The Search AI Company

Build tailored experiences with Elastic.

Elastic Search AI Platform overview

Scale your business with Elastic Partners

Partner overview

ELK Stack

Search and analytics, data ingestion, and visualization – all at your fingertips.

ELK Stack overview

By developers, for developers

Elastic Cloud

Unlock the power of real-time insights with Elastic on your preferred cloud provider.

Elastic Cloud overview

Generative AI

Prototype and integrate with LLMs faster using search AI.

Generative AI overview

Search

Discover a world of AI possibilities — built with the power of search.

Search Labs

Search overview

Security

Protect, investigate, and respond to cyber threats with AI-driven security analytics.

Security Labs

Security overview

Observability

Unify app and infrastructure visibility to proactively resolve issues.

Observability Labs

Observability overview

By solution

See how customers search, solve, and succeed — all on one Search AI Platform.

All customer stories

Industries

Exceed customer expectations and go to market faster.

Industries overview

Customer spotlight

Cisco saves 5,000 support engineer hours per month

Sitecore automates 96 percent of security workflows with Elastic

Comcast transforms customer experiences with Elastic Observability

Research

Stay at the forefront of innovation with technical tips from the experts.

Build

Code with other developers to create a better Elastic, together.

Learn

Unleash the possibilities of your data and grow your skill set.

Connect

Keep informed about the latest tech and news from Elastic.

Have questions?

New

The executive guide to generative AI

About us Partners Support|Login

User fields

Elastic Stack Serverless

The user fields describe information about the user that is relevant to the event.

Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.

User field details

Field	Description	Level
user.domain	Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. type: keyword	extended
user.email	User email address. type: keyword user.email	extended
user.full_name	User's full name, if available. type: keyword Multi-fields: * user.full_name.text (type: match_only_text) example: `Albert Einstein` user.full_name	extended
user.hash	Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. type: keyword user.hash	extended
user.id	Unique identifier of the user. type: keyword example: `S-1-5-21-202424912787-2692429404-2351956786-1000` user.id	core
user.name	Short name or login of the user. type: keyword Multi-fields: * user.name.text (type: match_only_text) example: `a.einstein` user.name	core
user.roles	Array of user roles at the time of the event. type: keyword Note: This field should contain an array of values. example: `["kibana_admin", "reporting_user"]` user.roles	extended

Field reuse

The user fields are expected to be nested at:

client.user
destination.user
process.attested_user
process.real_user
process.saved_user
process.user
server.user
source.user
user.changes
user.effective
user.target

Note also that the user fields may be used directly at the root of the events.

Field sets that can be nested under User

Location	Field Set	Description
`user.changes.*`	user	Captures changes made to a user.
`user.effective.*`	user	User whose privileges were assumed.
`user.group.*`	group	User's group relevant to the event.
`user.risk.*`	risk	Fields for describing risk score and level.
`user.target.*`	user	Targeted user of action taken.

User field usage

For usage and examples of the user fields, please see the User fields usage and examples section.