Base Fields

@timestamp

Date/time when the event originated.

This is the date/time extracted from the event, typically representing when the event was generated by the source.

If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.

Required field for all events.

type: date

example: 2016-05-23T08:05:34.853Z

time_unix_nano

observed_time_unix_nano

start_time_unix_nano

Note: On logs, events and metrics, time_unix_nano defines the time of the event. For logs, observed_time_unix_nano defines the time when the event was observed by the collection system. On spans, start_time_unix_nano represents the start time of the span.

core

labels

Custom key/value pairs.

Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.

Example: docker and k8s labels.

type: object

example: {"application": "foo-bar", "env": "production"}

k8s.pod.label

container.label

core

message

For log events the message field contains the log message, optimized for viewing in a log viewer.

For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.

If multiple messages exist, they can be combined into one message.

type: match_only_text

example: Hello World

body

Note: The body in OTLP is of type Any and can be either an unstructured log message or a structured event.

core

tags

List of keywords used to tag each event.

type: keyword

Note: this field should contain an array of values.

example: ["production", "env2"]

core