forked from elastic/ecs
base.yml
---
- name: base
  root: true
  title: Base
  group: 1
  short: All fields defined directly at the top level
  description: >
    The `base` field set contains all fields which are on the top level.
    These fields are common across all types of events.
  type: group
  fields:

    - name: "@timestamp"
      type: date
      level: core
      required: true
      example: "2016-05-23T08:05:34.853Z"
      short: Date/time when the event originated.
      description: >
        Date/time when the event originated.

        This is the date/time extracted from the event, typically representing
        when the event was generated by the source.

        If the event source has no original timestamp, this value is typically
        populated by the first time the event was received by the pipeline.

        Required field for all events.

    - name: tags
      level: core
      type: keyword
      example: "[\"production\", \"env2\"]"
      description: >
        List of keywords used to tag each event.

    - name: labels
      level: core
      type: object
      object_type: keyword
      example: {env: production, application: foo-bar}
      short: Custom key/value pairs.
      description: >
        Custom key/value pairs.

        Can be used to add meta information to events. Should not contain nested
        objects. All values are stored as keyword.

        Example: `docker` and `k8s` labels.

    - name: message
      level: core
      type: text
      example: "Hello World"
      short: Log message optimized for viewing in a log viewer.
      description: >
        For log events the message field contains the log message, optimized for
        viewing in a log viewer.

        For structured logs without an original message field, other fields can
        be concatenated to form a human-readable summary of the event.

        If multiple messages exist, they can be combined into one message.