A newer version is available. For the latest information, see the
current release documentation.
Osquery fields
editOsquery fields
editFields exported by the osquery
module
osquery
editresult
editCommon fields exported by the result metricset.
-
osquery.result.name
-
The name of the query that generated this event.
type: keyword
-
osquery.result.action
-
For incremental data, marks whether the entry was added or removed. It can be one of "added", "removed", or "snapshot".
type: keyword
-
osquery.result.host_identifier
-
The identifier for the host on which the osquery agent is running. Normally the hostname.
type: keyword
-
osquery.result.unix_time
-
Unix timestamp of the event, in seconds since the epoch. Used for computing the
@timestamp
column.type: long
-
osquery.result.calendar_time
-
String representation of the collection time, as formatted by osquery.
type: keyword