This section contains examples of mapping of other events and logs formats to
this data model.
| Property |
Type |
Description |
Maps to Unified Model Field |
| TIMESTAMP |
Timestamp |
Time when an event occurred measured by the origin clock. |
Timestamp |
| SEVERITY |
enum |
Defines the importance of the event. Example: `Debug` |
Severity |
| FACILITY |
enum |
Describes where the event originated. A predefined list of Unix processes. Part of event source identity. Example: `mail system` |
Attributes["syslog.facility"] |
| VERSION |
number |
Meta: protocol version, orthogonal to the event. |
Attributes["syslog.version"] |
| HOSTNAME |
string |
Describes the location where the event originated. Possible values are FQDN, IP address, etc. |
Resource["host.hostname"] |
| APP-NAME |
string |
User-defined app name. Part of event source identity. |
Resource["service.name"] |
| PROCID |
string |
Not well defined. May be used as a meta field for protocol operation purposes or may be part of event source identity. |
Attributes["syslog.procid"] |
| MSGID |
string |
Defines the type of the event. Part of event source identity. Example: "TCPIN" |
Attributes["syslog.msgid"] |
| STRUCTURED-DATA |
array of maps of string to string |
A variety of use cases depending on the SDID:
Can describe event source identity
Can include data that describes particular occurrence of the event.
Can be meta-information, e.g. quality of timestamp value. |
SDID origin.swVersion map to Resource["service.version"]
SDID origin.ip map to attribute["client.address"]
Rest of SDIDs -> Attributes["syslog.*"] |
| MSG |
string |
Free-form text message about the event. Typically human readable. |
Body |
| Field |
Type |
Description |
Maps to Unified Model Field |
| Timestamp |
Timestamp |
Time when the event occurred measured by the origin clock. |
Timestamp |
| EventType |
string |
Short machine understandable string describing the event type. SignalFx specific concept. Non-namespaced. Example: k8s Event Reason field. |
Attributes["com.splunk.signalfx.event_type"] |
| Category |
enum |
Describes where the event originated and why. SignalFx specific concept. Example: AGENT. |
Attributes["com.splunk.signalfx.event_category"] |
| Dimensions |
map<string, string> |
Helps to define the identity of the event source together with EventType and Category. Multiple occurrences of events coming from the same event source can happen across time and they all have the value of Dimensions. |
Resource |
| Properties |
map<string, any> |
Additional information about the specific event occurrence. Unlike Dimensions which are fixed for a particular event source, Properties can have different values for each occurrence of the event coming from the same event source. |
Attributes |
| Field |
Type |
Description |
Maps to Unified Model Field |
| time |
numeric, string |
The event time in epoch time format, in seconds. |
Timestamp |
| host |
string |
The host value to assign to the event data. This is typically the host name of the client that you are sending data from. |
Resource["host.name"] |
| source |
string |
The source value to assign to the event data. For example, if you are sending data from an app you are developing, you could set this key to the name of the app. |
Resource["com.splunk.source"] |
| sourcetype |
string |
The sourcetype value to assign to the event data. |
Resource["com.splunk.sourcetype"] |
| event |
any |
The JSON representation of the raw body of the event. It can be a string, number, string array, number array, JSON object, or a JSON array. |
Body |
| fields |
map<string, any> |
Specifies a JSON object that contains explicit custom fields. |
Attributes |
| index |
string |
The name of the index by which the event data is to be indexed. The index you specify here must be within the list of allowed indexes if the token has the indexes parameter set. |
Attributes["com.splunk.index"] |
| Field |
Type |
Description |
Maps to Unified Model Field |
| eventTime |
string |
The date and time the request was made, in coordinated universal time (UTC). |
Timestamp |
| eventSource |
string |
The service that the request was made to. This name is typically a short form of the service name without spaces plus .amazonaws.com. |
Resource["service.name"]? |
| awsRegion |
string |
The AWS region that the request was made to, such as us-east-2. |
Resource["cloud.region"] |
| sourceIPAddress |
string |
The IP address that the request was made from. |
Attributes["client.address"] |
| errorCode |
string |
The AWS service error if the request returns an error. |
