youtubebeat/vendor/github.com/elastic/beats/packetbeat/docs/fields.asciidoc

////
This file is generated! See _meta/fields.yml and scripts/generate_field_docs.py
////
[[exported-fields]]
= Exported fields
[partintro]
--
This document describes the fields that are exported by Packetbeat. They are
grouped in the following categories:
* <<exported-fields-amqp>>
* <<exported-fields-beat>>
* <<exported-fields-cassandra>>
* <<exported-fields-cloud>>
* <<exported-fields-common>>
* <<exported-fields-dhcpv4>>
* <<exported-fields-dns>>
* <<exported-fields-docker-processor>>
* <<exported-fields-flows_event>>
* <<exported-fields-host-processor>>
* <<exported-fields-http>>
* <<exported-fields-icmp>>
* <<exported-fields-kubernetes-processor>>
* <<exported-fields-memcache>>
* <<exported-fields-mongodb>>
* <<exported-fields-mysql>>
* <<exported-fields-nfs>>
* <<exported-fields-pgsql>>
* <<exported-fields-raw>>
* <<exported-fields-redis>>
* <<exported-fields-thrift>>
* <<exported-fields-tls>>
* <<exported-fields-trans_event>>
* <<exported-fields-trans_measurements>>
--
[[exported-fields-amqp]]
== AMQP fields
AMQP specific event fields.
*`amqp.reply-code`*::
+
--
type: long
example: 404
AMQP reply code for an error, similar to an HTTP status code.
--
*`amqp.reply-text`*::
+
--
type: keyword
Text explaining the error.
--
*`amqp.class-id`*::
+
--
type: long
Failing method class.
--
*`amqp.method-id`*::
+
--
type: long
Failing method ID.
--
*`amqp.exchange`*::
+
--
type: keyword
Name of the exchange.
--
*`amqp.exchange-type`*::
+
--
type: keyword
example: fanout
Exchange type.
--
*`amqp.passive`*::
+
--
type: boolean
If set, do not create exchange/queue.
--
*`amqp.durable`*::
+
--
type: boolean
If set, request a durable exchange/queue.
--
*`amqp.exclusive`*::
+
--
type: boolean
If set, request an exclusive queue.
--
*`amqp.auto-delete`*::
+
--
type: boolean
If set, auto-delete queue when unused.
--
*`amqp.no-wait`*::
+
--
type: boolean
If set, the server will not respond to the method.
--
*`amqp.consumer-tag`*::
+
--
Identifier for the consumer, valid within the current channel.
--
*`amqp.delivery-tag`*::
+
--
type: long
The server-assigned and channel-specific delivery tag.
--
*`amqp.message-count`*::
+
--
type: long
The number of messages in the queue, which will be zero for newly-declared queues.
--
*`amqp.consumer-count`*::
+
--
type: long
The number of consumers of a queue.
--
*`amqp.routing-key`*::
+
--
type: keyword
Message routing key.
--
*`amqp.no-ack`*::
+
--
type: boolean
If set, the server does not expect acknowledgements for messages.
--
*`amqp.no-local`*::
+
--
type: boolean
If set, the server will not send messages to the connection that published them.
--
*`amqp.if-unused`*::
+
--
type: boolean
Delete only if unused.
--
*`amqp.if-empty`*::
+
--
type: boolean
Delete only if empty.
--
*`amqp.queue`*::
+
--
type: keyword
The queue name identifies the queue within the vhost.
--
*`amqp.redelivered`*::
+
--
type: boolean
Indicates that the message has been previously delivered to this or another client.
--
*`amqp.multiple`*::
+
--
type: boolean
Acknowledge multiple messages.
--
*`amqp.arguments`*::
+
--
type: object
Optional additional arguments passed to some methods. Can be of various types.
--
*`amqp.mandatory`*::
+
--
type: boolean
Indicates mandatory routing.
--
*`amqp.immediate`*::
+
--
type: boolean
Request immediate delivery.
--
*`amqp.content-type`*::
+
--
type: keyword
example: text/plain
MIME content type.
--
*`amqp.content-encoding`*::
+
--
type: keyword
MIME content encoding.
--
*`amqp.headers`*::
+
--
type: object
Message header field table.
--
*`amqp.delivery-mode`*::
+
--
type: keyword
Non-persistent (1) or persistent (2).
--
*`amqp.priority`*::
+
--
type: long
Message priority, 0 to 9.
--
*`amqp.correlation-id`*::
+
--
type: keyword
Application correlation identifier.
--
*`amqp.reply-to`*::
+
--
type: keyword
Address to reply to.
--
*`amqp.expiration`*::
+
--
type: keyword
Message expiration specification.
--
*`amqp.message-id`*::
+
--
type: keyword
Application message identifier.
--
*`amqp.timestamp`*::
+
--
type: keyword
Message timestamp.
--
*`amqp.type`*::
+
--
type: keyword
Message type name.
--
*`amqp.user-id`*::
+
--
type: keyword
Creating user id.
--
*`amqp.app-id`*::
+
--
type: keyword
Creating application id.
--
[[exported-fields-beat]]
== Beat fields
Contains common beat fields available in all event types.
*`beat.name`*::
+
--
The name of the Beat sending the log messages. If the Beat name is set in the configuration file, then that value is used. If it is not set, the hostname is used. To set the Beat name, use the `name` option in the configuration file.
--
*`beat.hostname`*::
+
--
The hostname as returned by the operating system on which the Beat is running.
--
*`beat.timezone`*::
+
--
The timezone as returned by the operating system on which the Beat is running.
--
*`beat.version`*::
+
--
The version of the beat that generated this event.
--
*`@timestamp`*::
+
--
type: date
example: August 26th 2016, 12:35:53.332
format: date
required: True
The timestamp when the event log record was generated.
--
*`tags`*::
+
--
Arbitrary tags that can be set per Beat and per transaction type.
--
*`fields`*::
+
--
type: object
Contains user configurable fields.
--
[float]
== error fields
Error fields containing additional info in case of errors.
*`error.message`*::
+
--
type: text
Error message.
--
*`error.code`*::
+
--
type: long
Error code.
--
*`error.type`*::
+
--
type: keyword
Error type.
--
[[exported-fields-cassandra]]
== Cassandra fields
Cassandra native protocol v3/v4 specific event fields.
[float]
== cassandra fields
Information about the Cassandra request and response.
[float]
== request fields
Cassandra request.
[float]
== headers fields
Cassandra request headers.
*`cassandra.request.headers.version`*::
+
--
type: long
The version of the protocol.
--
*`cassandra.request.headers.flags`*::
+
--
type: keyword
Flags applying to this frame.
--
*`cassandra.request.headers.stream`*::
+
--
type: keyword
A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X.
--
*`cassandra.request.headers.op`*::
+
--
type: keyword
An operation type that distinguishes the actual message.
--
*`cassandra.request.headers.length`*::
+
--
type: long
An integer representing the length of the body of the frame (a frame is limited to 256MB in length).
--
*`cassandra.request.query`*::
+
--
type: keyword
The CQL query that the client sent to Cassandra.
--
[float]
== response fields
Cassandra response.
[float]
== headers fields
Cassandra response headers; the structure is the same as the request headers.
*`cassandra.response.headers.version`*::
+
--
type: long
The version of the protocol.
--
*`cassandra.response.headers.flags`*::
+
--
type: keyword
Flags applying to this frame.
--
*`cassandra.response.headers.stream`*::
+
--
type: keyword
A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X.
--
*`cassandra.response.headers.op`*::
+
--
type: keyword
An operation type that distinguishes the actual message.
--
*`cassandra.response.headers.length`*::
+
--
type: long
An integer representing the length of the body of the frame (a frame is limited to 256MB in length).
--
[float]
== result fields
Details about the returned result.
*`cassandra.response.result.type`*::
+
--
type: keyword
Cassandra result type.
--
[float]
== rows fields
Details about the rows.
*`cassandra.response.result.rows.num_rows`*::
+
--
type: long
Representing the number of rows present in this result.
--
[float]
== meta fields
Composed of result metadata.
*`cassandra.response.result.rows.meta.keyspace`*::
+
--
type: keyword
Only present if the Global_tables_spec flag is set: the keyspace name.
--
*`cassandra.response.result.rows.meta.table`*::
+
--
type: keyword
Only present if the Global_tables_spec flag is set: the table name.
--
*`cassandra.response.result.rows.meta.flags`*::
+
--
type: keyword
Provides information on the formatting of the remaining information.
--
*`cassandra.response.result.rows.meta.col_count`*::
+
--
type: long
Representing the number of columns selected by the query that produced this result.
--
*`cassandra.response.result.rows.meta.pkey_columns`*::
+
--
type: long
Representing the PK columns index and counts.
--
*`cassandra.response.result.rows.meta.paging_state`*::
+
--
type: keyword
The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.
--
*`cassandra.response.result.keyspace`*::
+
--
type: keyword
Indicating the name of the keyspace that has been set.
--
[float]
== schema_change fields
The result to a schema_change message.
*`cassandra.response.result.schema_change.change`*::
+
--
type: keyword
Representing the type of change involved.
--
*`cassandra.response.result.schema_change.keyspace`*::
+
--
type: keyword
This describes which keyspace has changed.
--
*`cassandra.response.result.schema_change.table`*::
+
--
type: keyword
This describes which table has changed.
--
*`cassandra.response.result.schema_change.object`*::
+
--
type: keyword
This describes the name of said affected object (either the table, user type, function, or aggregate name).
--
*`cassandra.response.result.schema_change.target`*::
+
--
type: keyword
The kind of object that changed. When the target is "FUNCTION" or "AGGREGATE", the name and the argument types follow.
--
*`cassandra.response.result.schema_change.name`*::
+
--
type: keyword
The function/aggregate name.
--
*`cassandra.response.result.schema_change.args`*::
+
--
type: keyword
One string for each argument type (as CQL type).
--
[float]
== prepared fields
The result to a PREPARE message.
*`cassandra.response.result.prepared.prepared_id`*::
+
--
type: keyword
Representing the prepared query ID.
--
[float]
== req_meta fields
This describes the request metadata.
*`cassandra.response.result.prepared.req_meta.keyspace`*::
+
--
type: keyword
Only present if the Global_tables_spec flag is set: the keyspace name.
--
*`cassandra.response.result.prepared.req_meta.table`*::
+
--
type: keyword
Only present if the Global_tables_spec flag is set: the table name.
--
*`cassandra.response.result.prepared.req_meta.flags`*::
+
--
type: keyword
Provides information on the formatting of the remaining information.
--
*`cassandra.response.result.prepared.req_meta.col_count`*::
+
--
type: long
Representing the number of columns selected by the query that produced this result.
--
*`cassandra.response.result.prepared.req_meta.pkey_columns`*::
+
--
type: long
Representing the PK columns index and counts.
--
*`cassandra.response.result.prepared.req_meta.paging_state`*::
+
--
type: keyword
The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.
--
[float]
== resp_meta fields
This describes the metadata for the result set.
*`cassandra.response.result.prepared.resp_meta.keyspace`*::
+
--
type: keyword
Only present if the Global_tables_spec flag is set: the keyspace name.
--
*`cassandra.response.result.prepared.resp_meta.table`*::
+
--
type: keyword
Only present if the Global_tables_spec flag is set: the table name.
--
*`cassandra.response.result.prepared.resp_meta.flags`*::
+
--
type: keyword
Provides information on the formatting of the remaining information.
--
*`cassandra.response.result.prepared.resp_meta.col_count`*::
+
--
type: long
Representing the number of columns selected by the query that produced this result.
--
*`cassandra.response.result.prepared.resp_meta.pkey_columns`*::
+
--
type: long
Representing the PK columns index and counts.
--
*`cassandra.response.result.prepared.resp_meta.paging_state`*::
+
--
type: keyword
The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.
--
*`cassandra.response.supported`*::
+
--
type: object
Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message.
--
[float]
== authentication fields
Indicates that the server requires authentication, and which authentication mechanism to use.
*`cassandra.response.authentication.class`*::
+
--
type: keyword
Indicates the full class name of the IAuthenticator in use
--
*`cassandra.response.warnings`*::
+
--
type: keyword
The text of the warnings; only present when the Warning flag is set in the frame header.
--
[float]
== event fields
Event pushed by the server. A client will only receive events for the types it has REGISTERed to.
*`cassandra.response.event.type`*::
+
--
type: keyword
Representing the event type.
--
*`cassandra.response.event.change`*::
+
--
type: keyword
The type of change (for example a node joining or leaving the cluster), followed by the address of the new or removed node.
--
*`cassandra.response.event.host`*::
+
--
type: keyword
Representing the node ip.
--
*`cassandra.response.event.port`*::
+
--
type: long
Representing the node port.
--
[float]
== schema_change fields
The events details related to schema change.
*`cassandra.response.event.schema_change.change`*::
+
--
type: keyword
Representing the type of change involved.
--
*`cassandra.response.event.schema_change.keyspace`*::
+
--
type: keyword
This describes which keyspace has changed.
--
*`cassandra.response.event.schema_change.table`*::
+
--
type: keyword
This describes which table has changed.
--
*`cassandra.response.event.schema_change.object`*::
+
--
type: keyword
This describes the name of said affected object (either the table, user type, function, or aggregate name).
--
*`cassandra.response.event.schema_change.target`*::
+
--
type: keyword
The kind of object that changed. When the target is "FUNCTION" or "AGGREGATE", the name and the argument types follow.
--
*`cassandra.response.event.schema_change.name`*::
+
--
type: keyword
The function/aggregate name.
--
*`cassandra.response.event.schema_change.args`*::
+
--
type: keyword
One string for each argument type (as CQL type).
--
[float]
== error fields
Indicates an error processing a request. The body of the message will be an error code followed by an error message. Then, depending on the exception, more content may follow.
*`cassandra.response.error.code`*::
+
--
type: long
The error code of the Cassandra response.
--
*`cassandra.response.error.msg`*::
+
--
type: keyword
The error message of the Cassandra response.
--
*`cassandra.response.error.type`*::
+
--
type: keyword
The error type of the Cassandra response.
--
[float]
== details fields
The details of the error.
*`cassandra.response.error.details.read_consistency`*::
+
--
type: keyword
Representing the consistency level of the query that triggered the exception.
--
*`cassandra.response.error.details.required`*::
+
--
type: long
Representing the number of nodes that should be alive to respect consistency level.
--
*`cassandra.response.error.details.alive`*::
+
--
type: long
Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered).
--
*`cassandra.response.error.details.received`*::
+
--
type: long
Representing the number of nodes having acknowledged the request.
--
*`cassandra.response.error.details.blockfor`*::
+
--
type: long
Representing the number of replicas whose acknowledgement is required to achieve consistency level.
--
*`cassandra.response.error.details.write_type`*::
+
--
type: keyword
Describe the type of the write that timed out.
--
*`cassandra.response.error.details.data_present`*::
+
--
type: boolean
Whether the replica that was asked for data responded (true if it did).
--
*`cassandra.response.error.details.keyspace`*::
+
--
type: keyword
The keyspace of the failed function.
--
*`cassandra.response.error.details.table`*::
+
--
type: keyword
The table reported in the error details (for example, the table that already exists in an ALREADY_EXISTS error).
--
*`cassandra.response.error.details.stmt_id`*::
+
--
type: keyword
Representing the prepared statement ID that the node did not recognise (UNPREPARED error).
--
*`cassandra.response.error.details.num_failures`*::
+
--
type: keyword
Representing the number of nodes that experienced a failure while executing the request.
--
*`cassandra.response.error.details.function`*::
+
--
type: keyword
The name of the failed function.
--
*`cassandra.response.error.details.arg_types`*::
+
--
type: keyword
One string for each argument type (as CQL type) of the failed function.
--
[[exported-fields-cloud]]
== Cloud provider metadata fields
Metadata from cloud providers added by the add_cloud_metadata processor.
*`meta.cloud.provider`*::
+
--
example: ec2
Name of the cloud provider. Possible values are ec2, gce, or digitalocean.
--
*`meta.cloud.instance_id`*::
+
--
Instance ID of the host machine.
--
*`meta.cloud.instance_name`*::
+
--
Instance name of the host machine.
--
*`meta.cloud.machine_type`*::
+
--
example: t2.medium
Machine type of the host machine.
--
*`meta.cloud.availability_zone`*::
+
--
example: us-east-1c
Availability zone in which this host is running.
--
*`meta.cloud.project_id`*::
+
--
example: project-x
Name of the project in Google Cloud.
--
*`meta.cloud.region`*::
+
--
Region in which this host is running.
--
[[exported-fields-common]]
== Common fields
These fields contain data about the environment in which the transaction or flow was captured.
*`server`*::
+
--
The name of the server that served the transaction.
--
*`client_server`*::
+
--
The name of the server that initiated the transaction.
--
*`service`*::
+
--
The name of the logical service that served the transaction.
--
*`client_service`*::
+
--
The name of the logical service that initiated the transaction.
--
*`ip`*::
+
--
format: dotted notation.
The IP address of the server that served the transaction.
--
*`client_ip`*::
+
--
format: dotted notation.
The IP address of the server that initiated the transaction.
--
*`real_ip`*::
+
--
format: Dotted notation.
If the server initiating the transaction is a proxy, this field contains the original client IP address. For HTTP, for example, the IP address is extracted from a configurable HTTP header, by default `X-Forwarded-For`.
Unless this field is disabled, it always has a value, and it matches `client_ip` for non-proxy clients. Because the header is supplied by the peer, treat `real_ip` as trustworthy only when `client_ip` is one of your own proxies; any direct client can set `X-Forwarded-For` to an arbitrary value.
--
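The following Python is an added example, not Packetbeat code, showing how a consumer of these events should handle `real_ip`: it is used only when `client_ip` belongs to a trusted-proxy list (the list below is an assumption for the example), and events where any other peer supplied a forwarded address are reported as header spoofing attempts. The sample events are constructed, abbreviated HTTP transactions.

```python
"""Added example (not Packetbeat code): deciding when `real_ip` can be trusted.

`real_ip` is copied from a client-supplied header (`X-Forwarded-For` by
default), so it only means something when the immediate peer, `client_ip`,
is one of your own reverse proxies. The proxy list and events are made up.
"""
import ipaddress
import json
from typing import Iterable, List

# Assumption: the only hosts allowed to set X-Forwarded-For on this network.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.1.0/24", "192.0.2.10/32")]


def is_trusted_proxy(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def attributed_client(event: dict) -> str:
    """IP to attribute the transaction to.

    `client_ip` comes from the packet header and cannot be forged by the HTTP
    client, so it is the fallback whenever `real_ip` is absent, equal,
    unparsable, or supplied by a peer that is not a trusted proxy.
    """
    client_ip = event["client_ip"]
    real_ip = event.get("real_ip") or client_ip
    if real_ip == client_ip or not is_trusted_proxy(client_ip):
        return client_ip
    try:
        ipaddress.ip_address(real_ip)
    except ValueError:
        return client_ip
    return real_ip


def spoofed_forwarded_for(events: Iterable[dict]) -> List[dict]:
    """Events where a peer that is not a trusted proxy supplied a forwarded address."""
    return [
        e for e in events
        if e.get("real_ip") and e["real_ip"] != e["client_ip"]
        and not is_trusted_proxy(e["client_ip"])
    ]


# Constructed sample events (abbreviated Packetbeat HTTP transactions).
SAMPLE_EVENTS = [json.loads(line) for line in """
{"type":"http","client_ip":"10.0.1.5","real_ip":"203.0.113.7","ip":"10.0.2.20","port":80}
{"type":"http","client_ip":"198.51.100.9","real_ip":"127.0.0.1","ip":"10.0.2.20","port":80}
{"type":"http","client_ip":"198.51.100.9","real_ip":"198.51.100.9","ip":"10.0.2.20","port":80}
""".strip().splitlines()]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["client_ip"], "->", attributed_client(e))
    print("spoofed X-Forwarded-For from:",
          [e["client_ip"] for e in spoofed_forwarded_for(SAMPLE_EVENTS)])
```

The second sample event is the interesting one: a host that is not a proxy claims the request came from `127.0.0.1`. Attribution falls back to the packet-level `client_ip`, and the event is reported, since an access-control rule keyed on `real_ip` would otherwise have been bypassed.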
[float]
== client_geoip fields
The GeoIP information of the client.
*`client_geoip.location`*::
+
--
type: geo_point
example: {'lat': 51, 'lon': 9}
The GeoIP location of the `client_ip` address. This field is available only if you define a https://www.elastic.co/guide/en/elasticsearch/plugins/master/using-ingest-geoip.html[GeoIP Processor] as a pipeline in the https://www.elastic.co/guide/en/elasticsearch/plugins/master/ingest-geoip.html[Ingest GeoIP processor plugin] or using Logstash.
--
*`client_port`*::
+
--
format: dotted notation.
The layer 4 port of the process that initiated the transaction.
--
*`transport`*::
+
--
example: udp
The transport protocol used for the transaction. If not specified, then tcp is assumed.
--
*`type`*::
+
--
required: True
The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
--
*`port`*::
+
--
format: dotted notation.
The layer 4 port of the process that served the transaction.
--
*`proc`*::
+
--
The name of the process that served the transaction.
--
*`cmdline`*::
+
--
The command-line of the process that served the transaction.
--
*`client_proc`*::
+
--
The name of the process that initiated the transaction.
--
*`client_cmdline`*::
+
--
The command-line of the process that initiated the transaction.
--
*`release`*::
+
--
The software release of the service serving the transaction. This can be the commit id or a semantic version.
--
[[exported-fields-dhcpv4]]
== DHCPv4 fields
DHCPv4 event fields
*`dhcpv4.transaction_id`*::
+
--
type: keyword
Transaction ID, a random number chosen by the
client, used by the client and server to associate
messages and responses between a client and a
server.
--
*`dhcpv4.seconds`*::
+
--
type: long
Number of seconds elapsed since client began address acquisition or
renewal process.
--
*`dhcpv4.flags`*::
+
--
type: keyword
Flags are set by the client to indicate how the DHCP server should
send its reply -- either unicast or broadcast.
--
*`dhcpv4.client_ip`*::
+
--
type: ip
The current IP address of the client.
--
*`dhcpv4.assigned_ip`*::
+
--
type: ip
The IP address that the DHCP server is assigning to the client.
This field is also known as "your" IP address.
--
*`dhcpv4.server_ip`*::
+
--
type: ip
The IP address of the DHCP server that the client should use for the
next step in the bootstrap process.
--
*`dhcpv4.relay_ip`*::
+
--
type: ip
The IP address of the relay agent through which the client reached the
server, if a DHCP relay was involved.
--
*`dhcpv4.client_mac`*::
+
--
type: keyword
The client's MAC address (layer two).
--
*`dhcpv4.server_name`*::
+
--
type: keyword
The name of the server sending the message. Optional. Used in
DHCPOFFER or DHCPACK messages.
--
*`dhcpv4.op_code`*::
+
--
type: keyword
example: bootreply
The message op code (bootrequest or bootreply).
--
*`dhcpv4.hops`*::
+
--
type: long
The number of hops the DHCP message went through.
--
*`dhcpv4.hardware_type`*::
+
--
type: keyword
The type of hardware used for the local network (Ethernet,
LocalTalk, etc).
--
*`dhcpv4.option.message_type`*::
+
--
type: keyword
example: ack
The specific type of DHCP message being sent (e.g. discover,
offer, request, decline, ack, nak, release, inform).
--
*`dhcpv4.option.parameter_request_list`*::
+
--
type: keyword
This option is used by a DHCP client to request values for
specified configuration parameters.
--
*`dhcpv4.option.requested_ip_address`*::
+
--
type: ip
This option is used in a client request (DHCPDISCOVER) to allow
the client to request that a particular IP address be assigned.
--
*`dhcpv4.option.server_identifier`*::
+
--
type: ip
IP address of the individual DHCP server which handled this
message.
--
*`dhcpv4.option.broadcast_address`*::
+
--
type: ip
This option specifies the broadcast address in use on the
client's subnet.
--
*`dhcpv4.option.max_dhcp_message_size`*::
+
--
type: long
This option specifies the maximum length DHCP message that the
client is willing to accept.
--
*`dhcpv4.option.class_identifier`*::
+
--
type: keyword
This option is used by DHCP clients to optionally identify the
vendor type and configuration of a DHCP client. Vendors may
choose to define specific vendor class identifiers to convey
particular configuration or other identification information
about a client. For example, the identifier may encode the
client's hardware configuration.
--
*`dhcpv4.option.domain_name`*::
+
--
type: keyword
This option specifies the domain name that client should use
when resolving hostnames via the Domain Name System.
--
*`dhcpv4.option.dns_servers`*::
+
--
type: ip
The domain name server option specifies a list of Domain Name
System servers available to the client.
--
*`dhcpv4.option.vendor_identifying_options`*::
+
--
type: object
A DHCP client may use this option to unambiguously identify the
vendor that manufactured the hardware on which the client is
running, the software in use, or an industry consortium to which
the vendor belongs. This field is described in RFC 3925.
--
*`dhcpv4.option.subnet_mask`*::
+
--
type: ip
The subnet mask that the client should use on the current
network.
--
*`dhcpv4.option.utc_time_offset_sec`*::
+
--
type: long
The time offset field specifies the offset of the client's
subnet in seconds from Coordinated Universal Time (UTC).
--
*`dhcpv4.option.router`*::
+
--
type: ip
The router option specifies a list of IP addresses for routers
on the client's subnet.
--
*`dhcpv4.option.time_servers`*::
+
--
type: ip
The time server option specifies a list of RFC 868 time servers
available to the client.
--
*`dhcpv4.option.ntp_servers`*::
+
--
type: ip
This option specifies a list of IP addresses indicating NTP
servers available to the client.
--
*`dhcpv4.option.hostname`*::
+
--
type: keyword
This option specifies the name of the client.
--
*`dhcpv4.option.ip_address_lease_time_sec`*::
+
--
type: long
This option is used in a client request (DHCPDISCOVER or
DHCPREQUEST) to allow the client to request a lease time for the
IP address. In a server reply (DHCPOFFER), a DHCP server uses
this option to specify the lease time it is willing to offer.
--
*`dhcpv4.option.message`*::
+
--
type: text
This option is used by a DHCP server to provide an error message
to a DHCP client in a DHCPNAK message in the event of a failure.
A client may use this option in a DHCPDECLINE message to
indicate why the client declined the offered parameters.
--
*`dhcpv4.option.renewal_time_sec`*::
+
--
type: long
This option specifies the time interval from address assignment
until the client transitions to the RENEWING state.
--
*`dhcpv4.option.rebinding_time_sec`*::
+
--
type: long
This option specifies the time interval from address assignment
until the client transitions to the REBINDING state.
--
*`dhcpv4.option.boot_file_name`*::
+
--
type: keyword
This option is used to identify a bootfile when the 'file' field
in the DHCP header has been used for DHCP options.
--
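The server-side option fields above (`dhcpv4.option.server_identifier`, `dhcpv4.option.dns_servers`, `dhcpv4.option.router`) together with `dhcpv4.transaction_id` are what a rogue-DHCP detection keys on. The Python below is an added example, not Packetbeat code: it checks `offer` and `ack` replies against an allowlist of DHCP servers and the resolvers and gateway they are expected to hand out, and flags transactions that received offers from more than one server. The allowlists, the expected values and the sample events are assumptions constructed for the example.

```python
"""Added example (not Packetbeat code): rogue DHCP server detection over
Packetbeat dhcpv4 events. Allowlists and sample events are made up."""
import json
from collections import defaultdict
from typing import Dict, Iterable, List

# Assumptions for this segment: the legitimate DHCP servers and the resolvers
# and default gateway they are expected to hand out.
AUTHORIZED_SERVERS = {"10.0.0.2"}
EXPECTED_DNS = {"10.0.0.53"}
EXPECTED_ROUTERS = {"10.0.0.1"}


def dhcp_findings(events: Iterable[dict]) -> List[Dict[str, str]]:
    """Return one finding per rule hit.

    Only server replies (bootreply carrying an offer or ack) are examined. A
    rogue server shows up as an unknown server_identifier, as unexpected DNS or
    router options (traffic hijack via DHCP), or as a second offer competing
    for the same transaction_id.
    """
    findings: List[Dict[str, str]] = []
    offers_by_xid: Dict[str, set] = defaultdict(set)
    for e in events:
        d = e.get("dhcpv4", {})
        opt = d.get("option", {})
        mtype = opt.get("message_type")
        if d.get("op_code") != "bootreply" or mtype not in ("offer", "ack"):
            continue
        xid = d.get("transaction_id", "")
        server = opt.get("server_identifier") or "unknown"
        base = {"xid": xid, "server": server}
        if server not in AUTHORIZED_SERVERS:
            findings.append({"rule": "unauthorized_server", **base})
        if set(opt.get("dns_servers", [])) - EXPECTED_DNS:
            findings.append({"rule": "unexpected_dns", **base})
        if set(opt.get("router", [])) - EXPECTED_ROUTERS:
            findings.append({"rule": "unexpected_router", **base})
        if mtype == "offer":
            offers_by_xid[xid].add(server)
    for xid, servers in offers_by_xid.items():
        if len(servers) > 1:
            findings.append({"rule": "competing_offers", "xid": xid,
                             "server": ",".join(sorted(servers))})
    return findings


# Constructed sample events: one discover, a legitimate offer, a rogue offer
# for the same transaction pointing DNS and the gateway at itself, and the ack.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"type":"dhcpv4","dhcpv4":{"op_code":"bootrequest","transaction_id":"0x7ab3c1d2","client_mac":"00:11:22:33:44:55","option":{"message_type":"discover","parameter_request_list":["Subnet Mask","Router","Domain Name Server"]}}}
{"type":"dhcpv4","dhcpv4":{"op_code":"bootreply","transaction_id":"0x7ab3c1d2","assigned_ip":"10.0.0.77","option":{"message_type":"offer","server_identifier":"10.0.0.2","dns_servers":["10.0.0.53"],"router":["10.0.0.1"],"ip_address_lease_time_sec":86400}}}
{"type":"dhcpv4","dhcpv4":{"op_code":"bootreply","transaction_id":"0x7ab3c1d2","assigned_ip":"10.0.0.200","option":{"message_type":"offer","server_identifier":"10.0.0.99","dns_servers":["10.0.0.99"],"router":["10.0.0.99"],"ip_address_lease_time_sec":60}}}
{"type":"dhcpv4","dhcpv4":{"op_code":"bootreply","transaction_id":"0x7ab3c1d2","assigned_ip":"10.0.0.77","option":{"message_type":"ack","server_identifier":"10.0.0.2","dns_servers":["10.0.0.53"],"router":["10.0.0.1"]}}}
""".strip().splitlines()]

if __name__ == "__main__":
    for f in dhcp_findings(SAMPLE_EVENTS):
        print(f"{f['rule']:20} xid={f['xid']} server={f['server']}")
```

A reply with no `server_identifier` option at all is treated as unauthorized rather than skipped, since a conforming server always includes it in offers and acks; drop that choice if your environment has relays that strip options.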
[[exported-fields-dns]]
== DNS fields
DNS-specific event fields.
*`dns.id`*::
+
--
type: long
The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
--
*`dns.op_code`*::
+
--
example: QUERY
The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.
--
*`dns.flags.authoritative`*::
+
--
type: boolean
A DNS flag specifying that the responding server is an authority for the domain name used in the question.
--
*`dns.flags.recursion_available`*::
+
--
type: boolean
A DNS flag specifying whether recursive query support is available in the name server.
--
*`dns.flags.recursion_desired`*::
+
--
type: boolean
A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional.
--
*`dns.flags.authentic_data`*::
+
--
type: boolean
A DNS flag specifying that the recursive server considers the response authentic.
--
*`dns.flags.checking_disabled`*::
+
--
type: boolean
A DNS flag (CD, checking disabled) specifying that the client asks the server not to perform DNSSEC signature validation and to return the data even if it would not validate.
--
*`dns.flags.truncated_response`*::
+
--
type: boolean
A DNS flag (TC) specifying that the response was truncated because it did not fit the transport's message size limit (512 bytes over UDP without EDNS). A client is expected to retry the query over TCP.
--
*`dns.response_code`*::
+
--
example: NOERROR
The DNS status code.
--
*`dns.question.name`*::
+
--
example: www.google.com.
The domain name being queried. If the name field contains non-printable characters (below 32 or above 126), then those characters are represented as escaped base 10 integers (\DDD). Back slashes and quotes are escaped. Tabs, carriage returns, and line feeds are converted to \t, \r, and \n respectively.
--
*`dns.question.type`*::
+
--
example: AAAA
The type of records being queried.
--
*`dns.question.class`*::
+
--
example: IN
The class of records being queried.
--
*`dns.question.etld_plus_one`*::
+
--
example: amazon.co.uk.
The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org.
--
*`dns.answers`*::
+
--
type: object
An array containing a dictionary about each answer section returned by the server.
--
*`dns.answers_count`*::
+
--
type: long
The number of resource records contained in the `dns.answers` field.
--
*`dns.answers.name`*::
+
--
example: example.com.
The domain name to which this resource record pertains.
--
*`dns.answers.type`*::
+
--
example: MX
The type of data contained in this resource record.
--
*`dns.answers.class`*::
+
--
example: IN
The class of DNS data contained in this resource record.
--
*`dns.answers.ttl`*::
+
--
type: long
The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
--
*`dns.answers.data`*::
+
--
The data describing the resource. The meaning of this data depends on the type and class of the resource record.
--
*`dns.authorities`*::
+
--
type: object
An array containing a dictionary for each authority section from the answer.
--
*`dns.authorities_count`*::
+
--
type: long
The number of resource records contained in the `dns.authorities` field. The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat.
--
*`dns.authorities.name`*::
+
--
example: example.com.
The domain name to which this resource record pertains.
--
*`dns.authorities.type`*::
+
--
example: NS
The type of data contained in this resource record.
--
*`dns.authorities.class`*::
+
--
example: IN
The class of DNS data contained in this resource record.
--
*`dns.additionals`*::
+
--
type: object
An array containing a dictionary for each additional section from the answer.
--
*`dns.additionals_count`*::
+
--
type: long
The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat.
--
*`dns.additionals.name`*::
+
--
example: example.com.
The domain name to which this resource record pertains.
--
*`dns.additionals.type`*::
+
--
example: NS
The type of data contained in this resource record.
--
*`dns.additionals.class`*::
+
--
example: IN
The class of DNS data contained in this resource record.
--
*`dns.additionals.ttl`*::
+
--
type: long
The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
--
*`dns.additionals.data`*::
+
--
The data describing the resource. The meaning of this data depends on the type and class of the resource record.
--
*`dns.opt.version`*::
+
--
example: 0
The EDNS version.
--
*`dns.opt.do`*::
+
--
type: boolean
The DNSSEC OK (DO) bit of the OPT record. If set, the requester can accept DNSSEC resource records in the response; it does not by itself mean that the answer was validated.
--
*`dns.opt.ext_rcode`*::
+
--
example: BADVERS
Extended response code field.
--
*`dns.opt.udp_size`*::
+
--
type: long
Requestor's UDP payload size (in bytes).
--
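The `dns.question.name` escaping rules (`\DDD`, `\\`, `\"`, `\t`, `\r`, `\n`), the `dns.question.etld_plus_one` field and the truncation flag described above are enough to triage DNS events for tunnelling and label-smuggling without touching the raw packet. The Python below is an added example, not Packetbeat code: it decodes the escaped name back to bytes, isolates the labels below the eTLD+1, and applies a few heuristics. The thresholds, rule names and sample events are assumptions constructed for the example.

```python
"""Added example (not Packetbeat code): decode an escaped dns.question.name and
apply simple tunnelling/abuse heuristics. Thresholds, rule names and sample
events are made up for the example."""
import json
import math
from typing import Dict, List

_SIMPLE_ESCAPES = {"t": "\t", "r": "\r", "n": "\n", "\\": "\\", '"': '"'}


def unescape_dns_name(name: str) -> bytes:
    """Reverse the escaping applied to dns.question.name: \\DDD is a byte value
    in decimal, \\t \\r \\n are control characters, \\\\ and \\" are literals.
    Returns bytes because a DNS label may hold any octet."""
    out = bytearray()
    i = 0
    while i < len(name):
        if name[i] != "\\":
            out += name[i].encode("utf-8")
            i += 1
            continue
        digits = name[i + 1:i + 4]
        if len(digits) == 3 and digits.isascii() and digits.isdigit():
            value = int(digits)
            if value > 255:
                raise ValueError(f"escape out of range in {name!r} at {i}")
            out.append(value)
            i += 4
        elif name[i + 1:i + 2] in _SIMPLE_ESCAPES:
            out += _SIMPLE_ESCAPES[name[i + 1]].encode("utf-8")
            i += 2
        else:
            raise ValueError(f"malformed escape in {name!r} at {i}")
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def subdomain_labels(question: dict) -> str:
    """The labels below the eTLD+1 (both names carry a trailing dot)."""
    name, base = question["name"], question.get("etld_plus_one", "")
    if base and name == base:
        return ""
    if base and name.endswith("." + base):
        return name[:-len(base) - 1]
    return name.rstrip(".")  # no registrable suffix known, e.g. "localhost."


def triage(event: dict, max_len: int = 40, min_entropy: float = 3.5) -> List[str]:
    dns = event["dns"]
    question = dns["question"]
    raw = unescape_dns_name(subdomain_labels(question))
    reasons: List[str] = []
    if any(b < 32 or b > 126 for b in raw):
        reasons.append("control_bytes")  # NUL, CR/LF etc. smuggled into a label
    if len(raw) > max_len:
        reasons.append("long_subdomain")  # data-carrying labels, typical of tunnels
    if len(raw) >= 16 and shannon_entropy(raw) > min_entropy:
        reasons.append("high_entropy")  # encoded payload rather than a hostname
    if question.get("type") in ("TXT", "NULL") and len(raw) > 20:
        reasons.append("bulk_record_type")  # record types favoured for downstream data
    if dns.get("flags", {}).get("truncated_response") and event.get("transport", "tcp") == "udp":
        reasons.append("truncated_udp_response")  # a TCP retry should follow; its absence is notable
    return reasons


def triage_all(events) -> Dict[str, List[str]]:
    return {e["dns"]["question"]["name"]: triage(e) for e in events}


# Constructed sample events: a normal lookup, a tunnel-shaped TXT query, a
# truncated UDP response and a name with an embedded NUL byte.
SAMPLE_EVENTS = [json.loads(line) for line in r"""
{"type":"dns","transport":"udp","dns":{"question":{"name":"www.example.com.","type":"A","class":"IN","etld_plus_one":"example.com."},"flags":{"truncated_response":false}}}
{"type":"dns","transport":"udp","dns":{"question":{"name":"7a5b3c9d1e2f4a6b8c0d1e2f3a4b5c6d7e8f9a0b.dns.example.com.","type":"TXT","class":"IN","etld_plus_one":"example.com."},"flags":{"truncated_response":false}}}
{"type":"dns","transport":"udp","dns":{"question":{"name":"_dmarc.example.com.","type":"TXT","class":"IN","etld_plus_one":"example.com."},"flags":{"truncated_response":true}}}
{"type":"dns","transport":"udp","dns":{"question":{"name":"evil\\000null.example.com.","type":"A","class":"IN","etld_plus_one":"example.com."},"flags":{"truncated_response":false}}}
""".strip().splitlines()]

if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLE_EVENTS).items():
        print(name, reasons or "ok")
```

Working on the decoded bytes rather than the escaped string matters for the length and entropy rules: a single smuggled byte expands to four characters in the escaped form and would otherwise inflate both measures.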
[[exported-fields-docker-processor]]
== Docker fields
Container metadata added by the add_docker_metadata processor.
*`docker.container.id`*::
+
--
type: keyword
Unique container id.
--
*`docker.container.image`*::
+
--
type: keyword
Name of the image the container was built on.
--
*`docker.container.name`*::
+
--
type: keyword
Container name.
--
*`docker.container.labels`*::
+
--
type: object
Container labels (including labels inherited from the image).
--
[[exported-fields-flows_event]]
== Flow Event fields
These fields contain data about the flow itself.
*`start_time`*::
+
--
type: date
example: 2015-01-24 14:06:05.071000
format: YYYY-MM-DDTHH:MM:SS.milliZ
required: True
The time at which the first packet of the flow was seen.
--
*`last_time`*::
+
--
type: date
example: 2015-01-24 14:06:05.071000
format: YYYY-MM-DDTHH:MM:SS.milliZ
required: True
The time at which the most recently processed packet of the flow was seen.
--
*`final`*::
+
--
Indicates whether this event is the last one for the flow. If `final` is false, the event reports an intermediate flow state only, and further events for the same flow will follow.
--
*`flow_id`*::
+
--
Internal flow id based on connection meta data and address.
--
*`vlan`*::
+
--
Innermost VLAN ID used in network packets.
--
*`outer_vlan`*::
+
--
Second innermost VLAN ID used in network packets.
--
[float]
== source fields
Properties of the source host
*`source.mac`*::
+
--
Source MAC address as indicated by first packet seen for the current flow.
--
*`source.ip`*::
+
--
Innermost IPv4 source address as indicated by first packet seen for the current flow.
--
*`source.ip_location`*::
+
--
type: geo_point
example: 40.715, -74.011
The GeoIP location of the `source.ip` address. The field is a string containing the latitude and longitude separated by a comma.
--
*`source.outer_ip`*::
+
--
Second innermost IPv4 source address as indicated by first packet seen for the current flow.
--
*`source.outer_ip_location`*::
+
--
type: geo_point
example: 40.715, -74.011
The GeoIP location of the `outer_ip_source` IP address. The field is a string containing the latitude and longitude separated by a comma.
--
*`source.ipv6`*::
+
--
Innermost IPv6 source address as indicated by first packet seen for the current flow.
--
*`source.ipv6_location`*::
+
--
type: geo_point
example: 60.715, -76.011
The GeoIP location of the `ipv6_source` IP address. The field is a string containing the latitude and longitude separated by a comma.
--
*`source.outer_ipv6`*::
+
--
Second innermost IPv6 source address as indicated by first packet seen for the current flow.
--
*`source.outer_ipv6_location`*::
+
--
type: geo_point
example: 60.715, -76.011
The GeoIP location of the `outer_ipv6_source` IP address. The field is a string containing the latitude and longitude separated by a comma.
--
*`source.port`*::
+
--
Source port number as indicated by first packet seen for the current flow.
--
[float]
== stats fields
Object with source to destination flow measurements.
*`source.stats.net_packets_total`*::
+
--
type: long
Total number of packets
--
*`source.stats.net_bytes_total`*::
+
--
type: long
Total number of bytes
--
[float]
== dest fields
Properties of the destination host
*`dest.mac`*::
+
--
Destination MAC address as indicated by first packet seen for the current flow.
--
*`dest.ip`*::
+
--
Innermost IPv4 destination address as indicated by first packet seen for the current flow.
--
*`dest.ip_location`*::
+
--
type: geo_point
example: 40.715, -74.011
The GeoIP location of the `ip_dest` IP address. The field is a string containing the latitude and longitude separated by a comma.
--
*`dest.outer_ip`*::
+
--
Second innermost IPv4 destination address as indicated by first packet seen for the current flow.
--
*`dest.outer_ip_location`*::
+
--
type: geo_point
example: 40.715, -74.011
The GeoIP location of the `outer_ip_dest` IP address. The field is a string containing the latitude and longitude separated by a comma.
--
*`dest.ipv6`*::
+
--
Innermost IPv6 destination address as indicated by first packet seen for the current flow.
--
*`dest.ipv6_location`*::
+
--
type: geo_point
example: 60.715, -76.011
The GeoIP location of the `ipv6_dest` IP address. The field is a string containing the latitude and longitude separated by a comma.
--
*`dest.outer_ipv6`*::
+
--
Second innermost IPv6 destination address as indicated by first packet seen for the current flow.
--
*`dest.outer_ipv6_location`*::
+
--
type: geo_point
example: 60.715, -76.011
The GeoIP location of the `outer_ipv6_dest` IP address. The field is a string containing the latitude and longitude separated by a comma.
--
*`dest.port`*::
+
--
Destination port number as indicated by first packet seen for the current flow.
--
[float]
== stats fields
Object with destination to source flow measurements.
*`dest.stats.net_packets_total`*::
+
--
type: long
Total number of packets
--
*`dest.stats.net_bytes_total`*::
+
--
type: long
Total number of bytes
--
*`icmp_id`*::
+
--
ICMP id used in ICMP based flow.
--
*`connection_id`*::
+
--
Optional TCP connection id.
--
[[exported-fields-host-processor]]
== Host fields
Info collected for the host machine.
*`host.name`*::
+
--
type: keyword
Hostname.
--
*`host.id`*::
+
--
type: keyword
Unique host id.
--
*`host.architecture`*::
+
--
type: keyword
Host architecture (e.g. x86_64, arm, ppc, mips).
--
*`host.os.platform`*::
+
--
type: keyword
OS platform (e.g. centos, ubuntu, windows).
--
*`host.os.version`*::
+
--
type: keyword
OS version.
--
*`host.os.family`*::
+
--
type: keyword
OS family (e.g. redhat, debian, freebsd, windows).
--
*`host.ip`*::
+
--
type: ip
List of IP addresses.
--
*`host.mac`*::
+
--
type: keyword
List of hardware addresses, usually MAC addresses.
--
[[exported-fields-http]]
== HTTP fields
HTTP-specific event fields.
[float]
== http fields
Information about the HTTP request and response.
[float]
== request fields
HTTP request
*`http.request.params`*::
+
--
The query parameters or form values. The query parameters are available in the Request-URI and the form values are set in the HTTP body when the content-type is set to `x-www-form-urlencoded`.
--
*`http.request.headers`*::
+
--
type: object
A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.
--
*`http.request.body`*::
+
--
type: text
The body of the HTTP request.
--
[float]
== response fields
HTTP response
*`http.response.code`*::
+
--
example: 404
The HTTP status code.
--
*`http.response.phrase`*::
+
--
example: Not found.
The HTTP status phrase.
--
*`http.response.headers`*::
+
--
type: object
A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.
--
*`http.response.body`*::
+
--
type: text
The body of the HTTP response.
--
[[exported-fields-icmp]]
== ICMP fields
ICMP specific event fields.
*`icmp.version`*::
+
--
The version of the ICMP protocol.
--
*`icmp.request.message`*::
+
--
type: keyword
A human readable form of the request.
--
*`icmp.request.type`*::
+
--
type: long
The request type.
--
*`icmp.request.code`*::
+
--
type: long
The request code.
--
*`icmp.response.message`*::
+
--
type: keyword
A human readable form of the response.
--
*`icmp.response.type`*::
+
--
type: long
The response type.
--
*`icmp.response.code`*::
+
--
type: long
The response code.
--
[[exported-fields-kubernetes-processor]]
== Kubernetes fields
Kubernetes metadata added by the kubernetes processor
*`kubernetes.pod.name`*::
+
--
type: keyword
Kubernetes pod name
--
*`kubernetes.pod.uid`*::
+
--
type: keyword
Kubernetes Pod UID
--
*`kubernetes.namespace`*::
+
--
type: keyword
Kubernetes namespace
--
*`kubernetes.node.name`*::
+
--
type: keyword
Kubernetes node name
--
*`kubernetes.labels`*::
+
--
type: object
Kubernetes labels map
--
*`kubernetes.annotations`*::
+
--
type: object
Kubernetes annotations map
--
*`kubernetes.container.name`*::
+
--
type: keyword
Kubernetes container name
--
*`kubernetes.container.image`*::
+
--
type: keyword
Kubernetes container image
--
[[exported-fields-memcache]]
== Memcache fields
Memcached-specific event fields
*`memcache.protocol_type`*::
+
--
type: keyword
The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type.
--
*`memcache.request.line`*::
+
--
type: keyword
The raw command line for unknown commands ONLY.
--
*`memcache.request.command`*::
+
--
type: keyword
The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands.
--
*`memcache.response.command`*::
+
--
type: keyword
Either the text based protocol response message type or the name of the originating request if binary protocol is used.
--
*`memcache.request.type`*::
+
--
type: keyword
The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth".
--
*`memcache.response.type`*::
+
--
type: keyword
The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol).
--
*`memcache.response.error_msg`*::
+
--
type: keyword
The optional error message in the memcache response (text based protocol only).
--
*`memcache.request.opcode`*::
+
--
type: keyword
The binary protocol message opcode name.
--
*`memcache.response.opcode`*::
+
--
type: keyword
The binary protocol message opcode name.
--
*`memcache.request.opcode_value`*::
+
--
type: long
The binary protocol message opcode value.
--
*`memcache.response.opcode_value`*::
+
--
type: long
The binary protocol message opcode value.
--
*`memcache.request.opaque`*::
+
--
type: long
The binary protocol opaque header value used for correlating request with response messages.
--
*`memcache.response.opaque`*::
+
--
type: long
The binary protocol opaque header value used for correlating request with response messages.
--
*`memcache.request.vbucket`*::
+
--
type: long
The vbucket index sent in the binary message.
--
*`memcache.response.status`*::
+
--
type: keyword
The textual representation of the response error code (binary protocol only).
--
*`memcache.response.status_code`*::
+
--
type: long
The status code value returned in the response (binary protocol only).
--
*`memcache.request.keys`*::
+
--
type: array
The list of keys sent in the store or load commands.
--
*`memcache.response.keys`*::
+
--
type: array
The list of keys returned for the load command (if present).
--
*`memcache.request.count_values`*::
+
--
type: long
The number of values found in the memcache request message. If the command does not send any data, this field is missing.
--
*`memcache.response.count_values`*::
+
--
type: long
The number of values found in the memcache response message. If the command does not send any data, this field is missing.
--
*`memcache.request.values`*::
+
--
type: array
The list of base64 encoded values sent with the request (if present).
--
*`memcache.response.values`*::
+
--
type: array
The list of base64 encoded values sent with the response (if present).
--
*`memcache.request.bytes`*::
+
--
type: long
format: bytes
The byte count of the values being transferred.
--
*`memcache.response.bytes`*::
+
--
type: long
format: bytes
The byte count of the values being transferred.
--
*`memcache.request.delta`*::
+
--
type: long
The counter increment/decrement delta value.
--
*`memcache.request.initial`*::
+
--
type: long
The counter increment/decrement initial value parameter (binary protocol only).
--
*`memcache.request.verbosity`*::
+
--
type: long
The value of the memcache "verbosity" command.
--
*`memcache.request.raw_args`*::
+
--
type: keyword
The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands.
--
*`memcache.request.source_class`*::
+
--
type: long
The source class id in 'slab reassign' command.
--
*`memcache.request.dest_class`*::
+
--
type: long
The destination class id in 'slab reassign' command.
--
*`memcache.request.automove`*::
+
--
type: keyword
The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown.
--
*`memcache.request.flags`*::
+
--
type: long
The memcache command flags sent in the request (if present).
--
*`memcache.response.flags`*::
+
--
type: long
The memcache message flags sent in the response (if present).
--
*`memcache.request.exptime`*::
+
--
type: long
The data expiry time in seconds sent with the memcache command (if present). If the value is <30 days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit).
--
*`memcache.request.sleep_us`*::
+
--
type: long
The sleep setting in microseconds for the 'lru_crawler sleep' command.
--
*`memcache.response.value`*::
+
--
type: long
The counter value returned by a counter operation.
--
*`memcache.request.noreply`*::
+
--
type: boolean
Set to true if noreply was set in the request. The `memcache.response` field will be missing.
--
*`memcache.request.quiet`*::
+
--
type: boolean
Set to true if the binary protocol message is to be treated as a quiet message.
--
*`memcache.request.cas_unique`*::
+
--
type: long
The CAS (compare-and-swap) identifier if present.
--
*`memcache.response.cas_unique`*::
+
--
type: long
The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present).
--
*`memcache.response.stats`*::
+
--
type: array
The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value".
--
*`memcache.response.version`*::
+
--
type: keyword
The returned memcache version string.
--
[[exported-fields-mongodb]]
== MongoDb fields
MongoDB-specific event fields. These fields mirror closely the fields for the MongoDB wire protocol. The higher level fields (for example, `query` and `resource`) apply to MongoDB events as well.
*`mongodb.error`*::
+
--
If the MongoDB request has resulted in an error, this field contains the error message returned by the server.
--
*`mongodb.fullCollectionName`*::
+
--
The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar.
--
*`mongodb.numberToSkip`*::
+
--
type: long
Sets the number of documents to omit, starting from the first document in the resulting dataset, when returning the result of the query.
--
*`mongodb.numberToReturn`*::
+
--
type: long
The requested maximum number of documents to be returned.
--
*`mongodb.numberReturned`*::
+
--
type: long
The number of documents in the reply.
--
*`mongodb.startingFrom`*::
+
--
Where in the cursor this reply is starting.
--
*`mongodb.query`*::
+
--
A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot.
--
*`mongodb.returnFieldsSelector`*::
+
--
A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1.
--
*`mongodb.selector`*::
+
--
A BSON document that specifies the query for selecting the document to update or delete.
--
*`mongodb.update`*::
+
--
A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual.
--
*`mongodb.cursorId`*::
+
--
The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database.
--
[float]
== rpc fields
OncRPC specific event fields.
*`rpc.xid`*::
+
--
RPC message transaction identifier.
--
*`rpc.call_size`*::
+
--
type: long
RPC call size with argument.
--
*`rpc.reply_size`*::
+
--
type: long
RPC reply size with argument.
--
*`rpc.status`*::
+
--
RPC message reply status.
--
*`rpc.time`*::
+
--
type: long
RPC message processing time.
--
*`rpc.time_str`*::
+
--
RPC message processing time in human readable form.
--
*`rpc.auth_flavor`*::
+
--
RPC authentication flavor.
--
*`rpc.cred.uid`*::
+
--
type: long
RPC caller's user id, in case of auth-unix.
--
*`rpc.cred.gid`*::
+
--
type: long
RPC caller's group id, in case of auth-unix.
--
*`rpc.cred.gids`*::
+
--
RPC caller's secondary group ids, in case of auth-unix.
--
*`rpc.cred.stamp`*::
+
--
type: long
Arbitrary ID which the caller machine may generate.
--
*`rpc.cred.machinename`*::
+
--
The name of the caller's machine.
--
[[exported-fields-mysql]]
== MySQL fields
MySQL-specific event fields.
*`mysql.iserror`*::
+
--
type: boolean
If the MySQL query returns an error, this field is set to true.
--
*`mysql.affected_rows`*::
+
--
type: long
If the MySQL command is successful, this field contains the affected number of rows of the last statement.
--
*`mysql.insert_id`*::
+
--
If the INSERT query is successful, this field contains the id of the newly inserted row.
--
*`mysql.num_fields`*::
+
--
If the SELECT query is successful, this field is set to the number of fields returned.
--
*`mysql.num_rows`*::
+
--
If the SELECT query is successful, this field is set to the number of rows returned.
--
*`mysql.query`*::
+
--
The raw MySQL query as read from the transaction's request.
--
*`mysql.error_code`*::
+
--
type: long
The error code returned by MySQL.
--
*`mysql.error_message`*::
+
--
The error info message returned by MySQL.
--
[[exported-fields-nfs]]
== NFS fields
NFS v4/3 specific event fields.
*`nfs.version`*::
+
--
type: long
NFS protocol version number.
--
*`nfs.minor_version`*::
+
--
type: long
NFS protocol minor version number.
--
*`nfs.tag`*::
+
--
NFS v4 COMPOUND operation tag.
--
*`nfs.opcode`*::
+
--
NFS operation name, or main operation name, in case of COMPOUND calls.
--
*`nfs.status`*::
+
--
NFS operation reply status.
--
[[exported-fields-pgsql]]
== PostgreSQL fields
PostgreSQL-specific event fields.
*`pgsql.query`*::
+
--
The raw pgsql query as read from the transaction's request.
--
*`pgsql.iserror`*::
+
--
type: boolean
If the PgSQL query returns an error, this field is set to true.
--
*`pgsql.error_code`*::
+
--
type: long
The PostgreSQL error code.
--
*`pgsql.error_message`*::
+
--
The PostgreSQL error message.
--
*`pgsql.error_severity`*::
+
--
The PostgreSQL error severity.
--
*`pgsql.num_fields`*::
+
--
If the SELECT query is successful, this field is set to the number of fields returned.
--
*`pgsql.num_rows`*::
+
--
If the SELECT query is successful, this field is set to the number of rows returned.
--
[[exported-fields-raw]]
== Raw fields
These fields contain the raw transaction data.
*`request`*::
+
--
type: text
For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
--
*`response`*::
+
--
type: text
For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the response.
--
[[exported-fields-redis]]
== Redis fields
Redis-specific event fields.
*`redis.return_value`*::
+
--
The return value of the Redis command in a human readable format.
--
*`redis.error`*::
+
--
If the Redis command has resulted in an error, this field contains the error message returned by the Redis server.
--
[[exported-fields-thrift]]
== Thrift-RPC fields
Thrift-RPC specific event fields.
*`thrift.params`*::
+
--
The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used.
--
*`thrift.service`*::
+
--
The name of the Thrift-RPC service as defined in the IDL files.
--
*`thrift.return_value`*::
+
--
The value returned by the Thrift-RPC call. This is encoded in a human readable format.
--
*`thrift.exceptions`*::
+
--
If the call resulted in exceptions, this field contains the exceptions in a human readable format.
--
[[exported-fields-tls]]
== TLS fields
TLS-specific event fields.
*`tls.handshake_completed`*::
+
--
type: boolean
Whether the TLS negotiation has been successful and the session has transitioned to encrypted mode.
--
*`tls.resumed`*::
+
--
type: boolean
If the TLS session has been resumed from a previous session.
--
*`tls.resumption_method`*::
+
--
type: keyword
If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension.
--
*`tls.client_certificate_requested`*::
+
--
type: boolean
Whether the server has requested the client to authenticate itself using a client certificate.
--
*`tls.client_hello.version`*::
+
--
type: keyword
The version of the TLS protocol by which the client wishes to communicate during this session.
--
*`tls.client_hello.supported_ciphers`*::
+
--
type: array
List of ciphers the client is willing to use for this session. See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
--
*`tls.client_hello.supported_compression_methods`*::
+
--
type: array
The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml
--
[float]
== extensions fields
The hello extensions provided by the client.
*`tls.client_hello.extensions.server_name_indication`*::
+
--
type: keyword
List of hostnames
--
*`tls.client_hello.extensions.application_layer_protocol_negotiation`*::
+
--
type: keyword
List of application-layer protocols the client is willing to use.
--
*`tls.client_hello.extensions.session_ticket`*::
+
--
type: keyword
Length of the session ticket, if provided, or an empty string to advertise support for tickets.
--
*`tls.server_hello.version`*::
+
--
type: keyword
The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello.
--
*`tls.server_hello.selected_cipher`*::
+
--
type: keyword
The cipher suite selected by the server from the list provided in the client hello.
--
*`tls.server_hello.selected_compression_method`*::
+
--
type: keyword
The compression method selected by the server from the list provided in the client hello.
--
[float]
== extensions fields
The hello extensions provided by the server.
*`tls.server_hello.extensions.application_layer_protocol_negotiation`*::
+
--
type: array
Negotiated application layer protocol
--
*`tls.server_hello.extensions.session_ticket`*::
+
--
type: keyword
Used to announce that a session ticket will be provided by the server. Always an empty string.
--
[float]
== client_certificate fields
Certificate provided by the client for authentication.
*`tls.client_certificate.version`*::
+
--
type: long
X509 format version.
--
*`tls.client_certificate.serial_number`*::
+
--
type: keyword
The certificate's serial number.
--
*`tls.client_certificate.not_before`*::
+
--
type: date
Date before which the certificate is not valid.
--
*`tls.client_certificate.not_after`*::
+
--
type: date
Date after which the certificate expires.
--
*`tls.client_certificate.public_key_algorithm`*::
+
--
type: keyword
The algorithm used for this certificate's public key. One of RSA, DSA or ECDSA.
--
*`tls.client_certificate.public_key_size`*::
+
--
type: long
Size of the public key.
--
*`tls.client_certificate.signature_algorithm`*::
+
--
type: keyword
The algorithm used for the certificate's signature.
--
*`tls.client_certificate.alternative_names`*::
+
--
type: array
Subject Alternative Names for this certificate.
--
*`tls.client_certificate.raw`*::
+
--
type: keyword
The raw certificate in PEM format.
--
[float]
== subject fields
Subject represented by this certificate.
*`tls.client_certificate.subject.country`*::
+
--
type: keyword
Country code.
--
*`tls.client_certificate.subject.organization`*::
+
--
type: keyword
Organization name.
--
*`tls.client_certificate.subject.organizational_unit`*::
+
--
type: keyword
Unit within organization.
--
*`tls.client_certificate.subject.province`*::
+
--
type: keyword
Province or region within country.
--
*`tls.client_certificate.subject.common_name`*::
+
--
type: keyword
Name or host name identified by the certificate.
--
[float]
== issuer fields
Entity that issued and signed this certificate.
*`tls.client_certificate.issuer.country`*::
+
--
type: keyword
Country code.
--
*`tls.client_certificate.issuer.organization`*::
+
--
type: keyword
Organization name.
--
*`tls.client_certificate.issuer.organizational_unit`*::
+
--
type: keyword
Unit within organization.
--
*`tls.client_certificate.issuer.province`*::
+
--
type: keyword
Province or region within country.
--
*`tls.client_certificate.issuer.common_name`*::
+
--
type: keyword
Name or host name identified by the certificate.
--
[float]
== server_certificate fields
Certificate provided by the server for authentication.
*`tls.server_certificate.version`*::
+
--
type: long
X509 format version.
--
*`tls.server_certificate.serial_number`*::
+
--
type: keyword
The certificate's serial number.
--
*`tls.server_certificate.not_before`*::
+
--
type: date
Date before which the certificate is not valid.
--
*`tls.server_certificate.not_after`*::
+
--
type: date
Date after which the certificate expires.
--
*`tls.server_certificate.public_key_algorithm`*::
+
--
type: keyword
The algorithm used for this certificate's public key. One of RSA, DSA or ECDSA.
--
*`tls.server_certificate.public_key_size`*::
+
--
type: long
Size of the public key.
--
*`tls.server_certificate.signature_algorithm`*::
+
--
type: keyword
The algorithm used for the certificate's signature.
--
*`tls.server_certificate.alternative_names`*::
+
--
type: array
Subject Alternative Names for this certificate.
--
*`tls.server_certificate.raw`*::
+
--
type: keyword
The raw certificate in PEM format.
--
[float]
== subject fields
Subject represented by this certificate.
*`tls.server_certificate.subject.country`*::
+
--
type: keyword
Country code.
--
*`tls.server_certificate.subject.organization`*::
+
--
type: keyword
Organization name.
--
*`tls.server_certificate.subject.organizational_unit`*::
+
--
type: keyword
Unit within organization.
--
*`tls.server_certificate.subject.province`*::
+
--
type: keyword
Province or region within country.
--
*`tls.server_certificate.subject.common_name`*::
+
--
type: keyword
Name or host name identified by the certificate.
--
[float]
== issuer fields
Entity that issued and signed this certificate.
*`tls.server_certificate.issuer.country`*::
+
--
type: keyword
Country code.
--
*`tls.server_certificate.issuer.organization`*::
+
--
type: keyword
Organization name.
--
*`tls.server_certificate.issuer.organizational_unit`*::
+
--
type: keyword
Unit within organization.
--
*`tls.server_certificate.issuer.province`*::
+
--
type: keyword
Province or region within country.
--
*`tls.server_certificate.issuer.common_name`*::
+
--
type: keyword
Name or host name identified by the certificate.
--
*`tls.server_certificate_chain`*::
+
--
type: array
Chain of trust for the server certificate.
--
*`tls.client_certificate_chain`*::
+
--
type: array
Chain of trust for the client certificate.
--
*`tls.alert_types`*::
+
--
type: keyword
An array containing the TLS alert type for every alert received.
--
[float]
== fingerprints fields
Fingerprints for this TLS session.
[float]
== ja3 fields
JA3 TLS client fingerprint
*`tls.fingerprints.ja3.hash`*::
+
--
type: keyword
The JA3 fingerprint hash for the client side.
--
*`tls.fingerprints.ja3.str`*::
+
--
type: keyword
The JA3 string used to calculate the hash.
--
[[exported-fields-trans_event]]
== Transaction Event fields
These fields contain data about the transaction itself.
*`direction`*::
+
--
required: True
Indicates whether the transaction is inbound (emitted by server) or outbound (emitted by the client). Values can be in or out. No defaults.
--
*`status`*::
+
--
required: True
The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
--
*`method`*::
+
--
The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
--
*`resource`*::
+
--
The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
--
*`path`*::
+
--
required: True
The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
--
*`query`*::
+
--
type: keyword
The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
--
*`params`*::
+
--
type: text
The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
--
*`notes`*::
+
--
Messages from Packetbeat itself. This field usually contains error messages for interpreting the raw data. This information can be helpful for troubleshooting.
--
[[exported-fields-trans_measurements]]
== Measurements (Transactions) fields
These fields contain measurements related to the transaction.
*`responsetime`*::
+
--
type: long
The wall clock time it took to complete the transaction. The precision is in milliseconds.
--
*`cpu_time`*::
+
--
type: long
The CPU time it took to complete the transaction.
--
*`bytes_in`*::
+
--
type: long
format: bytes
The number of bytes of the request. Note that this size is the application layer message length, without the length of the IP or TCP headers.
--
*`bytes_out`*::
+
--
type: long
format: bytes
The number of bytes of the response. Note that this size is the application layer message length, without the length of the IP or TCP headers.
--
*`dnstime`*::
+
--
type: long
The time it takes to query the name server for a given request. This is typically used for RUM (real-user-monitoring) but can also have values for server-to-server communication when DNS is used for service discovery. The precision is in microseconds.
--
*`connecttime`*::
+
--
type: long
The time it takes for the TCP connection to be established for the given transaction. The precision is in microseconds.
--
*`loadtime`*::
+
--
type: long
The time it takes for the content to be loaded. This is typically used for RUM (real-user-monitoring) but it can make sense in other cases as well. The precision is in microseconds.
--
*`domloadtime`*::
+
--
type: long
In RUM (real-user-monitoring), the total time it takes for the DOM to be loaded. In terms of the W3 Navigation Timing API, this is the difference between `domContentLoadedEnd` and `domContentLoadedStart`.
--