WARNING: Version 6.2 of Packetbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Common fields
These fields contain data about the environment in which the transaction or flow was captured.
server
The name of the server that served the transaction.
client_server
The name of the server that initiated the transaction.
service
The name of the logical service that served the transaction.
client_service
The name of the logical service that initiated the transaction.
ip
format: dotted notation.
The IP address of the server that served the transaction.
client_ip
format: dotted notation.
The IP address of the server that initiated the transaction.
real_ip
format: dotted notation.
If the server initiating the transaction is a proxy, this field contains the original client IP address. For HTTP, for example, this is the IP address extracted from a configurable HTTP header, by default X-Forwarded-For.
Unless this field is disabled, it always has a value, and it matches the client_ip for non-proxy clients.
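An added example, not part of the Packetbeat documentation: because real_ip is taken from a request header such as X-Forwarded-For, which any client can set, this Python check compares it with client_ip before the value is trusted. The TRUSTED_PROXIES set, the verdict labels and the sample events are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample events carrying the common fields documented on this page.
SAMPLE_EVENTS = [
    {"type": "http", "client_ip": "192.0.2.10", "real_ip": "192.0.2.10"},
    {"type": "http", "client_ip": "10.0.0.9", "real_ip": "203.0.113.7"},
    {"type": "http", "client_ip": "198.51.100.4", "real_ip": "10.0.0.1"},
    {"type": "http", "client_ip": "10.0.0.9", "real_ip": "unknown"},
    {"type": "mysql", "client_ip": "192.0.2.10"},
]

# Assumption: addresses of the reverse proxies you operate yourself.
TRUSTED_PROXIES = {"10.0.0.9"}


def _parse(value):
    """Return an ip_address object, or None if value is missing or invalid."""
    try:
        return ipaddress.ip_address(value)
    except (ValueError, TypeError):
        return None


def classify_real_ip(event, trusted_proxies=TRUSTED_PROXIES):
    """Label how far the real_ip of one event can be relied on."""
    client = _parse(event.get("client_ip"))
    if not event.get("real_ip"):
        return "absent"        # field disabled or not exported
    real = _parse(event["real_ip"])
    if real is None:
        return "malformed"     # header value is not an IP address
    if real == client:
        return "direct"        # non-proxy client: real_ip matches client_ip
    if event.get("client_ip") in trusted_proxies:
        return "proxied"       # header was set by a proxy you control
    return "unverified"        # differs, but the sender is not a known proxy


def summarize(events):
    """Return the verdict for each event, in order."""
    return [classify_real_ip(e) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, summarize(SAMPLE_EVENTS)):
        print(verdict, event)
```

Events labelled "unverified" or "malformed" are the ones where client_ip, not real_ip, is the address to rely on for attribution.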
client_geoip fields
The GeoIP information of the client.
client_geoip.location
type: geo_point
example: {lat: 51, lon: 9}
The GeoIP location of the client_ip address. This field is available only if you define a GeoIP Processor as a pipeline in the Ingest GeoIP processor plugin or using Logstash.
client_port
format: dotted notation.
The layer 4 port of the process that initiated the transaction.
transport
example: udp
The transport protocol used for the transaction. If not specified, then tcp is assumed.
type
required: True
The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
port
format: dotted notation.
The layer 4 port of the process that served the transaction.
proc
The name of the process that served the transaction.
client_proc
The name of the process that initiated the transaction.
release
The software release of the service serving the transaction. This can be the commit id or a semantic version.