Logs Explorer fields

This section lists the required fields the Logs Explorer uses to display data. Please note that some of the fields listed are not ECS fields.
- @timestamp
  Date/time when the event originated.
  This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
  type: date
  required: True
  ECS field: True
  example: May 27, 2020 @ 15:22:27.982

- _doc
  This field is used to break ties between two entries with the same timestamp.
  required: True
  ECS field: False

- container.id
  Unique container id.
  type: keyword
  required: True
  ECS field: True
  example: data

- event.dataset
  Name of the dataset.
  If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
  It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
  type: keyword
  required: True, if you want to use the machine learning features.
  ECS field: True
  example: apache.access

- host.hostname
  Name of the host.
  It normally contains what the `hostname` command returns on the host machine.
  type: keyword
  required: True, if you want to enable and use the View in Context feature.
  ECS field: True
  example: Elastic.local

- host.name
  Name of the host.
  It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
  type: keyword
  required: True
  ECS field: True
  example: MacBook-Elastic.local

- kubernetes.pod.uid
  Kubernetes Pod UID.
  type: keyword
  required: True
  ECS field: False
  example: 8454328b-673d-11ea-7d80-21010a840123

- log.file.path
  Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
  If the event wasn't read from a log file, do not populate this field.
  type: keyword
  required: True, if you want to use the View in Context feature.
  ECS field: True
  example: /var/log/demo.log

- message
  For log events the message field contains the log message, optimized for viewing in a log viewer.
  For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
  If multiple messages exist, they can be combined into one message.
  type: text
  required: True
  ECS field: True
  example: Hello World
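A small pre-ingest check that validates a log document against the requirement table above, as an added example (not Elastic's own code). It assumes a `features` argument naming the optional features you intend to use ("ml" for machine learning, "context" for View in Context), and treats `_doc` as the index-internal tiebreaker rather than a key the shipper writes into the document.

```python
import json
from datetime import datetime

# Requirements transcribed from the table above: field -> (type, needed_for).
# needed_for is "always", "ml" (machine learning) or "context" (View in Context).
# _doc is omitted on the assumption that it is an index-internal sort key.
REQUIREMENTS = {
    "@timestamp":         ("date",    "always"),
    "container.id":       ("keyword", "always"),
    "event.dataset":      ("keyword", "ml"),
    "host.hostname":      ("keyword", "context"),
    "host.name":          ("keyword", "always"),
    "kubernetes.pod.uid": ("keyword", "always"),
    "log.file.path":      ("keyword", "context"),
    "message":            ("text",    "always"),
}

def lookup(doc, dotted):
    """Resolve 'a.b.c' whether the document is nested or uses dotted keys."""
    if dotted in doc:
        return doc[dotted]
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def type_ok(value, es_type):
    """Date fields must parse as ISO 8601; keyword/text must be non-empty str."""
    if es_type == "date":
        try:
            datetime.fromisoformat(str(value).replace("Z", "+00:00"))
            return True
        except ValueError:
            return False
    return isinstance(value, str) and value != ""

def check_log_event(doc, features=()):
    """Return sorted 'missing:<field>' / 'type:<field>' problems for doc."""
    problems = []
    for field, (es_type, needed_for) in REQUIREMENTS.items():
        value = lookup(doc, field)
        if value is None:
            if needed_for == "always" or needed_for in features:
                problems.append(f"missing:{field}")
        elif not type_ok(value, es_type):
            problems.append(f"type:{field}")
    return sorted(problems)

# Constructed sample event (not from the docs), in the nested form a shipper emits.
SAMPLE_EVENT = json.loads('{"@timestamp": "2020-05-27T15:22:27.982Z", '
    '"message": "GET /index.html 200", "host": {"name": "MacBook-Elastic.local"}, '
    '"container": {"id": "data"}, "log": {"file": {"path": "/var/log/demo.log"}}, '
    '"kubernetes": {"pod": {"uid": "8454328b-673d-11ea-7d80-21010a840123"}}}')

if __name__ == "__main__":
    print(check_log_event(SAMPLE_EVENT))                              # []
    print(check_log_event(SAMPLE_EVENT, features=("ml", "context")))
```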