Required fields

Learn about the fields required to display data in the Infrastructure UI.

This section lists the fields the Infrastructure UI uses to display data. Please note that some of the fields listed here are not ECS fields.

Additional field details

The event.dataset field is required to display data properly in some views. This field is a combination of metricset.module, which is the Metricbeat module name, and metricset.name, which is the metricset name.

To determine each metric's optimal time interval, all charts use metricset.period. If metricset.period is not available, the charts fall back to 1-minute intervals.

Base fields

The base field set contains all fields which are on the top level. These fields are common across all types of events.

| Field | Description | Type |
| --- | --- | --- |
| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the source generated the event. If the event source has no original timestamp, this value is typically populated by the first time the pipeline received the event. Required field for all events. Example: May 27, 2020 @ 15:22:27.982 | date |
| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. Example: Hello World | text |

Hosts fields

These fields must be mapped to display host data in the Infrastructure app.

| Field | Description | Type |
| --- | --- | --- |
| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. Example: MacBook-Elastic.local | keyword |
| host.ip | IP of the host that records the event. | ip |

Docker container fields

These fields must be mapped to display Docker container data in the Infrastructure app.

| Field | Description | Type |
| --- | --- | --- |
| container.id | Unique container id. Example: data | keyword |
| container.name | Container name. | keyword |
| container.ip_address | IP of the container. Not an ECS field | ip |

Kubernetes pod fields

These fields must be mapped to display Kubernetes pod data in the Infrastructure app.

| Field | Description | Type |
| --- | --- | --- |
| kubernetes.pod.uid | Kubernetes Pod UID. Example: 8454328b-673d-11ea-7d80-21010a840123. Not an ECS field | keyword |
| kubernetes.pod.name | Kubernetes pod name. Example: nginx-demo. Not an ECS field | keyword |
| kubernetes.pod.ip | IP of the Kubernetes pod. Not an ECS field | keyword |

AWS EC2 instance fields

These fields must be mapped to display EC2 instance data in the Infrastructure app.

| Field | Description | Type |
| --- | --- | --- |
| cloud.instance.id | Instance ID of the host machine. Example: i-1234567890abcdef0 | keyword |
| cloud.instance.name | Instance name of the host machine. | keyword |
| aws.ec2.instance.public.ip | Instance public IP of the host machine. Not an ECS field | keyword |

AWS S3 bucket fields

These fields must be mapped to display S3 bucket data in the Infrastructure app.

| Field | Description | Type |
| --- | --- | --- |
| aws.s3.bucket.name | The name or ID of the AWS S3 bucket. Not an ECS field | keyword |

AWS SQS queue fields

These fields must be mapped to display SQS queue data in the Infrastructure app.

| Field | Description | Type |
| --- | --- | --- |
| aws.sqs.queue.name | The name or ID of the AWS SQS queue. Not an ECS field | keyword |

AWS RDS database fields

These fields must be mapped to display RDS database data in the Infrastructure app.

| Field | Description | Type |
| --- | --- | --- |
| aws.rds.db_instance.arn | Amazon Resource Name (ARN) for each RDS. Not an ECS field | keyword |
| aws.rds.db_instance.identifier | Contains a user-supplied database identifier. This identifier is the unique key that identifies a DB instance. Not an ECS field | keyword |

Additional grouping fields

Depending on which entity you select in the Inventory view, these additional fields can be mapped to group entities by.

| Field | Description | Type |
| --- | --- | --- |
| cloud.availability_zone | Availability zone in which this host is running. Example: us-east-1c | keyword |
| cloud.machine.type | Machine type of the host machine. Example: t2.medium | keyword |
| cloud.region | Region in which this host is running. Example: us-east-1 | keyword |
| cloud.instance.id | Instance ID of the host machine. Example: i-1234567890abcdef0 | keyword |
| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. Example: aws | keyword |
| cloud.instance.name | Instance name of the host machine. | keyword |
| cloud.project.id | Name of the project in Google Cloud. Not an ECS field | keyword |
| service.type | The type of service data is collected from. The type can be used to group and correlate logs and metrics from one service type. For example, the service type for metrics collected from Elasticsearch is elasticsearch. Example: elasticsearch. Not an ECS field | keyword |
| host.hostname | Name of the host. This field is required if you want to use machine learning features. It normally contains what the hostname command returns on the host machine. Example: Elastic.local | keyword |
| host.os.name | Operating system name, without the version. Multi-fields: os.name.text (type: text). Example: Mac OS X | keyword |
| host.os.kernel | Operating system kernel version as a raw string. Example: 4.4.0-112-generic | keyword |
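
A pre-ingest check built from the field lists on this page, as an added example rather than Elastic's own code: it reports which required fields a document lacks for a given entity type, proposes an event.dataset value from metricset.module and metricset.name, and applies the 1-minute fallback when metricset.period is absent. Joining the two names with a dot and treating metricset.period as milliseconds follow Metricbeat's convention and are assumptions here, as are the helper names and the sample event.

```python
# Field names come from this page; helper names, entity keys and SAMPLE are
# constructed for illustration.
REQUIRED = {
    "host": ["host.name", "host.ip"],
    "docker": ["container.id", "container.name", "container.ip_address"],
    "pod": ["kubernetes.pod.uid", "kubernetes.pod.name", "kubernetes.pod.ip"],
    "ec2": ["cloud.instance.id", "cloud.instance.name", "aws.ec2.instance.public.ip"],
    "s3": ["aws.s3.bucket.name"],
    "sqs": ["aws.sqs.queue.name"],
    "rds": ["aws.rds.db_instance.arn", "aws.rds.db_instance.identifier"],
}
FALLBACK_PERIOD_MS = 60_000  # the 1-minute fallback (assumes milliseconds)

def get(doc, path):
    """Read a dotted field from a nested or flattened ("a.b": v) document."""
    if path in doc:
        return doc[path]
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def event_dataset(doc):
    """Existing event.dataset, else <metricset.module>.<metricset.name>."""
    module, name = get(doc, "metricset.module"), get(doc, "metricset.name")
    derived = f"{module}.{name}" if module and name else None
    return get(doc, "event.dataset") or derived

def chart_interval_ms(doc):
    """metricset.period if the document carries it, else the fallback."""
    return get(doc, "metricset.period") or FALLBACK_PERIOD_MS

def missing_fields(doc, entity):
    """Fields this page lists for `entity` that the document does not have."""
    wanted = ["@timestamp", "event.dataset"] + REQUIRED[entity]
    return [f for f in wanted if get(doc, f) is None]

SAMPLE = {  # constructed event, not real Metricbeat output
    "@timestamp": "2020-05-27T15:22:27.982Z",
    "metricset": {"module": "system", "name": "cpu"},
    "host": {"name": "MacBook-Elastic.local"},
    "container.id": "data",
}

if __name__ == "__main__":
    print("missing for host:", missing_fields(SAMPLE, "host"))
    print("event.dataset to set:", event_dataset(SAMPLE))
    print("chart interval (ms):", chart_interval_ms(SAMPLE))
```
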
