": true, \"indexed\": true, 
\"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"bytes_in\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"bytes_out\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dnstime\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"connecttime\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"loadtime\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"domloadtime\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.reply-code\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.reply-text\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.class-id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.method-id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": 
false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.exchange\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.exchange-type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.passive\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.durable\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.exclusive\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.auto-delete\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.no-wait\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.consumer-tag\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.delivery-tag\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.message-count\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.consumer-count\", \"searchable\": true, 
\"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.routing-key\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.no-ack\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.no-local\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.if-unused\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.if-empty\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.queue\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.redelivered\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.multiple\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.arguments\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.mandatory\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.immediate\", \"searchable\": true, \"indexed\": 
true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.content-type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.content-encoding\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.headers\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.delivery-mode\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.priority\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.correlation-id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.reply-to\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.expiration\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.message-id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.timestamp\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", 
\"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.user-id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"amqp.app-id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.request.headers.version\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.request.headers.flags\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.request.headers.stream\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.request.headers.op\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.request.headers.length\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.request.query\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.headers.version\", 
\"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.headers.flags\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.headers.stream\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.headers.op\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.headers.length\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.rows.num_rows\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.rows.meta.keyspace\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.rows.meta.table\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.rows.meta.flags\", \"searchable\": true, 
\"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.rows.meta.col_count\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.rows.meta.pkey_columns\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.rows.meta.paging_state\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.keyspace\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.schema_change.change\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.schema_change.keyspace\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.schema_change.table\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.schema_change.object\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": 
\"cassandra.response.result.schema_change.target\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.schema_change.name\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.schema_change.args\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.prepared_id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.req_meta.keyspace\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.req_meta.table\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.req_meta.flags\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.req_meta.col_count\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.req_meta.pkey_columns\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", 
\"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.req_meta.paging_state\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.resp_meta.keyspace\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.resp_meta.table\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.resp_meta.flags\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.resp_meta.col_count\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.resp_meta.pkey_columns\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.result.prepared.resp_meta.paging_state\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.supported\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.authentication.class\", \"searchable\": 
true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.warnings\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.event.type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.event.change\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.event.host\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.event.host\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.event.schema_change.change\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.event.schema_change.keyspace\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.event.schema_change.table\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.event.schema_change.object\", \"searchable\": true, \"indexed\": true, 
\"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.event.schema_change.target\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.event.schema_change.name\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.event.schema_change.args\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.code\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.msg\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.read_consistency\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.required\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.alive\", \"searchable\": true, \"indexed\": true, 
\"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.received\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.blockfor\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.write_type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.data_present\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.keyspace\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.table\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.stmt_id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.num_failures\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.function\", \"searchable\": true, \"indexed\": true, 
\"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"cassandra.response.error.details.arg_types\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.op_code\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.flags.authoritative\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.flags.recursion_available\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.flags.recursion_desired\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.flags.authentic_data\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.flags.checking_disabled\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.flags.truncated_response\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.response_code\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, 
{\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.question.name\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.question.type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.question.class\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.question.etld_plus_one\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.answers_count\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.answers.name\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.answers.type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.answers.class\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.answers.ttl\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.answers.data\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": 
false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.authorities\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.authorities_count\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.authorities.name\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.authorities.type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.authorities.class\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.answers\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.answers.ttl\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.answers.data\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.additionals\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.additionals_count\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, 
\"aggregatable\": true, \"name\": \"dns.additionals.name\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.additionals.type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.additionals.class\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.additionals.ttl\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.additionals.data\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.opt.version\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.opt.do\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.opt.ext_rcode\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"dns.opt.udp_size\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"http.request.params\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, 
\"aggregatable\": true, \"name\": \"http.request.headers\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": false, \"name\": \"http.request.body\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"http.response.code\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"http.response.phrase\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"http.response.headers\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"http.response.body\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"icmp.version\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"icmp.request.message\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"icmp.request.type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"icmp.request.code\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, 
\"name\": \"icmp.response.message\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"icmp.response.type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"icmp.response.code\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.protocol_type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.line\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.command\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.command\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.type\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.error_msg\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, 
{\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.opcode\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.opcode\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.opcode_value\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.opcode_value\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.opaque\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.opaque\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.vbucket\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.status\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.status_code\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.keys\", \"searchable\": true, 
\"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.keys\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.count_values\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.count_values\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.values\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.values\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.bytes\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.bytes\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.delta\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.initial\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.verbosity\", \"searchable\": true, \"indexed\": 
true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.raw_args\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.source_class\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.dest_class\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.automove\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.flags\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.flags\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.exptime\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.sleep_us\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.value\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": 
true, \"name\": \"memcache.request.noreply\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.quiet\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.request.cas_unique\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.cas_unique\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.stats\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"memcache.response.version\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mongodb.error\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mongodb.fullCollectionName\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mongodb.numberToSkip\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mongodb.numberToReturn\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, 
\"name\": \"mongodb.numberReturned\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mongodb.startingFrom\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mongodb.query\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mongodb.returnFieldsSelector\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mongodb.selector\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mongodb.update\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mongodb.cursorId\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"rpc.xid\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"rpc.call_size\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"rpc.reply_size\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, 
\"name\": \"rpc.status\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"rpc.time\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"rpc.time_str\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"rpc.auth_flavor\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"rpc.cred.uid\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"rpc.cred.gid\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"rpc.cred.gids\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"rpc.cred.stamp\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"rpc.cred.machinename\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mysql.iserror\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mysql.affected_rows\", \"searchable\": true, 
\"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mysql.insert_id\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mysql.num_fields\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mysql.num_rows\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mysql.query\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mysql.error_code\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"mysql.error_message\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"nfs.version\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"nfs.minor_version\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"nfs.tag\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"nfs.opcode\", \"searchable\": true, \"indexed\": true, 
\"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"nfs.status\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"pgsql.query\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"pgsql.iserror\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"pgsql.error_code\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"number\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"pgsql.error_message\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"pgsql.error_severity\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"pgsql.num_fields\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"pgsql.num_rows\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"redis.return_value\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"redis.error\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", 
\"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"thrift.params\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"thrift.service\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"thrift.return_value\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}, {\"count\": 0, \"analyzed\": false, \"aggregatable\": true, \"name\": \"thrift.exceptions\", \"searchable\": true, \"indexed\": true, \"doc_values\": true, \"type\": \"string\", \"scripted\": false}]", "fieldFormatMap": "{\"client_ip\": {\"id\": \"dotted notation.\"}, \"memcache.request.bytes\": {\"id\": \"bytes\"}, \"start_time\": {\"id\": \"YYYY-MM-DDTHH:MM:SS.milliZ\"}, \"real_ip\": {\"id\": \"Dotted notation.\"}, \"ip\": {\"id\": \"dotted notation.\"}, \"@timestamp\": {\"id\": \"YYYY-MM-DDTHH:MM:SS.milliZ\"}, \"bytes_out\": {\"id\": \"bytes\"}, \"last_time\": {\"id\": \"YYYY-MM-DDTHH:MM:SS.milliZ\"}, \"client_port\": {\"id\": \"dotted notation.\"}, \"memcache.response.bytes\": {\"id\": \"bytes\"}, \"bytes_in\": {\"id\": \"bytes\"}, \"port\": {\"id\": \"dotted notation.\"}}", "timeFieldName": "@timestamp", "title": "packetbeat-*" diff --git a/packetbeat/protos/amqp/_meta/fields.yml b/packetbeat/protos/amqp/_meta/fields.yml new file mode 100644 index 00000000000..4833ed27838 --- /dev/null +++ b/packetbeat/protos/amqp/_meta/fields.yml 
@@ -0,0 +1,209 @@
+- key: amqp
+ title: "AMQP"
+ description: AMQP specific event fields.
+ fields:
+ - name: amqp
+ type: group
+ fields:
+ - name: reply-code
+ type: long
+ description: >
+ AMQP reply code to an error, similar to http reply-code
+ example: 404
+
+ - name: reply-text
+ type: keyword
+ description: >
+ Text explaining the error.
+
+ - name: class-id
+ type: long
+ description: >
+ Failing method class.
+
+ - name: method-id
+ type: long
+ description: >
+ Failing method ID.
+
+ - name: exchange
+ type: keyword
+ description: >
+ Name of the exchange.
+
+ - name: exchange-type
+ type: keyword
+ description: >
+ Exchange type.
+ example: fanout
+
+ - name: passive
+ type: boolean
+ description: >
+ If set, do not create exchange/queue.
+
+ - name: durable
+ type: boolean
+ description: >
+ If set, request a durable exchange/queue.
+
+ - name: exclusive
+ type: boolean
+ description: >
+ If set, request an exclusive queue.
+
+ - name: auto-delete
+ type: boolean
+ description: >
+ If set, auto-delete queue when unused.
+
+ - name: no-wait
+ type: boolean
+ description: >
+ If set, the server will not respond to the method.
+
+ - name: consumer-tag
+ description: >
+ Identifier for the consumer, valid within the current channel.
+
+ - name: delivery-tag
+ type: long
+ description: >
+ The server-assigned and channel-specific delivery tag.
+
+ - name: message-count
+ type: long
+ description: >
+ The number of messages in the queue, which will be zero for
+ newly-declared queues.
+
+ - name: consumer-count
+ type: long
+ description: >
+ The number of consumers of a queue.
+
+ - name: routing-key
+ type: keyword
+ description: >
+ Message routing key.
+
+ - name: no-ack
+ type: boolean
+ description: >
+ If set, the server does not expect acknowledgements for messages.
+
+ - name: no-local
+ type: boolean
+ description: >
+ If set, the server will not send messages to the connection that
+ published them.
+
+ - name: if-unused
+ type: boolean
+ description: >
+ Delete only if unused.
+
+ - name: if-empty
+ type: boolean
+ description: >
+ Delete only if empty.
+
+ - name: queue
+ type: keyword
+ description: >
+ The queue name identifies the queue within the vhost.
+
+ - name: redelivered
+ type: boolean
+ description: >
+ Indicates that the message has been previously delivered to this
+ or another client.
+
+ - name: multiple
+ type: boolean
+ description: >
+ Acknowledge multiple messages.
+
+ - name: arguments
+ type: dict
+ description: >
+ Optional additional arguments passed to some methods. Can be of
+ various types.
+
+ - name: mandatory
+ type: boolean
+ description: >
+ Indicates mandatory routing.
+
+ - name: immediate
+ type: boolean
+ description: >
+ Request immediate delivery.
+
+ - name: content-type
+ type: keyword
+ description: >
+ MIME content type.
+ example: text/plain
+
+ - name: content-encoding
+ type: keyword
+ description: >
+ MIME content encoding.
+
+ - name: headers
+ type: dict
+ dict-type: keyword
+ description: >
+ Message header field table.
+
+ - name: delivery-mode
+ type: keyword
+ description: >
+ Non-persistent (1) or persistent (2).
+
+ - name: priority
+ type: long
+ description: >
+ Message priority, 0 to 9.
+
+ - name: correlation-id
+ type: keyword
+ description: >
+ Application correlation identifier.
+
+ - name: reply-to
+ type: keyword
+ description: >
+ Address to reply to.
+
+ - name: expiration
+ type: keyword
+ description: >
+ Message expiration specification.
+
+ - name: message-id
+ type: keyword
+ description: >
+ Application message identifier.
+
+ - name: timestamp
+ type: keyword
+ description: >
+ Message timestamp.
+
+ - name: type
+ type: keyword
+ description: >
+ Message type name.
+
+ - name: user-id
+ type: keyword
+ description: >
+ Creating user id.
+
+ - name: app-id
+ type: keyword
+ description: >
+ Creating application id.
+
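Review bot: `consumer-tag` is the only AMQP field in this hunk declared without a `type`, so its mapping depends on whatever default the template generator applies; add `type: keyword` under `- name: consumer-tag` to match `routing-key` and `queue`. Separately, `headers` and `arguments` are application-supplied tables that are indexed as captured and can carry tokens or other credentials. Unlike the HTTP `headers` description in this same patch, nothing here says whether capture is configurable, so a sentence such as `Values are indexed as sent and may contain sensitive data.` in both descriptions would help operators decide on retention and access control for the index.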
diff --git a/packetbeat/protos/cassandra/_meta/fields.yml b/packetbeat/protos/cassandra/_meta/fields.yml
new file mode 100644
index 00000000000..f92e310f454
--- /dev/null
+++ b/packetbeat/protos/cassandra/_meta/fields.yml
@@ -0,0 +1,310 @@
+- key: cassandra
+ title: "Cassandra"
+ description: Cassandra v4/3 specific event fields.
+ fields:
+ - name: cassandra
+ type: group
+ description: Information about the Cassandra request and response.
+ fields:
+ - name: request
+ type: group
+ description: Cassandra request.
+ fields:
+ - name: headers
+ type: group
+ description: Cassandra request headers.
+ fields:
+ - name: version
+ type: long
+ description: The version of the protocol.
+ - name: flags
+ type: keyword
+ description: Flags applying to this frame.
+ - name: stream
+ type: keyword
+ description: A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X.
+ - name: op
+ type: keyword
+ description: An operation type that distinguishes the actual message.
+ - name: length
+ type: long
+ description: A integer representing the length of the body of the frame (a frame is limited to 256MB in length).
+ - name: query
+ type: keyword
+ description: The CQL query which client send to cassandra.
+
+ - name: response
+ type: group
+ description: Cassandra response.
+ fields:
+ - name: headers
+ type: group
+ description: Cassandra response headers, the structure is as same as request's header.
+ fields:
+ - name: version
+ type: long
+ description: The version of the protocol.
+ - name: flags
+ type: keyword
+ description: Flags applying to this frame.
+ - name: stream
+ type: keyword
+ description: A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X.
+ - name: op
+ type: keyword
+ description: An operation type that distinguishes the actual message.
+ - name: length
+ type: long
+ description: A integer representing the length of the body of the frame (a frame is limited to 256MB in length).
+
+
+ - name: result
+ type: group
+ description: Details about the returned result.
+ fields:
+ - name: type
+ type: keyword
+ description: Cassandra result type.
+ - name: rows
+ type: group
+ description: Details about the rows.
+ fields:
+ - name: num_rows
+ type: long
+ description: Representing the number of rows present in this result.
+ - name: meta
+ type: group
+ description: Composed of result metadata.
+ fields:
+ - name: keyspace
+ type: keyword
+ description: Only present after set Global_tables_spec, the keyspace name.
+ - name: table
+ type: keyword
+ description: Only present after set Global_tables_spec, the table name.
+ - name: flags
+ type: keyword
+ description: Provides information on the formatting of the remaining information.
+ - name: col_count
+ type: long
+ description: Representing the number of columns selected by the query that produced this result.
+ - name: pkey_columns
+ type: long
+ description: Representing the PK columns index and counts.
+ - name: paging_state
+ type: keyword
+ description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.
+ - name: keyspace
+ type: keyword
+ description: Indicating the name of the keyspace that has been set.
+ - name: schema_change
+ type: group
+ description: The result to a schema_change message.
+ fields:
+ - name: change
+ type: keyword
+ description: Representing the type of changed involved.
+ - name: keyspace
+ type: keyword
+ description: This describes which keyspace has changed.
+ - name: table
+ type: keyword
+ description: This describes which table has changed.
+ - name: object
+ type: keyword
+ description: This describes the name of said affected object (either the table, user type, function, or aggregate name).
+ - name: target
+ type: keyword
+ description: Target could be "FUNCTION" or "AGGREGATE", multiple arguments.
+ - name: name
+ type: keyword
+ description: The function/aggregate name.
+ - name: args
+ type: keyword
+ description: One string for each argument type (as CQL type).
+ - name: prepared
+ type: group
+ description: The result to a PREPARE message.
+ fields:
+ - name: prepared_id
+ type: keyword
+ description: Representing the prepared query ID.
+ - name: req_meta
+ type: group
+ description: This describes the request metadata.
+ fields:
+ - name: keyspace
+ type: keyword
+ description: Only present after set Global_tables_spec, the keyspace name.
+ - name: table
+ type: keyword
+ description: Only present after set Global_tables_spec, the table name.
+ - name: flags
+ type: keyword
+ description: Provides information on the formatting of the remaining information.
+ - name: col_count
+ type: long
+ description: Representing the number of columns selected by the query that produced this result.
+ - name: pkey_columns
+ type: long
+ description: Representing the PK columns index and counts.
+ - name: paging_state
+ type: keyword
+ description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.
+ - name: resp_meta
+ type: group
+ description: This describes the metadata for the result set.
+ fields:
+ - name: keyspace
+ type: keyword
+ description: Only present after set Global_tables_spec, the keyspace name.
+ - name: table
+ type: keyword
+ description: Only present after set Global_tables_spec, the table name.
+ - name: flags
+ type: keyword
+ description: Provides information on the formatting of the remaining information.
+ - name: col_count
+ type: long
+ description: Representing the number of columns selected by the query that produced this result.
+ - name: pkey_columns
+ type: long
+ description: Representing the PK columns index and counts.
+ - name: paging_state
+ type: keyword
+ description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.
+
+ - name: supported
+ type: dict
+ dict-type: keyword
+ description: Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message.
+
+ - name: authentication
+ type: group
+ description: Indicates that the server requires authentication, and which authentication mechanism to use.
+ fields:
+ - name: class
+ type: keyword
+ description: Indicates the full class name of the IAuthenticator in use
+
+
+ - name: warnings
+ type: keyword
+ description: The text of the warnings, only occur when Warning flag was set.
+
+ - name: event
+ type: group
+ description: Event pushed by the server. A client will only receive events for the types it has REGISTERed to.
+ fields:
+ - name: type
+ type: keyword
+ description: Representing the event type.
+ - name: change
+ type: keyword
+ description: The message corresponding respectively to the type of change followed by the address of the new/removed node.
+ - name: host
+ type: keyword
+ description: Representing the node ip.
+ - name: host
+ type: keyword
+ description: Representing the node port.
+ - name: schema_change
+ type: group
+ description: The events details related to schema change.
+ fields:
+ - name: change
+ type: keyword
+ description: Representing the type of changed involved.
+ - name: keyspace
+ type: keyword
+ description: This describes which keyspace has changed.
+ - name: table
+ type: keyword
+ description: This describes which table has changed.
+ - name: object
+ type: keyword
+ description: This describes the name of said affected object (either the table, user type, function, or aggregate name).
+ - name: target
+ type: keyword
+ description: Target could be "FUNCTION" or "AGGREGATE", multiple arguments.
+ - name: name
+ type: keyword
+ description: The function/aggregate name.
+ - name: args
+ type: keyword
+ description: One string for each argument type (as CQL type).
+
+
+ - name: error
+ type: group
+ description: Indicates an error processing a request. The body of the message will be an error code followed by a error message. Then, depending on the exception, more content may follow.
+ fields:
+ - name: code
+ type: long
+ description: The error code of the Cassandra response.
+
+ - name: msg
+ type: keyword
+ description: The error message of the Cassandra response.
+
+ - name: type
+ type: keyword
+ description: The error type of the Cassandra response.
+
+ - name: details
+ type: group
+ description: The details of the error.
+ fields:
+ - name: read_consistency
+ type: keyword
+ description: Representing the consistency level of the query that triggered the exception.
+
+ - name: required
+ type: long
+ description: Representing the number of nodes that should be alive to respect consistency level.
+
+ - name: alive
+ type: long
+ description: Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered).
+
+ - name: received
+ type: long
+ description: Representing the number of nodes having acknowledged the request.
+
+ - name: blockfor
+ type: long
+ description: Representing the number of replicas whose acknowledgement is required to achieve consistency level.
+
+ - name: write_type
+ type: keyword
+ description: Describe the type of the write that timed out.
+
+ - name: data_present
+ type: boolean
+ description: It means the replica that was asked for data had responded.
+
+ - name: keyspace
+ type: keyword
+ description: The keyspace of the failed function.
+
+ - name: table
+ type: keyword
+ description: The keyspace of the failed function.
+
+ - name: stmt_id
+ type: keyword
+ description: Representing the unknown ID.
+
+ - name: num_failures
+ type: keyword
+ description: Representing the number of nodes that experience a failure while executing the request.
+
+ - name: function
+ type: keyword
+ description: The name of the failed function.
+
+ - name: arg_types
+ type: keyword
+ description: One string for each argument type (as CQL type) of the failed function.
+
+
diff --git a/packetbeat/protos/dns/_meta/fields.yml b/packetbeat/protos/dns/_meta/fields.yml
new file mode 100644
index 00000000000..4f14a8ab890
--- /dev/null
+++ b/packetbeat/protos/dns/_meta/fields.yml
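Review bot: Under `event`, two consecutive entries are both named `host`, one described as the node ip and the next as the node port, so the second definition collides with the first and the port gets no field of its own. The second entry should presumably be `- name: port`, with `type: long` if the decoder emits a number, which this hunk does not show. In `error.details`, `table` repeats the description of `keyspace` and should read `The table of the failed function.`. `num_failures` is described as a count but typed `keyword`, while the neighbouring counts `required`, `alive`, `received` and `blockfor` are `long`; `type: long` would keep range queries and aggregations on failure counts working.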
@@ -0,0 +1,209 @@
+- key: dns
+ title: "DNS"
+ description: DNS-specific event fields.
+ fields:
+ - name: dns
+ type: group
+ fields:
+ - name: id
+ type: long
+ description: >
+ The DNS packet identifier assigned by the program that generated the
+ query. The identifier is copied to the response.
+
+ - name: op_code
+ description: >
+ The DNS operation code that specifies the kind of query in the message.
+ This value is set by the originator of a query and copied into the
+ response.
+ example: QUERY
+
+ - name: flags.authoritative
+ type: boolean
+ description: >
+ A DNS flag specifying that the responding server is an authority for
+ the domain name used in the question.
+
+ - name: flags.recursion_available
+ type: boolean
+ description: >
+ A DNS flag specifying whether recursive query support is available in the
+ name server.
+
+ - name: flags.recursion_desired
+ type: boolean
+ description: >
+ A DNS flag specifying that the client directs the server to pursue a
+ query recursively. Recursive query support is optional.
+
+ - name: flags.authentic_data
+ type: boolean
+ description: >
+ A DNS flag specifying that the recursive server considers the response
+ authentic.
+
+ - name: flags.checking_disabled
+ type: boolean
+ description: >
+ A DNS flag specifying that the client disables the server
+ signature validation of the query.
+
+ - name: flags.truncated_response
+ type: boolean
+ description: >
+ A DNS flag specifying that only the first 512 bytes of the reply were
+ returned.
+
+ - name: response_code
+ description: The DNS status code.
+ example: NOERROR
+
+ - name: question.name
+ description: >
+ The domain name being queried. If the name field contains non-printable
+ characters (below 32 or above 126), then those characters are represented
+ as escaped base 10 integers (\DDD). Back slashes and quotes are escaped.
+ Tabs, carriage returns, and line feeds are converted to \t, \r, and
+ \n respectively.
+ example: www.google.com.
+
+ - name: question.type
+ description: The type of records being queried.
+ example: AAAA
+
+ - name: question.class
+ description: The class of of records being queried.
+ example: IN
+
+ - name: question.etld_plus_one
+ description: The effective top-level domain (eTLD) plus one more label.
+ For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.".
+ The data for determining the eTLD comes from an embedded copy of the
+ data from http://publicsuffix.org.
+ example: amazon.co.uk.
+
+ - name: answers_count
+ type: long
+ description: >
+ The number of resource records contained in the `dns.answers` field.
+
+ - name: answers.name
+ description: The domain name to which this resource record pertains.
+ example: example.com.
+
+ - name: answers.type
+ description: The type of data contained in this resource record.
+ example: MX
+
+ - name: answers.class
+ description: The class of DNS data contained in this resource record.
+ example: IN
+
+ - name: answers.ttl
+ description: >
+ The time interval in seconds that this resource record may be cached
+ before it should be discarded. Zero values mean that the data should
+ not be cached.
+ type: long
+
+ - name: answers.data
+ description: >
+ The data describing the resource. The meaning of this data depends
+ on the type and class of the resource record.
+
+ - name: authorities
+ type: dict
+ description: >
+ An array containing a dictionary for each authority section from the
+ answer.
+
+ - name: authorities_count
+ type: long
+ description: >
+ The number of resource records contained in the `dns.authorities` field.
+ The `dns.authorities` field may or may not be included depending on the
+ configuration of Packetbeat.
+
+ - name: authorities.name
+ description: The domain name to which this resource record pertains.
+ example: example.com.
+
+ - name: authorities.type
+ description: The type of data contained in this resource record.
+ example: NS
+
+ - name: authorities.class
+ description: The class of DNS data contained in this resource record.
+ example: IN
+
+ - name: answers
+ type: dict
+ description: >
+ An array containing a dictionary about each answer section returned by
+ the server.
+
+ - name: answers.ttl
+ description: >
+ The time interval in seconds that this resource record may be cached
+ before it should be discarded. Zero values mean that the data should
+ not be cached.
+ type: long
+
+ - name: answers.data
+ description: >
+ The data describing the resource. The meaning of this data depends
+ on the type and class of the resource record.
+
+ - name: additionals
+ type: dict
+ description: >
+ An array containing a dictionary for each additional section from the
+ answer.
+
+ - name: additionals_count
+ type: long
+ description: >
+ The number of resource records contained in the `dns.additionals` field.
+ The `dns.additionals` field may or may not be included depending on the
+ configuration of Packetbeat.
+
+ - name: additionals.name
+ description: The domain name to which this resource record pertains.
+ example: example.com.
+
+ - name: additionals.type
+ description: The type of data contained in this resource record.
+ example: NS
+
+ - name: additionals.class
+ description: The class of DNS data contained in this resource record.
+ example: IN
+
+ - name: additionals.ttl
+ description: >
+ The time interval in seconds that this resource record may be cached
+ before it should be discarded. Zero values mean that the data should
+ not be cached.
+ type: long
+
+ - name: additionals.data
+ description: >
+ The data describing the resource. The meaning of this data depends
+ on the type and class of the resource record.
+
+ - name: opt.version
+ description: The EDNS version.
+ example: "0"
+
+ - name: opt.do
+ type: boolean
+ description: If set, the transaction uses DNSSEC.
+
+ - name: opt.ext_rcode
+ description: Extended response code field.
+ example: "BADVERS"
+
+ - name: opt.udp_size
+ type: long
+ description: Requestor's UDP payload size (in bytes).
+
diff --git a/packetbeat/protos/http/_meta/fields.yml b/packetbeat/protos/http/_meta/fields.yml
new file mode 100644
index 00000000000..9310bd27de2
--- /dev/null
+++ b/packetbeat/protos/http/_meta/fields.yml
@@ -0,0 +1,51 @@
+- key: http
+ title: "HTTP"
+ description: HTTP-specific event fields.
+ fields:
+ - name: http
+ type: group
+ description: Information about the HTTP request and response.
+ fields:
+ - name: request
+ description: HTTP request
+ type: group
+ fields:
+ - name: params
+ description: >
+ The query parameters or form values. The query parameters are available in the Request-URI
+ and the form values are set in the HTTP body when the content-type is set to `x-www-form-urlencoded`.
+ - name: headers
+ type: dict
+ dict-type: keyword
+ description: >
+ A map containing the captured header fields from the request.
+ Which headers to capture is configurable. If headers with the same
+ header name are present in the message, they will be separated by
+ commas.
+ - name: body
+ type: text
+ description: The body of the HTTP request.
+
+ - name: response
+ description: HTTP response
+ type: group
+ fields:
+ - name: code
+ description: The HTTP status code.
+ example: 404
+
+ - name: phrase
+ description: The HTTP status phrase.
+ example: Not found.
+
+ - name: headers
+ type: dict
+ dict-type: keyword
+ description: >
+ A map containing the captured header fields from the response.
+ Which headers to capture is configurable. If headers with the
+ same header name are present in the message, they will be separated
+ by commas.
+ - name: body
+ description: The body of the HTTP response.
+
diff --git a/packetbeat/protos/icmp/_meta/fields.yml b/packetbeat/protos/icmp/_meta/fields.yml
new file mode 100644
index 00000000000..7cd4990696b
--- /dev/null
+++ b/packetbeat/protos/icmp/_meta/fields.yml
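Review bot: `answers.ttl` and `answers.data` are each defined twice in the DNS hunk, once after `answers.class` and again after the `answers` dict entry, while the `authorities` entries stop at `name`, `type` and `class` with no `ttl` or `data`. Judging by the parallel `additionals.*` block, the second pair was probably meant to be `authorities.ttl` and `authorities.data`; as written the duplicates add nothing and the authority-section TTL and data, which analysts use when reviewing resolver behaviour, go undocumented. Also `question.class` reads `The class of of records being queried.`; drop the repeated `of`.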
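Review bot: In the HTTP hunk, `response.body` has no `type` while `request.body` is declared `type: text`; the two should agree, so add `type: text` under the response `body` entry, otherwise the response body presumably falls back to the generator's default non-analyzed mapping. The `params` description also says nothing about sensitive content: query strings and form bodies routinely carry passwords and session tokens, and the description states they are captured from the Request-URI and the body. Appending `Values of parameters listed in hide_keywords are masked before indexing.` to that description would tell operators that redaction has to be configured before this field is shipped to a shared index.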
@@ -0,0 +1,38 @@
+- key: icmp
+ title: "ICMP"
+ description: >
+ ICMP specific event fields.
+ fields:
+ - name: icmp
+ type: group
+ fields:
+ - name: version
+ description: The version of the ICMP protocol.
+ possible_values:
+ - 4
+ - 6
+
+ - name: request.message
+ type: keyword
+ description: A human readable form of the request.
+
+ - name: request.type
+ type: long
+ description: The request type.
+
+ - name: request.code
+ type: long
+ description: The request code.
+
+ - name: response.message
+ type: keyword
+ description: A human readable form of the response.
+
+ - name: response.type
+ type: long
+ description: The response type.
+
+ - name: response.code
+ type: long
+ description: The response code.
+
diff --git a/packetbeat/protos/memcache/_meta/fields.yml b/packetbeat/protos/memcache/_meta/fields.yml
new file mode 100644
index 00000000000..1d42fe9e231
--- /dev/null
+++ b/packetbeat/protos/memcache/_meta/fields.yml
@@ -0,0 +1,244 @@
+- key: memcache
+ title: "Memcache"
+ description: Memcached-specific event fields
+ fields:
+ - name: memcache
+ type: group
+ fields:
+ - name: protocol_type
+ type: keyword
+ description: >
+ The memcache protocol implementation. The value can be "binary"
+ for binary-based, "text" for text-based, or "unknown" for an unknown
+ memcache protocol type.
+
+ - name: request.line
+ type: keyword
+ description: >
+ The raw command line for unknown commands ONLY.
+
+ - name: request.command
+ type: keyword
+ description: >
+ The memcache command being requested in the memcache text protocol.
+ For example "set" or "get".
+ The binary protocol opcodes are translated into memcache text protocol
+ commands.
+
+ - name: response.command
+ type: keyword
+ description: >
+ Either the text based protocol response message type
+ or the name of the originating request if binary protocol is used.
+
+ - name: request.type
+ type: keyword
+ description: >
+ The memcache command classification. This value can be "UNKNOWN", "Load",
+ "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler",
+ "Stats", "Success", "Fail", or "Auth".
+
+ - name: response.type
+ type: keyword
+ description: >
+ The memcache command classification. This value can be "UNKNOWN", "Load",
+ "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler",
+ "Stats", "Success", "Fail", or "Auth".
+ The text based protocol will employ any of these, whereas the
+ binary based protocol will mirror the request commands only (see
+ `memcache.response.status` for binary protocol).
+
+ - name: response.error_msg
+ type: keyword
+ description: >
+ The optional error message in the memcache response (text based protocol only).
+
+ - name: request.opcode
+ type: keyword
+ description: >
+ The binary protocol message opcode name.
+
+ - name: response.opcode
+ type: keyword
+ description: >
+ The binary protocol message opcode name.
+
+ - name: request.opcode_value
+ type: long
+ description: >
+ The binary protocol message opcode value.
+
+ - name: response.opcode_value
+ type: long
+ description: >
+ The binary protocol message opcode value.
+
+ - name: request.opaque
+ type: long
+ description: >
+ The binary protocol opaque header value used for correlating request
+ with response messages.
+
+ - name: response.opaque
+ type: long
+ description: >
+ The binary protocol opaque header value used for correlating request
+ with response messages.
+
+ - name: request.vbucket
+ type: long
+ description: >
+ The vbucket index sent in the binary message.
+
+ - name: response.status
+ type: keyword
+ description: >
+ The textual representation of the response error code
+ (binary protocol only).
+
+ - name: response.status_code
+ type: long
+ description: >
+ The status code value returned in the response (binary protocol only).
+
+ - name: request.keys
+ type: list
+ description: >
+ The list of keys sent in the store or load commands.
+
+ - name: response.keys
+ type: list
+ description: >
+ The list of keys returned for the load command (if present).
+
+ - name: request.count_values
+ type: long
+ description: >
+ The number of values found in the memcache request message.
+ If the command does not send any data, this field is missing.
+
+ - name: response.count_values
+ type: long
+ description: >
+ The number of values found in the memcache response message.
+ If the command does not send any data, this field is missing.
+
+ - name: request.values
+ type: list
+ description: >
+ The list of base64 encoded values sent with the request (if present).
+
+ - name: response.values
+ type: list
+ description: >
+ The list of base64 encoded values sent with the response (if present).
+
+ - name: request.bytes
+ type: long
+ format: bytes
+ description: >
+ The byte count of the values being transfered.
+
+ - name: response.bytes
+ type: long
+ format: bytes
+ description: >
+ The byte count of the values being transfered.
+
+ - name: request.delta
+ type: long
+ description: >
+ The counter increment/decrement delta value.
+
+ - name: request.initial
+ type: long
+ description: >
+ The counter increment/decrement initial value parameter (binary protocol only).
+
+ - name: request.verbosity
+ type: long
+ description: >
+ The value of the memcache "verbosity" command.
+
+ - name: request.raw_args
+ type: keyword
+ description: >
+ The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands.
+
+ - name: request.source_class
+ type: long
+ description: >
+ The source class id in 'slab reassign' command.
+
+ - name: request.dest_class
+ type: long
+ description: >
+ The destination class id in 'slab reassign' command.
+
+ - name: request.automove
+ type: keyword
+ description: >
+ The automove mode in the 'slab automove' command expressed as a string.
+ This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if
+ the value is unknown.
+
+ - name: request.flags
+ type: long
+ description: >
+ The memcache command flags sent in the request (if present).
+
+ - name: response.flags
+ type: long
+ description: >
+ The memcache message flags sent in the response (if present).
+
+ - name: request.exptime
+ type: long
+ description: >
+ The data expiry time in seconds sent with the memcache command (if present).
+ If the value is <30 days, the expiry time is relative to "now", or else it
+ is an absolute Unix time in seconds (32-bit).
+
+ - name: request.sleep_us
+ type: long
+ description: >
+ The sleep setting in microseconds for the 'lru_crawler sleep' command.
+
+ - name: response.value
+ type: long
+ description: >
+ The counter value returned by a counter operation.
+
+ - name: request.noreply
+ type: boolean
+ description: >
+ Set to true if noreply was set in the request.
+ The `memcache.response` field will be missing.
+
+ - name: request.quiet
+ type: boolean
+ description: >
+ Set to true if the binary protocol message is to be treated as a quiet message.
+
+ - name: request.cas_unique
+ type: long
+ description: >
+ The CAS (compare-and-swap) identifier if present.
+
+ - name: response.cas_unique
+ type: long
+ description: >
+ The CAS (compare-and-swap) identifier to be used with CAS-based updates
+ (if present).
+
+ - name: response.stats
+ type: list
+ description: >
+ The list of statistic values returned. Each entry is a dictionary with the
+ fields "name" and "value".
+
+ - name: response.version
+ type: keyword
+ description: >
+ The returned memcache version string.
+
diff --git a/packetbeat/protos/mongodb/_meta/fields.yml b/packetbeat/protos/mongodb/_meta/fields.yml
new file mode 100644
index 00000000000..9b6d6784103
--- /dev/null
+++ b/packetbeat/protos/mongodb/_meta/fields.yml
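Review bot: In `packetbeat/protos/memcache/_meta/fields.yml`, the descriptions of `request.values` and `response.values` present the cached payloads as "base64 encoded" without saying that base64 is only an encoding, so the index holds the cache contents in recoverable form. `request.keys` and `response.keys` carry the key names in the same way. Caches often hold session data and tokens, so I would end those descriptions with a sentence like `Values are stored as captured and may contain sensitive application data.` Separately, `request.bytes` and `response.bytes` both say "values being transfered", which should be spelled `transferred`.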
@@ -0,0 +1,104 @@
+- key: mongodb
+ title: "MongoDb"
+ description: >
+ MongoDB-specific event fields. These fields mirror closely
+ the fields for the MongoDB wire protocol. The higher level fields
+ (for example, `query` and `resource`) apply to MongoDB events as well.
+ fields:
+ - name: mongodb
+ type: group
+ fields:
+ - name: error
+ description: >
+ If the MongoDB request has resulted in an error, this field contains the
+ error message returned by the server.
+ - name: fullCollectionName
+ description: >
+ The full collection name.
+ The full collection name is the concatenation of the database name with the collection name,
+ using a dot (.) for the concatenation.
+ For example, for the database foo and the collection bar, the full collection name is foo.bar.
+ - name: numberToSkip
+ type: long
+ description: >
+ Sets the number of documents to omit - starting from the first document in the resulting dataset -
+ when returning the result of the query.
+ - name: numberToReturn
+ type: long
+ description: >
+ The requested maximum number of documents to be returned.
+ - name: numberReturned
+ type: long
+ description: >
+ The number of documents in the reply.
+ - name: startingFrom
+ description: >
+ Where in the cursor this reply is starting.
+ - name: query
+ description: >
+ A JSON document that represents the query.
+ The query will contain one or more elements, all of which must match for a document
+ to be included in the result set.
+ Possible elements include $query, $orderby, $hint, $explain, and $snapshot.
+ - name: returnFieldsSelector
+ description: >
+ A JSON document that limits the fields in the returned documents.
+ The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned,
+ and the integer value 1.
+ - name: selector
+ description: >
+ A BSON document that specifies the query for selecting the document to update or delete.
+ - name: update
+ description: >
+ A BSON document that specifies the update to be performed.
+ For information on specifying updates, see the Update Operations documentation from the MongoDB Manual.
+ - name: cursorId
+ description: >
+ The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database.
+
+ - name: rpc
+ type: group
+ description: OncRPC specific event fields.
+ fields:
+ - name: xid
+ description: RPC message transaction identifier.
+
+ - name: call_size
+ type: long
+ description: RPC call size with argument.
+
+ - name: reply_size
+ type: long
+ description: RPC reply size with argument.
+
+ - name: status
+ description: RPC message reply status.
+
+ - name: time
+ type: long
+ description: RPC message processing time.
+
+ - name: time_str
+ description: RPC message processing time in human readable form.
+
+ - name: auth_flavor
+ description: RPC authentication flavor.
+
+ - name: cred.uid
+ type: long
+ description: RPC caller's user id, in case of auth-unix.
+
+ - name: cred.gid
+ type: long
+ description: RPC caller's group id, in case of auth-unix.
+
+ - name: cred.gids
+ description: RPC caller's secondary group ids, in case of auth-unix.
+
+ - name: cred.stamp
+ type: long
+ description: Arbitrary ID which the caller machine may generate.
+
+ - name: cred.machinename
+ description: The name of the caller's machine.
+
diff --git a/packetbeat/protos/mysql/_meta/fields.yml b/packetbeat/protos/mysql/_meta/fields.yml
new file mode 100644
index 00000000000..c5ed3795679
--- /dev/null
+++ b/packetbeat/protos/mysql/_meta/fields.yml
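Review bot: The `rpc` group ("OncRPC specific event fields.") at the end of the new `packetbeat/protos/mongodb/_meta/fields.yml` is not a MongoDB field set; it looks as if it was carried along from the position it had after the mongodb block in the old combined file. The commit aims at one fields file per protocol, so leaving it here ties the `rpc.*` definitions, including `cred.uid`, `cred.gid` and `cred.machinename`, to the mongodb directory. Anyone who later drops or trims that protocol would silently lose them. It would fit better in `packetbeat/protos/nfs/_meta/fields.yml`, the only RPC-based protocol visible in this patch, or in a file of its own. Separately, `title: "MongoDb"` disagrees with the `MongoDB` spelling used in the description just below it.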
@@ -0,0 +1,47 @@
+- key: mysql
+ title: "MySQL"
+ description: >
+ MySQL-specific event fields.
+ fields:
+ - name: mysql
+ type: group
+ fields:
+ - name: iserror
+ type: boolean
+ description: >
+ If the MySQL query returns an error, this field is set to true.
+
+ - name: affected_rows
+ type: long
+ description: >
+ If the MySQL command is successful, this field contains the affected
+ number of rows of the last statement.
+
+ - name: insert_id
+ description: >
+ If the INSERT query is successful, this field contains the id of the
+ newly inserted row.
+
+ - name: num_fields
+ description: >
+ If the SELECT query is successful, this field is set to the number
+ of fields returned.
+
+ - name: num_rows
+ description: >
+ If the SELECT query is successful, this field is set to the number
+ of rows returned.
+
+ - name: query
+ description: >
+ The row mysql query as read from the transaction's request.
+
+ - name: error_code
+ type: long
+ description: >
+ The error code returned by MySQL.
+
+ - name: error_message
+ description: >
+ The error info message returned by MySQL.
+
diff --git a/packetbeat/protos/nfs/_meta/fields.yml b/packetbeat/protos/nfs/_meta/fields.yml
new file mode 100644
index 00000000000..4f4438a21cd
--- /dev/null
+++ b/packetbeat/protos/nfs/_meta/fields.yml
@@ -0,0 +1,27 @@
+- key: nfs
+ title: "NFS"
+ description: NFS v4/3 specific event fields.
+ fields:
+ - name: nfs
+ type: group
+ fields:
+ - name: version
+ type: long
+ description: NFS protocol version number.
+
+ - name: minor_version
+ type: long
+ description: NFS protocol minor version number.
+
+ - name: tag
+ description: NFS v4 COMPOUND operation tag.
+
+ - name: opcode
+ description: >
+ NFS operation name, or main operation name, in case of COMPOUND
+ calls.
+
+ - name: status
+ description: NFS operation reply status.
+
+
diff --git a/packetbeat/protos/pgsql/_meta/fields.yml b/packetbeat/protos/pgsql/_meta/fields.yml
new file mode 100644
index 00000000000..3d50e6fd129
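Review bot: In `packetbeat/protos/mysql/_meta/fields.yml`, the `query` description reads "The row mysql query" and should be `The raw mysql query as read from the transaction's request.` The same slip is in `pgsql.query` in `packetbeat/protos/pgsql/_meta/fields.yml` later in this patch, where `num_fields` and `num_rows` also say "If the SELECT query if successful". `insert_id`, `num_fields` and `num_rows` are numeric by their own descriptions but declare no type, unlike `affected_rows`, so I would add `type: long` to each. Since `query` keeps the statement text as sent, literal values inside statements, passwords included, end up in the index, and the description should say so.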
--- /dev/null
+++ b/packetbeat/protos/pgsql/_meta/fields.yml
@@ -0,0 +1,41 @@
+- key: pgsql
+ title: "PostgreSQL"
+ description: >
+ PostgreSQL-specific event fields.
+ fields:
+ - name: pgsql
+ type: group
+ fields:
+ - name: query
+ description: >
+ The row pgsql query as read from the transaction's request.
+
+ - name: iserror
+ type: boolean
+ description: >
+ If the PgSQL query returns an error, this field is set to true.
+
+ - name: error_code
+ description: The PostgreSQL error code.
+ type: long
+
+ - name: error_message
+ description: The PostgreSQL error message.
+
+ - name: error_severity
+ description: The PostgreSQL error severity.
+ possible_values:
+ - ERROR
+ - FATAL
+ - PANIC
+
+ - name: num_fields
+ description: >
+ If the SELECT query if successful, this field is set to the number
+ of fields returned.
+
+ - name: num_rows
+ description: >
+ If the SELECT query if successful, this field is set to the number
+ of rows returned.
+
diff --git a/packetbeat/protos/redis/_meta/fields.yml b/packetbeat/protos/redis/_meta/fields.yml
new file mode 100644
index 00000000000..e0dbd852ea5
--- /dev/null
+++ b/packetbeat/protos/redis/_meta/fields.yml
@@ -0,0 +1,17 @@
+- key: redis
+ title: "Redis"
+ description: >
+ Redis-specific event fields.
+ fields:
+ - name: redis
+ type: group
+ fields:
+ - name: return_value
+ description: >
+ The return value of the Redis command in a human readable format.
+
+ - name: error
+ description: >
+ If the Redis command has resulted in an error, this field contains the
+ error message returned by the Redis server.
+
diff --git a/packetbeat/protos/thrift/_meta/fields.yml b/packetbeat/protos/thrift/_meta/fields.yml
new file mode 100644
index 00000000000..56a35371cf3
--- /dev/null
+++ b/packetbeat/protos/thrift/_meta/fields.yml
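Review bot: In `packetbeat/protos/pgsql/_meta/fields.yml`, `error_code` is declared `type: long`, but PostgreSQL reports errors as five-character SQLSTATE codes that can contain letters (for example `42P01`). If the parser emits the code unchanged, a numeric mapping would reject such documents at index time; the parser is not part of this hunk, so that needs checking against the pgsql protocol code. Declaring it as `type: keyword` would accept every code. A rejected document here means the failed query itself is missing from the index, which is the event someone investigating an incident is most likely to look for.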
@@ -0,0 +1,28 @@
+- key: thrift
+ title: "Thrift-RPC"
+ description: >
+ Thrift-RPC specific event fields.
+ fields:
+ - name: thrift
+ type: group
+ fields:
+ - name: params
+ description: >
+ The RPC method call parameters in a human readable format. If the IDL
+ files are available, the parameters use names whenever possible.
+ Otherwise, the IDs from the message are used.
+
+ - name: service
+ description: >
+ The name of the Thrift-RPC service as defined in the IDL files.
+
+ - name: return_value
+ description: >
+ The value returned by the Thrift-RPC call. This is encoded in a human
+ readable format.
+
+ - name: exceptions
+ description: >
+ If the call resulted in exceptions, this field contains the exceptions in a human
+ readable format.
+