Attributes["cloudtrail.error_code"] |
| errorMessage |
string |
If the request returns an error, the description of the error. |
Body |
| All other fields |
* |
|
Attributes["cloudtrail.*"] |
| Field |
Type |
Description |
Maps to Unified Model Field |
| @timestamp |
datetime |
Time the event was recorded |
Timestamp |
| message |
string |
Any type of message |
Body |
| labels |
key/value |
Arbitrary labels related to the event |
Attributes[*] |
| tags |
array of string |
List of values related to the event |
? |
| trace.id |
string |
Trace ID |
TraceId |
| span.id* |
string |
Span ID |
SpanId |
| agent.ephemeral_id |
string |
Ephemeral ID created by agent |
**Resource |
| agent.id |
string |
Unique identifier of this agent |
**Resource |
| agent.name |
string |
Name given to the agent |
Resource["telemetry.sdk.name"] |
| agent.type |
string |
Type of agent |
Resource["telemetry.sdk.language"] |
| agent.version |
string |
Version of agent |
Resource["telemetry.sdk.version"] |
| source.ip, client.ip |
string |
The IP address that the request was made from. |
Attributes["client.address"] |
| cloud.account.id |
string |
ID of the account in the given cloud |
Resource["cloud.account.id"] |
| cloud.availability_zone |
string |
Availability zone in which this host is running. |
Resource["cloud.zone"] |
| cloud.instance.id |
string |
Instance ID of the host machine. |
**Resource |
| cloud.instance.name |
string |
Instance name of the host machine. |
**Resource |
| cloud.machine.type |
string |
Machine type of the host machine. |
**Resource |
| cloud.provider |
string |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
Resource["cloud.provider"] |
| cloud.region |
string |
Region in which this host is running. |
Resource["cloud.region"] |
| cloud.image.id* |
string |
|
Resource["host.image.name"] |
| container.id |
string |
Unique container id |
Resource["container.id"] |
| container.image.name |
string |
Name of the image the container was built on. |
Resource["container.image.name"] |
| container.image.tag |
Array of string |
Container image tags. |
**Resource |
| container.labels |
key/value |
Image labels. |
Attributes[*] |
| container.name |
string |
Container name. |
Resource["container.name"] |
| container.runtime |
string |
Runtime managing this container. Example: "docker" |
**Resource |
| destination.address |
string |
Destination address for the event |
Attributes["destination.address"] |
| error.code |
string |
Error code describing the error. |
Attributes["error.code"] |
| error.id |
string |
Unique identifier for the error. |
Attributes["error.id"] |
| error.message |
string |
Error message. |
Attributes["error.message"] |
| error.stack_trace |
string |
The stack trace of this error in plain text. |
Attributes["error.stack_trace] |
| host.architecture |
string |
Operating system architecture |
**Resource |
| host.domain |
string |
Name of the domain of which the host is a member.
For example, on Windows this could be the host’s Active Directory domain or
NetBIOS domain name. For Linux this could be the domain of the host’s LDAP
provider. |
**Resource |
| host.hostname |
string |
Hostname of the host.
It normally contains what the hostname command returns on the host machine. |
Resource["host.hostname"] |
| host.id |
string |
Unique host id. |
Resource["host.id"] |
| host.ip |
Array of string |
Host IP |
Resource["host.ip"] |
| host.mac |
array of string |
MAC addresses of the host |
Resource["host.mac"] |
| host.name |
string |
Name of the host.
It may contain what hostname returns on Unix systems, the fully qualified, or a
name specified by the user. |
Resource["host.name"] |
| host.type |
string |
Type of host. |
Resource["host.type"] |
| host.uptime |
string |
Seconds the host has been up. |
? |
| service.ephemeral_id
|
string |
Ephemeral identifier of this service |
**Resource |
| service.id |
string |
Unique identifier of the running service. If the service is comprised of many nodes, the service.id should be the same for all nodes. |
**Resource |
| service.name |
string |
Name of the service data is collected from. |
Resource["service.name"] |
| service.node.name |
string |
Specific node serving that service |
Resource["service.instance.id"] |
| service.state |
string |
Current state of the service. |
Attributes["service.state"] |
| service.type |
string |
The type of the service data is collected from. |
**Resource |
| service.version |
string |
Version of the service the data was collected from. |
Resource["service.version"] |
* Not yet formalized into ECS.