APM Span fields

edit

Span-specific data for APM.

processor.name

Processor name.

type: keyword

processor.event

Processor event.

type: keyword

timestamp.us

Timestamp of the event in microseconds since Unix epoch.

type: long

labels

A flat mapping of user-defined labels with string, boolean or number values.

type: object

Yes ECS field.

service

edit

Service fields.

service.name

Immutable name of the service emitting this event.

type: keyword

Yes ECS field.

service.version

Version of the service emitting this event.

type: keyword

Yes ECS field.

service.environment

Service environment.

type: keyword

service.node.name

Unique meaningful name of the service node.

type: keyword

Yes ECS field.

service.language.name

Name of the programming language used.

type: keyword

service.language.version

Version of the programming language used.

type: keyword

service.runtime.name

Name of the runtime used.

type: keyword

service.runtime.version

Version of the runtime used.

type: keyword

service.framework.name

Name of the framework used.

type: keyword

service.framework.version

Version of the framework used.

type: keyword

transaction.id

The transaction ID.

type: keyword

Yes ECS field.

transaction.sampled

Transactions that are sampled will include all available information. Transactions that are not sampled will not have spans or context.

type: boolean

transaction.type

Keyword of specific relevance in the service’s domain (eg. request, backgroundjob, etc)

type: keyword

transaction.name

Generic designation of a transaction in the scope of a single service (eg. GET /users/:id).

type: keyword

transaction.name.text

type: text

trace.id

The ID of the trace to which the event belongs to.

type: keyword

Yes ECS field.

parent.id

The ID of the parent event.

type: keyword

agent.name

Name of the agent used.

type: keyword

Yes ECS field.

agent.version

Version of the agent used.

type: keyword

Yes ECS field.

agent.ephemeral_id

The Ephemeral ID identifies a running process.

type: keyword

Yes ECS field.

container

edit

Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.

container.id

Unique container id.

type: keyword

Yes ECS field.

kubernetes

edit

Kubernetes metadata reported by agents

kubernetes.namespace

Kubernetes namespace

type: keyword

kubernetes.node.name

Kubernetes node name

type: keyword

kubernetes.pod.name

Kubernetes pod name

type: keyword

kubernetes.pod.uid

Kubernetes Pod UID

type: keyword

host

edit

Optional host fields.

host.architecture

The architecture of the host the event was recorded on.

type: keyword

Yes ECS field.

host.hostname

The hostname of the host the event was recorded on.

type: keyword

Yes ECS field.

host.name

Name of the host the event was recorded on. It can contain same information as host.hostname or a name specified by the user.

type: keyword

Yes ECS field.

host.ip

IP of the host that records the event.

type: ip

Yes ECS field.

The OS fields contain information about the operating system.

host.os.platform

The platform of the host the event was recorded on.

type: keyword

Yes ECS field.

process

edit

Information pertaining to the running process where the data was collected

process.args

Process arguments. May be filtered to protect sensitive information.

type: keyword

Yes ECS field.

process.pid

Numeric process ID of the service process.

type: long

Yes ECS field.

process.ppid

Numeric ID of the service’s parent process.

type: long

Yes ECS field.

process.title

Service process title.

type: keyword

Yes ECS field.

observer.listening

Address the server is listening on.

type: keyword

observer.hostname

Hostname of the APM Server.

type: keyword

Yes ECS field.

observer.version

APM Server version.

type: keyword

Yes ECS field.

observer.version_major

Major version number of the observer

type: byte

observer.type

The type will be set to apm-server.

type: keyword

Yes ECS field.

user.name

The username of the logged in user.

type: keyword

Yes ECS field.

user.id

Identifier of the logged in user.

type: keyword

Yes ECS field.

user.email

Email of the logged in user.

type: keyword

Yes ECS field.

client.ip

IP address of the client of a recorded event. This is typically obtained from a request’s X-Forwarded-For or the X-Real-IP header or falls back to a given configuration for remote address.

type: ip

Yes ECS field.

source.ip

IP address of the source of a recorded event. This is typically obtained from a request’s X-Forwarded-For or the X-Real-IP header or falls back to a given configuration for remote address.

type: ip

Yes ECS field.

destination

edit

Destination fields describe details about the destination of a packet/event. Destination fields are usually populated in conjunction with source fields.

destination.address

Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. Then it should be duplicated to .ip or .domain, depending on which one it is.

