System fields

System status metrics, like CPU and memory usage, that are collected from the operating system.

system

system contains local system metrics.

core

system-core contains CPU metrics for a single core of a multi-core system.

system.core.id

CPU Core number.

type: long

system.core.user.pct

The percentage of CPU time spent in user space.

type: scaled_float

format: percent

system.core.user.ticks

The amount of CPU time spent in user space.

type: long

system.core.system.pct

The percentage of CPU time spent in kernel space.

type: scaled_float

format: percent

system.core.system.ticks

The amount of CPU time spent in kernel space.

type: long

system.core.nice.pct

The percentage of CPU time spent on low-priority processes.

type: scaled_float

format: percent

system.core.nice.ticks

The amount of CPU time spent on low-priority processes.

type: long

system.core.idle.pct

The percentage of CPU time spent idle.

type: scaled_float

format: percent

system.core.idle.ticks

The amount of CPU time spent idle.

type: long

system.core.iowait.pct

The percentage of CPU time spent in wait (on disk).

type: scaled_float

format: percent

system.core.iowait.ticks

The amount of CPU time spent in wait (on disk).

type: long

system.core.irq.pct

The percentage of CPU time spent servicing and handling hardware interrupts.

type: scaled_float

format: percent

system.core.irq.ticks

The amount of CPU time spent servicing and handling hardware interrupts.

type: long

system.core.softirq.pct

The percentage of CPU time spent servicing and handling software interrupts.

type: scaled_float

format: percent

system.core.softirq.ticks

The amount of CPU time spent servicing and handling software interrupts.

type: long

system.core.steal.pct

The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.

type: scaled_float

format: percent

system.core.steal.ticks

The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.

type: long

cpu

cpu contains local CPU stats.

system.cpu.cores

The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of 100% * cores. The normalized percentages already take this value into account and have a maximum value of 100%.

type: long

system.cpu.user.pct

The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the system.cpu.user.pct will be 180%.

type: scaled_float

format: percent

system.cpu.system.pct

The percentage of CPU time spent in kernel space.

type: scaled_float

format: percent

system.cpu.nice.pct

The percentage of CPU time spent on low-priority processes.

type: scaled_float

format: percent

system.cpu.idle.pct

The percentage of CPU time spent idle.

type: scaled_float

format: percent

system.cpu.iowait.pct

The percentage of CPU time spent in wait (on disk).

type: scaled_float

format: percent

system.cpu.irq.pct

The percentage of CPU time spent servicing and handling hardware interrupts.

type: scaled_float

format: percent

system.cpu.softirq.pct

The percentage of CPU time spent servicing and handling software interrupts.

type: scaled_float

format: percent

system.cpu.steal.pct

The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.

type: scaled_float

format: percent

system.cpu.total.pct

The percentage of CPU time spent in states other than Idle and IOWait.

type: scaled_float

format: percent

system.cpu.user.norm.pct

The percentage of CPU time spent in user space.

type: scaled_float

format: percent

system.cpu.system.norm.pct

The percentage of CPU time spent in kernel space.

type: scaled_float

format: percent

system.cpu.nice.norm.pct

The percentage of CPU time spent on low-priority processes.

type: scaled_float

format: percent

system.cpu.idle.norm.pct

The percentage of CPU time spent idle.

type: scaled_float

format: percent

system.cpu.iowait.norm.pct

The percentage of CPU time spent in wait (on disk).

type: scaled_float

format: percent

system.cpu.irq.norm.pct

The percentage of CPU time spent servicing and handling hardware interrupts.

type: scaled_float

format: percent

system.cpu.softirq.norm.pct

The percentage of CPU time spent servicing and handling software interrupts.

type: scaled_float

format: percent

system.cpu.steal.norm.pct

The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.

type: scaled_float

format: percent

system.cpu.total.norm.pct

The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores.

type: scaled_float

format: percent

system.cpu.user.ticks

The amount of CPU time spent in user space.

type: long

system.cpu.system.ticks

The amount of CPU time spent in kernel space.

type: long

system.cpu.nice.ticks

The amount of CPU time spent on low-priority processes.

type: long

system.cpu.idle.ticks

The amount of CPU time spent idle.

type: long

system.cpu.iowait.ticks

The amount of CPU time spent in wait (on disk).

type: long

system.cpu.irq.ticks

The amount of CPU time spent servicing and handling hardware interrupts.

type: long

system.cpu.softirq.ticks

The amount of CPU time spent servicing and handling software interrupts.

type: long

system.cpu.steal.ticks

The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.

type: long

diskio

disk contains disk IO metrics collected from the operating system.

system.diskio.name

The disk name.

type: keyword

example: sda1

system.diskio.serial_number

The disk’s serial number. This may not be provided by all operating systems.

type: keyword

system.diskio.read.count

The total number of reads completed successfully.

type: long

system.diskio.write.count

The total number of writes completed successfully.

type: long

system.diskio.read.bytes

The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512.

type: long

format: bytes

system.diskio.write.bytes

The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512.

type: long

format: bytes

system.diskio.read.time

The total number of milliseconds spent by all reads.

type: long

system.diskio.write.time

The total number of milliseconds spent by all writes.

type: long

system.diskio.io.time

The total number of milliseconds spent doing I/Os.

type: long

system.diskio.iostat.read.request.merges_per_sec

The number of read requests merged per second that were queued to the device.

type: float

system.diskio.iostat.write.request.merges_per_sec

The number of write requests merged per second that were queued to the device.

type: float

system.diskio.iostat.read.request.per_sec

The number of read requests that were issued to the device per second.

type: float

system.diskio.iostat.write.request.per_sec

The number of write requests that were issued to the device per second.

type: float

system.diskio.iostat.read.per_sec.bytes

The number of bytes read from the device per second.

type: float

format: bytes

system.diskio.iostat.read.await

The average time spent for read requests issued to the device to be served.

type: float

system.diskio.iostat.write.per_sec.bytes

The number of bytes written to the device per second.

type: float

format: bytes

system.diskio.iostat.write.await

The average time spent for write requests issued to the device to be served.

type: float

system.diskio.iostat.request.avg_size

The average size (in bytes) of the requests that were issued to the device.

type: float

system.diskio.iostat.queue.avg_size

The average queue length of the requests that were issued to the device.

type: float

system.diskio.iostat.await

The average time spent for requests issued to the device to be served.

type: float

system.diskio.iostat.service_time

The average service time (in milliseconds) for I/O requests that were issued to the device.

type: float

system.diskio.iostat.busy

Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%.

type: float

entropy

Available system entropy.

system.entropy.available_bits

The available bits of entropy.

type: long

system.entropy.pct

The percentage of available entropy, relative to the pool size of 4096.

type: scaled_float

format: percent

filesystem

filesystem contains local filesystem stats.

system.filesystem.available

The disk space available to an unprivileged user in bytes.

type: long

format: bytes

system.filesystem.device_name

The disk name. For example: /dev/disk1

type: keyword

system.filesystem.type

The disk type. For example: ext4

type: keyword

system.filesystem.mount_point

The mounting point. For example: /

type: keyword

system.filesystem.files

The total number of file nodes in the file system.

type: long

system.filesystem.free

The disk space available in bytes.

type: long

format: bytes

system.filesystem.free_files

The number of free file nodes in the file system.

type: long

system.filesystem.total

The total disk space in bytes.

type: long

format: bytes

system.filesystem.used.bytes

The used disk space in bytes.

type: long

format: bytes

system.filesystem.used.pct

The percentage of used disk space.

type: scaled_float

format: percent

fsstat

system.fsstat contains filesystem metrics aggregated from all mounted filesystems.

system.fsstat.count

Number of file systems found.

type: long

system.fsstat.total_files

Total number of files.

type: long

total_size

Nested file system docs.

system.fsstat.total_size.free

Total free space.

type: long

format: bytes

system.fsstat.total_size.used

Total used space.

type: long

format: bytes

system.fsstat.total_size.total

Total space (used plus free).

type: long

format: bytes

load

CPU load averages.

system.load.1

Load average for the last minute.

type: scaled_float

system.load.5

Load average for the last 5 minutes.

type: scaled_float

system.load.15

Load average for the last 15 minutes.

type: scaled_float

system.load.norm.1

Load for the last minute divided by the number of cores.

type: scaled_float

system.load.norm.5

Load for the last 5 minutes divided by the number of cores.

type: scaled_float

system.load.norm.15

Load for the last 15 minutes divided by the number of cores.

type: scaled_float

system.load.cores

The number of CPU cores present on the host.

type: long

memory

memory contains local memory stats.

system.memory.total

Total memory.

type: long

format: bytes

system.memory.used.bytes

Used memory.

type: long

format: bytes

system.memory.free

The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free).

type: long

format: bytes

system.memory.used.pct

The percentage of used memory.

type: scaled_float

format: percent

actual

Actual memory used and free.

system.memory.actual.used.bytes

Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, see system.memory.actual.free.

type: long

format: bytes

system.memory.actual.free

Actual free memory in bytes. It is calculated based on the OS. On Linux it consists of the free memory plus caches and buffers. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to system.memory.free.

type: long

format: bytes

system.memory.actual.used.pct

The percentage of actual used memory.

type: scaled_float

format: percent

swap

This group contains statistics related to the swap memory usage on the system.

system.memory.swap.total

Total swap memory.

type: long

format: bytes

system.memory.swap.used.bytes

Used swap memory.

type: long

format: bytes

system.memory.swap.free

Available swap memory.

type: long

format: bytes

system.memory.swap.out.pages

Count of pages swapped out.

type: long

system.memory.swap.in.pages

Count of pages swapped in.

type: long

system.memory.swap.readahead.pages

Swap readahead pages.

type: long

system.memory.swap.readahead.cached

Swap readahead cache hits.

type: long

system.memory.swap.used.pct

The percentage of used swap memory.

type: scaled_float

format: percent

hugepages

This group contains statistics related to huge pages usage on the system.

system.memory.hugepages.total

Number of huge pages in the pool.

type: long

format: number

system.memory.hugepages.used.bytes

Memory used in allocated huge pages.

type: long

format: bytes

system.memory.hugepages.used.pct

Percentage of huge pages used.

type: long

format: percent

system.memory.hugepages.free

Number of available huge pages in the pool.

type: long

format: number

system.memory.hugepages.reserved

Number of reserved but not allocated huge pages in the pool.

type: long

format: number

system.memory.hugepages.surplus

Number of overcommitted huge pages.

type: long

format: number

system.memory.hugepages.default_size

Default size for huge pages.

type: long

format: bytes

swap.out

Huge pages swapped out.

system.memory.hugepages.swap.out.pages

Pages swapped out.

type: long

system.memory.hugepages.swap.out.fallback

Count of huge pages that must be split before swapout.

type: long

network

network contains network IO metrics for a single network interface.

system.network.name

The network interface name.

type: keyword

example: eth0

system.network.out.bytes

The number of bytes sent.

type: long

format: bytes

system.network.in.bytes

The number of bytes received.

type: long

format: bytes

system.network.out.packets

The number of packets sent.

type: long

system.network.in.packets

The number of packets received.

type: long

system.network.in.errors

The number of errors while receiving.

type: long

system.network.out.errors

The number of errors while sending.

type: long

system.network.in.dropped

The number of incoming packets that were dropped.

type: long

system.network.out.dropped

The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system.

type: long

process

process contains process metadata, CPU metrics, and memory metrics.

system.process.name

type: alias

alias to: process.name

system.process.state

The process state. For example: "running".

type: keyword

system.process.pid

type: alias

alias to: process.pid

system.process.ppid

type: alias

alias to: process.ppid

system.process.pgid

type: alias

alias to: process.pgid

system.process.cmdline

The full command-line used to start the process, including the arguments separated by space.

type: keyword

system.process.username

type: alias

alias to: user.name

system.process.cwd

type: alias

alias to: process.working_directory

system.process.env

The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X.

type: object

cpu

CPU-specific statistics per process.

system.process.cpu.user.ticks

The amount of CPU time the process spent in user space.

type: long

system.process.cpu.total.value

The value of CPU usage since starting the process.

type: long

system.process.cpu.total.pct

The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems.

type: scaled_float

format: percent

system.process.cpu.total.norm.pct

The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%.

type: scaled_float

format: percent

system.process.cpu.system.ticks

The amount of CPU time the process spent in kernel space.

type: long

system.process.cpu.total.ticks

The total CPU time spent by the process.

type: long

system.process.cpu.start_time

The time when the process was started.

type: date

memory

Memory-specific statistics per process.

system.process.memory.size

The total virtual memory the process has.

type: long

format: bytes

system.process.memory.rss.bytes

The Resident Set Size. The amount of memory the process occupied in main memory (RAM).

type: long

format: bytes

system.process.memory.rss.pct

The percentage of memory the process occupied in main memory (RAM).

type: scaled_float

format: percent

system.process.memory.share

The shared memory the process uses.

type: long

format: bytes

File descriptor usage metrics. This set of metrics is available for Linux and FreeBSD.

system.process.fd.open

The number of file descriptors open by the process.

type: long

system.process.fd.limit.soft

The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time.

type: long

system.process.fd.limit.hard

The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root.

type: long

cgroup

Metrics and limits from the cgroup of which the task is a member. cgroup metrics are reported when the process has membership in a non-root cgroup. These metrics are only available on Linux.

system.process.cgroup.id

The ID common to all cgroups associated with this task. If there isn’t a common ID used by all cgroups this field will be absent.

type: keyword

system.process.cgroup.path

The path to the cgroup relative to the cgroup subsystem’s mountpoint. If there isn’t a common path used by all cgroups this field will be absent.

type: keyword

cpu

The cpu subsystem schedules CPU access for tasks in the cgroup. Access can be controlled by two separate schedulers, CFS and RT. CFS stands for completely fair scheduler which proportionally divides the CPU time between cgroups based on weight. RT stands for real time scheduler which sets a maximum amount of CPU time that processes in the cgroup can consume during a given period.

system.process.cgroup.cpu.id

ID of the cgroup.

type: keyword

system.process.cgroup.cpu.path

Path to the cgroup relative to the cgroup subsystem’s mountpoint.

type: keyword

system.process.cgroup.cpu.cfs.period.us

Period of time in microseconds for how regularly a cgroup’s access to CPU resources should be reallocated.

type: long

system.process.cgroup.cpu.cfs.quota.us

Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us).

type: long

system.process.cgroup.cpu.cfs.shares

An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher.

type: long

system.process.cgroup.cpu.rt.period.us

Period of time in microseconds for how regularly a cgroup’s access to CPU resources is reallocated.

type: long

system.process.cgroup.cpu.rt.runtime.us

Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources.

type: long

system.process.cgroup.cpu.stats.periods

Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed.

type: long

system.process.cgroup.cpu.stats.throttled.periods

Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota).

type: long

system.process.cgroup.cpu.stats.throttled.ns

The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled.

type: long
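
One way to turn the CFS fields above into a throttling check, as an added example that is not part of Metricbeat or of the original page. It assumes events have been flattened to the dotted field names listed here, that samples arrive in time order, and that a quota of -1 means "no limit" (the cgroup v1 convention); the cgroup ids and counter values are constructed.

```python
PREFIX = "system.process.cgroup.cpu."
COUNTERS = ("stats.periods", "stats.throttled.periods", "stats.throttled.ns")


def cfs_limit_cores(event):
    """CPU limit in cores implied by cfs.quota.us / cfs.period.us, or None if unlimited."""
    quota = event.get(PREFIX + "cfs.quota.us")
    period = event.get(PREFIX + "cfs.period.us")
    if quota is None or not period or quota <= 0:  # assumption: -1 means no quota
        return None
    return quota / period


def throttle_window(prev, curr):
    """Throttling between two samples of one cgroup; None if the counters are unusable."""
    if prev.get(PREFIX + "id") != curr.get(PREFIX + "id"):
        raise ValueError("samples belong to different cgroups")
    deltas = {}
    for name in COUNTERS:
        before, after = prev.get(PREFIX + name), curr.get(PREFIX + name)
        if before is None or after is None or after < before:
            return None  # missing field, or counter reset (cgroup recreated)
        deltas[name] = after - before
    periods = deltas["stats.periods"]
    ratio = deltas["stats.throttled.periods"] / periods if periods else 0.0
    return {
        "limit_cores": cfs_limit_cores(curr),
        "periods": periods,
        "throttled_ratio": ratio,
        "throttled_ms": deltas["stats.throttled.ns"] / 1e6,
    }


def flag_throttled(samples, threshold=0.25):
    """Return ids of cgroups throttled in more than `threshold` of periods in any window."""
    last, flagged = {}, []
    for event in samples:
        cid = event.get(PREFIX + "id")
        prev, last[cid] = last.get(cid), event
        if prev is None:
            continue
        window = throttle_window(prev, event)
        if window and window["throttled_ratio"] > threshold and cid not in flagged:
            flagged.append(cid)
    return flagged


def sample(cid, quota_us, periods, throttled_periods, throttled_ns):
    """Build one constructed, flattened event (hypothetical helper for this example)."""
    return {
        PREFIX + "id": cid,
        PREFIX + "cfs.period.us": 100000,
        PREFIX + "cfs.quota.us": quota_us,
        PREFIX + "stats.periods": periods,
        PREFIX + "stats.throttled.periods": throttled_periods,
        PREFIX + "stats.throttled.ns": throttled_ns,
    }


# Constructed samples: "web-1" is capped at half a core, "batch-2" has no quota.
SAMPLES = [
    sample("web-1", 50000, 1000, 100, 5_000_000_000),
    sample("batch-2", -1, 1000, 0, 0),
    sample("web-1", 50000, 1600, 400, 20_000_000_000),
    sample("batch-2", -1, 1600, 0, 0),
]

if __name__ == "__main__":
    print(throttle_window(SAMPLES[0], SAMPLES[2]))
    print(flag_throttled(SAMPLES))
```

A cgroup that stays above the threshold across many windows is spending much of its time waiting on its quota, which is worth correlating with system.process.cmdline for the processes in that cgroup.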

cpuacct

CPU accounting metrics.

system.process.cgroup.cpuacct.id

ID of the cgroup.

type: keyword

system.process.cgroup.cpuacct.path

Path to the cgroup relative to the cgroup subsystem’s mountpoint.

type: keyword

system.process.cgroup.cpuacct.total.ns

Total CPU time in nanoseconds consumed by all tasks in the cgroup.

type: long

system.process.cgroup.cpuacct.stats.user.ns

CPU time consumed by tasks in user mode.

type: long

system.process.cgroup.cpuacct.stats.system.ns

CPU time consumed by tasks in system (kernel) mode.

type: long

system.process.cgroup.cpuacct.percpu

CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup.

type: object

memory

Memory limits and metrics.

system.process.cgroup.memory.id

ID of the cgroup.

type: keyword

system.process.cgroup.memory.path

Path to the cgroup relative to the cgroup subsystem’s mountpoint.

type: keyword

system.process.cgroup.memory.mem.usage.bytes

Total memory usage by processes in the cgroup (in bytes).

type: long

format: bytes

system.process.cgroup.memory.mem.usage.max.bytes

The maximum memory used by processes in the cgroup (in bytes).

type: long

format: bytes

system.process.cgroup.memory.mem.limit.bytes

The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use.

type: long

format: bytes

system.process.cgroup.memory.mem.failures

The number of times that the memory limit (mem.limit.bytes) was reached.

type: long

system.process.cgroup.memory.memsw.usage.bytes

The sum of current memory usage plus swap space used by processes in the cgroup (in bytes).

type: long

format: bytes

system.process.cgroup.memory.memsw.usage.max.bytes

The maximum amount of memory and swap space used by processes in the cgroup (in bytes).

type: long

format: bytes

system.process.cgroup.memory.memsw.limit.bytes

The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use.

type: long

format: bytes

system.process.cgroup.memory.memsw.failures

The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached.

type: long

system.process.cgroup.memory.kmem.usage.bytes

Total kernel memory usage by processes in the cgroup (in bytes).

type: long

format: bytes

system.process.cgroup.memory.kmem.usage.max.bytes

The maximum kernel memory used by processes in the cgroup (in bytes).

type: long

format: bytes

system.process.cgroup.memory.kmem.limit.bytes

The maximum amount of kernel memory that tasks in the cgroup are allowed to use.

type: long

format: bytes

system.process.cgroup.memory.kmem.failures

The number of times that the memory limit (kmem.limit.bytes) was reached.

type: long

system.process.cgroup.memory.kmem_tcp.usage.bytes

Total memory usage for TCP buffers in bytes.

type: long

format: bytes

system.process.cgroup.memory.kmem_tcp.usage.max.bytes

The maximum memory used for TCP buffers by processes in the cgroup (in bytes).

type: long

format: bytes

system.process.cgroup.memory.kmem_tcp.limit.bytes

The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use.

type: long

format: bytes

system.process.cgroup.memory.kmem_tcp.failures

The number of times that the memory limit (kmem_tcp.limit.bytes) was reached.

type: long

system.process.cgroup.memory.stats.active_anon.bytes

Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes.

type: long

format: bytes

system.process.cgroup.memory.stats.active_file.bytes

File-backed memory on active LRU list, in bytes.

type: long

format: bytes

system.process.cgroup.memory.stats.cache.bytes

Page cache, including tmpfs (shmem), in bytes.

type: long

format: bytes

system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes

Memory limit for the hierarchy that contains the memory cgroup, in bytes.

type: long

format: bytes

system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes

Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes.

type: long

format: bytes

system.process.cgroup.memory.stats.inactive_anon.bytes

Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes.

type: long

format: bytes

system.process.cgroup.memory.stats.inactive_file.bytes

File-backed memory on inactive LRU list, in bytes.

type: long

format: bytes

system.process.cgroup.memory.stats.mapped_file.bytes

Size of memory-mapped files, including tmpfs (shmem), in bytes.

type: long

format: bytes

system.process.cgroup.memory.stats.page_faults

Number of times that a process in the cgroup triggered a page fault.

type: long

system.process.cgroup.memory.stats.major_page_faults

Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk.

type: long

system.process.cgroup.memory.stats.pages_in

Number of pages paged into memory. This is a counter.

type: long

system.process.cgroup.memory.stats.pages_out

Number of pages paged out of memory. This is a counter.

type: long

system.process.cgroup.memory.stats.rss.bytes

Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes.

type: long

format: bytes

system.process.cgroup.memory.stats.rss_huge.bytes

Number of bytes of anonymous transparent hugepages.

type: long

format: bytes

system.process.cgroup.memory.stats.swap.bytes

Swap usage, in bytes.

type: long

format: bytes

system.process.cgroup.memory.stats.unevictable.bytes

Memory that cannot be reclaimed, in bytes.

type: long

format: bytes

blkio

Block IO metrics.

system.process.cgroup.blkio.id

ID of the cgroup.

type: keyword

system.process.cgroup.blkio.path

Path to the cgroup relative to the cgroup subsystem’s mountpoint.

type: keyword

system.process.cgroup.blkio.total.bytes

Total number of bytes transferred to and from all block devices by processes in the cgroup.

type: long

format: bytes

system.process.cgroup.blkio.total.ios

Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy.

type: long

process.summary

Summary metrics for the processes running on the host.

system.process.summary.total

Total number of processes on this host.

type: long

system.process.summary.running

Number of running processes on this host.

type: long

system.process.summary.idle

Number of idle processes on this host.

type: long

system.process.summary.sleeping

Number of sleeping processes on this host.

type: long

system.process.summary.stopped

Number of stopped processes on this host.

type: long

system.process.summary.zombie

Number of zombie processes on this host.

type: long

system.process.summary.dead

Number of dead processes on this host. It’s very unlikely that it will appear but in some special situations it may happen.

type: long

system.process.summary.unknown

Number of processes for which the state couldn’t be retrieved or is unknown.

type: long

raid

raid

system.raid.name

Name of the device.

type: keyword

system.raid.status

Activity state of the device.

type: keyword

system.raid.level

The RAID level of the device.

type: keyword

system.raid.sync_action

Current sync action, if the RAID array is redundant.

type: keyword

system.raid.disks.active

Number of active disks.

type: long

system.raid.disks.total

Total number of disks the device consists of.

type: long

system.raid.disks.spare

Number of spare disks.

type: long

system.raid.disks.failed

Number of failed disks.

type: long

system.raid.disks.states.*

Map of raw disk states.

type: object

system.raid.blocks.total

Number of blocks the device holds, in 1024-byte blocks.

type: long

system.raid.blocks.synced

Number of blocks on the device that are in sync, in 1024-byte blocks.

type: long

socket

TCP sockets that are active.

system.socket.direction

type: alias

alias to: network.direction

system.socket.family

type: alias

alias to: network.type

system.socket.local.ip

Local IP address. This can be an IPv4 or IPv6 address.

type: ip

example: 192.0.2.1 or 2001:0DB8:ABED:8536::1

system.socket.local.port

Local port.

type: long

example: 22

system.socket.remote.ip

Remote IP address. This can be an IPv4 or IPv6 address.

type: ip

example: 192.0.2.1 or 2001:0DB8:ABED:8536::1

system.socket.remote.port

Remote port.

type: long

example: 22

system.socket.remote.host

PTR record associated with the remote IP. It is obtained via reverse IP lookup.

type: keyword

example: 76-211-117-36.nw.example.com.

system.socket.remote.etld_plus_one

The effective top-level domain (eTLD) of the remote host plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org.

type: keyword

example: example.com.

system.socket.remote.host_error

Error describing the cause of the reverse lookup failure.

type: keyword

system.socket.process.pid

type: alias

alias to: process.pid

system.socket.process.command

type: alias

alias to: process.name

system.socket.process.cmdline

Full command line.

type: keyword

system.socket.process.exe

type: alias

alias to: process.executable

system.socket.user.id

type: alias

alias to: user.id

system.socket.user.name

type: alias

alias to: user.full_name

socket.summary

Summary metrics of open sockets in the host system.

all

All connections

system.socket.summary.all.count

All open connections

type: integer

system.socket.summary.all.listening

All listening ports

type: integer

tcp

All TCP connections

system.socket.summary.tcp.memory

Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux.

type: integer

format: bytes

all

All TCP connections

system.socket.summary.tcp.all.orphan

A count of all orphaned TCP sockets. Only available on Linux.

type: integer

system.socket.summary.tcp.all.count

All open TCP connections

type: integer

system.socket.summary.tcp.all.listening

All TCP listening ports

type: integer

system.socket.summary.tcp.all.established

Number of established TCP connections

type: integer

system.socket.summary.tcp.all.close_wait

Number of TCP connections in close_wait state

type: integer

system.socket.summary.tcp.all.time_wait

Number of TCP connections in time_wait state

type: integer

udp

All UDP connections

system.socket.summary.udp.memory

Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux.

type: integer

format: bytes

all

All UDP connections

system.socket.summary.udp.all.count

All open UDP connections

type: integer

uptime

uptime contains the operating system uptime metric.

system.uptime.duration.ms

The OS uptime in milliseconds.

type: long

format: duration