Process Fields


These fields contain information about a process.

These fields can help you correlate metrics information with a process ID or name from a log message. The process.pid often stays in the metric itself and is copied to the global field for correlation.

Process Field Details

Field Description Level

process.args

Array of process arguments.

May be filtered to protect sensitive information.

type: keyword

example: ['ssh', '-l', 'user', '10.0.0.16']

extended

process.executable

Absolute path to the process executable.

type: keyword

example: /usr/bin/ssh

extended

process.name

Process name.

Sometimes called program name or similar.

type: keyword

example: ssh

extended

process.pgid

Identifier of the group of processes the process belongs to.

type: long

extended

process.pid

Process id.

type: long

example: 4242

core

process.ppid

Parent process' pid.

type: long

example: 4241

extended

process.start

The time the process started.

type: date

example: 2016-05-23T08:05:34.853Z

extended

process.thread.id

Thread ID.

type: long

example: 4242

extended

process.thread.name

Thread name.

type: keyword

example: thread-0

extended

process.title

Process title.

The proctitle, sometimes the same as the process name. It can also be different: for example, a browser setting its title to the web page currently opened.

type: keyword

extended

process.uptime

Seconds the process has been up.

type: long

example: 1325

extended

process.working_directory

The working directory of the process.

type: keyword

example: /home/alice

extended
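
The following is an added example, not part of the original schema documentation. It maps a raw process record to the process.* fields above, masks secrets in process.args before indexing, and joins metric and log events on process.pid. The collector record layout, the backup-agent program, the SENSITIVE_FLAGS list, the cpu_pct key and the choice to derive process.name from the executable's basename are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Flags whose values are masked; an assumed list for this example.
SENSITIVE_FLAGS = {"--password", "--token"}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def filter_args(args):
    """Mask secrets given as '--flag value' or '--flag=value'."""
    out, mask_next = [], False
    for arg in args:
        flag, sep, _ = arg.partition("=")
        if mask_next:
            out.append("[REDACTED]")
            mask_next = False
        elif sep and flag in SENSITIVE_FLAGS:
            out.append(flag + "=[REDACTED]")
        else:
            out.append(arg)
            mask_next = arg in SENSITIVE_FLAGS
    return out

def to_ecs_process(raw, now):
    """Map a raw record (hypothetical collector output) to process.* fields."""
    start = EPOCH + timedelta(milliseconds=raw["start_ms"])
    stamp = start.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    return {"process": {
        "pid": raw["pid"],
        "ppid": raw["ppid"],
        "name": raw["exe"].rsplit("/", 1)[-1],  # basename, this example's choice
        "executable": raw["exe"],
        "args": filter_args(raw["argv"]),
        "working_directory": raw["cwd"],
        "start": stamp,
        "uptime": int((now - start).total_seconds()),
    }}

def correlate(metrics, logs):
    """Pair each metric event with the log events sharing its process.pid."""
    by_pid = {}
    for log in logs:
        by_pid.setdefault(log["process"]["pid"], []).append(log)
    return [(m, l) for m in metrics for l in by_pid.get(m["process"]["pid"], [])]

# Constructed sample input for a hypothetical program, not from a real host.
RAW = {"pid": 4242, "ppid": 4241, "exe": "/opt/app/bin/backup-agent",
       "cwd": "/home/alice", "start_ms": 1463990734853,
       "argv": ["backup-agent", "--host", "10.0.0.16",
                "--token", "s3cr3t", "--password=hunter2"]}
NOW = datetime(2016, 5, 23, 8, 27, 39, 853000, tzinfo=timezone.utc)
```

Masking at the collector keeps the secret out of the index entirely, while process.pid and process.start remain available for correlation.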

Field Reuse

Field sets that can be nested under Process
Nested fields Description

process.hash.*

Hashes, usually file hashes.