HTTP Fields

edit

Fields related to HTTP activity. Use the url field set to store the url of the request.

HTTP Field Details

edit
Field Description Level

http.request.body.bytes

Size in bytes of the request body.

type: long

example: 887

extended

http.request.body.content

[beta] Use of wildcard as the primary type and match_only_type as the .text multi-field type are both currently beta.

The full HTTP request body.

type: wildcard

Multi-fields:

* http.request.body.content.text (type: match_only_text)

example: Hello world

extended

http.request.bytes

Total size in bytes of the request (body and headers).

type: long

example: 1437

extended

http.request.id

A unique identifier for each HTTP request to correlate logs between clients and servers in transactions.

The id may be contained in a non-standard HTTP header, such as X-Request-ID or X-Correlation-ID.

type: keyword

example: 123e4567-e89b-12d3-a456-426614174000

extended

http.request.method

HTTP request method.

Prior to ECS 1.6.0 the following guidance was provided:

"The field value must be normalized to lowercase for querying."

As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0

type: keyword

example: GET, POST, PUT, PoST

extended

http.request.mime_type

Mime type of the body of the request.

This value must only be populated based on the content of the request body, not on the Content-Type header. Comparing the mime type of a request with the request’s Content-Type header can be helpful in detecting threats or misconfigured clients.

type: keyword

example: image/gif

extended

http.request.referrer

Referrer for this HTTP request.

type: keyword

example: https://blog.example.com/

extended

http.response.body.bytes

Size in bytes of the response body.

type: long

example: 887

extended

http.response.body.content

[beta] Use of wildcard as the primary type and match_only_type as the .text multi-field type are both currently beta.

The full HTTP response body.

type: wildcard

Multi-fields:

* http.response.body.content.text (type: match_only_text)

example: Hello world

extended

http.response.bytes

Total size in bytes of the response (body and headers).

type: long

example: 1437

extended

http.response.mime_type

Mime type of the body of the response.

This value must only be populated based on the content of the response body, not on the Content-Type header. Comparing the mime type of a response with the response’s Content-Type header can be helpful in detecting misconfigured servers.

type: keyword

example: image/gif

extended

http.response.status_code

HTTP response status code.

type: long

example: 404

extended

http.version

HTTP version.

type: keyword

example: 1.1

extended