These are the fields exported by the logging system and available for searching
from Elasticsearch and Kibana. Use the full, dotted field name when searching.
For example, for an Elasticsearch /_search URL, to look for a Kubernetes Pod name,
use `/_search?q=kubernetes.pod_name:name-of-my-pod`.
The following sections describe fields that may not be present in your logging store. Not all of these fields are present in every record. The fields are grouped in the following categories:
- exported-fields-Default
- exported-fields-rsyslog
- exported-fields-systemd
- exported-fields-kubernetes
- exported-fields-pipeline_metadata
- exported-fields-ovirt
- exported-fields-aushape
- exported-fields-tlog
These are the default fields exported by the logging system and available for searching
from Elasticsearch and Kibana. The default fields are Top Level and collectd*.
The top level fields are common to every application, and may be present in
every record. For the Elasticsearch template, top level fields populate the actual
mappings of default in the template’s mapping section.
Parameter | Description |
---|---|
| | The UTC value marking when the log payload was created, or when the log payload was first collected if the creation time is not known. This is the log processing pipeline’s best effort determination of when the log payload was generated. Add the |
| | This is geo-ip of the machine. |
| | The |
| | The IP address V4 of the source server, which can be an array. |
| | The IP address V6 of the source server, if available. |
| | The logging level as provided by * You should only use * Consider * * Convert * Convert Numeric values from Log levels and priorities from other logging systems should be mapped to the nearest match. See python logging for an example. |
| | A typical log entry message, or payload. It can be stripped of metadata pulled out of it by the collector or normalizer, that is UTF-8 encoded. |
| | This is the process ID of the logging entity, if available. |
| | The name of the service associated with the logging entity, if available. For example, the |
| | Optionally provided operator defined list of tags placed on each log by the collector or normalizer. The payload can be a string with whitespace-delimited string tokens, or a JSON list of string tokens. |
| | Optional path to the file containing the log entry local to the collector |
| | The offset value can represent bytes to the start of the log line in the file (zero or one based), or log line numbers (zero or one based), as long as the values are strictly monotonically increasing in the context of a single log file. The values are allowed to wrap, representing a new version of the log file (rotation). |
| | Associate this record with the |
| | This is the |
collectd Fields
The following fields represent namespace metrics metadata.
Parameter | Description |
---|---|
|
type: float The |
|
type: string The |
|
type: string The |
|
type: string The |
|
type: string The |
|
type: string The |
collectd.processes Fields
The following field corresponds to the collectd processes plug-in.
Parameter | Description |
---|---|
|
type: integer
The |
collectd.processes.ps_disk_ops Fields
The collectd ps_disk_ops type of processes plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
collectd.processes.ps_cputime Fields
The collectd ps_cputime type of processes plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.processes.ps_count Fields
The collectd ps_count type of processes plug-in.
Parameter | Description |
---|---|
|
type: integer
|
|
type: integer
|
collectd.processes.ps_pagefaults Fields
The collectd ps_pagefaults type of processes plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.processes.ps_disk_octets Fields
The collectd ps_disk_octets type of processes plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
|
type: float The |
collectd.disk Fields
Corresponds to collectd disk plug-in.
collectd.disk.disk_merged Fields
The collectd disk_merged type of disk plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.disk.disk_octets Fields
The collectd disk_octets type of disk plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.disk.disk_time Fields
The collectd disk_time type of disk plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.disk.disk_ops Fields
The collectd disk_ops type of disk plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
|
type: integer The |
collectd.disk.disk_io_time Fields
The collectd disk_io_time type of disk plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.interface Fields
Corresponds to the collectd interface plug-in.
collectd.interface.if_octets Fields
The collectd if_octets type of interface plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.interface.if_packets Fields
The collectd if_packets type of interface plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.interface.if_errors Fields
The collectd if_errors type of interface plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
The collectd if_dropped type of interface plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.virt Fields
Corresponds to collectd virt plug-in.
collectd.virt.if_octets Fields
The collectd if_octets type of virt plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.virt.if_packets Fields
The collectd if_packets type of virt plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.virt.if_errors Fields
The collectd if_errors type of virt plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.virt.if_dropped Fields
The collectd if_dropped type of virt plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.virt.disk_ops Fields
The collectd disk_ops type of virt plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.virt.disk_octets Fields
The collectd disk_octets type of virt plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
|
type: float The |
|
type: float The |
|
type: float The |
collectd.CPU Fields
Corresponds to the collectd CPU plug-in.
Parameter | Description |
---|---|
|
type: float The |
Corresponds to the collectd df plug-in.
Parameter | Description |
---|---|
|
type: float The |
|
type: float The |
collectd.entropy Fields
Corresponds to the collectd entropy plug-in.
Parameter | Description |
---|---|
|
type: integer The |
collectd.memory Fields
Corresponds to the collectd memory plug-in.
Parameter | Description |
---|---|
|
type: float The |
|
type: float The |
collectd.swap Fields
Corresponds to the collectd swap plug-in.
Parameter | Description |
---|---|
|
type: integer The |
|
type: integer The |
collectd.load Fields
Corresponds to the collectd load plug-in.
collectd.load.load Fields
The collectd load type of load plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
|
type: float
|
collectd.aggregation Fields
Corresponds to collectd aggregation plug-in.
Parameter | Description |
---|---|
|
type: float
|
collectd.statsd Fields
Corresponds to collectd statsd plug-in.
