elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

New Discover doesn't show some of the `span.*` attributes. #107253

Closed michaelhyatt closed 3 years ago

michaelhyatt commented 3 years ago

Kibana version: 7.13.4

Elasticsearch version: 7.13.4

Browser version: Chrome Version 92.0.4515.107 (Official Build) (x86_64)

Browser OS version: MacOS

Original install method (e.g. download page, yum, from source, etc.): ESS

Describe the bug: I am using the new discover view. Certain attributes are not shown in the flyout view of the document, but they are shown in the single view document.

Flyout view: image

Single document view has these additional fields: image

JSON document:

```json
{
  "_index": "apm-7.13.3-span-000001",
  "_type": "_doc",
  "_id": "a06m8XoBPCHo_FM-X7Vi",
  "_score": 1,
  "fields": {
    "span.destination.service.type": [
      "external"
    ],
    "span.name": [
      "producer-function-client"
    ],
    "span.http.method": [
      "GET"
    ],
    "destination.port": [
      443
    ],
    "span.http.response.status_code": [
      200
    ],
    "observer.name": [
      "instance-0000000010"
    ],
    "trace.id": [
      "39104bdf65bf166b91b59fe9e6558daf"
    ],
    "span.duration.us": [
      2911691
    ],
    "processor.event": [
      "span"
    ],
    "agent.name": [
      "opentelemetry/python"
    ],
    "destination.address": [
      "8f9h37t344.execute-api.ap-southeast-2.amazonaws.com"
    ],
    "event.outcome": [
      "success"
    ],
    "service.name": [
      "handler_producer"
    ],
    "processor.name": [
      "transaction"
    ],
    "span.subtype": [
      "http"
    ],
    "span.id": [
      "b8eb5a4c4cdb3c92"
    ],
    "observer.version_major": [
      7
    ],
    "span.http.url.original": [
      "https://8f9h37t344.execute-api.ap-southeast-2.amazonaws.com/dev/consume"
    ],
    "observer.hostname": [
      "239a3178c3af"
    ],
    "span.type": [
      "external"
    ],
    "timestamp.us": [
      1627551847024021
    ],
    "observer.id": [
      "b62ed9f8-d695-4d79-a553-a71fc7f49390"
    ],
    "@timestamp": [
      "2021-07-29T09:44:07.024Z"
    ],
    "observer.ephemeral_id": [
      "529085d7-446f-4cee-9863-141a53918d3f"
    ],
    "observer.version": [
      "7.13.3"
    ],
    "ecs.version": [
      "1.8.0"
    ],
    "observer.type": [
      "apm-server"
    ],
    "parent.id": [
      "7c2a70d558b837aa"
    ],
    "agent.version": [
      "1.3.0"
    ],
    "span.destination.service.name": [
      "https://8f9h37t344.execute-api.ap-southeast-2.amazonaws.com"
    ],
    "span.destination.service.resource": [
      "8f9h37t344.execute-api.ap-southeast-2.amazonaws.com:443"
    ]
  }
}
```

elasticmachine commented 3 years ago

Pinging @elastic/kibana-app (Team:KibanaApp)

kertal commented 3 years ago

Could you share the mapping of this index? thx!

michaelhyatt commented 3 years ago

It is using the default apm-7.13.4 mapping:

Mapping

```json
{ "mappings": { "_doc": { "_meta": { "beat": "apm", "version": "7.13.4" }, "dynamic_templates": [ { "labels": { "path_match": "labels.*", "match_mapping_type": "string", "mapping": { "type": "keyword" } } }, { "container.labels": { "path_match": "container.labels.*", "match_mapping_type": "string", "mapping": { "type": "keyword" } } }, { "fields": { "path_match": "fields.*", "match_mapping_type": "string", "mapping": { "type": "keyword" } } }, { "docker.container.labels": { "path_match": "docker.container.labels.*", "match_mapping_type": "string", "mapping": { "type": "keyword" } } }, { "kubernetes.labels.*": { "path_match": "kubernetes.labels.*", "mapping": { "type": "keyword" } } }, { "kubernetes.annotations.*": { "path_match": "kubernetes.annotations.*", "mapping": { "type": "keyword" } } }, { "kubernetes.selectors.*": { "path_match": "kubernetes.selectors.*", "mapping": { "type": "keyword" } } }, { "labels_string": { "path_match": "labels.*", "match_mapping_type": "string", "mapping": { "type": "keyword" } } }, { "labels_boolean": { "path_match": "labels.*", "match_mapping_type": "boolean", "mapping": { "type": "boolean" } } }, { "labels_*": { "path_match": "labels.*", "mapping": { "scaling_factor": 1000000, "type": "scaled_float" } } }, { "transaction.marks": { "path_match": "transaction.marks.*", "match_mapping_type": "string", "mapping": { "type": "keyword" } } }, { "transaction.marks.*.*": { "path_match": "transaction.marks.*.*", "mapping": { "scaling_factor": 1000000, "type": "scaled_float" } } }, { "strings_as_keyword": { "match_mapping_type": "string", "mapping": { "ignore_above": 1024, "type": "keyword" } } } ], "date_detection": false, "properties": { "@timestamp": { "type": "date" }, "agent": { "dynamic": "false", "properties": { "build": { "properties": { "original": { "type": "keyword", "ignore_above": 1024 } } }, "ephemeral_id": { "type": "keyword", "ignore_above": 1024 }, "hostname": { "type": "keyword", "ignore_above": 1024 }, 
"id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 }, "type": { "type": "keyword", "ignore_above": 1024 }, "version": { "type": "keyword", "ignore_above": 1024 } } }, "as": { "properties": { "number": { "type": "long" }, "organization": { "properties": { "name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } } } } } }, "child": { "dynamic": "false", "properties": { "id": { "type": "keyword", "ignore_above": 1024 } } }, "client": { "dynamic": "false", "properties": { "address": { "type": "keyword", "ignore_above": 1024 }, "as": { "properties": { "number": { "type": "long" }, "organization": { "properties": { "name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } } } } } }, "bytes": { "type": "long" }, "domain": { "type": "keyword", "ignore_above": 1024 }, "geo": { "properties": { "city_name": { "type": "keyword", "ignore_above": 1024 }, "continent_code": { "type": "keyword", "ignore_above": 1024 }, "continent_name": { "type": "keyword", "ignore_above": 1024 }, "country_iso_code": { "type": "keyword", "ignore_above": 1024 }, "country_name": { "type": "keyword", "ignore_above": 1024 }, "location": { "type": "geo_point" }, "name": { "type": "keyword", "ignore_above": 1024 }, "postal_code": { "type": "keyword", "ignore_above": 1024 }, "region_iso_code": { "type": "keyword", "ignore_above": 1024 }, "region_name": { "type": "keyword", "ignore_above": 1024 }, "timezone": { "type": "keyword", "ignore_above": 1024 } } }, "ip": { "type": "ip" }, "mac": { "type": "keyword", "ignore_above": 1024 }, "nat": { "properties": { "ip": { "type": "ip" }, "port": { "type": "long" } } }, "packets": { "type": "long" }, "port": { "type": "long" }, "registered_domain": { "type": "keyword", "ignore_above": 1024 }, "subdomain": { "type": "keyword", "ignore_above": 1024 }, "top_level_domain": { "type": "keyword", "ignore_above": 1024 }, 
"user": { "properties": { "domain": { "type": "keyword", "ignore_above": 1024 }, "email": { "type": "keyword", "ignore_above": 1024 }, "full_name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "group": { "properties": { "domain": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "hash": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "roles": { "type": "keyword", "ignore_above": 1024 } } } } }, "cloud": { "properties": { "account": { "dynamic": "false", "properties": { "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "availability_zone": { "type": "keyword", "ignore_above": 1024 }, "image": { "properties": { "id": { "type": "keyword", "ignore_above": 1024 } } }, "instance": { "dynamic": "false", "properties": { "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "machine": { "dynamic": "false", "properties": { "type": { "type": "keyword", "ignore_above": 1024 } } }, "project": { "dynamic": "false", "properties": { "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "provider": { "type": "keyword", "ignore_above": 1024 }, "region": { "type": "keyword", "ignore_above": 1024 }, "service": { "dynamic": "false", "properties": { "name": { "type": "keyword", "ignore_above": 1024 } } } } }, "code_signature": { "properties": { "exists": { "type": "boolean" }, "signing_id": { "type": "keyword", "ignore_above": 1024 }, "status": { "type": "keyword", "ignore_above": 1024 }, "subject_name": { "type": "keyword", "ignore_above": 1024 }, "team_id": { "type": "keyword", "ignore_above": 1024 }, 
"trusted": { "type": "boolean" }, "valid": { "type": "boolean" } } }, "container": { "dynamic": "false", "properties": { "id": { "type": "keyword", "ignore_above": 1024 }, "image": { "properties": { "name": { "type": "keyword", "ignore_above": 1024 }, "tag": { "type": "keyword", "ignore_above": 1024 } } }, "labels": { "type": "object" }, "name": { "type": "keyword", "ignore_above": 1024 }, "runtime": { "type": "keyword", "ignore_above": 1024 } } }, "destination": { "properties": { "address": { "type": "keyword", "ignore_above": 1024 }, "as": { "properties": { "number": { "type": "long" }, "organization": { "properties": { "name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } } } } } }, "bytes": { "type": "long" }, "domain": { "type": "keyword", "ignore_above": 1024 }, "geo": { "properties": { "city_name": { "type": "keyword", "ignore_above": 1024 }, "continent_code": { "type": "keyword", "ignore_above": 1024 }, "continent_name": { "type": "keyword", "ignore_above": 1024 }, "country_iso_code": { "type": "keyword", "ignore_above": 1024 }, "country_name": { "type": "keyword", "ignore_above": 1024 }, "location": { "type": "geo_point" }, "name": { "type": "keyword", "ignore_above": 1024 }, "postal_code": { "type": "keyword", "ignore_above": 1024 }, "region_iso_code": { "type": "keyword", "ignore_above": 1024 }, "region_name": { "type": "keyword", "ignore_above": 1024 }, "timezone": { "type": "keyword", "ignore_above": 1024 } } }, "ip": { "type": "ip" }, "mac": { "type": "keyword", "ignore_above": 1024 }, "nat": { "properties": { "ip": { "type": "ip" }, "port": { "type": "long" } } }, "packets": { "type": "long" }, "port": { "type": "long" }, "registered_domain": { "type": "keyword", "ignore_above": 1024 }, "subdomain": { "type": "keyword", "ignore_above": 1024 }, "top_level_domain": { "type": "keyword", "ignore_above": 1024 }, "user": { "properties": { "domain": { "type": "keyword", "ignore_above": 1024 }, "email": { 
"type": "keyword", "ignore_above": 1024 }, "full_name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "group": { "properties": { "domain": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "hash": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "roles": { "type": "keyword", "ignore_above": 1024 } } } } }, "dll": { "properties": { "code_signature": { "properties": { "exists": { "type": "boolean" }, "signing_id": { "type": "keyword", "ignore_above": 1024 }, "status": { "type": "keyword", "ignore_above": 1024 }, "subject_name": { "type": "keyword", "ignore_above": 1024 }, "team_id": { "type": "keyword", "ignore_above": 1024 }, "trusted": { "type": "boolean" }, "valid": { "type": "boolean" } } }, "hash": { "properties": { "md5": { "type": "keyword", "ignore_above": 1024 }, "sha1": { "type": "keyword", "ignore_above": 1024 }, "sha256": { "type": "keyword", "ignore_above": 1024 }, "sha512": { "type": "keyword", "ignore_above": 1024 }, "ssdeep": { "type": "keyword", "ignore_above": 1024 } } }, "name": { "type": "keyword", "ignore_above": 1024 }, "path": { "type": "keyword", "ignore_above": 1024 }, "pe": { "properties": { "architecture": { "type": "keyword", "ignore_above": 1024 }, "company": { "type": "keyword", "ignore_above": 1024 }, "description": { "type": "keyword", "ignore_above": 1024 }, "file_version": { "type": "keyword", "ignore_above": 1024 }, "imphash": { "type": "keyword", "ignore_above": 1024 }, "original_file_name": { "type": "keyword", "ignore_above": 1024 }, "product": { "type": "keyword", "ignore_above": 1024 } } } } }, "dns": { "properties": { "answers": { "properties": { "class": { "type": "keyword", "ignore_above": 1024 }, "data": { 
"type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 }, "ttl": { "type": "long" }, "type": { "type": "keyword", "ignore_above": 1024 } } }, "header_flags": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "op_code": { "type": "keyword", "ignore_above": 1024 }, "question": { "properties": { "class": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 }, "registered_domain": { "type": "keyword", "ignore_above": 1024 }, "subdomain": { "type": "keyword", "ignore_above": 1024 }, "top_level_domain": { "type": "keyword", "ignore_above": 1024 }, "type": { "type": "keyword", "ignore_above": 1024 } } }, "resolved_ip": { "type": "ip" }, "response_code": { "type": "keyword", "ignore_above": 1024 }, "type": { "type": "keyword", "ignore_above": 1024 } } }, "docker": { "properties": { "container": { "properties": { "labels": { "type": "object" } } } } }, "ecs": { "properties": { "version": { "type": "keyword", "ignore_above": 1024 } } }, "error": { "dynamic": "false", "properties": { "code": { "type": "keyword", "ignore_above": 1024 }, "culprit": { "type": "keyword", "ignore_above": 1024 }, "exception": { "properties": { "code": { "type": "keyword", "ignore_above": 1024 }, "handled": { "type": "boolean" }, "message": { "type": "text", "norms": false }, "module": { "type": "keyword", "ignore_above": 1024 }, "type": { "type": "keyword", "ignore_above": 1024 } } }, "grouping_key": { "type": "keyword", "ignore_above": 1024 }, "grouping_name": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "log": { "properties": { "level": { "type": "keyword", "ignore_above": 1024 }, "logger_name": { "type": "keyword", "ignore_above": 1024 }, "message": { "type": "text", "norms": false }, "param_message": { "type": "keyword", "ignore_above": 1024 } } }, "message": { "type": "text", "norms": false }, "stack_trace": { "type": 
"keyword", "index": false, "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "type": { "type": "keyword", "ignore_above": 1024 } } }, "event": { "properties": { "action": { "type": "keyword", "ignore_above": 1024 }, "category": { "type": "keyword", "ignore_above": 1024 }, "code": { "type": "keyword", "ignore_above": 1024 }, "created": { "type": "date" }, "dataset": { "type": "keyword", "ignore_above": 1024 }, "duration": { "type": "long" }, "end": { "type": "date" }, "hash": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "ingested": { "type": "date" }, "kind": { "type": "keyword", "ignore_above": 1024 }, "module": { "type": "keyword", "ignore_above": 1024 }, "original": { "type": "keyword", "index": false, "ignore_above": 1024 }, "outcome": { "type": "keyword", "ignore_above": 1024 }, "provider": { "type": "keyword", "ignore_above": 1024 }, "reason": { "type": "keyword", "ignore_above": 1024 }, "reference": { "type": "keyword", "ignore_above": 1024 }, "risk_score": { "type": "float" }, "risk_score_norm": { "type": "float" }, "sequence": { "type": "long" }, "severity": { "type": "long" }, "start": { "type": "date" }, "timezone": { "type": "keyword", "ignore_above": 1024 }, "type": { "type": "keyword", "ignore_above": 1024 }, "url": { "type": "keyword", "ignore_above": 1024 } } }, "experimental": { "type": "object", "dynamic": "true" }, "fields": { "type": "object" }, "file": { "properties": { "accessed": { "type": "date" }, "attributes": { "type": "keyword", "ignore_above": 1024 }, "code_signature": { "properties": { "exists": { "type": "boolean" }, "signing_id": { "type": "keyword", "ignore_above": 1024 }, "status": { "type": "keyword", "ignore_above": 1024 }, "subject_name": { "type": "keyword", "ignore_above": 1024 }, "team_id": { "type": "keyword", "ignore_above": 1024 }, "trusted": { "type": "boolean" }, "valid": { "type": "boolean" } } }, "created": { "type": "date" }, "ctime": { 
"type": "date" }, "device": { "type": "keyword", "ignore_above": 1024 }, "directory": { "type": "keyword", "ignore_above": 1024 }, "drive_letter": { "type": "keyword", "ignore_above": 1 }, "extension": { "type": "keyword", "ignore_above": 1024 }, "gid": { "type": "keyword", "ignore_above": 1024 }, "group": { "type": "keyword", "ignore_above": 1024 }, "hash": { "properties": { "md5": { "type": "keyword", "ignore_above": 1024 }, "sha1": { "type": "keyword", "ignore_above": 1024 }, "sha256": { "type": "keyword", "ignore_above": 1024 }, "sha512": { "type": "keyword", "ignore_above": 1024 }, "ssdeep": { "type": "keyword", "ignore_above": 1024 } } }, "inode": { "type": "keyword", "ignore_above": 1024 }, "mime_type": { "type": "keyword", "ignore_above": 1024 }, "mode": { "type": "keyword", "ignore_above": 1024 }, "mtime": { "type": "date" }, "name": { "type": "keyword", "ignore_above": 1024 }, "owner": { "type": "keyword", "ignore_above": 1024 }, "path": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "pe": { "properties": { "architecture": { "type": "keyword", "ignore_above": 1024 }, "company": { "type": "keyword", "ignore_above": 1024 }, "description": { "type": "keyword", "ignore_above": 1024 }, "file_version": { "type": "keyword", "ignore_above": 1024 }, "imphash": { "type": "keyword", "ignore_above": 1024 }, "original_file_name": { "type": "keyword", "ignore_above": 1024 }, "product": { "type": "keyword", "ignore_above": 1024 } } }, "size": { "type": "long" }, "target_path": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "type": { "type": "keyword", "ignore_above": 1024 }, "uid": { "type": "keyword", "ignore_above": 1024 }, "x509": { "properties": { "alternative_names": { "type": "keyword", "ignore_above": 1024 }, "issuer": { "properties": { "common_name": { "type": "keyword", "ignore_above": 1024 }, "country": { "type": "keyword", "ignore_above": 1024 }, 
"distinguished_name": { "type": "keyword", "ignore_above": 1024 }, "locality": { "type": "keyword", "ignore_above": 1024 }, "organization": { "type": "keyword", "ignore_above": 1024 }, "organizational_unit": { "type": "keyword", "ignore_above": 1024 }, "state_or_province": { "type": "keyword", "ignore_above": 1024 } } }, "not_after": { "type": "date" }, "not_before": { "type": "date" }, "public_key_algorithm": { "type": "keyword", "ignore_above": 1024 }, "public_key_curve": { "type": "keyword", "ignore_above": 1024 }, "public_key_exponent": { "type": "long", "index": false }, "public_key_size": { "type": "long" }, "serial_number": { "type": "keyword", "ignore_above": 1024 }, "signature_algorithm": { "type": "keyword", "ignore_above": 1024 }, "subject": { "properties": { "common_name": { "type": "keyword", "ignore_above": 1024 }, "country": { "type": "keyword", "ignore_above": 1024 }, "distinguished_name": { "type": "keyword", "ignore_above": 1024 }, "locality": { "type": "keyword", "ignore_above": 1024 }, "organization": { "type": "keyword", "ignore_above": 1024 }, "organizational_unit": { "type": "keyword", "ignore_above": 1024 }, "state_or_province": { "type": "keyword", "ignore_above": 1024 } } }, "version_number": { "type": "keyword", "ignore_above": 1024 } } } } }, "geo": { "properties": { "city_name": { "type": "keyword", "ignore_above": 1024 }, "continent_code": { "type": "keyword", "ignore_above": 1024 }, "continent_name": { "type": "keyword", "ignore_above": 1024 }, "country_iso_code": { "type": "keyword", "ignore_above": 1024 }, "country_name": { "type": "keyword", "ignore_above": 1024 }, "location": { "type": "geo_point" }, "name": { "type": "keyword", "ignore_above": 1024 }, "postal_code": { "type": "keyword", "ignore_above": 1024 }, "region_iso_code": { "type": "keyword", "ignore_above": 1024 }, "region_name": { "type": "keyword", "ignore_above": 1024 }, "timezone": { "type": "keyword", "ignore_above": 1024 } } }, "group": { "properties": { "domain": { 
"type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "hash": { "properties": { "md5": { "type": "keyword", "ignore_above": 1024 }, "sha1": { "type": "keyword", "ignore_above": 1024 }, "sha256": { "type": "keyword", "ignore_above": 1024 }, "sha512": { "type": "keyword", "ignore_above": 1024 }, "ssdeep": { "type": "keyword", "ignore_above": 1024 } } }, "host": { "dynamic": "false", "properties": { "architecture": { "type": "keyword", "ignore_above": 1024 }, "containerized": { "type": "boolean" }, "cpu": { "properties": { "usage": { "type": "scaled_float", "scaling_factor": 1000 } } }, "disk": { "properties": { "read": { "properties": { "bytes": { "type": "long" } } }, "write": { "properties": { "bytes": { "type": "long" } } } } }, "domain": { "type": "keyword", "ignore_above": 1024 }, "geo": { "properties": { "city_name": { "type": "keyword", "ignore_above": 1024 }, "continent_code": { "type": "keyword", "ignore_above": 1024 }, "continent_name": { "type": "keyword", "ignore_above": 1024 }, "country_iso_code": { "type": "keyword", "ignore_above": 1024 }, "country_name": { "type": "keyword", "ignore_above": 1024 }, "location": { "type": "geo_point" }, "name": { "type": "keyword", "ignore_above": 1024 }, "postal_code": { "type": "keyword", "ignore_above": 1024 }, "region_iso_code": { "type": "keyword", "ignore_above": 1024 }, "region_name": { "type": "keyword", "ignore_above": 1024 }, "timezone": { "type": "keyword", "ignore_above": 1024 } } }, "hostname": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "ip": { "type": "ip" }, "mac": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 }, "network": { "properties": { "egress": { "properties": { "bytes": { "type": "long" }, "packets": { "type": "long" } } }, "ingress": { "properties": { "bytes": { "type": "long" }, "packets": { "type": 
"long" } } } } }, "os": { "properties": { "build": { "type": "keyword", "ignore_above": 1024 }, "codename": { "type": "keyword", "ignore_above": 1024 }, "family": { "type": "keyword", "ignore_above": 1024 }, "full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "kernel": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "platform": { "type": "keyword", "ignore_above": 1024 }, "type": { "type": "keyword", "ignore_above": 1024 }, "version": { "type": "keyword", "ignore_above": 1024 } } }, "type": { "type": "keyword", "ignore_above": 1024 }, "uptime": { "type": "long" }, "user": { "properties": { "domain": { "type": "keyword", "ignore_above": 1024 }, "email": { "type": "keyword", "ignore_above": 1024 }, "full_name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "group": { "properties": { "domain": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "hash": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "roles": { "type": "keyword", "ignore_above": 1024 } } } } }, "http": { "dynamic": "false", "properties": { "request": { "properties": { "body": { "properties": { "bytes": { "type": "long" }, "content": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } } } }, "bytes": { "type": "long" }, "headers": { "type": "object", "enabled": false }, "id": { "type": "keyword", "ignore_above": 1024 }, "method": { "type": "keyword", "ignore_above": 1024 }, "mime_type": { "type": "keyword", "ignore_above": 1024 }, "referrer": { "type": "keyword", "ignore_above": 
1024 } } }, "response": { "properties": { "body": { "properties": { "bytes": { "type": "long" }, "content": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } } } }, "bytes": { "type": "long" }, "finished": { "type": "boolean" }, "headers": { "type": "object", "enabled": false }, "mime_type": { "type": "keyword", "ignore_above": 1024 }, "status_code": { "type": "long" } } }, "version": { "type": "keyword", "ignore_above": 1024 } } }, "interface": { "properties": { "alias": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "kubernetes": { "dynamic": "false", "properties": { "annotations": { "properties": { "*": { "type": "object" } } }, "container": { "properties": { "image": { "type": "alias", "path": "container.image.name" }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "deployment": { "properties": { "name": { "type": "keyword", "ignore_above": 1024 } } }, "labels": { "properties": { "*": { "type": "object" } } }, "namespace": { "type": "keyword", "ignore_above": 1024 }, "node": { "properties": { "hostname": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "pod": { "properties": { "ip": { "type": "ip" }, "name": { "type": "keyword", "ignore_above": 1024 }, "uid": { "type": "keyword", "ignore_above": 1024 } } }, "replicaset": { "properties": { "name": { "type": "keyword", "ignore_above": 1024 } } }, "selectors": { "properties": { "*": { "type": "object" } } }, "statefulset": { "properties": { "name": { "type": "keyword", "ignore_above": 1024 } } } } }, "labels": { "type": "object", "dynamic": "true" }, "log": { "properties": { "file": { "properties": { "path": { "type": "keyword", "ignore_above": 1024 } } }, "level": { "type": "keyword", "ignore_above": 1024 }, "logger": { "type": "keyword", "ignore_above": 1024 }, "origin": { "properties": { "file": 
{ "properties": { "line": { "type": "long" }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "function": { "type": "keyword", "ignore_above": 1024 } } }, "original": { "type": "keyword", "index": false, "ignore_above": 1024 }, "syslog": { "properties": { "facility": { "properties": { "code": { "type": "long" }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "priority": { "type": "long" }, "severity": { "properties": { "code": { "type": "long" }, "name": { "type": "keyword", "ignore_above": 1024 } } } } } } }, "message": { "type": "text", "norms": false }, "metricset": { "properties": { "name": { "type": "keyword", "ignore_above": 1024 }, "period": { "type": "long" } } }, "network": { "properties": { "application": { "type": "keyword", "ignore_above": 1024 }, "bytes": { "type": "long" }, "community_id": { "type": "keyword", "ignore_above": 1024 }, "direction": { "type": "keyword", "ignore_above": 1024 }, "forwarded_ip": { "type": "ip" }, "iana_number": { "type": "keyword", "ignore_above": 1024 }, "inner": { "properties": { "vlan": { "properties": { "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 } } } } }, "name": { "type": "keyword", "ignore_above": 1024 }, "packets": { "type": "long" }, "protocol": { "type": "keyword", "ignore_above": 1024 }, "transport": { "type": "keyword", "ignore_above": 1024 }, "type": { "type": "keyword", "ignore_above": 1024 }, "vlan": { "properties": { "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 } } } } }, "observer": { "dynamic": "false", "properties": { "egress": { "properties": { "interface": { "properties": { "alias": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "vlan": { "properties": { "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "zone": 
{ "type": "keyword", "ignore_above": 1024 } } }, "geo": { "properties": { "city_name": { "type": "keyword", "ignore_above": 1024 }, "continent_code": { "type": "keyword", "ignore_above": 1024 }, "continent_name": { "type": "keyword", "ignore_above": 1024 }, "country_iso_code": { "type": "keyword", "ignore_above": 1024 }, "country_name": { "type": "keyword", "ignore_above": 1024 }, "location": { "type": "geo_point" }, "name": { "type": "keyword", "ignore_above": 1024 }, "postal_code": { "type": "keyword", "ignore_above": 1024 }, "region_iso_code": { "type": "keyword", "ignore_above": 1024 }, "region_name": { "type": "keyword", "ignore_above": 1024 }, "timezone": { "type": "keyword", "ignore_above": 1024 } } }, "hostname": { "type": "keyword", "ignore_above": 1024 }, "ingress": { "properties": { "interface": { "properties": { "alias": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "vlan": { "properties": { "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "zone": { "type": "keyword", "ignore_above": 1024 } } }, "ip": { "type": "ip" }, "listening": { "type": "keyword", "ignore_above": 1024 }, "mac": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 }, "os": { "properties": { "family": { "type": "keyword", "ignore_above": 1024 }, "full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "kernel": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "platform": { "type": "keyword", "ignore_above": 1024 }, "type": { "type": "keyword", "ignore_above": 1024 }, "version": { "type": "keyword", "ignore_above": 1024 } } }, "product": { "type": "keyword", "ignore_above": 1024 }, "serial_number": { "type": "keyword", 
"ignore_above": 1024 }, "type": { "type": "keyword", "ignore_above": 1024 }, "vendor": { "type": "keyword", "ignore_above": 1024 }, "version": { "type": "keyword", "ignore_above": 1024 }, "version_major": { "type": "byte" } } }, "organization": { "properties": { "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } } } }, "os": { "properties": { "family": { "type": "keyword", "ignore_above": 1024 }, "full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "kernel": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "platform": { "type": "keyword", "ignore_above": 1024 }, "type": { "type": "keyword", "ignore_above": 1024 }, "version": { "type": "keyword", "ignore_above": 1024 } } }, "package": { "properties": { "architecture": { "type": "keyword", "ignore_above": 1024 }, "build_version": { "type": "keyword", "ignore_above": 1024 }, "checksum": { "type": "keyword", "ignore_above": 1024 }, "description": { "type": "keyword", "ignore_above": 1024 }, "install_scope": { "type": "keyword", "ignore_above": 1024 }, "installed": { "type": "date" }, "license": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 }, "path": { "type": "keyword", "ignore_above": 1024 }, "reference": { "type": "keyword", "ignore_above": 1024 }, "size": { "type": "long" }, "type": { "type": "keyword", "ignore_above": 1024 }, "version": { "type": "keyword", "ignore_above": 1024 } } }, "parent": { "dynamic": "false", "properties": { "id": { "type": "keyword", "ignore_above": 1024 } } }, "pe": { "properties": { "architecture": { "type": "keyword", "ignore_above": 1024 }, "company": { "type": "keyword", "ignore_above": 1024 }, "description": { "type": "keyword", "ignore_above": 1024 }, "file_version": 
{ "type": "keyword", "ignore_above": 1024 }, "imphash": { "type": "keyword", "ignore_above": 1024 }, "original_file_name": { "type": "keyword", "ignore_above": 1024 }, "product": { "type": "keyword", "ignore_above": 1024 } } }, "process": { "dynamic": "false", "properties": { "args": { "type": "keyword", "ignore_above": 1024 }, "args_count": { "type": "long" }, "code_signature": { "properties": { "exists": { "type": "boolean" }, "signing_id": { "type": "keyword", "ignore_above": 1024 }, "status": { "type": "keyword", "ignore_above": 1024 }, "subject_name": { "type": "keyword", "ignore_above": 1024 }, "team_id": { "type": "keyword", "ignore_above": 1024 }, "trusted": { "type": "boolean" }, "valid": { "type": "boolean" } } }, "command_line": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "entity_id": { "type": "keyword", "ignore_above": 1024 }, "executable": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "exit_code": { "type": "long" }, "hash": { "properties": { "md5": { "type": "keyword", "ignore_above": 1024 }, "sha1": { "type": "keyword", "ignore_above": 1024 }, "sha256": { "type": "keyword", "ignore_above": 1024 }, "sha512": { "type": "keyword", "ignore_above": 1024 }, "ssdeep": { "type": "keyword", "ignore_above": 1024 } } }, "name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "parent": { "properties": { "args": { "type": "keyword", "ignore_above": 1024 }, "args_count": { "type": "long" }, "code_signature": { "properties": { "exists": { "type": "boolean" }, "signing_id": { "type": "keyword", "ignore_above": 1024 }, "status": { "type": "keyword", "ignore_above": 1024 }, "subject_name": { "type": "keyword", "ignore_above": 1024 }, "team_id": { "type": "keyword", "ignore_above": 1024 }, "trusted": { "type": "boolean" }, "valid": { "type": "boolean" } } }, "command_line": { "type": "keyword", 
"ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "entity_id": { "type": "keyword", "ignore_above": 1024 }, "executable": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "exit_code": { "type": "long" }, "hash": { "properties": { "md5": { "type": "keyword", "ignore_above": 1024 }, "sha1": { "type": "keyword", "ignore_above": 1024 }, "sha256": { "type": "keyword", "ignore_above": 1024 }, "sha512": { "type": "keyword", "ignore_above": 1024 }, "ssdeep": { "type": "keyword", "ignore_above": 1024 } } }, "name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "pe": { "properties": { "architecture": { "type": "keyword", "ignore_above": 1024 }, "company": { "type": "keyword", "ignore_above": 1024 }, "description": { "type": "keyword", "ignore_above": 1024 }, "file_version": { "type": "keyword", "ignore_above": 1024 }, "imphash": { "type": "keyword", "ignore_above": 1024 }, "original_file_name": { "type": "keyword", "ignore_above": 1024 }, "product": { "type": "keyword", "ignore_above": 1024 } } }, "pgid": { "type": "long" }, "pid": { "type": "long" }, "ppid": { "type": "long" }, "start": { "type": "date" }, "thread": { "properties": { "id": { "type": "long" }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "title": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "uptime": { "type": "long" }, "working_directory": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } } } }, "pe": { "properties": { "architecture": { "type": "keyword", "ignore_above": 1024 }, "company": { "type": "keyword", "ignore_above": 1024 }, "description": { "type": "keyword", "ignore_above": 1024 }, "file_version": { "type": "keyword", "ignore_above": 1024 }, "imphash": { "type": "keyword", "ignore_above": 1024 }, "original_file_name": { "type": "keyword", 
"ignore_above": 1024 }, "product": { "type": "keyword", "ignore_above": 1024 } } }, "pgid": { "type": "long" }, "pid": { "type": "long" }, "ppid": { "type": "long" }, "start": { "type": "date" }, "thread": { "properties": { "id": { "type": "long" }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "title": { "type": "keyword", "ignore_above": 1024 }, "uptime": { "type": "long" }, "working_directory": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } } } }, "processor": { "properties": { "event": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "profile": { "dynamic": "false", "properties": { "alloc_objects": { "properties": { "count": { "type": "long" } } }, "alloc_space": { "properties": { "bytes": { "type": "long" } } }, "cpu": { "properties": { "ns": { "type": "long" } } }, "duration": { "type": "long" }, "id": { "type": "keyword", "ignore_above": 1024 }, "inuse_objects": { "properties": { "count": { "type": "long" } } }, "inuse_space": { "properties": { "bytes": { "type": "long" } } }, "samples": { "properties": { "count": { "type": "long" } } }, "stack": { "dynamic": "false", "properties": { "filename": { "type": "keyword", "ignore_above": 1024 }, "function": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "line": { "type": "long" } } }, "top": { "dynamic": "false", "properties": { "filename": { "type": "keyword", "ignore_above": 1024 }, "function": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "line": { "type": "long" } } }, "wall": { "properties": { "us": { "type": "long" } } } } }, "registry": { "properties": { "data": { "properties": { "bytes": { "type": "keyword", "ignore_above": 1024 }, "strings": { "type": "keyword", "ignore_above": 1024 }, "type": { "type": "keyword", "ignore_above": 1024 } } }, "hive": { "type": "keyword", "ignore_above": 1024 }, 
"key": { "type": "keyword", "ignore_above": 1024 }, "path": { "type": "keyword", "ignore_above": 1024 }, "value": { "type": "keyword", "ignore_above": 1024 } } }, "related": { "properties": { "hash": { "type": "keyword", "ignore_above": 1024 }, "hosts": { "type": "keyword", "ignore_above": 1024 }, "ip": { "type": "ip" }, "user": { "type": "keyword", "ignore_above": 1024 } } }, "rule": { "properties": { "author": { "type": "keyword", "ignore_above": 1024 }, "category": { "type": "keyword", "ignore_above": 1024 }, "description": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "license": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 }, "reference": { "type": "keyword", "ignore_above": 1024 }, "ruleset": { "type": "keyword", "ignore_above": 1024 }, "uuid": { "type": "keyword", "ignore_above": 1024 }, "version": { "type": "keyword", "ignore_above": 1024 } } }, "server": { "properties": { "address": { "type": "keyword", "ignore_above": 1024 }, "as": { "properties": { "number": { "type": "long" }, "organization": { "properties": { "name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } } } } } }, "bytes": { "type": "long" }, "domain": { "type": "keyword", "ignore_above": 1024 }, "geo": { "properties": { "city_name": { "type": "keyword", "ignore_above": 1024 }, "continent_code": { "type": "keyword", "ignore_above": 1024 }, "continent_name": { "type": "keyword", "ignore_above": 1024 }, "country_iso_code": { "type": "keyword", "ignore_above": 1024 }, "country_name": { "type": "keyword", "ignore_above": 1024 }, "location": { "type": "geo_point" }, "name": { "type": "keyword", "ignore_above": 1024 }, "postal_code": { "type": "keyword", "ignore_above": 1024 }, "region_iso_code": { "type": "keyword", "ignore_above": 1024 }, "region_name": { "type": "keyword", "ignore_above": 1024 }, "timezone": { "type": "keyword", "ignore_above": 
1024 } } }, "ip": { "type": "ip" }, "mac": { "type": "keyword", "ignore_above": 1024 }, "nat": { "properties": { "ip": { "type": "ip" }, "port": { "type": "long" } } }, "packets": { "type": "long" }, "port": { "type": "long" }, "registered_domain": { "type": "keyword", "ignore_above": 1024 }, "subdomain": { "type": "keyword", "ignore_above": 1024 }, "top_level_domain": { "type": "keyword", "ignore_above": 1024 }, "user": { "properties": { "domain": { "type": "keyword", "ignore_above": 1024 }, "email": { "type": "keyword", "ignore_above": 1024 }, "full_name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "group": { "properties": { "domain": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "hash": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "roles": { "type": "keyword", "ignore_above": 1024 } } } } }, "service": { "dynamic": "false", "properties": { "environment": { "type": "keyword", "ignore_above": 1024 }, "ephemeral_id": { "type": "keyword", "ignore_above": 1024 }, "framework": { "properties": { "name": { "type": "keyword", "ignore_above": 1024 }, "version": { "type": "keyword", "ignore_above": 1024 } } }, "id": { "type": "keyword", "ignore_above": 1024 }, "language": { "properties": { "name": { "type": "keyword", "ignore_above": 1024 }, "version": { "type": "keyword", "ignore_above": 1024 } } }, "name": { "type": "keyword", "ignore_above": 1024 }, "node": { "properties": { "name": { "type": "keyword", "ignore_above": 1024 } } }, "runtime": { "properties": { "name": { "type": "keyword", "ignore_above": 1024 }, "version": { "type": "keyword", "ignore_above": 1024 } } }, "state": { "type": "keyword", "ignore_above": 1024 }, "type": { "type": 
"keyword", "ignore_above": 1024 }, "version": { "type": "keyword", "ignore_above": 1024 } } }, "session": { "dynamic": "false", "properties": { "id": { "type": "keyword", "ignore_above": 1024 }, "sequence": { "type": "long" } } }, "source": { "dynamic": "false", "properties": { "address": { "type": "keyword", "ignore_above": 1024 }, "as": { "properties": { "number": { "type": "long" }, "organization": { "properties": { "name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } } } } } }, "bytes": { "type": "long" }, "domain": { "type": "keyword", "ignore_above": 1024 }, "geo": { "properties": { "city_name": { "type": "keyword", "ignore_above": 1024 }, "continent_code": { "type": "keyword", "ignore_above": 1024 }, "continent_name": { "type": "keyword", "ignore_above": 1024 }, "country_iso_code": { "type": "keyword", "ignore_above": 1024 }, "country_name": { "type": "keyword", "ignore_above": 1024 }, "location": { "type": "geo_point" }, "name": { "type": "keyword", "ignore_above": 1024 }, "postal_code": { "type": "keyword", "ignore_above": 1024 }, "region_iso_code": { "type": "keyword", "ignore_above": 1024 }, "region_name": { "type": "keyword", "ignore_above": 1024 }, "timezone": { "type": "keyword", "ignore_above": 1024 } } }, "ip": { "type": "ip" }, "mac": { "type": "keyword", "ignore_above": 1024 }, "nat": { "properties": { "ip": { "type": "ip" }, "port": { "type": "long" } } }, "packets": { "type": "long" }, "port": { "type": "long" }, "registered_domain": { "type": "keyword", "ignore_above": 1024 }, "subdomain": { "type": "keyword", "ignore_above": 1024 }, "top_level_domain": { "type": "keyword", "ignore_above": 1024 }, "user": { "properties": { "domain": { "type": "keyword", "ignore_above": 1024 }, "email": { "type": "keyword", "ignore_above": 1024 }, "full_name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "group": { "properties": { "domain": { "type": 
"keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "hash": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "roles": { "type": "keyword", "ignore_above": 1024 } } } } }, "sourcemap": { "dynamic": "false", "properties": { "bundle_filepath": { "type": "keyword", "ignore_above": 1024 }, "service": { "properties": { "name": { "type": "keyword", "ignore_above": 1024 }, "version": { "type": "keyword", "ignore_above": 1024 } } } } }, "span": { "dynamic": "false", "properties": { "action": { "type": "keyword", "ignore_above": 1024 }, "db": { "dynamic": "false", "properties": { "link": { "type": "keyword", "ignore_above": 1024 }, "rows_affected": { "type": "long" } } }, "destination": { "dynamic": "false", "properties": { "service": { "dynamic": "false", "properties": { "name": { "type": "keyword", "ignore_above": 1024 }, "resource": { "type": "keyword", "ignore_above": 1024 }, "response_time": { "properties": { "count": { "type": "long" }, "sum": { "properties": { "us": { "type": "long" } } } } }, "type": { "type": "keyword", "ignore_above": 1024 } } } } }, "duration": { "properties": { "us": { "type": "long" } } }, "id": { "type": "keyword", "ignore_above": 1024 }, "message": { "dynamic": "false", "properties": { "age": { "properties": { "ms": { "type": "long" } } }, "queue": { "properties": { "name": { "type": "keyword", "ignore_above": 1024 } } } } }, "name": { "type": "keyword", "ignore_above": 1024 }, "self_time": { "properties": { "count": { "type": "long" }, "sum": { "properties": { "us": { "type": "long" } } } } }, "start": { "properties": { "us": { "type": "long" } } }, "subtype": { "type": "keyword", "ignore_above": 1024 }, "sync": { "type": "boolean" }, "type": { "type": "keyword", "ignore_above": 1024 } } }, 
"system": { "properties": { "cpu": { "properties": { "total": { "properties": { "norm": { "properties": { "pct": { "type": "scaled_float", "scaling_factor": 1000 } } } } } } }, "memory": { "properties": { "actual": { "properties": { "free": { "type": "long" } } }, "total": { "type": "long" } } }, "process": { "properties": { "cgroup": { "properties": { "cpu": { "properties": { "cfs": { "properties": { "period": { "properties": { "us": { "type": "long" } } }, "quota": { "properties": { "us": { "type": "long" } } } } }, "id": { "type": "keyword", "ignore_above": 1024 }, "stats": { "properties": { "periods": { "type": "long" }, "throttled": { "properties": { "ns": { "type": "long" }, "periods": { "type": "long" } } } } } } }, "cpuacct": { "properties": { "id": { "type": "keyword", "ignore_above": 1024 }, "total": { "properties": { "ns": { "type": "long" } } } } }, "memory": { "properties": { "mem": { "properties": { "limit": { "properties": { "bytes": { "type": "long" } } }, "usage": { "properties": { "bytes": { "type": "long" } } } } } } } } }, "cpu": { "properties": { "total": { "properties": { "norm": { "properties": { "pct": { "type": "scaled_float", "scaling_factor": 1000 } } } } } } }, "memory": { "properties": { "rss": { "properties": { "bytes": { "type": "long" } } }, "size": { "type": "long" } } } } } } }, "tags": { "type": "keyword", "ignore_above": 1024 }, "threat": { "properties": { "framework": { "type": "keyword", "ignore_above": 1024 }, "tactic": { "properties": { "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 }, "reference": { "type": "keyword", "ignore_above": 1024 } } }, "technique": { "properties": { "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "reference": { "type": "keyword", "ignore_above": 1024 }, "subtechnique": { "properties": { "id": { "type": "keyword", "ignore_above": 1024 
}, "name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "reference": { "type": "keyword", "ignore_above": 1024 } } } } } } }, "timeseries": { "properties": { "instance": { "type": "keyword", "ignore_above": 1024 } } }, "timestamp": { "properties": { "us": { "type": "long" } } }, "tls": { "properties": { "cipher": { "type": "keyword", "ignore_above": 1024 }, "client": { "properties": { "certificate": { "type": "keyword", "ignore_above": 1024 }, "certificate_chain": { "type": "keyword", "ignore_above": 1024 }, "hash": { "properties": { "md5": { "type": "keyword", "ignore_above": 1024 }, "sha1": { "type": "keyword", "ignore_above": 1024 }, "sha256": { "type": "keyword", "ignore_above": 1024 } } }, "issuer": { "type": "keyword", "ignore_above": 1024 }, "ja3": { "type": "keyword", "ignore_above": 1024 }, "not_after": { "type": "date" }, "not_before": { "type": "date" }, "server_name": { "type": "keyword", "ignore_above": 1024 }, "subject": { "type": "keyword", "ignore_above": 1024 }, "supported_ciphers": { "type": "keyword", "ignore_above": 1024 }, "x509": { "properties": { "alternative_names": { "type": "keyword", "ignore_above": 1024 }, "issuer": { "properties": { "common_name": { "type": "keyword", "ignore_above": 1024 }, "country": { "type": "keyword", "ignore_above": 1024 }, "distinguished_name": { "type": "keyword", "ignore_above": 1024 }, "locality": { "type": "keyword", "ignore_above": 1024 }, "organization": { "type": "keyword", "ignore_above": 1024 }, "organizational_unit": { "type": "keyword", "ignore_above": 1024 }, "state_or_province": { "type": "keyword", "ignore_above": 1024 } } }, "not_after": { "type": "date" }, "not_before": { "type": "date" }, "public_key_algorithm": { "type": "keyword", "ignore_above": 1024 }, "public_key_curve": { "type": "keyword", "ignore_above": 1024 }, "public_key_exponent": { "type": "long", "index": false }, "public_key_size": { "type": "long" }, "serial_number": { 
"type": "keyword", "ignore_above": 1024 }, "signature_algorithm": { "type": "keyword", "ignore_above": 1024 }, "subject": { "properties": { "common_name": { "type": "keyword", "ignore_above": 1024 }, "country": { "type": "keyword", "ignore_above": 1024 }, "distinguished_name": { "type": "keyword", "ignore_above": 1024 }, "locality": { "type": "keyword", "ignore_above": 1024 }, "organization": { "type": "keyword", "ignore_above": 1024 }, "organizational_unit": { "type": "keyword", "ignore_above": 1024 }, "state_or_province": { "type": "keyword", "ignore_above": 1024 } } }, "version_number": { "type": "keyword", "ignore_above": 1024 } } } } }, "curve": { "type": "keyword", "ignore_above": 1024 }, "established": { "type": "boolean" }, "next_protocol": { "type": "keyword", "ignore_above": 1024 }, "resumed": { "type": "boolean" }, "server": { "properties": { "certificate": { "type": "keyword", "ignore_above": 1024 }, "certificate_chain": { "type": "keyword", "ignore_above": 1024 }, "hash": { "properties": { "md5": { "type": "keyword", "ignore_above": 1024 }, "sha1": { "type": "keyword", "ignore_above": 1024 }, "sha256": { "type": "keyword", "ignore_above": 1024 } } }, "issuer": { "type": "keyword", "ignore_above": 1024 }, "ja3s": { "type": "keyword", "ignore_above": 1024 }, "not_after": { "type": "date" }, "not_before": { "type": "date" }, "subject": { "type": "keyword", "ignore_above": 1024 }, "x509": { "properties": { "alternative_names": { "type": "keyword", "ignore_above": 1024 }, "issuer": { "properties": { "common_name": { "type": "keyword", "ignore_above": 1024 }, "country": { "type": "keyword", "ignore_above": 1024 }, "distinguished_name": { "type": "keyword", "ignore_above": 1024 }, "locality": { "type": "keyword", "ignore_above": 1024 }, "organization": { "type": "keyword", "ignore_above": 1024 }, "organizational_unit": { "type": "keyword", "ignore_above": 1024 }, "state_or_province": { "type": "keyword", "ignore_above": 1024 } } }, "not_after": { "type": 
"date" }, "not_before": { "type": "date" }, "public_key_algorithm": { "type": "keyword", "ignore_above": 1024 }, "public_key_curve": { "type": "keyword", "ignore_above": 1024 }, "public_key_exponent": { "type": "long", "index": false }, "public_key_size": { "type": "long" }, "serial_number": { "type": "keyword", "ignore_above": 1024 }, "signature_algorithm": { "type": "keyword", "ignore_above": 1024 }, "subject": { "properties": { "common_name": { "type": "keyword", "ignore_above": 1024 }, "country": { "type": "keyword", "ignore_above": 1024 }, "distinguished_name": { "type": "keyword", "ignore_above": 1024 }, "locality": { "type": "keyword", "ignore_above": 1024 }, "organization": { "type": "keyword", "ignore_above": 1024 }, "organizational_unit": { "type": "keyword", "ignore_above": 1024 }, "state_or_province": { "type": "keyword", "ignore_above": 1024 } } }, "version_number": { "type": "keyword", "ignore_above": 1024 } } } } }, "version": { "type": "keyword", "ignore_above": 1024 }, "version_protocol": { "type": "keyword", "ignore_above": 1024 } } }, "trace": { "dynamic": "false", "properties": { "id": { "type": "keyword", "ignore_above": 1024 } } }, "transaction": { "dynamic": "false", "properties": { "breakdown": { "properties": { "count": { "type": "long" } } }, "duration": { "properties": { "count": { "type": "long" }, "histogram": { "type": "histogram" }, "sum": { "properties": { "us": { "type": "long" } } }, "us": { "type": "long" } } }, "experience": { "properties": { "cls": { "type": "scaled_float", "scaling_factor": 1000000 }, "fid": { "type": "scaled_float", "scaling_factor": 1000000 }, "longtask": { "properties": { "count": { "type": "long" }, "max": { "type": "scaled_float", "scaling_factor": 1000000 }, "sum": { "type": "scaled_float", "scaling_factor": 1000000 } } }, "tbt": { "type": "scaled_float", "scaling_factor": 1000000 } } }, "id": { "type": "keyword", "ignore_above": 1024 }, "marks": { "dynamic": "true", "properties": { "*": { "properties": { 
"*": { "type": "object", "dynamic": "true" } } } } }, "message": { "dynamic": "false", "properties": { "age": { "properties": { "ms": { "type": "long" } } }, "queue": { "properties": { "name": { "type": "keyword", "ignore_above": 1024 } } } } }, "name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "result": { "type": "keyword", "ignore_above": 1024 }, "root": { "type": "boolean" }, "sampled": { "type": "boolean" }, "self_time": { "properties": { "count": { "type": "long" }, "sum": { "properties": { "us": { "type": "long" } } } } }, "span_count": { "properties": { "dropped": { "type": "long" } } }, "type": { "type": "keyword", "ignore_above": 1024 } } }, "url": { "dynamic": "false", "properties": { "domain": { "type": "keyword", "ignore_above": 1024 }, "extension": { "type": "keyword", "ignore_above": 1024 }, "fragment": { "type": "keyword", "ignore_above": 1024 }, "full": { "type": "keyword", "ignore_above": 1024 }, "original": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "password": { "type": "keyword", "ignore_above": 1024 }, "path": { "type": "keyword", "ignore_above": 1024 }, "port": { "type": "long" }, "query": { "type": "keyword", "ignore_above": 1024 }, "registered_domain": { "type": "keyword", "ignore_above": 1024 }, "scheme": { "type": "keyword", "ignore_above": 1024 }, "subdomain": { "type": "keyword", "ignore_above": 1024 }, "top_level_domain": { "type": "keyword", "ignore_above": 1024 }, "username": { "type": "keyword", "ignore_above": 1024 } } }, "user": { "dynamic": "false", "properties": { "changes": { "properties": { "domain": { "type": "keyword", "ignore_above": 1024 }, "email": { "type": "keyword", "ignore_above": 1024 }, "full_name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "group": { "properties": { "domain": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": 
"keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "hash": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "roles": { "type": "keyword", "ignore_above": 1024 } } }, "domain": { "type": "keyword", "ignore_above": 1024 }, "effective": { "properties": { "domain": { "type": "keyword", "ignore_above": 1024 }, "email": { "type": "keyword", "ignore_above": 1024 }, "full_name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "group": { "properties": { "domain": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "hash": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "roles": { "type": "keyword", "ignore_above": 1024 } } }, "email": { "type": "keyword", "ignore_above": 1024 }, "full_name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "group": { "properties": { "domain": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "hash": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 }, "roles": { "type": "keyword", "ignore_above": 1024 }, "target": { "properties": { "domain": { "type": "keyword", "ignore_above": 1024 }, "email": { "type": "keyword", "ignore_above": 1024 }, "full_name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "group": { "properties": { "domain": 
{ "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "hash": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "roles": { "type": "keyword", "ignore_above": 1024 } } } } }, "user_agent": { "dynamic": "false", "properties": { "device": { "properties": { "name": { "type": "keyword", "ignore_above": 1024 } } }, "name": { "type": "keyword", "ignore_above": 1024 }, "original": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "os": { "properties": { "family": { "type": "keyword", "ignore_above": 1024 }, "full": { "type": "keyword", "ignore_above": 1024 }, "kernel": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 }, "platform": { "type": "keyword", "ignore_above": 1024 }, "type": { "type": "keyword", "ignore_above": 1024 }, "version": { "type": "keyword", "ignore_above": 1024 } } }, "version": { "type": "keyword", "ignore_above": 1024 } } }, "vlan": { "properties": { "id": { "type": "keyword", "ignore_above": 1024 }, "name": { "type": "keyword", "ignore_above": 1024 } } }, "vulnerability": { "properties": { "category": { "type": "keyword", "ignore_above": 1024 }, "classification": { "type": "keyword", "ignore_above": 1024 }, "description": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, "enumeration": { "type": "keyword", "ignore_above": 1024 }, "id": { "type": "keyword", "ignore_above": 1024 }, "reference": { "type": "keyword", "ignore_above": 1024 }, "report_id": { "type": "keyword", "ignore_above": 1024 }, "scanner": { "properties": { "vendor": { "type": "keyword", "ignore_above": 1024 } } }, "score": { "properties": { "base": { "type": "float" }, "environmental": 
{ "type": "float" }, "temporal": { "type": "float" }, "version": { "type": "keyword", "ignore_above": 1024 } } }, "severity": { "type": "keyword", "ignore_above": 1024 } } }, "x509": { "properties": { "alternative_names": { "type": "keyword", "ignore_above": 1024 }, "issuer": { "properties": { "common_name": { "type": "keyword", "ignore_above": 1024 }, "country": { "type": "keyword", "ignore_above": 1024 }, "distinguished_name": { "type": "keyword", "ignore_above": 1024 }, "locality": { "type": "keyword", "ignore_above": 1024 }, "organization": { "type": "keyword", "ignore_above": 1024 }, "organizational_unit": { "type": "keyword", "ignore_above": 1024 }, "state_or_province": { "type": "keyword", "ignore_above": 1024 } } }, "not_after": { "type": "date" }, "not_before": { "type": "date" }, "public_key_algorithm": { "type": "keyword", "ignore_above": 1024 }, "public_key_curve": { "type": "keyword", "ignore_above": 1024 }, "public_key_exponent": { "type": "long", "index": false }, "public_key_size": { "type": "long" }, "serial_number": { "type": "keyword", "ignore_above": 1024 }, "signature_algorithm": { "type": "keyword", "ignore_above": 1024 }, "subject": { "properties": { "common_name": { "type": "keyword", "ignore_above": 1024 }, "country": { "type": "keyword", "ignore_above": 1024 }, "distinguished_name": { "type": "keyword", "ignore_above": 1024 }, "locality": { "type": "keyword", "ignore_above": 1024 }, "organization": { "type": "keyword", "ignore_above": 1024 }, "organizational_unit": { "type": "keyword", "ignore_above": 1024 }, "state_or_province": { "type": "keyword", "ignore_above": 1024 } } }, "version_number": { "type": "keyword", "ignore_above": 1024 } } } } } } } ```
kertal commented 3 years ago

Sorry for the late reply @michaelhyatt, I couldn't reproduce, but have a theory. Could you provide the '_source' of the document that misses fields? You could get it by `GET /{index}/_doc/{id}`; this would help to reproduce.

michaelhyatt commented 3 years ago

Here it is

```javascript
{
  "took" : 101,
  "timed_out" : false,
  "_shards" : {
    "total" : 94,
    "successful" : 94,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "apm-7.13.3-span-000001",
        "_type" : "_doc",
        "_id" : "a06m8XoBPCHo_FM-X7Vi",
        "_score" : 1.0,
        "_source" : {
          "parent" : {
            "id" : "7c2a70d558b837aa"
          },
          "agent" : {
            "name" : "opentelemetry/python",
            "version" : "1.3.0"
          },
          "destination" : {
            "address" : "8f9h37t344.execute-api.ap-southeast-2.amazonaws.com",
            "port" : 443
          },
          "processor" : {
            "name" : "transaction",
            "event" : "span"
          },
          "observer" : {
            "hostname" : "239a3178c3af",
            "name" : "instance-0000000010",
            "id" : "b62ed9f8-d695-4d79-a553-a71fc7f49390",
            "type" : "apm-server",
            "ephemeral_id" : "529085d7-446f-4cee-9863-141a53918d3f",
            "version" : "7.13.3",
            "version_major" : 7
          },
          "trace" : {
            "id" : "39104bdf65bf166b91b59fe9e6558daf"
          },
          "@timestamp" : "2021-07-29T09:44:07.024Z",
          "ecs" : {
            "version" : "1.8.0"
          },
          "service" : {
            "name" : "handler_producer"
          },
          "event" : {
            "outcome" : "success"
          },
          "span" : {
            "duration" : {
              "us" : 2911691
            },
            "subtype" : "http",
            "destination" : {
              "service" : {
                "resource" : "8f9h37t344.execute-api.ap-southeast-2.amazonaws.com:443",
                "name" : "https://8f9h37t344.execute-api.ap-southeast-2.amazonaws.com",
                "type" : "external"
              }
            },
            "name" : "producer-function-client",
            "http" : {
              "method" : "GET",
              "response" : {
                "status_code" : 200
              },
              "url" : {
                "original" : "https://8f9h37t344.execute-api.ap-southeast-2.amazonaws.com/dev/consume"
              }
            },
            "id" : "b8eb5a4c4cdb3c92",
            "type" : "external"
          },
          "timestamp" : {
            "us" : 1627551847024021
          }
        }
      }
    ]
  }
}
```

kertal commented 3 years ago

Thank you, I'm getting closer ... so it seems it works when I ingest the document without the mapping you've provided; seems APM mapping changed and there is now a dedicated mapping for span data?

[image: Bildschirmfoto 2021-08-19 um 09 47 32]

However, when I ingest the doc you provided, the unmapped fields are displayed, so there's another thing I'd need for debugging: could you provide the index pattern saved object? Many thx!

michaelhyatt commented 3 years ago

@kertal no probs, here it is. export.ndjson.zip

kertal commented 3 years ago

Many thanks. Since it works in my test, another question: was this instance upgraded, and if yes, from what version? Thx

michaelhyatt commented 3 years ago

It went through 7.12 -> 7.13 -> 7.14

Do you need the minor versions too?

kertal commented 3 years ago

thx, no this should be fine 👍

majagrubic commented 3 years ago

@michaelhyatt, we are looking into this issue, but it seems like the entire team has trouble reproducing this. I have a few additional questions:

  1. Can you post the full request/response from Discover? (the Inspect tab)
  2. Are the missing fields showing in the sidebar at all?
  3. Was the original mapping at any point updated?

michaelhyatt commented 3 years ago

@majagrubic I don't have that cluster anymore, but it was upgraded from an earlier version to 7.13.3, so the APM mapping may have been updated, not too sure. The missing fields were showing in the JSON view, but not available in the sidebar.

majagrubic commented 3 years ago

I think you ran into some issue around how unmapped fields were displayed - obviously showing in the JSON view, but not in the document view. We made a lot of improvements in this area over the past few minors, so it's possible this has been fixed. Since we are having trouble reproducing, and you are not using the cluster, mind if we close the issue?

michaelhyatt commented 3 years ago

Not at all, please close it, will reopen it if it surfaces again.
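
The thread attributes the symptom to unmapped fields: the posted `span` mapping sets `"dynamic": "false"` and has no `http` property, so `span.http.*` stays in `_source` without being indexed. The Python sketch below is an added example, not code from Kibana or from the participants; it compares a document with a mapping offline, using constructed excerpts of the mapping and `_source` posted above, hypothetical function names, and the assumption that the root mapping uses Elasticsearch's default `dynamic: true`.

```python
"""Report _source fields that an Elasticsearch mapping does not cover."""

# Constructed excerpt of the mapping quoted in the issue: only some of the
# "span" and "trace" properties are reproduced. Like the original, the
# "span" object has no "http" property.
KEYWORD = {"type": "keyword", "ignore_above": 1024}
MAPPING_EXCERPT = {
    "properties": {
        "span": {
            "dynamic": "false",
            "properties": {
                "destination": {
                    "dynamic": "false",
                    "properties": {
                        "service": {
                            "dynamic": "false",
                            "properties": {
                                "name": KEYWORD,
                                "resource": KEYWORD,
                                "type": KEYWORD,
                            },
                        }
                    },
                },
                "duration": {"properties": {"us": {"type": "long"}}},
                "id": KEYWORD,
                "name": KEYWORD,
                "subtype": KEYWORD,
                "type": KEYWORD,
            },
        },
        "trace": {"dynamic": "false", "properties": {"id": KEYWORD}},
    }
}

# Constructed excerpt of the _source posted in the issue.
SOURCE_EXCERPT = {
    "trace": {"id": "39104bdf65bf166b91b59fe9e6558daf"},
    "span": {
        "duration": {"us": 2911691},
        "subtype": "http",
        "destination": {"service": {"type": "external"}},
        "name": "producer-function-client",
        "http": {
            "method": "GET",
            "response": {"status_code": 200},
            "url": {"original": "https://example.invalid/dev/consume"},
        },
        "id": "b8eb5a4c4cdb3c92",
        "type": "external",
    },
}


def flatten_source(doc, prefix=""):
    """Yield the dotted path of every leaf value in a _source document."""
    for key, value in doc.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            yield from flatten_source(value, path + ".")
        elif isinstance(value, list) and any(isinstance(v, dict) for v in value):
            # Arrays of objects share the parent's path in Elasticsearch.
            for item in value:
                if isinstance(item, dict):
                    yield from flatten_source(item, path + ".")
        else:
            yield path


def lookup(mapping, path):
    """Walk the mapping along a dotted path.

    Returns (definition or None, dynamic setting in effect where the walk
    stopped). Inner objects inherit "dynamic" from their parent object.
    """
    node = mapping
    dynamic = str(mapping.get("dynamic", "true")).lower()
    for part in path.split("."):
        properties = node.get("properties", {})
        if part not in properties:
            return None, dynamic
        node = properties[part]
        if "dynamic" in node:
            dynamic = str(node["dynamic"]).lower()
    return node, dynamic


def unmapped_fields(mapping, source):
    """Map each _source path missing from the mapping to the governing
    "dynamic" value ("false": kept in _source only, not indexed)."""
    report = {}
    for path in flatten_source(source):
        definition, dynamic = lookup(mapping, path)
        if definition is None:
            report[path] = dynamic
    return report


if __name__ == "__main__":
    for field, dynamic in sorted(unmapped_fields(MAPPING_EXCERPT, SOURCE_EXCERPT).items()):
        print(f"{field}: unmapped (dynamic={dynamic})")
```

Fields reported with `dynamic=false` cannot be searched, filtered or aggregated on, so any query or alert that relies on them silently matches nothing even though the values are visible in the JSON view.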