type: keyword

Yes ECS field.

destination.ip

IP addess of the destination. Can be one of multiple IPv4 or IPv6 addresses.

type: ip

Yes ECS field.

destination.port

Port of the destination.

type: long

format: string

Yes ECS field.

user_agent

edit

The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.

user_agent.original

Unparsed version of the user_agent.

type: keyword

example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1

Yes ECS field.

user_agent.original.text

Software agent acting in behalf of a user, eg. a web browser / OS combination.

type: text

user_agent.name

Name of the user agent.

type: keyword

example: Safari

Yes ECS field.

user_agent.version

Version of the user agent.

type: keyword

example: 12.0

Yes ECS field.

device

edit

Information concerning the device.

user_agent.device.name

Name of the device.

type: keyword

example: iPhone

Yes ECS field.

The OS fields contain information about the operating system.

user_agent.os.platform

Operating system platform (such centos, ubuntu, windows).

type: keyword

example: darwin

Yes ECS field.

user_agent.os.name

Operating system name, without the version.

type: keyword

example: Mac OS X

Yes ECS field.

user_agent.os.full

Operating system name, including the version or code name.

type: keyword

example: Mac OS Mojave

Yes ECS field.

user_agent.os.family

OS family (such as redhat, debian, freebsd, windows).

type: keyword

example: debian

Yes ECS field.

user_agent.os.version

Operating system version as a raw string.

type: keyword

example: 10.14.1

Yes ECS field.

user_agent.os.kernel

Operating system kernel version as a raw string.

type: keyword

example: 4.4.0-112-generic

Yes ECS field.

experimental

Additional experimental data sent by the agents.

type: object

cloud

edit

Cloud metadata reported by agents

cloud.account.id

Cloud account ID

type: keyword

Yes ECS field.

cloud.account.name

Cloud account name

type: keyword

Yes ECS field.

cloud.availability_zone

Cloud availability zone name

type: keyword

example: us-east1-a

Yes ECS field.

cloud.instance.id

Cloud instance/machine ID

type: keyword

Yes ECS field.

cloud.instance.name

Cloud instance/machine name

type: keyword

Yes ECS field.

cloud.machine.type

Cloud instance/machine type

type: keyword

example: t2.medium

Yes ECS field.

cloud.project.id

Cloud project ID

type: keyword

Yes ECS field.

cloud.project.name

Cloud project name

type: keyword

Yes ECS field.

cloud.provider

Cloud provider name

type: keyword

example: gcp

Yes ECS field.

cloud.region

Cloud region name

type: keyword

example: us-east1

Yes ECS field.

cloud.service.name

Cloud service name, intended to distinguish services running on different platforms within a provider.

type: keyword

event.outcome

event.outcome simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.

type: keyword

example: success

Yes ECS field.

child.id

The ID(s) of the child event(s).

type: keyword

span.type

Keyword of specific relevance in the service’s domain (eg: db.postgresql.query, template.erb, cache, etc).

type: keyword

span.subtype

A further sub-division of the type (e.g. postgresql, elasticsearch)

type: keyword

span.id

The ID of the span stored as hex encoded string.

type: keyword

Yes ECS field.

span.name

Generic designation of a span in the scope of a transaction.

type: keyword

span.action

The specific kind of event within the sub-type represented by the span (e.g. query, connect)

type: keyword

span.start.us

Offset relative to the transaction’s timestamp identifying the start of the span, in microseconds.

type: long

span.duration.us

Duration of the span, in microseconds.

type: long

span.sync

Indicates whether the span was executed synchronously or asynchronously.

type: boolean

span.db.link

Database link.

type: keyword

span.db.rows_affected

Number of rows affected by the database statement.

type: long

service

edit

Destination service context

span.destination.service.type

Type of the destination service (e.g. db, elasticsearch). Should typically be the same as span.type.

type: keyword

span.destination.service.name

Identifier for the destination service (e.g. http://elastic.co, elasticsearch, rabbitmq)

type: keyword

span.destination.service.resource

Identifier for the destination service resource being operated on (e.g. http://elastic.co:80, elasticsearch, rabbitmq/queue_name)

type: keyword

span.message.queue.name

Name of the message queue or topic where the message is published or received.

type: keyword

span.message.age.ms

Age of a message in milliseconds.

type: long