- Elastic Common Schema (ECS) Reference: other versions:
- Overview
- Using ECS
- ECS Field Reference
- Base Fields
- Agent Fields
- Autonomous System Fields
- Client Fields
- Cloud Fields
- Code Signature Fields
- Container Fields
- Data Stream Fields
- Destination Fields
- Device Fields
- DLL Fields
- DNS Fields
- ECS Fields
- ELF Header Fields
- Email Fields
- Error Fields
- Event Fields
- FaaS Fields
- File Fields
- Geo Fields
- Group Fields
- Hash Fields
- Host Fields
- HTTP Fields
- Interface Fields
- Log Fields
- Mach-O Header Fields
- Network Fields
- Observer Fields
- Orchestrator Fields
- Organization Fields
- Operating System Fields
- Package Fields
- PE Header Fields
- Process Fields
- Registry Fields
- Related Fields
- Risk information Fields
- Rule Fields
- Server Fields
- Service Fields
- Source Fields
- Threat Fields
- TLS Fields
- Tracing Fields
- URL Fields
- User Fields
- User agent Fields
- VLAN Fields
- Volume Fields
- Vulnerability Fields
- x509 Certificate Fields
- ECS Categorization Fields
- Migrating to ECS
- Additional Information
- Release Notes
Service Fields Usage and Examples
editService Fields Usage and Examples
editHere are the subjects covered in this page.
Field reuse
editThe service fields can be used to * describe the service for or from which the data was collected (i.e. observed service) * or to describe external services that have a direct invocation relationship to the observed service
Service fields at the Root of an Event
editUse the service fields at the root of an event to describe the service the event primarily relates to.
An example for this use case is a log entry being recorded for a particular service or appplication (e.g. MyService
):
{ "service": { "id": "d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6", "name": "MyService", "version": "1.0.0" }, ... }
Describing external services in an invocation relationship
editMultiple services can be in an invocation relationship. Where it is possible to apply distributed tracing on all the involved services describe the individual services using root-level service fields and use the tracing fields to represent the invocation relationship.
There are situations when distributed tracing cannot be applied on some external services that are in an invocation relationship to an observed service.
Let’s consider the example of a service MyService
being deployed on a cloud provider with an upstream API gateway that passes through requests to
MyService
(with additional context information about the API gateway itself).
To describe the API gateway as a service from the perspective of MyService
one can self-nest the service fields under service.origin
:
{ "service": { "id": "d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6", "name": "MyService", "version": "1.0.0", "origin": { "id": "api-gateway-46372994637e2b4567", "name": "SomeGateway", "version" "2.5.1", } }, ... }
Describes the observed service that receives the inbound request from an external service |
|
Describes the origin external service of the inbound request |
Similar to the usage of service.origin
fields the service fields can be self-nested under service.target.*
to describe an external target service for an outbound request:
{ "service": { "id": "d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6", "name": "MyService", "version": "1.0.0", "target": { "id": "sms-service-0xe6c4272dbeAf0134", "name": "ManagedSMSService", "version": "1.9.0", } }, ... }
Describes the observed service that emits the outbound request to an external service |
|
Describes the target external service of the outbound request |
Note that service.origin.*
and service.target.*
fields should only be used on events that represent an invocation relationship.
On this page