- Elastic Common Schema (ECS) Reference: other versions:
- Overview
- Using ECS
- ECS Field Reference
- Base Fields
- Agent Fields
- Autonomous System Fields
- Client Fields
- Cloud Fields
- Code Signature Fields
- Container Fields
- Destination Fields
- DLL Fields
- DNS Fields
- ECS Fields
- Error Fields
- Event Fields
- File Fields
- Geo Fields
- Group Fields
- Hash Fields
- Host Fields
- HTTP Fields
- Interface Fields
- Log Fields
- Network Fields
- Observer Fields
- Organization Fields
- Operating System Fields
- Package Fields
- PE Header Fields
- Process Fields
- Registry Fields
- Related Fields
- Rule Fields
- Server Fields
- Service Fields
- Source Fields
- Threat Fields
- TLS Fields
- Tracing Fields
- URL Fields
- User Fields
- User agent Fields
- VLAN Fields
- Vulnerability Fields
- x509 Certificate Fields
- ECS Categorization Fields
- Migrating to ECS
- Additional Information
Service Fields
editService Fields
editThe service fields describe the service for or from which the data was collected.
These fields help you find and correlate logs for a specific service and version.
Service Field Details
editField | Description | Level |
---|---|---|
Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but type: keyword example: |
extended |
|
Unique identifier of the running service. If the service is comprised of many nodes, the This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that type: keyword example: |
core |
|
Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the type: keyword example: |
core |
|
Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, In the case of Elasticsearch, the type: keyword example: |
extended |
|
Current state of the service. type: keyword |
core |
|
The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, type: keyword example: |
core |
|
Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service. type: keyword example: |
core |
On this page