Volume Fields

Fields related to storage volume details.

These fields are beta and are subject to change.

Volume Field Details

Field Description Level

volume.bus_type

Bus type of the device, such as Nvme, Usb, or FileBackedVirtual.

type: keyword

example: FileBackedVirtual

extended

volume.default_access

Describes the default access(es) of the volume.

type: keyword

extended

volume.device_name

Full path of the volume device.

Only populate this field for POSIX system volumes.

type: keyword

extended

volume.device_type

Volume device type.

The most frequently seen volume device types are Disk File System and CD-ROM File System.

type: keyword

example: CD-ROM File System

extended

volume.dos_name

The MS-DOS name of a device.

The DOS device name takes the form of a drive letter, such as C:. The field is relevant to Windows systems only.

type: keyword

example: E:

extended

volume.file_system_type

Volume device file system type.

The most common volume file system types are NTFS and UDF.

type: keyword

extended

volume.mount_name

Mount name of the volume device.

Only populate this field for POSIX system volumes.

type: keyword

extended

volume.nt_name

The NT device name.

The NT device name uses a format such as \Device\HarddiskVolume2. The field is relevant to Windows systems only.

type: keyword

example: \Device\Cdrom1

extended

volume.product_id

ProductID of the device.

The vendor provides the ProductID for the volume, if any.

type: keyword

extended

volume.product_name

Product name of the volume.

The volume device vendor provides this value.

type: keyword

example: Virtual DVD-ROM

extended

volume.removable

Indicates if the volume is removable.

type: boolean

extended

volume.serial_number

Serial number identifier for the volume device.

The serial number is provided by the vendor of the device, if any.

type: keyword

extended

volume.size

Size of the volume device in bytes.

type: long

extended

volume.vendor_id

VendorID of the volume device.

The volume device vendor provides this value.

type: keyword

extended

volume.vendor_name

Vendor name of the volume device.

The value is provided by the vendor of the device.

type: keyword

example: Msft

extended

volume.writable

Indicates if the volume is writable.

type: boolean

extended
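
The following is an added example, not part of the ECS documentation: a Python check that validates a `volume` object against the types and platform notes in the table above before indexing. The `os_family` labels, the sample events and the POSIX paths in them are constructed, and reporting a Windows-only field on a POSIX event as a problem is this example's assumption.

```python
# Added example: validate an ECS `volume` object against the field table above.
# Field names and types come from the page; os_family and the samples are constructed.

KEYWORD = ("bus_type", "default_access", "device_name", "device_type", "dos_name",
           "file_system_type", "mount_name", "nt_name", "product_id", "product_name",
           "serial_number", "vendor_id", "vendor_name")
FIELD_TYPES = {name: "keyword" for name in KEYWORD}
FIELD_TYPES.update({"removable": "boolean", "writable": "boolean", "size": "long"})

POSIX_ONLY = {"device_name", "mount_name"}   # "Only populate ... for POSIX system volumes"
WINDOWS_ONLY = {"dos_name", "nt_name"}       # "relevant to Windows systems only"
LONG_MIN, LONG_MAX = -2**63, 2**63 - 1       # Elasticsearch `long` is a signed 64-bit integer

def _type_ok(value, ecs_type):
    if ecs_type == "keyword":
        # default_access may carry several values, so accept a list of strings too
        values = value if isinstance(value, list) else [value]
        return all(isinstance(v, str) for v in values)
    if ecs_type == "boolean":
        return isinstance(value, bool)
    # long: bool is a subclass of int in Python, so exclude it explicitly
    return isinstance(value, int) and not isinstance(value, bool) and LONG_MIN <= value <= LONG_MAX

def validate_volume(volume, os_family):
    """Return a sorted list of problems; os_family is 'windows' or 'posix' (assumed labels)."""
    problems = []
    for name, value in volume.items():
        ecs_type = FIELD_TYPES.get(name)
        if ecs_type is None:
            problems.append(f"volume.{name}: not a documented field")
        elif not _type_ok(value, ecs_type):
            problems.append(f"volume.{name}: expected {ecs_type}, got {type(value).__name__}")
        if name in POSIX_ONLY and os_family == "windows":
            problems.append(f"volume.{name}: populate only for POSIX volumes")
        if name in WINDOWS_ONLY and os_family != "windows":
            problems.append(f"volume.{name}: relevant to Windows only")
    return sorted(problems)

# Constructed samples; the Windows one reuses the example values from the table.
GOOD_WINDOWS = {"bus_type": "FileBackedVirtual", "device_type": "CD-ROM File System",
                "dos_name": "E:", "nt_name": r"\Device\Cdrom1", "product_name": "Virtual DVD-ROM",
                "vendor_name": "Msft", "removable": True, "writable": False, "size": 4700000000}
BAD_POSIX = {"device_name": "/dev/sdb1", "mount_name": "/mnt/usb", "dos_name": "E:",
             "removable": "true", "size": "1024"}

if __name__ == "__main__":
    print(validate_volume(GOOD_WINDOWS, "windows"), validate_volume(BAD_POSIX, "posix"), sep="\n")
```

Stringified booleans and sizes, as in the second sample, are the usual result of a pipeline that copies values straight from a text log without converting them.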