Parameter | Description |
---|---|
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The collectd |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
collectd.postgresql Fields
Corresponds to collectd postgresql plug-in.
Parameter | Description |
---|---|
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
rsyslog exported fields
These are the rsyslog fields exported by the logging system and available for searching
from Elasticsearch and Kibana.
The following fields are RFC5424 based metadata.
Parameter | Description |
---|---|
|
See |
|
This is the |
|
See |
|
This is the |
|
If |
systemd exported fields
These are the systemd fields exported by the OpenShift Container Platform cluster logging available for searching
from Elasticsearch and Kibana.
Contains common fields specific to systemd journal. Applications may write their own fields to the journal. These will be available under the systemd.u namespace. RESULT and UNIT are two such fields.
systemd.k Fields
The following table contains systemd kernel-specific metadata.
Parameter | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
systemd.t Fields
systemd.t Fields are trusted journal fields, fields that are implicitly added
by the journal, and cannot be altered by client code.
Parameter | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
systemd.u Fields
systemd.u Fields are directly passed from clients and stored in the journal.
Parameter | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
|
For private use only. |
|
For private use only. |
These are the Kubernetes fields exported by the OpenShift Container Platform cluster logging available for searching from Elasticsearch and Kibana.
The namespace for Kubernetes-specific metadata. The kubernetes.pod_name is the name of the pod.
kubernetes.labels Fields
Labels attached to the OpenShift object are kubernetes.labels. Each label name
is a subfield of labels field. Each label name is de-dotted, meaning dots in the
name are replaced with underscores.
Parameter | Description |
---|---|
| | Kubernetes ID of the pod. |
| | The name of the namespace in Kubernetes. |
| | ID of the namespace in Kubernetes. |
| | Kubernetes node name. |
| | The name of the container in Kubernetes. |
| | The deployment associated with the Kubernetes object. |
| | The deploymentconfig associated with the Kubernetes object. |
| | The component associated with the Kubernetes object. |
| | The provider associated with the Kubernetes object. |
kubernetes.annotations Fields
Annotations associated with the OpenShift object are kubernetes.annotations fields.
These are the Docker fields exported by the OpenShift Container Platform cluster logging available for searching from Elasticsearch and Kibana. Namespace for docker container-specific metadata. The docker.container_id is the Docker container ID.
pipeline_metadata.collector Fields
This section contains metadata specific to the collector.
Parameter | Description |
---|---|
| | FQDN of the collector. It might be different from the FQDN of the actual emitter of the logs. |
| | Name of the collector. |
| | Version of the collector. |
| | IP address v4 of the collector server, can be an array. |
| | IP address v6 of the collector server, can be an array. |
| | How the log message was received by the collector, whether it was TCP/UDP, or imjournal/imfile. |
| | Time when the message was received by the collector. |
| | The original non-parsed log message, collected by the collector or as close to the source as possible. |
pipeline_metadata.normalizer Fields
This section contains metadata specific to the normalizer.
Parameter | Description |
---|---|
| | FQDN of the normalizer. |
| | Name of the normalizer. |
| | Version of the normalizer. |
| | IP address v4 of the normalizer server, can be an array. |
| | IP address v6 of the normalizer server, can be an array. |
| | How the log message was received by the normalizer, whether it was TCP/UDP. |
| | Time when the message was received by the normalizer. |
| | The original non-parsed log message as it is received by the normalizer. |
| | The field records the trace of the message. Each collector and normalizer appends information about itself and the date and time when the message was processed. |
These are the oVirt fields exported by the OpenShift Container Platform cluster logging available for searching from Elasticsearch and Kibana.
Namespace for oVirt metadata.
Parameter | Description |
---|---|
| | The type of the data source, hosts, VMS, and engine. |
| | The oVirt host UUID. |
ovirt.engine Fields
Namespace for oVirt engine related metadata. The FQDN of the oVirt engine is ovirt.engine.fqdn.
These are the Aushape fields exported by the OpenShift Container Platform cluster logging available for searching from Elasticsearch and Kibana.
Audit events converted with Aushape. For more information, see Aushape.
Parameter | Description |
---|---|
| | Audit event serial number. |
| | Name of the host where the audit event occurred. |
| | The error aushape encountered while converting the event. |
| | An array of JSONPath expressions relative to the event object, specifying objects or arrays with the content removed as the result of event size limiting. An empty string means the event removed the content, and an empty array means the trimming occurred by unspecified objects and arrays. |
| | An array of log record strings representing the original audit event. |
aushape.data Fields
Parsed audit event data related to Aushape.
Parameter | Description |
---|---|
|
type: nested |
|
type: string |
|
type: nested |
|
type: nested |
|
type: nested |
These are the Tlog fields exported by the OpenShift Container Platform cluster logging system and available for searching from Elasticsearch and Kibana.
Tlog terminal I/O recording messages. For more information see Tlog.
Parameter | Description |
---|---|
| | Message format version number. |
| | Recorded user name. |
| | Terminal type name. |
| | Audit session ID of the recorded session. |
| | ID of the message within the session. |
| | Message position in the session, milliseconds. |
| | Distribution of this message’s events in time. |
| | Input text with invalid characters scrubbed. |
| | Scrubbed invalid input characters as bytes. |
| | Output text with invalid characters scrubbed. |
| | Scrubbed invalid output characters as bytes. |