Log file content fields

Contains log file lines.

source

type: keyword

required: True

The file from which the line was read. This field contains the absolute path to the file. For example: /var/log/system.log.

offset

type: long

required: False

The file offset the reported line starts at.

message

type: text

required: True

The content of the line read from the log file.

stream

type: keyword

required: False

The log stream when reading container logs; can be stdout or stderr.

prospector.type

required: True

The input type from which the event was generated. This field is set to the value specified for the type option in the input section of the Filebeat config file. (DEPRECATED: see input.type)

input.type

required: True

The input type from which the event was generated. This field is set to the value specified for the type option in the input section of the Filebeat config file.

read_timestamp

In case the ingest pipeline parses the timestamp from the log contents, it stores the original @timestamp (representing the time when the log line was read) in this field.

fileset.module

The Filebeat module that generated this event.

fileset.name

The Filebeat fileset that generated this event.

syslog.facility

type: long

required: False

The facility extracted from the priority.

syslog.priority

type: long

required: False

The priority of the syslog event.

syslog.severity_label

type: keyword

required: False

The human readable severity.

syslog.facility_label

type: keyword

required: False

The human readable facility.

process.program

type: keyword

required: False

The name of the program.

process.pid

type: long

required: False

The PID of the process.
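The syslog.* fields above are derived from the PRI header of a syslog line (facility and severity are packed into one priority number), and process.program / process.pid come from the TAG portion of the same line. The following added example, which is not part of the Filebeat documentation or its source, decodes a constructed RFC 3164 line into those fields. The label strings for facilities and severities follow the RFC 3164 tables and are an assumption about the exact wording Filebeat emits; the regexes and sample lines are constructed for illustration.

```python
import re

# RFC 3164 facility codes 0..23 (the strings are assumed, taken from the RFC table).
FACILITY_LABELS = [
    "kernel", "user-level", "mail", "system", "security/authorization",
    "syslogd", "line printer", "network news", "UUCP", "clock",
    "security/authorization", "FTP", "NTP", "log audit", "log alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# RFC 3164 severity codes 0..7 (strings assumed from the RFC table).
SEVERITY_LABELS = [
    "Emergency", "Alert", "Critical", "Error",
    "Warning", "Notice", "Informational", "Debug",
]

# "<PRI>" header followed by the remainder of the line.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.DOTALL)
# TIMESTAMP HOSTNAME TAG[PID]: MSG  (BSD-style header; PID is optional).
TAG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$",
    re.DOTALL,
)


def decode_priority(pri):
    """Split a PRI value into facility and severity with their labels.

    PRI = facility * 8 + severity, so the valid range is 0..191
    (facility 23, severity 7). Anything else is rejected rather than
    silently mapped, so a malformed header is visible in the pipeline.
    """
    if not 0 <= pri <= 191:
        raise ValueError(f"syslog priority out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return {
        "syslog.priority": pri,
        "syslog.facility": facility,
        "syslog.facility_label": FACILITY_LABELS[facility],
        "syslog.severity": severity,
        "syslog.severity_label": SEVERITY_LABELS[severity],
    }


def parse_syslog_line(line):
    """Map one raw syslog line to the Filebeat-style field names on this page."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line has no <PRI> header")
    fields = decode_priority(int(m.group("pri")))
    rest = m.group("rest")
    t = TAG_RE.match(rest)
    if t:
        # Header parsed: program and optional PID come from the TAG.
        fields["process.program"] = t.group("program")
        if t.group("pid") is not None:
            fields["process.pid"] = int(t.group("pid"))
        fields["message"] = t.group("msg")
    else:
        # No recognisable header (RFC 3164 allows this): keep the whole
        # remainder as the message so nothing is lost.
        fields["message"] = rest
    return fields


# Constructed sample lines, modelled on the RFC 3164 examples.
SAMPLE_WITH_TAG = "<34>Oct 11 22:14:15 mymachine su[123]: 'su root' failed for lonvick on /dev/pts/8"
SAMPLE_NO_TAG = "<13>Feb  5 17:32:18 10.0.0.99 Use the BFG!"

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_TAG, SAMPLE_NO_TAG):
        for key, value in sorted(parse_syslog_line(sample).items()):
            print(f"{key}: {value}")
        print()
```

The second sample shows why the fallback branch matters: a line with a valid PRI but no TAG still yields the facility and severity fields, while the message is preserved verbatim instead of being discarded by a strict parser.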

event.severity

type: long

required: False

The severity of the event.

service.name

type: keyword

Service name.

log.level

type: keyword

Logging level.

event.created

type: date

event.created contains the date on which the event was created. For log events this is when the log line was read by Filebeat, whereas @timestamp is the timestamp parsed from the log line. If both are identical, only @timestamp should be used.

http.response.status_code

type: long

example: 404

HTTP response status code.

http.response.elapsed_time

type: long

Elapsed time between request and response in milliseconds.

http.response.content_length

type: long

Content length of the HTTP response body.

http.request.method

type: keyword

Request method.