From c71a17e38f3f788a280812bd4d41189e69e60519 Mon Sep 17 00:00:00 2001 From: DeDe Morton Date: Wed, 4 Sep 2019 10:22:45 -0700 Subject: [PATCH 1/6] [7.1][DOCS] Backport: Fix asciidoctor build (#13460) * Asciidoctor migration (#12006) * Change tagging to work with asciidoctor * Fix formatting issues * Changes from review * [DOCS] More fixes for asciidoctor migration (#12434) * [DOCS] More fixes for asciidoctor migration * Simplify logic for adding delimiter blocks * Rebase and run make update * Revert incorrect fix * Update script to fix broken list format * Fix script to pass autopep8 test --- auditbeat/docs/fields.asciidoc | 19 + docs/devguide/migrate-dashboards.asciidoc | 4 +- docs/devguide/newdashboards.asciidoc | 12 +- filebeat/docs/fields.asciidoc | 8096 +++++++++++++++++ filebeat/docs/index.asciidoc | 6 + journalbeat/docs/config-options.asciidoc | 4 +- journalbeat/docs/filtering.asciidoc | 2 +- journalbeat/docs/general-options.asciidoc | 4 +- journalbeat/docs/getting-started.asciidoc | 6 +- journalbeat/docs/index.asciidoc | 2 + libbeat/docs/command-reference.asciidoc | 16 +- .../docs/monitoring/monitoring-beats.asciidoc | 17 +- libbeat/docs/outputconfig.asciidoc | 32 +- libbeat/docs/processors-using.asciidoc | 6 +- libbeat/docs/reference-yml.asciidoc | 8 +- libbeat/docs/security/securing-beats.asciidoc | 1 + .../docs/shared-central-management.asciidoc | 6 +- libbeat/docs/shared-docker.asciidoc | 72 +- libbeat/docs/shared-path-config.asciidoc | 2 +- libbeat/docs/step-configure-output.asciidoc | 9 - libbeat/scripts/generate_fields_docs.py | 15 +- metricbeat/docs/index.asciidoc | 2 + metricbeat/docs/modules_list.asciidoc | 4 +- metricbeat/scripts/docs_collector.py | 4 +- packetbeat/docs/packetbeat-filtering.asciidoc | 14 +- winlogbeat/docs/index.asciidoc | 3 + 26 files changed, 8265 insertions(+), 101 deletions(-) diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc index 0633c9147a5..7fca4cc2ca9 100644 --- a/auditbeat/docs/fields.asciidoc 
+++ b/auditbeat/docs/fields.asciidoc @@ -2886,7 +2886,16 @@ The name of the module's dataset that generated the event. -- +<<<<<<< HEAD *`event.action`*:: +======= +An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available. + + +-- + +*`file.origin.raw`*:: +>>>>>>> 99e4fbe40... [7.1][DOCS] Backport: Fix asciidoctor build (#13460) + -- type: keyword @@ -2897,9 +2906,19 @@ Action describes the change that triggered the event. For the file integrity module the possible values are: attributes_modified, created, deleted, updated, moved, and config_change. +<<<<<<< HEAD -- *`event.id`*:: +======= +[float] +== selinux fields + +The SELinux identity of the file. + + +*`file.selinux.user`*:: +>>>>>>> 99e4fbe40... [7.1][DOCS] Backport: Fix asciidoctor build (#13460) + -- type: keyword diff --git a/docs/devguide/migrate-dashboards.asciidoc b/docs/devguide/migrate-dashboards.asciidoc index 56a16edf535..64e94d008e1 100644 --- a/docs/devguide/migrate-dashboards.asciidoc +++ b/docs/devguide/migrate-dashboards.asciidoc @@ -91,8 +91,8 @@ dashboards: Using the yml file, you can export all the dashboards for a single module or for the entire Beat using a single command: [source,shell] ------------------- +---- cd metricbeat/module/system go run ../../../dev-tools/cmd/dashboards/export_dashboards.go -yml module.yml -------------------- +---- diff --git a/docs/devguide/newdashboards.asciidoc b/docs/devguide/newdashboards.asciidoc index a203c5e4217..e8d4437b015 100644 --- a/docs/devguide/newdashboards.asciidoc +++ b/docs/devguide/newdashboards.asciidoc @@ -55,7 +55,7 @@ The `setup` phase loads: For more details about the `setup` command, run the following: [source,shell] -------------------------- +---- ./metricbeat help setup This command does initial setup of the environment: 
@@ -73,15 +73,15 @@ Flags: --machine-learning Setup machine learning job configurations only --modules string List of enabled modules (comma separated) --template Setup index template only ---------------------------- +---- The flags are useful when you don't want to load everything. For example, to import only the dashboards, use the `--dashboards` flag: [source,shell] ---------------------- +---- ./metricbeat setup --dashboards -------------------------------- +---- Starting with Beats 6.0.0, the dashboards are no longer loaded directly into Elasticsearch. Instead, they are imported directly into Kibana. Thus, if your Kibana instance is not listening on localhost, or you enabled @@ -90,9 +90,9 @@ the config for the Beat, or pass the Kibana host and credentials as arguments to the `setup` command. For example: [source,shell] -------------------------- +---- ./metricbeat setup -E setup.kibana.host=192.168.3.206:5601 -E setup.kibana.username=elastic -E setup.kibana.password=secret --------------------------- +---- By default, the `setup` command imports the dashboards from the `kibana` directory, which is available in the Beat package. diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 4c59d4113f9..1b96a3a988d 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc 
@@ -4501,7 +4501,8103 @@ The slow query. -- type: long +<<<<<<< HEAD The connection or thread ID for the query. +======= +-- + +*`elasticsearch.slowlog.total_hits`*:: ++ +-- +type: keyword + +example: 42 + +Total hits + +-- + +*`elasticsearch.slowlog.total_shards`*:: ++ +-- +type: keyword + +example: 22 + +Total queried shards + +-- + +*`elasticsearch.slowlog.routing`*:: ++ +-- +type: keyword + +example: s01HZ2QBk9jw4gtgaFtn + +Routing + +-- + +*`elasticsearch.slowlog.id`*:: ++ +-- +type: keyword + +example: + +Id + +-- + +*`elasticsearch.slowlog.type`*:: ++ +-- +type: keyword + +example: doc + +Type + +-- + +[[exported-fields-haproxy]] +== haproxy fields + +haproxy Module + + + +[float] +== haproxy fields + + + + +*`haproxy.frontend_name`*:: ++ +-- +Name of the frontend (or listener) which received and processed the connection. + +-- + +*`haproxy.backend_name`*:: ++ +-- +Name of the backend (or listener) which was selected to manage the connection to the server. + +-- + +*`haproxy.server_name`*:: ++ +-- +Name of the last server to which the connection was sent. + +-- + +*`haproxy.total_waiting_time_ms`*:: ++ +-- +type: long + +Total time in milliseconds spent waiting in the various queues + +-- + +*`haproxy.connection_wait_time_ms`*:: ++ +-- +type: long + +Total time in milliseconds spent waiting for the connection to establish to the final server + +-- + +*`haproxy.bytes_read`*:: ++ +-- +type: long + +Total number of bytes transmitted to the client when the log is emitted. + +-- + +*`haproxy.time_queue`*:: ++ +-- +type: long + +Total time in milliseconds spent waiting in the various queues. + +-- + +*`haproxy.time_backend_connect`*:: ++ +-- +type: long + +Total time in milliseconds spent waiting for the connection to establish to the final server, including retries. + +-- + +*`haproxy.server_queue`*:: ++ +-- +type: long + +Total number of requests which were processed before this one in the server queue. 
+ +-- + +*`haproxy.backend_queue`*:: ++ +-- +type: long + +Total number of requests which were processed before this one in the backend's global queue. + +-- + +*`haproxy.bind_name`*:: ++ +-- +Name of the listening address which received the connection. + +-- + +*`haproxy.error_message`*:: ++ +-- +type: text + +Error message logged by HAProxy in case of error. + +-- + +*`haproxy.source`*:: ++ +-- +type: keyword + +The HAProxy source of the log + +-- + +*`haproxy.termination_state`*:: ++ +-- +Condition the session was in when the session ended. + +-- + +*`haproxy.mode`*:: ++ +-- +type: keyword + +mode that the frontend is operating (TCP or HTTP) + +-- + +[float] +== connections fields + +Contains various counts of connections active in the process. + + +*`haproxy.connections.active`*:: ++ +-- +type: long + +Total number of concurrent connections on the process when the session was logged. + +-- + +*`haproxy.connections.frontend`*:: ++ +-- +type: long + +Total number of concurrent connections on the frontend when the session was logged. + +-- + +*`haproxy.connections.backend`*:: ++ +-- +type: long + +Total number of concurrent connections handled by the backend when the session was logged. + +-- + +*`haproxy.connections.server`*:: ++ +-- +type: long + +Total number of concurrent connections still active on the server when the session was logged. + +-- + +*`haproxy.connections.retries`*:: ++ +-- +type: long + +Number of connection retries experienced by this session when trying to connect to the server. 
+ +-- + +[float] +== client fields + +Information about the client doing the request + + +*`haproxy.client.ip`*:: ++ +-- +type: alias + +alias to: source.address + +-- + +*`haproxy.client.port`*:: ++ +-- +type: alias + +alias to: source.port + +-- + +*`haproxy.process_name`*:: ++ +-- +type: alias + +alias to: process.name + +-- + +*`haproxy.pid`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +[float] +== destination fields + +Destination information + + +*`haproxy.destination.port`*:: ++ +-- +type: alias + +alias to: destination.port + +-- + +*`haproxy.destination.ip`*:: ++ +-- +type: alias + +alias to: destination.ip + +-- + +[float] +== geoip fields + +Contains GeoIP information gathered based on the client.ip field. Only present if the GeoIP Elasticsearch plugin is available and used. + + + +*`haproxy.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`haproxy.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + +*`haproxy.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`haproxy.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`haproxy.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`haproxy.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[float] +== http fields + +Please add description + + +[float] +== response fields + +Fields related to the HTTP response + + +*`haproxy.http.response.captured_cookie`*:: ++ +-- +Optional "name=value" entry indicating that the client had this cookie in the response. + + +-- + +*`haproxy.http.response.captured_headers`*:: ++ +-- +type: keyword + +List of headers captured in the response due to the presence of the "capture response header" statement in the frontend. 
+ + +-- + +*`haproxy.http.response.status_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +[float] +== request fields + +Fields related to the HTTP request + + +*`haproxy.http.request.captured_cookie`*:: ++ +-- +Optional "name=value" entry indicating that the server has returned a cookie with its request. + + +-- + +*`haproxy.http.request.captured_headers`*:: ++ +-- +type: keyword + +List of headers captured in the request due to the presence of the "capture request header" statement in the frontend. + + +-- + +*`haproxy.http.request.raw_request_line`*:: ++ +-- +type: keyword + +Complete HTTP request line, including the method, request and HTTP version string. + +-- + +*`haproxy.http.request.time_wait_without_data_ms`*:: ++ +-- +type: long + +Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data. + +-- + +*`haproxy.http.request.time_wait_ms`*:: ++ +-- +type: long + +Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received. + +-- + +[float] +== tcp fields + +TCP log format + + +*`haproxy.tcp.connection_waiting_time_ms`*:: ++ +-- +type: long + +Total time in milliseconds elapsed between the accept and the last close + +-- + +[[exported-fields-host-processor]] +== Host fields + +Info collected for the host machine. + + + + +*`host.containerized`*:: ++ +-- +type: boolean + +If the host is a container. + + +-- + +*`host.os.build`*:: ++ +-- +type: keyword + +example: 18D109 + +OS build information. + + +-- + +[[exported-fields-icinga]] +== Icinga fields + +Icinga Module + + + +[float] +== icinga fields + + + + +[float] +== debug fields + +Contains fields for the Icinga debug logs. + + + +*`icinga.debug.facility`*:: ++ +-- +type: keyword + +Specifies what component of Icinga logged the message. 
+ + +-- + +*`icinga.debug.severity`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`icinga.debug.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[float] +== main fields + +Contains fields for the Icinga main logs. + + + +*`icinga.main.facility`*:: ++ +-- +type: keyword + +Specifies what component of Icinga logged the message. + + +-- + +*`icinga.main.severity`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`icinga.main.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[float] +== startup fields + +Contains fields for the Icinga startup logs. + + + +*`icinga.startup.facility`*:: ++ +-- +type: keyword + +Specifies what component of Icinga logged the message. + + +-- + +*`icinga.startup.severity`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`icinga.startup.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[[exported-fields-iis]] +== IIS fields + +Module for parsing IIS log files. + + + +[float] +== iis fields + +Fields from IIS log files. + + + +[float] +== access fields + +Contains fields for IIS access logs. + + + +*`iis.access.sub_status`*:: ++ +-- +type: long + +The HTTP substatus code. + + +-- + +*`iis.access.win32_status`*:: ++ +-- +type: long + +The Windows status code. + + +-- + +*`iis.access.site_name`*:: ++ +-- +type: keyword + +The site name and instance number. + + +-- + +*`iis.access.server_name`*:: ++ +-- +type: keyword + +The name of the server on which the log file entry was generated. + + +-- + +*`iis.access.cookie`*:: ++ +-- +type: keyword + +The content of the cookie sent or received, if any. 
+ + +-- + +*`iis.access.body_received.bytes`*:: ++ +-- +type: alias + +alias to: http.request.body.bytes + +-- + +*`iis.access.body_sent.bytes`*:: ++ +-- +type: alias + +alias to: http.response.body.bytes + +-- + +*`iis.access.server_ip`*:: ++ +-- +type: alias + +alias to: destination.address + +-- + +*`iis.access.method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`iis.access.url`*:: ++ +-- +type: alias + +alias to: url.path + +-- + +*`iis.access.query_string`*:: ++ +-- +type: alias + +alias to: url.query + +-- + +*`iis.access.port`*:: ++ +-- +type: alias + +alias to: destination.port + +-- + +*`iis.access.user_name`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`iis.access.remote_ip`*:: ++ +-- +type: alias + +alias to: source.address + +-- + +*`iis.access.referrer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`iis.access.response_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +*`iis.access.http_version`*:: ++ +-- +type: alias + +alias to: http.version + +-- + +*`iis.access.hostname`*:: ++ +-- +type: alias + +alias to: host.hostname + +-- + + +*`iis.access.user_agent.device`*:: ++ +-- +type: alias + +alias to: user_agent.device.name + +-- + +*`iis.access.user_agent.name`*:: ++ +-- +type: alias + +alias to: user_agent.name + +-- + +*`iis.access.user_agent.os`*:: ++ +-- +type: alias + +alias to: user_agent.os.full_name + +-- + +*`iis.access.user_agent.os_name`*:: ++ +-- +type: alias + +alias to: user_agent.os.name + +-- + +*`iis.access.user_agent.original`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`iis.access.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`iis.access.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + +*`iis.access.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`iis.access.geoip.region_name`*:: ++ +-- +type: alias + 
+alias to: source.geo.region_name + +-- + +*`iis.access.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`iis.access.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[float] +== error fields + +Contains fields for IIS error logs. + + + +*`iis.error.reason_phrase`*:: ++ +-- +type: keyword + +The HTTP reason phrase. + + +-- + +*`iis.error.queue_name`*:: ++ +-- +type: keyword + +The IIS application pool name. + + +-- + +*`iis.error.remote_ip`*:: ++ +-- +type: alias + +alias to: source.address + +-- + +*`iis.error.remote_port`*:: ++ +-- +type: alias + +alias to: source.port + +-- + +*`iis.error.server_ip`*:: ++ +-- +type: alias + +alias to: destination.address + +-- + +*`iis.error.server_port`*:: ++ +-- +type: alias + +alias to: destination.port + +-- + +*`iis.error.http_version`*:: ++ +-- +type: alias + +alias to: http.version + +-- + +*`iis.error.method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`iis.error.url`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`iis.error.response_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + + +*`iis.error.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`iis.error.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + +*`iis.error.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`iis.error.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`iis.error.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`iis.error.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[[exported-fields-iptables]] +== iptables fields + +Module for handling the iptables logs. + + + +[float] +== iptables fields + +Fields from the iptables logs. 
+ + + +*`iptables.ether_type`*:: ++ +-- +type: long + +Value of the ethernet type field identifying the network layer protocol. + + +-- + +*`iptables.flow_label`*:: ++ +-- +type: integer + +IPv6 flow label. + + +-- + +*`iptables.fragment_flags`*:: ++ +-- +type: keyword + +IP fragment flags. A combination of CE, DF and MF. + + +-- + +*`iptables.fragment_offset`*:: ++ +-- +type: long + +Offset of the current IP fragment. + + +-- + +[float] +== icmp fields + +ICMP fields. + + + +*`iptables.icmp.code`*:: ++ +-- +type: long + +ICMP code. + + +-- + +*`iptables.icmp.id`*:: ++ +-- +type: long + +ICMP ID. + + +-- + +*`iptables.icmp.parameter`*:: ++ +-- +type: long + +ICMP parameter. + + +-- + +*`iptables.icmp.redirect`*:: ++ +-- +type: ip + +ICMP redirect address. + + +-- + +*`iptables.icmp.seq`*:: ++ +-- +type: long + +ICMP sequence number. + + +-- + +*`iptables.icmp.type`*:: ++ +-- +type: long + +ICMP type. + + +-- + +*`iptables.id`*:: ++ +-- +type: long + +Packet identifier. + + +-- + +*`iptables.incomplete_bytes`*:: ++ +-- +type: long + +Number of incomplete bytes. + + +-- + +*`iptables.input_device`*:: ++ +-- +type: keyword + +Device that received the packet. + + +-- + +*`iptables.precedence_bits`*:: ++ +-- +type: short + +IP precedence bits. + + +-- + +*`iptables.tos`*:: ++ +-- +type: long + +IP Type of Service field. + + +-- + +*`iptables.length`*:: ++ +-- +type: long + +Packet length. + + +-- + +*`iptables.output_device`*:: ++ +-- +type: keyword + +Device that output the packet. + + +-- + +[float] +== tcp fields + +TCP fields. + + + +*`iptables.tcp.flags`*:: ++ +-- +type: keyword + +TCP flags. + + +-- + +*`iptables.tcp.reserved_bits`*:: ++ +-- +type: short + +TCP reserved bits. + + +-- + +*`iptables.tcp.seq`*:: ++ +-- +type: long + +TCP sequence number. + + +-- + +*`iptables.tcp.ack`*:: ++ +-- +type: long + +TCP Acknowledgment number. + + +-- + +*`iptables.tcp.window`*:: ++ +-- +type: long + +Advertised TCP window size. 
+ + +-- + +*`iptables.ttl`*:: ++ +-- +type: integer + +Time To Live field. + + +-- + +[float] +== udp fields + +UDP fields. + + + +*`iptables.udp.length`*:: ++ +-- +type: long + +Length of the UDP header and payload. + + +-- + +[float] +== ubiquiti fields + +Fields for Ubiquiti network devices. + + + +*`iptables.ubiquiti.input_zone`*:: ++ +-- +type: keyword + +Input zone. + + +-- + +*`iptables.ubiquiti.output_zone`*:: ++ +-- +type: keyword + +Output zone. + + +-- + +*`iptables.ubiquiti.rule_number`*:: ++ +-- +type: keyword + +The rule number within the rule set. + +-- + +*`iptables.ubiquiti.rule_set`*:: ++ +-- +type: keyword + +The rule set name. + +-- + +[[exported-fields-kafka]] +== Kafka fields + +Kafka module + + + +[float] +== kafka fields + + + + +[float] +== log fields + +Kafka log lines. + + + +*`kafka.log.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`kafka.log.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +*`kafka.log.component`*:: ++ +-- +type: keyword + +Component the log is coming from. + + +-- + +*`kafka.log.class`*:: ++ +-- +type: keyword + +Java class the log is coming from. + + +-- + +[float] +== trace fields + +Trace in the log line. + + + +*`kafka.log.trace.class`*:: ++ +-- +type: keyword + +Java class the trace is coming from. + + +-- + +*`kafka.log.trace.message`*:: ++ +-- +type: text + +Message part of the trace. + + +-- + +[[exported-fields-kibana]] +== kibana fields + +kibana Module + + + +[float] +== kibana fields + + + + +[float] +== log fields + +Kafka log lines. + + + +*`kibana.log.tags`*:: ++ +-- +type: keyword + +Kibana logging tags. + + +-- + +*`kibana.log.state`*:: ++ +-- +type: keyword + +Current state of Kibana. 
+ + +-- + +*`kibana.log.meta`*:: ++ +-- +type: object + +-- + +*`kibana.log.kibana.log.meta.req.headers.referer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`kibana.log.kibana.log.meta.req.referer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`kibana.log.kibana.log.meta.req.headers.user-agent`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + +*`kibana.log.kibana.log.meta.req.remoteAddress`*:: ++ +-- +type: alias + +alias to: source.address + +-- + +*`kibana.log.kibana.log.meta.req.url`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`kibana.log.kibana.log.meta.statusCode`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +*`kibana.log.kibana.log.meta.method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +[[exported-fields-kubernetes-processor]] +== Kubernetes fields + +Kubernetes metadata added by the kubernetes processor + + + + +*`kubernetes.pod.name`*:: ++ +-- +type: keyword + +Kubernetes pod name + + +-- + +*`kubernetes.pod.uid`*:: ++ +-- +type: keyword + +Kubernetes Pod UID + + +-- + +*`kubernetes.namespace`*:: ++ +-- +type: keyword + +Kubernetes namespace + + +-- + +*`kubernetes.node.name`*:: ++ +-- +type: keyword + +Kubernetes node name + + +-- + +*`kubernetes.labels.*`*:: ++ +-- +type: object + +Kubernetes labels map + + +-- + +*`kubernetes.annotations.*`*:: ++ +-- +type: object + +Kubernetes annotations map + + +-- + +*`kubernetes.container.name`*:: ++ +-- +type: keyword + +Kubernetes container name + + +-- + +*`kubernetes.container.image`*:: ++ +-- +type: keyword + +Kubernetes container image + + +-- + +[[exported-fields-log]] +== Log file content fields + +Contains log file lines. + + + +*`log.file.path`*:: ++ +-- +type: keyword + +required: False + +The file from which the line was read. This field contains the absolute path to the file. For example: `/var/log/system.log`. 
+ + +-- + +*`log.source.address`*:: ++ +-- +type: keyword + +required: False + +Source address from which the log event was read / sent from. + + +-- + +*`log.offset`*:: ++ +-- +type: long + +required: False + +The file offset the reported line starts at. + + +-- + +*`stream`*:: ++ +-- +type: keyword + +required: False + +Log stream when reading container logs, can be 'stdout' or 'stderr' + + +-- + +*`input.type`*:: ++ +-- +required: True + +The input type from which the event was generated. This field is set to the value specified for the `type` option in the input section of the Filebeat config file. + + +-- + +*`syslog.facility`*:: ++ +-- +type: long + +required: False + +The facility extracted from the priority. + + +-- + +*`syslog.priority`*:: ++ +-- +type: long + +required: False + +The priority of the syslog event. + + +-- + +*`syslog.severity_label`*:: ++ +-- +type: keyword + +required: False + +The human readable severity. + + +-- + +*`syslog.facility_label`*:: ++ +-- +type: keyword + +required: False + +The human readable facility. + + +-- + +*`process.program`*:: ++ +-- +type: keyword + +required: False + +The name of the program. + + +-- + +*`log.flags`*:: ++ +-- +This field contains the flags of the event. + + +-- + +*`http.response.content_length`*:: ++ +-- +type: alias + +alias to: http.response.body.bytes + +-- + + + +*`user_agent.os.full_name`*:: ++ +-- +type: keyword + +-- + +*`fileset.name`*:: ++ +-- +type: keyword + +The Filebeat fileset that generated this event. + + +-- + +*`fileset.module`*:: ++ +-- +type: alias + +alias to: event.module + +-- + +*`read_timestamp`*:: ++ +-- +type: alias + +alias to: event.created + +-- + +[[exported-fields-logstash]] +== logstash fields + +logstash Module + + + +[float] +== logstash fields + + + + +[float] +== log fields + +Fields from the Logstash logs. + + + +*`logstash.log.module`*:: ++ +-- +type: keyword + +The module or class where the event originate. 
+ + +-- + +*`logstash.log.thread`*:: ++ +-- +type: keyword + +Information about the running thread where the log originate. + + +-- + +*`logstash.log.thread.text`*:: ++ +-- +type: text + +-- + +*`logstash.log.log_event`*:: ++ +-- +type: object + +key and value debugging information. + + +-- + +*`logstash.log.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +*`logstash.log.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +[float] +== slowlog fields + +slowlog + + + +*`logstash.slowlog.module`*:: ++ +-- +type: keyword + +The module or class where the event originate. + + +-- + +*`logstash.slowlog.thread`*:: ++ +-- +type: keyword + +Information about the running thread where the log originate. + + +-- + +*`logstash.slowlog.thread.text`*:: ++ +-- +type: text + +-- + +*`logstash.slowlog.event`*:: ++ +-- +type: keyword + +Raw dump of the original event + + +-- + +*`logstash.slowlog.event.text`*:: ++ +-- +type: text + +-- + +*`logstash.slowlog.plugin_name`*:: ++ +-- +type: keyword + +Name of the plugin + + +-- + +*`logstash.slowlog.plugin_type`*:: ++ +-- +type: keyword + +Type of the plugin: Inputs, Filters, Outputs or Codecs. + + +-- + +*`logstash.slowlog.took_in_millis`*:: ++ +-- +type: long + +Execution time for the plugin in milliseconds. + + +-- + +*`logstash.slowlog.plugin_params`*:: ++ +-- +type: keyword + +String value of the plugin configuration + + +-- + +*`logstash.slowlog.plugin_params.text`*:: ++ +-- +type: text + +-- + +*`logstash.slowlog.plugin_params_object`*:: ++ +-- +type: object + +key -> value of the configuration used by the plugin. + + +-- + +*`logstash.slowlog.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`logstash.slowlog.took_in_nanos`*:: ++ +-- +type: alias + +alias to: event.duration + +-- + +[[exported-fields-mongodb]] +== mongodb fields + +Module for parsing MongoDB log files. + + + +[float] +== mongodb fields + +Fields from MongoDB logs. 
+ + + +[float] +== log fields + +Contains fields from MongoDB logs. + + + +*`mongodb.log.component`*:: ++ +-- +type: keyword + +example: COMMAND + +Functional categorization of message + + +-- + +*`mongodb.log.context`*:: ++ +-- +type: keyword + +example: initandlisten + +Context of message + + +-- + +*`mongodb.log.severity`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`mongodb.log.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[[exported-fields-mysql]] +== MySQL fields + +Module for parsing the MySQL log files. + + + +[float] +== mysql fields + +Fields from the MySQL log files. + + + +*`mysql.thread_id`*:: ++ +-- +type: long + +The connection or thread ID for the query. + + +-- + +[float] +== error fields + +Contains fields from the MySQL error logs. + + + +*`mysql.error.thread_id`*:: ++ +-- +type: alias + +alias to: mysql.thread_id + +-- + +*`mysql.error.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`mysql.error.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[float] +== slowlog fields + +Contains fields from the MySQL slow logs. + + + +*`mysql.slowlog.lock_time.sec`*:: ++ +-- +type: float + +The amount of time the query waited for the lock to be available. The value is in seconds, as a floating point number. + + +-- + +*`mysql.slowlog.rows_sent`*:: ++ +-- +type: long + +The number of rows returned by the query. + + +-- + +*`mysql.slowlog.rows_examined`*:: ++ +-- +type: long + +The number of rows scanned by the query. + + +-- + +*`mysql.slowlog.rows_affected`*:: ++ +-- +type: long + +The number of rows modified by the query. + + +-- + +*`mysql.slowlog.bytes_sent`*:: ++ +-- +type: long + +format: bytes + +The size of the query result. + + +-- + +*`mysql.slowlog.query`*:: ++ +-- +The slow query. + + +-- + +*`mysql.slowlog.id`*:: ++ +-- +type: alias + +alias to: mysql.thread_id + +-- + +*`mysql.slowlog.schema`*:: ++ +-- +type: keyword + +The schema where the slow query was executed. 
+ + +-- + +*`mysql.slowlog.current_user`*:: ++ +-- +type: keyword + +Current authenticated user, used to determine access privileges. Can differ from the value for user. + + +-- + +*`mysql.slowlog.last_errno`*:: ++ +-- +type: keyword + +Last SQL error seen. + + +-- + +*`mysql.slowlog.killed`*:: ++ +-- +type: keyword + +Code of the reason if the query was killed. + + +-- + +*`mysql.slowlog.query_cache_hit`*:: ++ +-- +type: boolean + +Whether the query cache was hit. + + +-- + +*`mysql.slowlog.tmp_table`*:: ++ +-- +type: boolean + +Whether a temporary table was used to resolve the query. + + +-- + +*`mysql.slowlog.tmp_table_on_disk`*:: ++ +-- +type: boolean + +Whether the query needed temporary tables on disk. + + +-- + +*`mysql.slowlog.tmp_tables`*:: ++ +-- +type: long + +Number of temporary tables created for this query + + +-- + +*`mysql.slowlog.tmp_disk_tables`*:: ++ +-- +type: long + +Number of temporary tables created on disk for this query. + + +-- + +*`mysql.slowlog.tmp_table_sizes`*:: ++ +-- +type: long + +format: bytes + +Size of temporary tables created for this query. + +-- + +*`mysql.slowlog.filesort`*:: ++ +-- +type: boolean + +Whether filesort optimization was used. + + +-- + +*`mysql.slowlog.filesort_on_disk`*:: ++ +-- +type: boolean + +Whether filesort optimization was used and it needed temporary tables on disk. + + +-- + +*`mysql.slowlog.priority_queue`*:: ++ +-- +type: boolean + +Whether a priority queue was used for filesort. + + +-- + +*`mysql.slowlog.full_scan`*:: ++ +-- +type: boolean + +Whether a full table scan was needed for the slow query. + + +-- + +*`mysql.slowlog.full_join`*:: ++ +-- +type: boolean + +Whether a full join was needed for the slow query (no indexes were used for joins). + + +-- + +*`mysql.slowlog.merge_passes`*:: ++ +-- +type: long + +Number of merge passes executed for the query. 
+ + +-- + +*`mysql.slowlog.log_slow_rate_type`*:: ++ +-- +type: keyword + +Type of slow log rate limit, it can be `session` if the rate limit is applied per session, or `query` if it applies per query. + + +-- + +*`mysql.slowlog.log_slow_rate_limit`*:: ++ +-- +type: keyword + +Slow log rate limit, a value of 100 means that one in a hundred queries or sessions are being logged. + + +-- + +[float] +== innodb fields + +Contains fields relative to InnoDB engine + + + +*`mysql.slowlog.innodb.trx_id`*:: ++ +-- +type: keyword + +Transaction ID + + +-- + +*`mysql.slowlog.innodb.io_r_ops`*:: ++ +-- +type: long + +Number of page read operations. + + +-- + +*`mysql.slowlog.innodb.io_r_bytes`*:: ++ +-- +type: long + +format: bytes + +Bytes read during page read operations. + + +-- + +*`mysql.slowlog.innodb.io_r_wait.sec`*:: ++ +-- +type: long + +How long it took to read all needed data from storage. + + +-- + +*`mysql.slowlog.innodb.rec_lock_wait.sec`*:: ++ +-- +type: long + +How long the query waited for locks. + + +-- + +*`mysql.slowlog.innodb.queue_wait.sec`*:: ++ +-- +type: long + +How long the query waited to enter the InnoDB queue and to be executed once in the queue. + + +-- + +*`mysql.slowlog.innodb.pages_distinct`*:: ++ +-- +type: long + +Approximated count of pages accessed to execute the query. + + +-- + +*`mysql.slowlog.user`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`mysql.slowlog.host`*:: ++ +-- +type: alias + +alias to: source.domain + +-- + +*`mysql.slowlog.ip`*:: ++ +-- +type: alias + +alias to: source.ip + +-- + +[[exported-fields-netflow]] +== NetFlow fields + +Fields from NetFlow and IPFIX flows. + + + +[float] +== netflow fields + +Fields from NetFlow and IPFIX. + + + +*`netflow.type`*:: ++ +-- +type: keyword + +The type of NetFlow record described by this event. + + +-- + +[float] +== exporter fields + +Metadata related to the exporter device that generated this record. 
+ + + +*`netflow.exporter.address`*:: ++ +-- +type: keyword + +Exporter's network address in IP:port format. + + +-- + +*`netflow.exporter.source_id`*:: ++ +-- +type: long + +Observation domain ID to which this record belongs. + + +-- + +*`netflow.exporter.timestamp`*:: ++ +-- +type: date + +Time and date of export. + + +-- + +*`netflow.exporter.uptime_millis`*:: ++ +-- +type: long + +How long the exporter process has been running, in milliseconds. + + +-- + +*`netflow.exporter.version`*:: ++ +-- +type: long + +NetFlow version used. + + +-- + +*`netflow.octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.delta_flow_count`*:: ++ +-- +type: long + +-- + +*`netflow.protocol_identifier`*:: ++ +-- +type: short + +-- + +*`netflow.ip_class_of_service`*:: ++ +-- +type: short + +-- + +*`netflow.tcp_control_bits`*:: ++ +-- +type: integer + +-- + +*`netflow.source_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.source_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.source_ipv4_prefix_length`*:: ++ +-- +type: short + +-- + +*`netflow.ingress_interface`*:: ++ +-- +type: long + +-- + +*`netflow.destination_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.destination_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.destination_ipv4_prefix_length`*:: ++ +-- +type: short + +-- + +*`netflow.egress_interface`*:: ++ +-- +type: long + +-- + +*`netflow.ip_next_hop_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.bgp_source_as_number`*:: ++ +-- +type: long + +-- + +*`netflow.bgp_destination_as_number`*:: ++ +-- +type: long + +-- + +*`netflow.bgp_next_hop_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.post_mcast_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.flow_end_sys_up_time`*:: ++ +-- +type: long + +-- + +*`netflow.flow_start_sys_up_time`*:: ++ +-- +type: long + +-- + 
+*`netflow.post_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.minimum_ip_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.maximum_ip_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.source_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.destination_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.source_ipv6_prefix_length`*:: ++ +-- +type: short + +-- + +*`netflow.destination_ipv6_prefix_length`*:: ++ +-- +type: short + +-- + +*`netflow.flow_label_ipv6`*:: ++ +-- +type: long + +-- + +*`netflow.icmp_type_code_ipv4`*:: ++ +-- +type: integer + +-- + +*`netflow.igmp_type`*:: ++ +-- +type: short + +-- + +*`netflow.sampling_interval`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_algorithm`*:: ++ +-- +type: short + +-- + +*`netflow.flow_active_timeout`*:: ++ +-- +type: integer + +-- + +*`netflow.flow_idle_timeout`*:: ++ +-- +type: integer + +-- + +*`netflow.engine_type`*:: ++ +-- +type: short + +-- + +*`netflow.engine_id`*:: ++ +-- +type: short + +-- + +*`netflow.exported_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.exported_message_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.exported_flow_record_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ipv4_router_sc`*:: ++ +-- +type: ip + +-- + +*`netflow.source_ipv4_prefix`*:: ++ +-- +type: ip + +-- + +*`netflow.destination_ipv4_prefix`*:: ++ +-- +type: ip + +-- + +*`netflow.mpls_top_label_type`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_top_label_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.sampler_id`*:: ++ +-- +type: short + +-- + +*`netflow.sampler_mode`*:: ++ +-- +type: short + +-- + +*`netflow.sampler_random_interval`*:: ++ +-- +type: long + +-- + +*`netflow.class_id`*:: ++ +-- +type: short + +-- + +*`netflow.minimum_ttl`*:: ++ +-- +type: short + +-- + +*`netflow.maximum_ttl`*:: ++ +-- +type: short + +-- + +*`netflow.fragment_identification`*:: ++ +-- +type: long + +-- + 
+*`netflow.post_ip_class_of_service`*:: ++ +-- +type: short + +-- + +*`netflow.source_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_destination_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.post_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.ip_version`*:: ++ +-- +type: short + +-- + +*`netflow.flow_direction`*:: ++ +-- +type: short + +-- + +*`netflow.ip_next_hop_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.bgp_next_hop_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.ipv6_extension_headers`*:: ++ +-- +type: long + +-- + +*`netflow.mpls_top_label_stack_section`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section2`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section3`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section4`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section5`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section6`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section7`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section8`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section9`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section10`*:: ++ +-- +type: short + +-- + +*`netflow.destination_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_source_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.interface_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.interface_description`*:: ++ +-- +type: keyword + +-- + +*`netflow.sampler_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.flags_and_sampler_id`*:: ++ +-- +type: long + +-- + +*`netflow.fragment_offset`*:: ++ +-- +type: integer + +-- + +*`netflow.forwarding_status`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_vpn_route_distinguisher`*:: ++ +-- 
+type: short + +-- + +*`netflow.mpls_top_label_prefix_length`*:: ++ +-- +type: short + +-- + +*`netflow.src_traffic_index`*:: ++ +-- +type: long + +-- + +*`netflow.dst_traffic_index`*:: ++ +-- +type: long + +-- + +*`netflow.application_description`*:: ++ +-- +type: keyword + +-- + +*`netflow.application_id`*:: ++ +-- +type: short + +-- + +*`netflow.application_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_ip_diff_serv_code_point`*:: ++ +-- +type: short + +-- + +*`netflow.multicast_replication_factor`*:: ++ +-- +type: long + +-- + +*`netflow.class_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.classification_engine_id`*:: ++ +-- +type: short + +-- + +*`netflow.layer2packet_section_offset`*:: ++ +-- +type: integer + +-- + +*`netflow.layer2packet_section_size`*:: ++ +-- +type: integer + +-- + +*`netflow.layer2packet_section_data`*:: ++ +-- +type: short + +-- + +*`netflow.bgp_next_adjacent_as_number`*:: ++ +-- +type: long + +-- + +*`netflow.bgp_prev_adjacent_as_number`*:: ++ +-- +type: long + +-- + +*`netflow.exporter_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.exporter_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.dropped_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.flow_end_reason`*:: ++ +-- +type: short + +-- + +*`netflow.common_properties_id`*:: ++ +-- +type: long + +-- + +*`netflow.observation_point_id`*:: ++ +-- +type: long + +-- + +*`netflow.icmp_type_code_ipv6`*:: ++ +-- +type: integer + +-- + +*`netflow.mpls_top_label_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.line_card_id`*:: ++ +-- +type: long + +-- + +*`netflow.port_id`*:: ++ +-- +type: long + +-- + +*`netflow.metering_process_id`*:: ++ +-- +type: long + +-- + +*`netflow.exporting_process_id`*:: ++ +-- +type: long + +-- + +*`netflow.template_id`*:: ++ 
+-- +type: integer + +-- + +*`netflow.wlan_channel_id`*:: ++ +-- +type: short + +-- + +*`netflow.wlan_ssid`*:: ++ +-- +type: keyword + +-- + +*`netflow.flow_id`*:: ++ +-- +type: long + +-- + +*`netflow.observation_domain_id`*:: ++ +-- +type: long + +-- + +*`netflow.flow_start_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_end_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_start_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_end_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_start_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_end_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_start_nanoseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_end_nanoseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_start_delta_microseconds`*:: ++ +-- +type: long + +-- + +*`netflow.flow_end_delta_microseconds`*:: ++ +-- +type: long + +-- + +*`netflow.system_init_time_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_duration_milliseconds`*:: ++ +-- +type: long + +-- + +*`netflow.flow_duration_microseconds`*:: ++ +-- +type: long + +-- + +*`netflow.observed_flow_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ignored_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ignored_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.not_sent_flow_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.not_sent_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.not_sent_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.destination_ipv6_prefix`*:: ++ +-- +type: ip + +-- + +*`netflow.source_ipv6_prefix`*:: ++ +-- +type: ip + +-- + +*`netflow.post_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.flow_key_indicator`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_octet_total_count`*:: ++ +-- +type: long + +-- + 
+*`netflow.icmp_type_ipv4`*:: ++ +-- +type: short + +-- + +*`netflow.icmp_code_ipv4`*:: ++ +-- +type: short + +-- + +*`netflow.icmp_type_ipv6`*:: ++ +-- +type: short + +-- + +*`netflow.icmp_code_ipv6`*:: ++ +-- +type: short + +-- + +*`netflow.udp_source_port`*:: ++ +-- +type: integer + +-- + +*`netflow.udp_destination_port`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_source_port`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_destination_port`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_sequence_number`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_acknowledgement_number`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_window_size`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_urgent_pointer`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_header_length`*:: ++ +-- +type: short + +-- + +*`netflow.ip_header_length`*:: ++ +-- +type: short + +-- + +*`netflow.total_length_ipv4`*:: ++ +-- +type: integer + +-- + +*`netflow.payload_length_ipv6`*:: ++ +-- +type: integer + +-- + +*`netflow.ip_ttl`*:: ++ +-- +type: short + +-- + +*`netflow.next_header_ipv6`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_payload_length`*:: ++ +-- +type: long + +-- + +*`netflow.ip_diff_serv_code_point`*:: ++ +-- +type: short + +-- + +*`netflow.ip_precedence`*:: ++ +-- +type: short + +-- + +*`netflow.fragment_flags`*:: ++ +-- +type: short + +-- + +*`netflow.octet_delta_sum_of_squares`*:: ++ +-- +type: long + +-- + +*`netflow.octet_total_sum_of_squares`*:: ++ +-- +type: long + +-- + +*`netflow.mpls_top_label_ttl`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_length`*:: ++ +-- +type: long + +-- + +*`netflow.mpls_label_stack_depth`*:: ++ +-- +type: long + +-- + +*`netflow.mpls_top_label_exp`*:: ++ +-- +type: short + +-- + +*`netflow.ip_payload_length`*:: ++ +-- +type: long + +-- + +*`netflow.udp_message_length`*:: ++ +-- +type: integer + +-- + +*`netflow.is_multicast`*:: ++ +-- +type: short + +-- + +*`netflow.ipv4_ihl`*:: ++ +-- +type: short + +-- + +*`netflow.ipv4_options`*:: 
++ +-- +type: long + +-- + +*`netflow.tcp_options`*:: ++ +-- +type: long + +-- + +*`netflow.padding_octets`*:: ++ +-- +type: short + +-- + +*`netflow.collector_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.collector_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.export_interface`*:: ++ +-- +type: long + +-- + +*`netflow.export_protocol_version`*:: ++ +-- +type: short + +-- + +*`netflow.export_transport_protocol`*:: ++ +-- +type: short + +-- + +*`netflow.collector_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.exporter_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_syn_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_fin_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_rst_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_psh_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_ack_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_urg_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ip_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.post_nast_ource_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.post_nadt_estination_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.post_napst_ource_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.post_napdt_estination_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.nat_originating_address_realm`*:: ++ +-- +type: short + +-- + +*`netflow.nat_event`*:: ++ +-- +type: short + +-- + +*`netflow.initiator_octets`*:: ++ +-- +type: long + +-- + +*`netflow.responder_octets`*:: ++ +-- +type: long + +-- + +*`netflow.firewall_event`*:: ++ +-- +type: short + +-- + +*`netflow.ingress_vrfid`*:: ++ +-- +type: long + +-- + +*`netflow.egress_vrfid`*:: ++ +-- +type: long + +-- + +*`netflow.vr_fname`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_mpls_top_label_exp`*:: ++ +-- +type: short + +-- + +*`netflow.tcp_window_scale`*:: ++ +-- +type: integer + +-- + +*`netflow.biflow_direction`*:: ++ +-- +type: short + +-- + 
+*`netflow.ethernet_header_length`*:: ++ +-- +type: short + +-- + +*`netflow.ethernet_payload_length`*:: ++ +-- +type: integer + +-- + +*`netflow.ethernet_total_length`*:: ++ +-- +type: integer + +-- + +*`netflow.dot1q_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.dot1q_priority`*:: ++ +-- +type: short + +-- + +*`netflow.dot1q_customer_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.dot1q_customer_priority`*:: ++ +-- +type: short + +-- + +*`netflow.metro_evc_id`*:: ++ +-- +type: keyword + +-- + +*`netflow.metro_evc_type`*:: ++ +-- +type: short + +-- + +*`netflow.pseudo_wire_id`*:: ++ +-- +type: long + +-- + +*`netflow.pseudo_wire_type`*:: ++ +-- +type: integer + +-- + +*`netflow.pseudo_wire_control_word`*:: ++ +-- +type: long + +-- + +*`netflow.ingress_physical_interface`*:: ++ +-- +type: long + +-- + +*`netflow.egress_physical_interface`*:: ++ +-- +type: long + +-- + +*`netflow.post_dot1q_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.post_dot1q_customer_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.ethernet_type`*:: ++ +-- +type: integer + +-- + +*`netflow.post_ip_precedence`*:: ++ +-- +type: short + +-- + +*`netflow.collection_time_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.export_sctp_stream_id`*:: ++ +-- +type: integer + +-- + +*`netflow.max_export_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.max_flow_end_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.message_md5_checksum`*:: ++ +-- +type: short + +-- + +*`netflow.message_scope`*:: ++ +-- +type: short + +-- + +*`netflow.min_export_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.min_flow_start_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.opaque_octets`*:: ++ +-- +type: short + +-- + +*`netflow.session_scope`*:: ++ +-- +type: short + +-- + +*`netflow.max_flow_end_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.max_flow_end_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.max_flow_end_nanoseconds`*:: ++ +-- +type: date + +-- + 
+*`netflow.min_flow_start_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.min_flow_start_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.min_flow_start_nanoseconds`*:: ++ +-- +type: date + +-- + +*`netflow.collector_certificate`*:: ++ +-- +type: short + +-- + +*`netflow.exporter_certificate`*:: ++ +-- +type: short + +-- + +*`netflow.data_records_reliability`*:: ++ +-- +type: boolean + +-- + +*`netflow.observation_point_type`*:: ++ +-- +type: short + +-- + +*`netflow.new_connection_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.connection_sum_duration_seconds`*:: ++ +-- +type: long + +-- + +*`netflow.connection_transaction_id`*:: ++ +-- +type: long + +-- + +*`netflow.post_nast_ource_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.post_nadt_estination_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.nat_pool_id`*:: ++ +-- +type: long + +-- + +*`netflow.nat_pool_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.anonymization_flags`*:: ++ +-- +type: integer + +-- + +*`netflow.anonymization_technique`*:: ++ +-- +type: integer + +-- + +*`netflow.information_element_index`*:: ++ +-- +type: integer + +-- + +*`netflow.p2p_technology`*:: ++ +-- +type: keyword + +-- + +*`netflow.tunnel_technology`*:: ++ +-- +type: keyword + +-- + +*`netflow.encrypted_technology`*:: ++ +-- +type: keyword + +-- + +*`netflow.bgp_validity_state`*:: ++ +-- +type: short + +-- + +*`netflow.ip_sec_spi`*:: ++ +-- +type: long + +-- + +*`netflow.gre_key`*:: ++ +-- +type: long + +-- + +*`netflow.nat_type`*:: ++ +-- +type: short + +-- + +*`netflow.initiator_packets`*:: ++ +-- +type: long + +-- + +*`netflow.responder_packets`*:: ++ +-- +type: long + +-- + +*`netflow.observation_domain_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.selection_sequence_id`*:: ++ +-- +type: long + +-- + +*`netflow.selector_id`*:: ++ +-- +type: long + +-- + +*`netflow.information_element_id`*:: ++ +-- +type: integer + +-- + +*`netflow.selector_algorithm`*:: ++ +-- +type: integer + +-- + 
+*`netflow.sampling_packet_interval`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_packet_space`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_time_interval`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_time_space`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_size`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_population`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_probability`*:: ++ +-- +type: double + +-- + +*`netflow.data_link_frame_size`*:: ++ +-- +type: integer + +-- + +*`netflow.ip_header_packet_section`*:: ++ +-- +type: short + +-- + +*`netflow.ip_payload_packet_section`*:: ++ +-- +type: short + +-- + +*`netflow.data_link_frame_section`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_payload_packet_section`*:: ++ +-- +type: short + +-- + +*`netflow.selector_id_total_pkts_observed`*:: ++ +-- +type: long + +-- + +*`netflow.selector_id_total_pkts_selected`*:: ++ +-- +type: long + +-- + +*`netflow.absolute_error`*:: ++ +-- +type: double + +-- + +*`netflow.relative_error`*:: ++ +-- +type: double + +-- + +*`netflow.observation_time_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.observation_time_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.observation_time_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.observation_time_nanoseconds`*:: ++ +-- +type: date + +-- + +*`netflow.digest_hash_value`*:: ++ +-- +type: long + +-- + +*`netflow.hash_ipp_ayload_offset`*:: ++ +-- +type: long + +-- + +*`netflow.hash_ipp_ayload_size`*:: ++ +-- +type: long + +-- + +*`netflow.hash_output_range_min`*:: ++ +-- +type: long + +-- + +*`netflow.hash_output_range_max`*:: ++ +-- +type: long + +-- + +*`netflow.hash_selected_range_min`*:: ++ +-- +type: long + +-- + +*`netflow.hash_selected_range_max`*:: ++ +-- +type: long + +-- + +*`netflow.hash_digest_output`*:: ++ +-- +type: boolean + +-- + +*`netflow.hash_initialiser_value`*:: ++ +-- +type: long + +-- + 
+*`netflow.selector_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.upper_cli_imit`*:: ++ +-- +type: double + +-- + +*`netflow.lower_cli_imit`*:: ++ +-- +type: double + +-- + +*`netflow.confidence_level`*:: ++ +-- +type: double + +-- + +*`netflow.information_element_data_type`*:: ++ +-- +type: short + +-- + +*`netflow.information_element_description`*:: ++ +-- +type: keyword + +-- + +*`netflow.information_element_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.information_element_range_begin`*:: ++ +-- +type: long + +-- + +*`netflow.information_element_range_end`*:: ++ +-- +type: long + +-- + +*`netflow.information_element_semantics`*:: ++ +-- +type: short + +-- + +*`netflow.information_element_units`*:: ++ +-- +type: integer + +-- + +*`netflow.private_enterprise_number`*:: ++ +-- +type: long + +-- + +*`netflow.virtual_station_interface_id`*:: ++ +-- +type: short + +-- + +*`netflow.virtual_station_interface_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.virtual_station_uuid`*:: ++ +-- +type: short + +-- + +*`netflow.virtual_station_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.layer2_segment_id`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ingress_unicast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ingress_multicast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ingress_broadcast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.egress_unicast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.egress_broadcast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.monitoring_interval_start_milli_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.monitoring_interval_end_milli_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.port_range_start`*:: ++ +-- +type: integer + +-- + +*`netflow.port_range_end`*:: ++ +-- +type: integer + +-- + +*`netflow.port_range_step_size`*:: ++ 
+-- +type: integer + +-- + +*`netflow.port_range_num_ports`*:: ++ +-- +type: integer + +-- + +*`netflow.sta_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.sta_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.wtp_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.ingress_interface_type`*:: ++ +-- +type: long + +-- + +*`netflow.egress_interface_type`*:: ++ +-- +type: long + +-- + +*`netflow.rtp_sequence_number`*:: ++ +-- +type: integer + +-- + +*`netflow.user_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.application_category_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.application_sub_category_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.application_group_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.original_flows_present`*:: ++ +-- +type: long + +-- + +*`netflow.original_flows_initiated`*:: ++ +-- +type: long + +-- + +*`netflow.original_flows_completed`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_sourc_eipa_ddress`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_destinatio_nipa_ddress`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_source_ipv4_address`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_destination_ipv4_address`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_source_ipv6_address`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_destination_ipv6_address`*:: ++ +-- +type: long + +-- + +*`netflow.value_distribution_method`*:: ++ +-- +type: short + +-- + +*`netflow.rfc3550_jitter_milliseconds`*:: ++ +-- +type: long + +-- + +*`netflow.rfc3550_jitter_microseconds`*:: ++ +-- +type: long + +-- + +*`netflow.rfc3550_jitter_nanoseconds`*:: ++ +-- +type: long + +-- + +*`netflow.dot1q_dei`*:: ++ +-- +type: boolean + +-- + +*`netflow.dot1q_customer_dei`*:: ++ +-- +type: boolean + +-- + +*`netflow.flow_selector_algorithm`*:: ++ +-- +type: integer + +-- + +*`netflow.flow_selected_octet_delta_count`*:: ++ +-- +type: long + +-- + 
+*`netflow.flow_selected_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.flow_selected_flow_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.selector_itd_otal_flows_observed`*:: ++ +-- +type: long + +-- + +*`netflow.selector_itd_otal_flows_selected`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_flow_interval`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_flow_spacing`*:: ++ +-- +type: long + +-- + +*`netflow.flow_sampling_time_interval`*:: ++ +-- +type: long + +-- + +*`netflow.flow_sampling_time_spacing`*:: ++ +-- +type: long + +-- + +*`netflow.hash_flow_domain`*:: ++ +-- +type: integer + +-- + +*`netflow.transport_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.transport_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.original_exporter_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.original_exporter_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.original_observation_domain_id`*:: ++ +-- +type: long + +-- + +*`netflow.intermediate_process_id`*:: ++ +-- +type: long + +-- + +*`netflow.ignored_data_record_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.data_link_frame_type`*:: ++ +-- +type: integer + +-- + +*`netflow.section_offset`*:: ++ +-- +type: integer + +-- + +*`netflow.section_exported_octets`*:: ++ +-- +type: integer + +-- + +*`netflow.dot1q_service_instance_tag`*:: ++ +-- +type: short + +-- + +*`netflow.dot1q_service_instance_id`*:: ++ +-- +type: long + +-- + +*`netflow.dot1q_service_instance_priority`*:: ++ +-- +type: short + +-- + +*`netflow.dot1q_customer_source_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.dot1q_customer_destination_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_layer2_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_layer2_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + 
+*`netflow.minimum_layer2_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.maximum_layer2_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_layer2_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ignored_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.not_sent_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_octet_delta_sum_of_squares`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_octet_total_sum_of_squares`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_frame_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_frame_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.pseudo_wire_destination_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.ignored_layer2_frame_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_value_integer`*:: ++ +-- +type: integer + +-- + +*`netflow.mib_object_value_octet_string`*:: ++ +-- +type: short + +-- + +*`netflow.mib_object_value_oid`*:: ++ +-- +type: short + +-- + +*`netflow.mib_object_value_bits`*:: ++ +-- +type: short + +-- + +*`netflow.mib_object_valuei_pa_ddress`*:: ++ +-- +type: ip + +-- + +*`netflow.mib_object_value_counter`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_value_gauge`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_value_time_ticks`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_value_unsigned`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_identifier`*:: ++ +-- +type: short + +-- + +*`netflow.mib_sub_identifier`*:: ++ +-- +type: long + +-- + +*`netflow.mib_index_indicator`*:: ++ +-- +type: long + +-- + +*`netflow.mib_capture_time_semantics`*:: ++ +-- +type: short + +-- + +*`netflow.mib_context_engine_id`*:: ++ +-- +type: short + +-- + +*`netflow.mib_context_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.mib_object_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.mib_object_description`*:: ++ +-- +type: keyword + 
+-- + +*`netflow.mib_object_syntax`*:: ++ +-- +type: keyword + +-- + +*`netflow.mib_module_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.mobile_imsi`*:: ++ +-- +type: keyword + +-- + +*`netflow.mobile_msisdn`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_status_code`*:: ++ +-- +type: integer + +-- + +*`netflow.source_transport_ports_limit`*:: ++ +-- +type: integer + +-- + +*`netflow.http_request_method`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_request_host`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_request_target`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_message_version`*:: ++ +-- +type: keyword + +-- + +*`netflow.nat_instance_id`*:: ++ +-- +type: long + +-- + +*`netflow.internal_address_realm`*:: ++ +-- +type: short + +-- + +*`netflow.external_address_realm`*:: ++ +-- +type: short + +-- + +*`netflow.nat_quota_exceeded_event`*:: ++ +-- +type: long + +-- + +*`netflow.nat_threshold_event`*:: ++ +-- +type: long + +-- + +*`netflow.http_user_agent`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_content_type`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_reason_phrase`*:: ++ +-- +type: keyword + +-- + +*`netflow.max_session_entries`*:: ++ +-- +type: long + +-- + +*`netflow.max_bieb_ntries`*:: ++ +-- +type: long + +-- + +*`netflow.max_entries_per_user`*:: ++ +-- +type: long + +-- + +*`netflow.max_subscribers`*:: ++ +-- +type: long + +-- + +*`netflow.max_fragments_pending_reassembly`*:: ++ +-- +type: long + +-- + +*`netflow.address_pool_high_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.address_pool_low_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.address_port_mapping_high_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.address_port_mapping_low_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.address_port_mapping_per_user_high_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.global_address_mapping_high_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.vpn_identifier`*:: ++ +-- +type: short + +-- + 
+[[exported-fields-nginx]] +== Nginx fields + +Module for parsing the Nginx log files. + + + +[float] +== nginx fields + +Fields from the Nginx log files. + + + +[float] +== access fields + +Contains fields for the Nginx access logs. + + + +*`nginx.access.remote_ip_list`*:: ++ +-- +type: array + +An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`. + + +-- + +*`nginx.access.body_sent.bytes`*:: ++ +-- +type: alias + +alias to: http.response.body.bytes + +-- + +*`nginx.access.remote_ip`*:: ++ +-- +type: alias + +alias to: source.address + +-- + +*`nginx.access.user_name`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`nginx.access.method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`nginx.access.url`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`nginx.access.http_version`*:: ++ +-- +type: alias + +alias to: http.version + +-- + +*`nginx.access.response_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +*`nginx.access.referrer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`nginx.access.agent`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`nginx.access.user_agent.device`*:: ++ +-- +type: alias + +alias to: user_agent.device.name + +-- + +*`nginx.access.user_agent.name`*:: ++ +-- +type: alias + +alias to: user_agent.name + +-- + +*`nginx.access.user_agent.os`*:: ++ +-- +type: alias + +alias to: user_agent.os.full_name + +-- + +*`nginx.access.user_agent.os_name`*:: ++ +-- +type: alias + +alias to: user_agent.os.name + +-- + +*`nginx.access.user_agent.original`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`nginx.access.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`nginx.access.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: 
source.geo.country_iso_code + +-- + +*`nginx.access.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`nginx.access.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`nginx.access.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`nginx.access.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[float] +== error fields + +Contains fields for the Nginx error logs. + + + +*`nginx.error.connection_id`*:: ++ +-- +type: long + +Connection identifier. + + +-- + +*`nginx.error.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`nginx.error.pid`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +*`nginx.error.tid`*:: ++ +-- +type: alias + +alias to: process.thread.id + +-- + +*`nginx.error.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[[exported-fields-osquery]] +== Osquery fields + +Fields exported by the `osquery` module + + + +[float] +== osquery fields + + + + +[float] +== result fields + +Common fields exported by the result metricset. + + + +*`osquery.result.name`*:: ++ +-- +type: keyword + +The name of the query that generated this event. + + +-- + +*`osquery.result.action`*:: ++ +-- +type: keyword + +For incremental data, marks whether the entry was added or removed. It can be one of "added", "removed", or "snapshot". + + +-- + +*`osquery.result.host_identifier`*:: ++ +-- +type: keyword + +The identifier for the host on which the osquery agent is running. Normally the hostname. + + +-- + +*`osquery.result.unix_time`*:: ++ +-- +type: long + +Unix timestamp of the event, in seconds since the epoch. Used for computing the `@timestamp` column. + + +-- + +*`osquery.result.calendar_time`*:: ++ +-- +String representation of the collection time, as formatted by osquery. + + +-- + +[[exported-fields-postgresql]] +== PostgreSQL fields + +Module for parsing the PostgreSQL log files. 
+ + + +[float] +== postgresql fields + +Fields from PostgreSQL logs. + + + +[float] +== log fields + +Fields from the PostgreSQL log files. + + + +*`postgresql.log.timestamp`*:: ++ +-- +The timestamp from the log line. + + +-- + +*`postgresql.log.core_id`*:: ++ +-- +type: long + +Core id + + +-- + +*`postgresql.log.database`*:: ++ +-- +example: mydb + +Name of database + +-- + +*`postgresql.log.query`*:: ++ +-- +example: SELECT * FROM users; + +Query statement. + +-- + +*`postgresql.log.timezone`*:: ++ +-- +type: alias + +alias to: event.timezone + +-- + +*`postgresql.log.thread_id`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +*`postgresql.log.user`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`postgresql.log.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`postgresql.log.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[[exported-fields-process]] +== Process fields + +Process metadata fields + + + + +*`process.exe`*:: ++ +-- +type: alias + +alias to: process.executable + +-- + +[[exported-fields-redis]] +== Redis fields + +Redis Module + + + +[float] +== redis fields + + + + +[float] +== log fields + +Redis log files + + + +*`redis.log.role`*:: ++ +-- +type: keyword + +The role of the Redis instance. Can be one of `master`, `slave`, `child` (for RDF/AOF writing child), or `sentinel`. + + +-- + +*`redis.log.pid`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +*`redis.log.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`redis.log.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[float] +== slowlog fields + +Slow logs are retrieved from Redis via a network connection. + + + +*`redis.slowlog.cmd`*:: ++ +-- +type: keyword + +The command executed. + + +-- + +*`redis.slowlog.duration.us`*:: ++ +-- +type: long + +How long it took to execute the command in microseconds. + + +-- + +*`redis.slowlog.id`*:: ++ +-- +type: long + +The ID of the query. 
+ + +-- + +*`redis.slowlog.key`*:: ++ +-- +type: keyword + +The key on which the command was executed. + + +-- + +*`redis.slowlog.args`*:: ++ +-- +type: keyword + +The arguments with which the command was called. + + +-- + +[[exported-fields-santa]] +== Google Santa fields + +Santa Module + + + +[float] +== santa fields + + + + +*`santa.action`*:: ++ +-- +type: keyword + +example: EXEC + +Action + +-- + +*`santa.decision`*:: ++ +-- +type: keyword + +example: ALLOW + +Decision that santad took. + +-- + +*`santa.reason`*:: ++ +-- +type: keyword + +example: CERT + +Reason for the decsision. + +-- + +*`santa.mode`*:: ++ +-- +type: keyword + +example: M + +Operating mode of Santa. + +-- + +[float] +== disk fields + +Fields for DISKAPPEAR actions. + + +*`santa.disk.volume`*:: ++ +-- +The volume name. + +-- + +*`santa.disk.bus`*:: ++ +-- +The disk bus protocol. + +-- + +*`santa.disk.serial`*:: ++ +-- +The disk serial number. + +-- + +*`santa.disk.bsdname`*:: ++ +-- +example: disk1s3 + +The disk BSD name. + +-- + +*`santa.disk.model`*:: ++ +-- +example: APPLE SSD SM0512L + +The disk model. + +-- + +*`santa.disk.fs`*:: ++ +-- +example: apfs + +The disk volume kind (filesystem type). + +-- + +*`santa.disk.mount`*:: ++ +-- +The disk volume path. + +-- + +*`certificate.common_name`*:: ++ +-- +type: keyword + +Common name from code signing certificate. + +-- + +*`certificate.sha256`*:: ++ +-- +type: keyword + +SHA256 hash of code signing certificate. + +-- + +*`hash.sha256`*:: ++ +-- +type: keyword + +Hash of process executable. + +-- + +[[exported-fields-suricata]] +== Suricata fields + +Module for handling the EVE JSON logs produced by Suricata. + + + +[float] +== suricata fields + +Fields from the Suricata EVE log file. 
+ + + +[float] +== eve fields + +Fields exported by the EVE JSON logs + + + +*`suricata.eve.event_type`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.app_proto_orig`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.tcp.tcp_flags`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tcp.psh`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.tcp.tcp_flags_tc`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tcp.ack`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.tcp.syn`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.tcp.state`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tcp.tcp_flags_ts`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tcp.rst`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.tcp.fin`*:: ++ +-- +type: boolean + +-- + + +*`suricata.eve.fileinfo.sha1`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.fileinfo.filename`*:: ++ +-- +type: alias + +alias to: file.path + +-- + +*`suricata.eve.fileinfo.tx_id`*:: ++ +-- +type: long + +-- + +*`suricata.eve.fileinfo.state`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.fileinfo.stored`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.fileinfo.gaps`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.fileinfo.sha256`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.fileinfo.md5`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.fileinfo.size`*:: ++ +-- +type: alias + +alias to: file.size + +-- + +*`suricata.eve.icmp_type`*:: ++ +-- +type: long + +-- + +*`suricata.eve.dest_port`*:: ++ +-- +type: alias + +alias to: destination.port + +-- + +*`suricata.eve.src_port`*:: ++ +-- +type: alias + +alias to: source.port + +-- + +*`suricata.eve.proto`*:: ++ +-- +type: alias + +alias to: network.transport + +-- + +*`suricata.eve.pcap_cnt`*:: ++ +-- +type: long + +-- + +*`suricata.eve.src_ip`*:: ++ +-- +type: alias + +alias to: source.ip + +-- + + +*`suricata.eve.dns.type`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.dns.rrtype`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.dns.rrname`*:: ++ +-- +type: keyword 
+ +-- + +*`suricata.eve.dns.rdata`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.dns.tx_id`*:: ++ +-- +type: long + +-- + +*`suricata.eve.dns.ttl`*:: ++ +-- +type: long + +-- + +*`suricata.eve.dns.rcode`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.dns.id`*:: ++ +-- +type: long + +-- + +*`suricata.eve.flow_id`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.email.status`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.dest_ip`*:: ++ +-- +type: alias + +alias to: destination.ip + +-- + +*`suricata.eve.icmp_code`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.http.status`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +*`suricata.eve.http.redirect`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.http.http_user_agent`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + +*`suricata.eve.http.protocol`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.http.http_refer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`suricata.eve.http.url`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`suricata.eve.http.hostname`*:: ++ +-- +type: alias + +alias to: url.domain + +-- + +*`suricata.eve.http.length`*:: ++ +-- +type: alias + +alias to: http.response.body.bytes + +-- + +*`suricata.eve.http.http_method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`suricata.eve.http.http_content_type`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.timestamp`*:: ++ +-- +type: alias + +alias to: @timestamp + +-- + +*`suricata.eve.in_iface`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.alert.category`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.alert.severity`*:: ++ +-- +type: alias + +alias to: event.severity + +-- + +*`suricata.eve.alert.rev`*:: ++ +-- +type: long + +-- + +*`suricata.eve.alert.gid`*:: ++ +-- +type: long + +-- + +*`suricata.eve.alert.signature`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.alert.action`*:: ++ +-- +type: alias + +alias to: event.outcome + +-- + 
+*`suricata.eve.alert.signature_id`*:: ++ +-- +type: long + +-- + + + +*`suricata.eve.ssh.client.proto_version`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.ssh.client.software_version`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.ssh.server.proto_version`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.ssh.server.software_version`*:: ++ +-- +type: keyword + +-- + + + +*`suricata.eve.stats.capture.kernel_packets`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.capture.kernel_drops`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.capture.kernel_ifdrops`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.uptime`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.detect.alert`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.http.memcap`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.http.memuse`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.file_store.open_files`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.defrag.max_frag_hits`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.defrag.ipv4.timeouts`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.defrag.ipv4.fragments`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.defrag.ipv4.reassembled`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.defrag.ipv6.timeouts`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.defrag.ipv6.fragments`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.defrag.ipv6.reassembled`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.flow.tcp_reuse`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.udp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.memcap`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.emerg_mode_entered`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.emerg_mode_over`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.tcp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.icmpv6`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.icmpv4`*:: ++ +-- 
+type: long + +-- + +*`suricata.eve.stats.flow.spare`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow.memuse`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.tcp.pseudo_failed`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.ssn_memcap_drop`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.insert_data_overlap_fail`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.sessions`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.pseudo`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.synack`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.insert_data_normal_fail`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.syn`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.memuse`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.invalid_checksum`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.segment_memcap_drop`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.overlap`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.insert_list_fail`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.rst`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.stream_depth_reached`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.reassembly_memuse`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.reassembly_gap`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.overlap_diff_data`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.tcp.no_flow`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.decoder.avg_pkt_size`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.bytes`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.tcp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.raw`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ppp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.vlan_qinq`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.null`*:: ++ +-- +type: long + +-- + + 
+*`suricata.eve.stats.decoder.ltnull.unsupported_type`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ltnull.pkt_too_small`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.invalid`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.gre`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ipv4`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ipv6`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.pkts`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ipv6_in_ipv6`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.decoder.ipraw.invalid_ip_version`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.pppoe`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.udp`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.decoder.dce.pkt_too_small`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.vlan`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.sctp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.max_pkt_size`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.teredo`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.mpls`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.sll`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.icmpv6`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.icmpv4`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.erspan`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ethernet`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ipv4_in_ipv6`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.decoder.ieee8021ah`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.dns.memcap_global`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.dns.memcap_state`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.dns.memuse`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.flow_mgr.rows_busy`*:: ++ +-- +type: long + +-- + 
+*`suricata.eve.stats.flow_mgr.flows_timeout`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.flows_notimeout`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.rows_skipped`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.closed_pruned`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.new_pruned`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.flows_removed`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.bypassed_pruned`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.est_pruned`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.flows_timeout_inuse`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.flows_checked`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.rows_maxlen`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.rows_checked`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.flow_mgr.rows_empty`*:: ++ +-- +type: long + +-- + + + +*`suricata.eve.stats.app_layer.flow.tls`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.ftp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.http`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.failed_udp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.dns_udp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.dns_tcp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.smtp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.failed_tcp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.msn`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.ssh`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.imap`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.dcerpc_udp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.flow.dcerpc_tcp`*:: ++ +-- +type: long + +-- + 
+*`suricata.eve.stats.app_layer.flow.smb`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.stats.app_layer.tx.tls`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.ftp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.http`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.dns_udp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.dns_tcp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.smtp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.ssh`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.dcerpc_udp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.dcerpc_tcp`*:: ++ +-- +type: long + +-- + +*`suricata.eve.stats.app_layer.tx.smb`*:: ++ +-- +type: long + +-- + + +*`suricata.eve.tls.notbefore`*:: ++ +-- +type: date + +-- + +*`suricata.eve.tls.issuerdn`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.sni`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.version`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.session_resumed`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.tls.fingerprint`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.serial`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.notafter`*:: ++ +-- +type: date + +-- + +*`suricata.eve.tls.subject`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.app_proto_ts`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.flow.bytes_toclient`*:: ++ +-- +type: alias + +alias to: destination.bytes + +-- + +*`suricata.eve.flow.start`*:: ++ +-- +type: alias + +alias to: event.start + +-- + +*`suricata.eve.flow.pkts_toclient`*:: ++ +-- +type: alias + +alias to: destination.packets + +-- + +*`suricata.eve.flow.age`*:: ++ +-- +type: long + +-- + +*`suricata.eve.flow.state`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.flow.bytes_toserver`*:: ++ +-- +type: alias + +alias to: source.bytes + +-- + +*`suricata.eve.flow.reason`*:: ++ +-- +type: keyword + +-- + 
+*`suricata.eve.flow.pkts_toserver`*:: ++ +-- +type: alias + +alias to: source.packets + +-- + +*`suricata.eve.flow.end`*:: ++ +-- +type: date + +-- + +*`suricata.eve.flow.alerted`*:: ++ +-- +type: boolean + +-- + +*`suricata.eve.app_proto`*:: ++ +-- +type: alias + +alias to: network.protocol + +-- + +*`suricata.eve.tx_id`*:: ++ +-- +type: long + +-- + +*`suricata.eve.app_proto_tc`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.smtp.rcpt_to`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.smtp.mail_from`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.smtp.helo`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.app_proto_expected`*:: ++ +-- +type: keyword + +-- + +[[exported-fields-system]] +== System fields + +Module for parsing system log files. + + + +[float] +== system fields + +Fields from the system log files. + + + +[float] +== auth fields + +Fields from the Linux authorization logs. + + + +*`system.auth.timestamp`*:: ++ +-- +type: alias + +alias to: @timestamp + +-- + +*`system.auth.hostname`*:: ++ +-- +type: alias + +alias to: host.hostname + +-- + +*`system.auth.program`*:: ++ +-- +type: alias + +alias to: process.name + +-- + +*`system.auth.pid`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +*`system.auth.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +*`system.auth.user`*:: ++ +-- +type: alias + +alias to: user.name + +-- + + +*`system.auth.ssh.method`*:: ++ +-- +The SSH authentication method. Can be one of "password" or "publickey". + + +-- + +*`system.auth.ssh.signature`*:: ++ +-- +The signature of the client public key. + + +-- + +*`system.auth.ssh.dropped_ip`*:: ++ +-- +type: ip + +The client IP from SSH connections that are open and immediately dropped. + + +-- + +*`system.auth.ssh.event`*:: ++ +-- +example: Accepted + +The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) + + +-- + +*`system.auth.ssh.ip`*:: ++ +-- +type: alias +>>>>>>> 99e4fbe40... [7.1][DOCS] Backport: Fix asciidoctor build (#13460) -- 
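Review bot: the final `+` line of this filebeat/docs/fields.asciidoc hunk commits a merge-conflict marker, `+>>>>>>> 99e4fbe40... [7.1][DOCS] Backport: Fix asciidoctor build (#13460)`, and the `system.auth.ssh.ip` entry immediately above it stops at `alias to:` with no target, so the file as committed is both truncated and carries conflict residue; resolve the conflict and regenerate this file from the modules' field definitions rather than patching it by hand. Two wording errors in the same hunk also live in the source field definitions and should be fixed there before regenerating: `Reason for the decsision.` under `santa.reason` (should be `decision`), and `child (for RDF/AOF writing child)` under `redis.log.role`, where Redis persistence is RDB/AOF, not RDF.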
diff --git a/filebeat/docs/index.asciidoc b/filebeat/docs/index.asciidoc index 84cc0313d54..3ecf681b06b 100644 --- a/filebeat/docs/index.asciidoc +++ b/filebeat/docs/index.asciidoc @@ -16,6 +16,12 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[] :has_ml_jobs: yes :has_central_config: :has_solutions: +:ignores_max_retries: +:has_docker_label_ex: +:has_decode_csv_fields_processor: +:has_script_processor: +:has_modules_command: +:has_registry: :deb_os: :rpm_os: :mac_os: diff --git a/journalbeat/docs/config-options.asciidoc b/journalbeat/docs/config-options.asciidoc index 4cfdb7d9e09..a52f741c0c8 100644 --- a/journalbeat/docs/config-options.asciidoc +++ b/journalbeat/docs/config-options.asciidoc @@ -101,7 +101,7 @@ The maximum number of seconds to wait before attempting to read again from journals. The default is 60s. [float] -[id="{beatname_lc}-seek"] +[id="seek"] ==== `seek` The position to start reading the journal from. Valid settings are: @@ -124,7 +124,7 @@ If you have old log files and want to skip lines, start {beatname_uc} with {beatname_uc}. [float] -[id="{beatname_lc}-include-matches"] +[id="include-matches"] ==== `include_matches` A list of filter expressions used to match fields. The format of the expression diff --git a/journalbeat/docs/filtering.asciidoc b/journalbeat/docs/filtering.asciidoc index ef8681b67fa..1150e70f754 100644 --- a/journalbeat/docs/filtering.asciidoc +++ b/journalbeat/docs/filtering.asciidoc @@ -7,7 +7,7 @@ metadata). {beatname_uc} provides a couple of options for filtering and enhancing exported data. You can configure {beatname_uc} to include events that match specific filtering -criteria. To do this, use the <<{beatname_lc}-include-matches,`include_matches`>> +criteria. To do this, use the <> option. The advantage of this approach is that you can reduce the number of fields that {beatname_uc} needs to process. 
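Review bot: renaming the anchors in journalbeat/docs/config-options.asciidoc from `[id="{beatname_lc}-seek"]` and `[id="{beatname_lc}-include-matches"]` to the bare `[id="seek"]` and `[id="include-matches"]` drops the beat-name namespace, so any other page in the same Asciidoctor build that defines an anchor named `seek` or `include-matches` will collide with these, and the cross-references updated in filtering.asciidoc, general-options.asciidoc and getting-started.asciidoc may then resolve to the wrong target. Whatever the reason for dropping the attribute, a literal but still unique id such as `journalbeat-seek` keeps the old guarantee. Separately, the replacement xrefs show as an empty `<>` in the posted diff; confirm the committed text carries the full `<<seek,`seek`>>` and `<<include-matches,`include_matches`>>` form that the removed lines used.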
diff --git a/journalbeat/docs/general-options.asciidoc b/journalbeat/docs/general-options.asciidoc index 12dfc390b31..c71e4140ece 100644 --- a/journalbeat/docs/general-options.asciidoc +++ b/journalbeat/docs/general-options.asciidoc @@ -47,14 +47,14 @@ or under `paths`. For a description of this option, see This option is valid as a global setting under the +{beatname_lc}+ namespace or under `paths`. For a description of this option, see -<<{beatname_lc}-seek,`seek`>>. +<>. [float] ==== `include_matches` deprecated[5.6.1,Use the option under `paths` instead.] This option is valid as a global setting under the +{beatname_lc}+ namespace or under `paths`. For a description of this option, see -<<{beatname_lc}-include-matches,`include_matches`>>. +<>. include::{libbeat-dir}/docs/generalconfig.asciidoc[] diff --git a/journalbeat/docs/getting-started.asciidoc b/journalbeat/docs/getting-started.asciidoc index 06270b4a2d6..35d229b6a3c 100644 --- a/journalbeat/docs/getting-started.asciidoc +++ b/journalbeat/docs/getting-started.asciidoc 
@@ -123,15 +123,15 @@ path. For example: + If no paths are specified, {beatname_uc} reads from the default journal. -. Set the <<{beatname_lc}-seek,`seek`>> option to control the position where +. Set the <> option to control the position where {beatname_uc} starts reading the journal. The available options are `head`, `tail`, and `cursor`. The default is `cursor`, which means that on first read, {beatname_uc} starts reading at the beginning of the file, but continues reading at the last known position after a reload or restart. For more detail about the settings, see the reference docs for the -<<{beatname_lc}-seek,`seek` option>>. +<>. -. (Optional) Set the <<{beatname_lc}-include-matches,`include_matches`>> option +. (Optional) Set the <> option to filter entries in journald before collecting any log events. This reduces the number of events that {beatname_uc} needs to process. For example, to fetch only Redis events from a Docker container tagged as `redis`, use: diff --git a/journalbeat/docs/index.asciidoc b/journalbeat/docs/index.asciidoc index c8967c01664..1a56e4913f3 100644 --- a/journalbeat/docs/index.asciidoc +++ b/journalbeat/docs/index.asciidoc @@ -13,6 +13,8 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[] :github_repo_name: beats :discuss_forum: beats/{beatname_lc} :beat_default_index_prefix: {beatname_lc} +:has_decode_csv_fields_processor: +:has_script_processor: :deb_os: :rpm_os: :linux_os: diff --git a/libbeat/docs/command-reference.asciidoc b/libbeat/docs/command-reference.asciidoc index 4566e4e6161..02ae326e9ac 100644 --- a/libbeat/docs/command-reference.asciidoc +++ b/libbeat/docs/command-reference.asciidoc 
@@ -80,23 +80,23 @@ endif::[] [options="header"] |======================= |Commands | -ifeval::[("{beatname_lc}"=="functionbeat")] +ifeval::["{beatname_lc}"=="functionbeat"] |<> | {deploy-command-short-desc}. endif::[] |<> |{export-command-short-desc}. |<> |{help-command-short-desc}. |<> |{keystore-command-short-desc}. -ifeval::[("{beatname_lc}"=="functionbeat")] +ifeval::["{beatname_lc}"=="functionbeat"] |<> |{package-command-short-desc}. |<> |{remove-command-short-desc}. endif::[] -ifeval::[("{beatname_lc}"=="filebeat") or ("{beatname_lc}"=="metricbeat")] +ifdef::has_modules_command[] |<> |{modules-command-short-desc}. endif::[] |<> |{run-command-short-desc}. |<> |{setup-command-short-desc}. |<> |{test-command-short-desc}. -ifeval::[("{beatname_lc}"=="functionbeat")] +ifeval::["{beatname_lc}"=="functionbeat"] |<> |{update-command-short-desc}. endif::[] |<> |{version-command-short-desc}. @@ -104,7 +104,7 @@ endif::[] Also see <>. -ifeval::[("{beatname_lc}"=="functionbeat")] +ifeval::["{beatname_lc}"=="functionbeat"] [[deploy-command]] ==== `deploy` command @@ -302,7 +302,7 @@ Shows help for the `keystore` command. See <> for more examples. -ifeval::[("{beatname_lc}"=="functionbeat")] +ifeval::["{beatname_lc}"=="functionbeat"] [[package-command]] ==== `package` command @@ -364,7 +364,7 @@ Shows help for the `remove` command. ----- endif::[] -ifeval::[("{beatname_lc}"=="filebeat") or ("{beatname_lc}"=="metricbeat")] +ifdef::has_modules_command[] [[modules-command]] ==== `modules` command @@ -717,7 +717,7 @@ ifeval::["{beatname_lc}"=="metricbeat"] ----- endif::[] -ifeval::[("{beatname_lc}"=="functionbeat")] +ifeval::["{beatname_lc}"=="functionbeat"] [[update-command]] ==== `update` command diff --git a/libbeat/docs/monitoring/monitoring-beats.asciidoc b/libbeat/docs/monitoring/monitoring-beats.asciidoc index 112adcb1e1a..1d1c0fb0b09 100644 --- a/libbeat/docs/monitoring/monitoring-beats.asciidoc +++ b/libbeat/docs/monitoring/monitoring-beats.asciidoc 
@@ -36,31 +36,28 @@ information, see . Add the `xpack.monitoring` settings in the {beatname_uc} configuration file. If you configured {es} output, specify the following minimal configuration: + --- [source, yml] --------------------- +---- xpack.monitoring.enabled: true --------------------- - +---- ++ If you configured a different output, such as {ls}, you must specify additional configuration options. For example: - ++ ["source","yml",subs="attributes"] --------------------- +---- xpack.monitoring: enabled: true elasticsearch: hosts: ["https://example.com:9200", "https://example2.com:9200"] username: {beat_monitoring_user} password: somepassword --------------------- - +---- ++ NOTE: Currently you must send monitoring data to the same cluster as all other events. If you configured {es} output, do not specify additional hosts in the monitoring configuration. --- - . {kibana-ref}/monitoring-xpack-kibana.html[Configure monitoring in {kib}]. . To verify your monitoring configuration, point your web browser at your {kib} diff --git a/libbeat/docs/outputconfig.asciidoc b/libbeat/docs/outputconfig.asciidoc index 2c080fa767e..9e939bf2bde 100644 --- a/libbeat/docs/outputconfig.asciidoc +++ b/libbeat/docs/outputconfig.asciidoc @@ -441,21 +441,17 @@ endif::[] ===== `max_retries` -ifeval::[("{beatname_lc}"=="filebeat") or ("{beatname_lc}"=="winlogbeat")] - +ifdef::ignores_max_retries[] {beatname_uc} ignores the `max_retries` setting and retries indefinitely. - endif::[] -ifeval::[("{beatname_lc}"!="filebeat") and ("{beatname_lc}"!="winlogbeat")] - +ifndef::ignores_max_retries[] The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped. Set `max_retries` to a value less than 0 to retry until all events are published. The default is 3. - endif::[] 
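Review bot: replacing the explicit beat-name conditions with `ifdef::has_modules_command[]` in command-reference.asciidoc and `ifdef::ignores_max_retries[]` / `ifndef::ignores_max_retries[]` in outputconfig.asciidoc silently changes the rendered docs for any beat whose index.asciidoc does not define the attribute: the `modules` command row and section disappear, and the `max_retries` text falls through to the generic "The default is 3" wording even for a beat that actually retries indefinitely. The removed conditions covered filebeat and metricbeat for `modules`, and filebeat and winlogbeat for `max_retries`; in the hunks shown here only filebeat's index.asciidoc sets `:has_modules_command:` and `:ignores_max_retries:`, so verify that metricbeat's and winlogbeat's index files set the matching attributes, otherwise those two books regress. A short comment next to each new `ifdef` naming the attribute's owner file would make the dependency visible to the next editor.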
@@ -717,21 +713,17 @@ The number of seconds to wait for responses from the Logstash server before timi ===== `max_retries` -ifeval::[("{beatname_lc}"=="filebeat") or ("{beatname_lc}"=="winlogbeat")] - +ifdef::ignores_max_retries[] {beatname_uc} ignores the `max_retries` setting and retries indefinitely. - endif::[] -ifeval::[("{beatname_lc}"!="filebeat") and ("{beatname_lc}"!="winlogbeat")] - +ifndef::ignores_max_retries[] The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped. Set `max_retries` to a value less than 0 to retry until all events are published. The default is 3. - endif::[] ===== `bulk_max_size` @@ -947,21 +939,17 @@ brokers, topics, partition, and active leaders to use for publishing. ===== `max_retries` -ifeval::[("{beatname_lc}"=="filebeat") or ("{beatname_lc}"=="winlogbeat")] - +ifdef::ignores_max_retries[] {beatname_uc} ignores the `max_retries` setting and retries indefinitely. - endif::[] -ifeval::[("{beatname_lc}"!="filebeat") and ("{beatname_lc}"!="winlogbeat")] - +ifndef::ignores_max_retries[] The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped. Set `max_retries` to a value less than 0 to retry until all events are published. The default is 3. - endif::[] ===== `bulk_max_size` 
@@ -1211,21 +1199,17 @@ Redis after a network error. The default is 60s. ===== `max_retries` -ifeval::[("{beatname_lc}"=="filebeat") or ("{beatname_lc}"=="winlogbeat")] - +ifdef::ignores_max_retries[] {beatname_uc} ignores the `max_retries` setting and retries indefinitely. - endif::[] -ifeval::["{beatname_lc}"!="filebeat" and "{beatname_lc}"!="winlogbeat"] - +ifndef::ignores_max_retries[] The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped. Set `max_retries` to a value less than 0 to retry until all events are published. The default is 3. - endif::[] diff --git a/libbeat/docs/processors-using.asciidoc b/libbeat/docs/processors-using.asciidoc index 895d4f13bbd..629fa19e2d1 100644 --- a/libbeat/docs/processors-using.asciidoc +++ b/libbeat/docs/processors-using.asciidoc @@ -41,7 +41,11 @@ ifeval::["{beatname_lc}"=="filebeat"] :processor-scope: input endif::[] -ifeval::["{beatname_lc}"=="auditbeat" or "{beatname_lc}"=="metricbeat"] +ifeval::["{beatname_lc}"=="auditbeat"] +:processor-scope: module +endif::[] + +ifeval::["{beatname_lc}"=="metricbeat"] :processor-scope: module endif::[] diff --git a/libbeat/docs/reference-yml.asciidoc b/libbeat/docs/reference-yml.asciidoc index 44361b4fe55..6aa17c217f2 100644 --- a/libbeat/docs/reference-yml.asciidoc +++ b/libbeat/docs/reference-yml.asciidoc @@ -12,14 +12,14 @@ The contents of the file are included here for your convenience. ifndef::has_xpack[] [source,yaml] --- +---- include::../../{beatname_lc}/{beatname_lc}.reference.yml[] --- +---- endif::has_xpack[] ifdef::has_xpack[] [source,yaml] --- +---- include::../../x-pack/{beatname_lc}/{beatname_lc}.reference.yml[] --- +---- endif::has_xpack[] diff --git a/libbeat/docs/security/securing-beats.asciidoc b/libbeat/docs/security/securing-beats.asciidoc index 7d068544106..df80cf66457 100644 --- a/libbeat/docs/security/securing-beats.asciidoc 
+++ b/libbeat/docs/security/securing-beats.asciidoc @@ -2,6 +2,7 @@ [[securing-beats]] == Configure {beatname_uc} to use {security} +[subs="attributes"] ++++ Use {security} ++++ diff --git a/libbeat/docs/shared-central-management.asciidoc b/libbeat/docs/shared-central-management.asciidoc index e921379bc59..39dd219eafd 100644 --- a/libbeat/docs/shared-central-management.asciidoc +++ b/libbeat/docs/shared-central-management.asciidoc @@ -2,10 +2,6 @@ [role="xpack"] = {beats} central management -++++ -Central management -++++ - [partintro] -- @@ -144,7 +140,7 @@ ifndef::no_dashboards[] <> before enrolling the Beat. endif::[] -ifeval::[("{beatname_lc}"=="filebeat")] +ifeval::["{beatname_lc}"=="filebeat"] * If you plan to define module configurations in central management, set up the ingest pipelines before enrolling the Beat. For more information, see <>. diff --git a/libbeat/docs/shared-docker.asciidoc b/libbeat/docs/shared-docker.asciidoc index 39bda11d61a..214e0a72aca 100644 --- a/libbeat/docs/shared-docker.asciidoc +++ b/libbeat/docs/shared-docker.asciidoc 
@@ -44,7 +44,37 @@ endif::[] Running {beatname_uc} with the setup command will create the index pattern and load visualizations, dashboards, and machine learning jobs. Run this command: -ifeval::[("{beatname_lc}"=="filebeat") or ("{beatname_lc}"=="metricbeat") or ("{beatname_lc}"=="heartbeat") or ("{beatname_lc}"=="journalbeat")] +ifeval::["{beatname_lc}"=="filebeat"] +["source", "sh", subs="attributes"] +-------------------------------------------- +docker run \ +{dockerimage} \ +setup -E setup.kibana.host=kibana:5601 \ +-E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2> +-------------------------------------------- +endif::[] + +ifeval::["{beatname_lc}"=="metricbeat"] +["source", "sh", subs="attributes"] +-------------------------------------------- +docker run \ +{dockerimage} \ +setup -E setup.kibana.host=kibana:5601 \ +-E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2> +-------------------------------------------- +endif::[] + +ifeval::["{beatname_lc}"=="heartbeat"] +["source", "sh", subs="attributes"] +-------------------------------------------- +docker run \ +{dockerimage} \ +setup -E setup.kibana.host=kibana:5601 \ +-E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2> +-------------------------------------------- +endif::[] + +ifeval::["{beatname_lc}"=="journalbeat"] ["source", "sh", subs="attributes"] -------------------------------------------- docker run \ @@ -109,7 +139,7 @@ curl -L -O https://raw.githubusercontent.com/elastic/beats/{branch}/deploy/docke One way to configure {beatname_uc} on Docker is to provide +{beatname_lc}.docker.yml+ via a volume mount. With +docker run+, the volume mount can be specified like this: -ifeval::[("{beatname_lc}"=="filebeat") or ("{beatname_lc}"=="journalbeat")] +ifeval::["{beatname_lc}"=="filebeat"] ["source", "sh", subs="attributes"] -------------------------------------------- docker run -d \ 
@@ -123,6 +153,24 @@ docker run -d \ -------------------------------------------- endif::[] +ifeval::["{beatname_lc}"=="journalbeat"] +Make sure you include the path to the host's journal. The path might be +`/var/log/journal` or `/run/log/journal`. + +["source", "sh", subs="attributes"] +-------------------------------------------- +sudo docker run -d \ + --name={beatname_lc} \ + --user=root \ + --volume="/var/log/journal:/var/log/journal" \ + --volume="/etc/machine-id:/etc/machine-id" \ + --volume="/run/systemd:/run/systemd" \ + --volume="/etc/hostname:/etc/hostname:ro" \ + {dockerimage} {beatname_lc} -e -strict.perms=false \ + -E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2> +-------------------------------------------- +endif::[] + ifeval::["{beatname_lc}"=="metricbeat"] ["source", "sh", subs="attributes"] -------------------------------------------- @@ -184,6 +232,19 @@ docker run -d \ -------------------------------------------- endif::[] +ifeval::["{beatname_lc}"=="apm-server"] +["source", "sh", subs="attributes"] +-------------------------------------------- +docker run -d \ + --name={beatname_lc} \ + --user={beatname_lc} \ + --volume="$(pwd)/{beatname_lc}.docker.yml:/usr/share/{beatname_lc}/{beatname_lc}.yml:ro" \ + {dockerimage} \ + --strict.perms=false -e \ + -E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2> +-------------------------------------------- +endif::[] + <1> Substitute your Elasticsearch hosts and ports. <2> If you are using the hosted Elasticsearch Service in Elastic Cloud, replace the `-E output.elasticsearch.hosts` line with the Cloud ID and elastic password 
@@ -191,8 +252,7 @@ using the syntax shown earlier. ===== Customize your configuration -ifeval::[("{beatname_lc}"=="filebeat") or ("{beatname_lc}"=="metricbeat")] - +ifdef::has_docker_label_ex[] The +{beatname_lc}.docker.yml+ file you downloaded earlier is configured to deploy Beats modules based on the Docker labels applied to your containers. See <> for more details. Add labels to your application Docker containers, and they will be picked up by the Beats autodiscover feature when they are deployed. Here is an example command for an Apache HTTP Server container with labels to configure the Filebeat and Metricbeat modules for the Apache HTTP Server: ["source", "sh", subs="attributes"] @@ -209,11 +269,9 @@ docker run \ -p 8080:80 \ httpd:2.4 -------------------------------------------- - endif::[] -ifeval::[("{beatname_lc}"!="filebeat") and ("{beatname_lc}"!="metricbeat")] - +ifndef::has_docker_label_ex[] The +{beatname_lc}.docker.yml+ downloaded earlier should be customized for your environment. See <> for more details. Edit the configuration file and customize it to match your environment then re-deploy your {beatname_uc} container. endif::[] diff --git a/libbeat/docs/shared-path-config.asciidoc b/libbeat/docs/shared-path-config.asciidoc index d85cdb8b593..119b9260dcc 100644 --- a/libbeat/docs/shared-path-config.asciidoc +++ b/libbeat/docs/shared-path-config.asciidoc @@ -17,7 +17,7 @@ The `path` section of the +{beatname_lc}.yml+ config file contains configuration options that define where {beatname_uc} looks for its files. For example, {beatname_uc} looks for the Elasticsearch template file in the configuration path and writes log files in the logs path. -ifeval::["{beatname_lc}"=="filebeat" or "{beatname_lc}"=="winlogbeat"] +ifdef::has_registry[] {beatname_uc} looks for its registry files in the data path. endif::[] diff --git a/libbeat/docs/step-configure-output.asciidoc b/libbeat/docs/step-configure-output.asciidoc index d607ff074d6..b50673990dc 100644 
--- a/libbeat/docs/step-configure-output.asciidoc +++ b/libbeat/docs/step-configure-output.asciidoc @@ -7,12 +7,10 @@ to {es}, or to {ls} for additional processing. To send output directly to {es} (without using {ls}), set the location of the {es} installation: + --- endif::only-elasticsearch[] ifdef::only-elasticsearch[] . Configure the {es} output by setting the location of the {es} installation: + --- endif::only-elasticsearch[] endif::has_module_steps[] * If you're running our @@ -33,18 +31,11 @@ output.elasticsearch: hosts: ["myEShost:9200"] ---------------------------------------------------------------------- ifndef::has_module_steps[] --- + ifndef::only-elasticsearch[] -ifeval::["{beatname_lc}"!="filebeat" and "{beatname_lc}"!="winlogbeat"] To send output to {ls}, <> instead. For all other outputs, see <>. -endif::[] -ifeval::[("{beatname_lc}"=="filebeat") or ("{beatname_lc}"=="winlogbeat")] -To send output to {ls}, make sure you configure the Logstash output in -<>. For all other outputs, see <>. -endif::[] endif::only-elasticsearch[] ifdef::only-elasticsearch[] {es} is currently the only output supported by {beatname_uc}. diff --git a/libbeat/scripts/generate_fields_docs.py b/libbeat/scripts/generate_fields_docs.py index 8346d6ef10f..2abf1d68401 100644 --- a/libbeat/scripts/generate_fields_docs.py +++ b/libbeat/scripts/generate_fields_docs.py @@ -11,7 +11,8 @@ def document_fields(output, section, sections, path): output.write("{}\n".format(section["prefix"])) # Intermediate level titles - if "description" in section and "prefix" not in section and "anchor" not in section: + if ("description" in section and "prefix" not in section and + "anchor" not in section): output.write("[float]\n") if "description" in section: 
@@ -70,10 +71,12 @@ def document_field(output, field, field_path): if not field["enabled"]: output.write("{}\n\n".format("Object is not enabled.")) + output.write("--\n\n") + if "multi_fields" in field: for subfield in field["multi_fields"]: - document_field(output, subfield, field_path + "." + subfield["name"]) - output.write("--\n\n") + document_field(output, subfield, field_path + "." + + subfield["name"]) def fields_to_asciidoc(input, output, beat): @@ -129,8 +132,10 @@ def fields_to_asciidoc(input, output, beat): description="Generates the documentation for a Beat.") parser.add_argument("path", help="Path to the beat folder") parser.add_argument("beattitle", help="The beat title") - parser.add_argument("es_beats", help="The path to the general beats folder") - parser.add_argument("--output_path", default="", dest="output_path", help="Output path, if different from path") + parser.add_argument("es_beats", + help="The path to the general beats folder") + parser.add_argument("--output_path", default="", dest="output_path", + help="Output path, if different from path") args = parser.parse_args() diff --git a/metricbeat/docs/index.asciidoc b/metricbeat/docs/index.asciidoc index 41af77ab88d..7de3a955677 100644 --- a/metricbeat/docs/index.asciidoc +++ b/metricbeat/docs/index.asciidoc @@ -16,6 +16,8 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[] :has_ml_jobs: yes :has_central_config: :has_solutions: +:has_docker_label_ex: +:has_modules_command: :deb_os: :rpm_os: :mac_os: diff --git a/metricbeat/docs/modules_list.asciidoc b/metricbeat/docs/modules_list.asciidoc index 8544717c5ad..c3659bde93c 100644 --- a/metricbeat/docs/modules_list.asciidoc +++ b/metricbeat/docs/modules_list.asciidoc @@ -3,7 +3,7 @@ This file is generated! See scripts/docs_collector.py //// [options="header"] -|=================================== +|=== |Modules |Dashboards |Metricsets |<> |image:./images/icon-no.png[No prebuilt dashboards] | .1+| .1+| |<> 
@@ -152,7 +152,7 @@ This file is generated! See scripts/docs_collector.py |<> |image:./images/icon-yes.png[Prebuilt dashboards are available] | .2+| .2+| |<> |<> -|================================ +|=== -- diff --git a/metricbeat/scripts/docs_collector.py b/metricbeat/scripts/docs_collector.py index ea66f23c443..1f9f6ee5c29 100644 --- a/metricbeat/scripts/docs_collector.py +++ b/metricbeat/scripts/docs_collector.py @@ -191,7 +191,7 @@ def collect(beat_name): module_list_output = generated_note module_list_output += '[options="header"]\n' - module_list_output += '|===================================\n' + module_list_output += '|===\n' module_list_output += '|Modules |Dashboards |Metricsets \n' for key, m in sorted(six.iteritems(modules_list)): @@ -218,7 +218,7 @@ def collect(beat_name): module_list_output += '|{} {} \n'.format(ms["link"], release_label) - module_list_output += '|================================' + module_list_output += '|===' module_list_output += "\n\n--\n\n" for key, m in sorted(six.iteritems(modules_list)): diff --git a/packetbeat/docs/packetbeat-filtering.asciidoc b/packetbeat/docs/packetbeat-filtering.asciidoc index 54057d48fb5..c4a65ec7f06 100644 --- a/packetbeat/docs/packetbeat-filtering.asciidoc +++ b/packetbeat/docs/packetbeat-filtering.asciidoc @@ -7,7 +7,7 @@ For example, the following configuration includes a subset of the Packetbeat DNS requests and their response codes are reported: [source, yaml] ------------------------------------------------------ +---- processors: - include_fields: fields: @@ -18,12 +18,12 @@ processors: - dns.question.name - dns.question.etld_plus_one - dns.response_code ------------------------------------------------------ +---- The filtered event would look something like this: [source,shell] ------------------------------------------------------ +---- { "@timestamp": "2016-03-28T14:48:21.732Z", "bytes_in": 32, 
@@ -39,12 +39,12 @@ The filtered event would look something like this: "ip": "8.8.8.8", "type": "dns" } ------------------------------------------------------ +---- If you would like to drop all the successful transactions, you can use the following configuration: [source,yaml] ------------- +---- processors: - drop_event: when: @@ -56,13 +56,13 @@ processors: If you don't want to export raw data for the successful transactions: [source,yaml] ------------- +---- processors: - drop_fields: when: equals: http.response.code: 200 fields: ["request", "response"] ------------- +---- include::{libbeat-dir}/docs/processors-using.asciidoc[] diff --git a/winlogbeat/docs/index.asciidoc b/winlogbeat/docs/index.asciidoc index 6daae177612..7654b557f02 100644 --- a/winlogbeat/docs/index.asciidoc +++ b/winlogbeat/docs/index.asciidoc @@ -14,6 +14,9 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[] :discuss_forum: beats/{beatname_lc} :beat_default_index_prefix: {beatname_lc} :has_ml_jobs: yes +:has_registry: +:ignores_max_retries: +:has_script_processor: :win_os: :win_only: From 340e1652fc2786b2b727bbdf280fb0d8f0363aa9 Mon Sep 17 00:00:00 2001 From: DeDe Morton Date: Wed, 4 Sep 2019 16:52:08 -0700 Subject: [PATCH 2/6] Run make update --- auditbeat/docs/fields.asciidoc | 27 +- filebeat/docs/fields.asciidoc | 8096 -------------------------------- heartbeat/docs/fields.asciidoc | 4 +- 3 files changed, 6 insertions(+), 8121 deletions(-) diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc index 7fca4cc2ca9..23ce242a71c 100644 --- a/auditbeat/docs/fields.asciidoc +++ b/auditbeat/docs/fields.asciidoc 
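Review bot: in the `max_retries` hunk of libbeat/docs/outputconfig.asciidoc the old `ifeval` covered both filebeat and winlogbeat, but only winlogbeat/docs/index.asciidoc visibly gains `:ignores_max_retries:` in this patch; confirm that filebeat/docs/index.asciidoc (listed in the diffstat with 6 insertions but not shown in this series excerpt) also sets `:ignores_max_retries:`, `:has_registry:` and `:has_docker_label_ex:`, otherwise filebeat readers silently fall through to the generic retry text, lose the registry sentence in shared-path-config.asciidoc, and lose the Docker-labels example in shared-docker.asciidoc.

Review bot: the processors-using.asciidoc hunk replaces one `ifeval` with two blocks whose bodies are identical (`:processor-scope: module`); since the rest of this patch already moves per-beat switches into attributes defined in each beat's index.asciidoc, setting `:processor-scope:` there would avoid the duplication, or at least a comment should say the split exists because Asciidoctor's `ifeval` only accepts a single comparison, so nobody re-merges it later.

Review bot: the shared-docker.asciidoc setup hunk adds four byte-identical `docker run ... setup -E setup.kibana.host=kibana:5601` blocks for filebeat, metricbeat, heartbeat and journalbeat; these will drift the first time one is edited. The same attribute approach used elsewhere in this patch (for example a hypothetical `:has_setup_command:` set in those four index.asciidoc files) would keep a single copy of the block and its `<1> <2>` callouts.

Review bot: the journalbeat `docker run` hunk spells the flag `-strict.perms=false` while the apm-server block in the same file and the rest of the page use `--strict.perms=false`; use the double-dash form for consistency. The block also runs as `--user=root` under `sudo` without saying why, so add a sentence that root is needed to read the host journal, and since Journalbeat only reads these paths consider `:ro` on the `/var/log/journal`, `/etc/machine-id` and `/run/systemd` mounts as is already done for `/etc/hostname`, which limits what a compromised container can write back to the host.

Review bot: the step-configure-output.asciidoc hunk drops the filebeat/winlogbeat branch that pointed those readers at a different cross-reference for configuring the Logstash output, so every beat now shares one xref; the targets are not visible in this excerpt, so verify that the remaining xref resolves in the filebeat and winlogbeat builds rather than only in the beats it was written for.

Review bot: in libbeat/scripts/generate_fields_docs.py the `--` delimiter is now written before `multi_fields` are documented instead of after, which closes the parent field's block and emits subfields such as `file.path.raw` at the same level as the parent; this changes the generated fields.asciidoc of every beat, so the regenerated files should land in the same commit (this series regenerates them in the next commit, which should be squashed in). The argparse reflow is style only.

Review bot: in packetbeat-filtering.asciidoc the "filtered event" example is a JSON document but is tagged `[source,shell]`; `[source,json]` gives correct highlighting. The YAML blocks also mix `[source, yaml]` and `[source,yaml]`; pick one spelling.

Review bot: winlogbeat/docs/index.asciidoc defines `:has_script_processor:` but no hunk in this patch references that attribute; either point at the file that consumes it or drop the definition so unused flags do not accumulate.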
@@ -2886,16 +2886,7 @@ The name of the module's dataset that generated the event. -- -<<<<<<< HEAD *`event.action`*:: -======= -An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available. - - --- - -*`file.origin.raw`*:: ->>>>>>> 99e4fbe40... [7.1][DOCS] Backport: Fix asciidoctor build (#13460) + -- type: keyword @@ -2906,19 +2897,9 @@ Action describes the change that triggered the event. For the file integrity module the possible values are: attributes_modified, created, deleted, updated, moved, and config_change. -<<<<<<< HEAD -- *`event.id`*:: -======= -[float] -== selinux fields - -The SELinux identity of the file. - - -*`file.selinux.user`*:: ->>>>>>> 99e4fbe40... [7.1][DOCS] Backport: Fix asciidoctor build (#13460) + -- type: keyword @@ -3080,6 +3061,8 @@ type: text The path to the file. +-- + *`file.path.raw`*:: + -- @@ -3088,8 +3071,6 @@ type: keyword The path to the file. This is a non-analyzed field that is useful for aggregations. --- - -- *`file.target_path`*:: @@ -3233,6 +3214,8 @@ type: text An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available. +-- + *`file.origin.raw`*:: + -- @@ -3241,8 +3224,6 @@ type: keyword This is a non-analyzed field that is useful for aggregations on the origin data. --- - -- [float] diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 1b96a3a988d..4c59d4113f9 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc 
@@ -4501,8103 +4501,7 @@ The slow query. -- type: long -<<<<<<< HEAD The connection or thread ID for the query. -======= --- - -*`elasticsearch.slowlog.total_hits`*:: -+ --- -type: keyword - -example: 42 - -Total hits - --- - -*`elasticsearch.slowlog.total_shards`*:: -+ --- -type: keyword - -example: 22 - -Total queried shards - --- - -*`elasticsearch.slowlog.routing`*:: -+ --- -type: keyword - -example: s01HZ2QBk9jw4gtgaFtn - -Routing - --- - -*`elasticsearch.slowlog.id`*:: -+ --- -type: keyword - -example: - -Id - --- - -*`elasticsearch.slowlog.type`*:: -+ --- -type: keyword - -example: doc - -Type - --- - -[[exported-fields-haproxy]] -== haproxy fields - -haproxy Module - - - -[float] -== haproxy fields - - - - -*`haproxy.frontend_name`*:: -+ --- -Name of the frontend (or listener) which received and processed the connection. - --- - -*`haproxy.backend_name`*:: -+ --- -Name of the backend (or listener) which was selected to manage the connection to the server. - --- - -*`haproxy.server_name`*:: -+ --- -Name of the last server to which the connection was sent. - --- - -*`haproxy.total_waiting_time_ms`*:: -+ --- -type: long - -Total time in milliseconds spent waiting in the various queues - --- - -*`haproxy.connection_wait_time_ms`*:: -+ --- -type: long - -Total time in milliseconds spent waiting for the connection to establish to the final server - --- - -*`haproxy.bytes_read`*:: -+ --- -type: long - -Total number of bytes transmitted to the client when the log is emitted. - --- - -*`haproxy.time_queue`*:: -+ --- -type: long - -Total time in milliseconds spent waiting in the various queues. - --- - -*`haproxy.time_backend_connect`*:: -+ --- -type: long - -Total time in milliseconds spent waiting for the connection to establish to the final server, including retries. - --- - -*`haproxy.server_queue`*:: -+ --- -type: long - -Total number of requests which were processed before this one in the server queue. 
- --- - -*`haproxy.backend_queue`*:: -+ --- -type: long - -Total number of requests which were processed before this one in the backend's global queue. - --- - -*`haproxy.bind_name`*:: -+ --- -Name of the listening address which received the connection. - --- - -*`haproxy.error_message`*:: -+ --- -type: text - -Error message logged by HAProxy in case of error. - --- - -*`haproxy.source`*:: -+ --- -type: keyword - -The HAProxy source of the log - --- - -*`haproxy.termination_state`*:: -+ --- -Condition the session was in when the session ended. - --- - -*`haproxy.mode`*:: -+ --- -type: keyword - -mode that the frontend is operating (TCP or HTTP) - --- - -[float] -== connections fields - -Contains various counts of connections active in the process. - - -*`haproxy.connections.active`*:: -+ --- -type: long - -Total number of concurrent connections on the process when the session was logged. - --- - -*`haproxy.connections.frontend`*:: -+ --- -type: long - -Total number of concurrent connections on the frontend when the session was logged. - --- - -*`haproxy.connections.backend`*:: -+ --- -type: long - -Total number of concurrent connections handled by the backend when the session was logged. - --- - -*`haproxy.connections.server`*:: -+ --- -type: long - -Total number of concurrent connections still active on the server when the session was logged. - --- - -*`haproxy.connections.retries`*:: -+ --- -type: long - -Number of connection retries experienced by this session when trying to connect to the server. 
- --- - -[float] -== client fields - -Information about the client doing the request - - -*`haproxy.client.ip`*:: -+ --- -type: alias - -alias to: source.address - --- - -*`haproxy.client.port`*:: -+ --- -type: alias - -alias to: source.port - --- - -*`haproxy.process_name`*:: -+ --- -type: alias - -alias to: process.name - --- - -*`haproxy.pid`*:: -+ --- -type: alias - -alias to: process.pid - --- - -[float] -== destination fields - -Destination information - - -*`haproxy.destination.port`*:: -+ --- -type: alias - -alias to: destination.port - --- - -*`haproxy.destination.ip`*:: -+ --- -type: alias - -alias to: destination.ip - --- - -[float] -== geoip fields - -Contains GeoIP information gathered based on the client.ip field. Only present if the GeoIP Elasticsearch plugin is available and used. - - - -*`haproxy.geoip.continent_name`*:: -+ --- -type: alias - -alias to: source.geo.continent_name - --- - -*`haproxy.geoip.country_iso_code`*:: -+ --- -type: alias - -alias to: source.geo.country_iso_code - --- - -*`haproxy.geoip.location`*:: -+ --- -type: alias - -alias to: source.geo.location - --- - -*`haproxy.geoip.region_name`*:: -+ --- -type: alias - -alias to: source.geo.region_name - --- - -*`haproxy.geoip.city_name`*:: -+ --- -type: alias - -alias to: source.geo.city_name - --- - -*`haproxy.geoip.region_iso_code`*:: -+ --- -type: alias - -alias to: source.geo.region_iso_code - --- - -[float] -== http fields - -Please add description - - -[float] -== response fields - -Fields related to the HTTP response - - -*`haproxy.http.response.captured_cookie`*:: -+ --- -Optional "name=value" entry indicating that the client had this cookie in the response. - - --- - -*`haproxy.http.response.captured_headers`*:: -+ --- -type: keyword - -List of headers captured in the response due to the presence of the "capture response header" statement in the frontend. 
- - --- - -*`haproxy.http.response.status_code`*:: -+ --- -type: alias - -alias to: http.response.status_code - --- - -[float] -== request fields - -Fields related to the HTTP request - - -*`haproxy.http.request.captured_cookie`*:: -+ --- -Optional "name=value" entry indicating that the server has returned a cookie with its request. - - --- - -*`haproxy.http.request.captured_headers`*:: -+ --- -type: keyword - -List of headers captured in the request due to the presence of the "capture request header" statement in the frontend. - - --- - -*`haproxy.http.request.raw_request_line`*:: -+ --- -type: keyword - -Complete HTTP request line, including the method, request and HTTP version string. - --- - -*`haproxy.http.request.time_wait_without_data_ms`*:: -+ --- -type: long - -Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data. - --- - -*`haproxy.http.request.time_wait_ms`*:: -+ --- -type: long - -Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received. - --- - -[float] -== tcp fields - -TCP log format - - -*`haproxy.tcp.connection_waiting_time_ms`*:: -+ --- -type: long - -Total time in milliseconds elapsed between the accept and the last close - --- - -[[exported-fields-host-processor]] -== Host fields - -Info collected for the host machine. - - - - -*`host.containerized`*:: -+ --- -type: boolean - -If the host is a container. - - --- - -*`host.os.build`*:: -+ --- -type: keyword - -example: 18D109 - -OS build information. - - --- - -[[exported-fields-icinga]] -== Icinga fields - -Icinga Module - - - -[float] -== icinga fields - - - - -[float] -== debug fields - -Contains fields for the Icinga debug logs. - - - -*`icinga.debug.facility`*:: -+ --- -type: keyword - -Specifies what component of Icinga logged the message. 
- - --- - -*`icinga.debug.severity`*:: -+ --- -type: alias - -alias to: log.level - --- - -*`icinga.debug.message`*:: -+ --- -type: alias - -alias to: message - --- - -[float] -== main fields - -Contains fields for the Icinga main logs. - - - -*`icinga.main.facility`*:: -+ --- -type: keyword - -Specifies what component of Icinga logged the message. - - --- - -*`icinga.main.severity`*:: -+ --- -type: alias - -alias to: log.level - --- - -*`icinga.main.message`*:: -+ --- -type: alias - -alias to: message - --- - -[float] -== startup fields - -Contains fields for the Icinga startup logs. - - - -*`icinga.startup.facility`*:: -+ --- -type: keyword - -Specifies what component of Icinga logged the message. - - --- - -*`icinga.startup.severity`*:: -+ --- -type: alias - -alias to: log.level - --- - -*`icinga.startup.message`*:: -+ --- -type: alias - -alias to: message - --- - -[[exported-fields-iis]] -== IIS fields - -Module for parsing IIS log files. - - - -[float] -== iis fields - -Fields from IIS log files. - - - -[float] -== access fields - -Contains fields for IIS access logs. - - - -*`iis.access.sub_status`*:: -+ --- -type: long - -The HTTP substatus code. - - --- - -*`iis.access.win32_status`*:: -+ --- -type: long - -The Windows status code. - - --- - -*`iis.access.site_name`*:: -+ --- -type: keyword - -The site name and instance number. - - --- - -*`iis.access.server_name`*:: -+ --- -type: keyword - -The name of the server on which the log file entry was generated. - - --- - -*`iis.access.cookie`*:: -+ --- -type: keyword - -The content of the cookie sent or received, if any. 
- - --- - -*`iis.access.body_received.bytes`*:: -+ --- -type: alias - -alias to: http.request.body.bytes - --- - -*`iis.access.body_sent.bytes`*:: -+ --- -type: alias - -alias to: http.response.body.bytes - --- - -*`iis.access.server_ip`*:: -+ --- -type: alias - -alias to: destination.address - --- - -*`iis.access.method`*:: -+ --- -type: alias - -alias to: http.request.method - --- - -*`iis.access.url`*:: -+ --- -type: alias - -alias to: url.path - --- - -*`iis.access.query_string`*:: -+ --- -type: alias - -alias to: url.query - --- - -*`iis.access.port`*:: -+ --- -type: alias - -alias to: destination.port - --- - -*`iis.access.user_name`*:: -+ --- -type: alias - -alias to: user.name - --- - -*`iis.access.remote_ip`*:: -+ --- -type: alias - -alias to: source.address - --- - -*`iis.access.referrer`*:: -+ --- -type: alias - -alias to: http.request.referrer - --- - -*`iis.access.response_code`*:: -+ --- -type: alias - -alias to: http.response.status_code - --- - -*`iis.access.http_version`*:: -+ --- -type: alias - -alias to: http.version - --- - -*`iis.access.hostname`*:: -+ --- -type: alias - -alias to: host.hostname - --- - - -*`iis.access.user_agent.device`*:: -+ --- -type: alias - -alias to: user_agent.device.name - --- - -*`iis.access.user_agent.name`*:: -+ --- -type: alias - -alias to: user_agent.name - --- - -*`iis.access.user_agent.os`*:: -+ --- -type: alias - -alias to: user_agent.os.full_name - --- - -*`iis.access.user_agent.os_name`*:: -+ --- -type: alias - -alias to: user_agent.os.name - --- - -*`iis.access.user_agent.original`*:: -+ --- -type: alias - -alias to: user_agent.original - --- - - -*`iis.access.geoip.continent_name`*:: -+ --- -type: alias - -alias to: source.geo.continent_name - --- - -*`iis.access.geoip.country_iso_code`*:: -+ --- -type: alias - -alias to: source.geo.country_iso_code - --- - -*`iis.access.geoip.location`*:: -+ --- -type: alias - -alias to: source.geo.location - --- - -*`iis.access.geoip.region_name`*:: -+ --- -type: alias - 
-alias to: source.geo.region_name - --- - -*`iis.access.geoip.city_name`*:: -+ --- -type: alias - -alias to: source.geo.city_name - --- - -*`iis.access.geoip.region_iso_code`*:: -+ --- -type: alias - -alias to: source.geo.region_iso_code - --- - -[float] -== error fields - -Contains fields for IIS error logs. - - - -*`iis.error.reason_phrase`*:: -+ --- -type: keyword - -The HTTP reason phrase. - - --- - -*`iis.error.queue_name`*:: -+ --- -type: keyword - -The IIS application pool name. - - --- - -*`iis.error.remote_ip`*:: -+ --- -type: alias - -alias to: source.address - --- - -*`iis.error.remote_port`*:: -+ --- -type: alias - -alias to: source.port - --- - -*`iis.error.server_ip`*:: -+ --- -type: alias - -alias to: destination.address - --- - -*`iis.error.server_port`*:: -+ --- -type: alias - -alias to: destination.port - --- - -*`iis.error.http_version`*:: -+ --- -type: alias - -alias to: http.version - --- - -*`iis.error.method`*:: -+ --- -type: alias - -alias to: http.request.method - --- - -*`iis.error.url`*:: -+ --- -type: alias - -alias to: url.original - --- - -*`iis.error.response_code`*:: -+ --- -type: alias - -alias to: http.response.status_code - --- - - -*`iis.error.geoip.continent_name`*:: -+ --- -type: alias - -alias to: source.geo.continent_name - --- - -*`iis.error.geoip.country_iso_code`*:: -+ --- -type: alias - -alias to: source.geo.country_iso_code - --- - -*`iis.error.geoip.location`*:: -+ --- -type: alias - -alias to: source.geo.location - --- - -*`iis.error.geoip.region_name`*:: -+ --- -type: alias - -alias to: source.geo.region_name - --- - -*`iis.error.geoip.city_name`*:: -+ --- -type: alias - -alias to: source.geo.city_name - --- - -*`iis.error.geoip.region_iso_code`*:: -+ --- -type: alias - -alias to: source.geo.region_iso_code - --- - -[[exported-fields-iptables]] -== iptables fields - -Module for handling the iptables logs. - - - -[float] -== iptables fields - -Fields from the iptables logs. 
- - - -*`iptables.ether_type`*:: -+ --- -type: long - -Value of the ethernet type field identifying the network layer protocol. - - --- - -*`iptables.flow_label`*:: -+ --- -type: integer - -IPv6 flow label. - - --- - -*`iptables.fragment_flags`*:: -+ --- -type: keyword - -IP fragment flags. A combination of CE, DF and MF. - - --- - -*`iptables.fragment_offset`*:: -+ --- -type: long - -Offset of the current IP fragment. - - --- - -[float] -== icmp fields - -ICMP fields. - - - -*`iptables.icmp.code`*:: -+ --- -type: long - -ICMP code. - - --- - -*`iptables.icmp.id`*:: -+ --- -type: long - -ICMP ID. - - --- - -*`iptables.icmp.parameter`*:: -+ --- -type: long - -ICMP parameter. - - --- - -*`iptables.icmp.redirect`*:: -+ --- -type: ip - -ICMP redirect address. - - --- - -*`iptables.icmp.seq`*:: -+ --- -type: long - -ICMP sequence number. - - --- - -*`iptables.icmp.type`*:: -+ --- -type: long - -ICMP type. - - --- - -*`iptables.id`*:: -+ --- -type: long - -Packet identifier. - - --- - -*`iptables.incomplete_bytes`*:: -+ --- -type: long - -Number of incomplete bytes. - - --- - -*`iptables.input_device`*:: -+ --- -type: keyword - -Device that received the packet. - - --- - -*`iptables.precedence_bits`*:: -+ --- -type: short - -IP precedence bits. - - --- - -*`iptables.tos`*:: -+ --- -type: long - -IP Type of Service field. - - --- - -*`iptables.length`*:: -+ --- -type: long - -Packet length. - - --- - -*`iptables.output_device`*:: -+ --- -type: keyword - -Device that output the packet. - - --- - -[float] -== tcp fields - -TCP fields. - - - -*`iptables.tcp.flags`*:: -+ --- -type: keyword - -TCP flags. - - --- - -*`iptables.tcp.reserved_bits`*:: -+ --- -type: short - -TCP reserved bits. - - --- - -*`iptables.tcp.seq`*:: -+ --- -type: long - -TCP sequence number. - - --- - -*`iptables.tcp.ack`*:: -+ --- -type: long - -TCP Acknowledgment number. - - --- - -*`iptables.tcp.window`*:: -+ --- -type: long - -Advertised TCP window size. 
- - --- - -*`iptables.ttl`*:: -+ --- -type: integer - -Time To Live field. - - --- - -[float] -== udp fields - -UDP fields. - - - -*`iptables.udp.length`*:: -+ --- -type: long - -Length of the UDP header and payload. - - --- - -[float] -== ubiquiti fields - -Fields for Ubiquiti network devices. - - - -*`iptables.ubiquiti.input_zone`*:: -+ --- -type: keyword - -Input zone. - - --- - -*`iptables.ubiquiti.output_zone`*:: -+ --- -type: keyword - -Output zone. - - --- - -*`iptables.ubiquiti.rule_number`*:: -+ --- -type: keyword - -The rule number within the rule set. - --- - -*`iptables.ubiquiti.rule_set`*:: -+ --- -type: keyword - -The rule set name. - --- - -[[exported-fields-kafka]] -== Kafka fields - -Kafka module - - - -[float] -== kafka fields - - - - -[float] -== log fields - -Kafka log lines. - - - -*`kafka.log.level`*:: -+ --- -type: alias - -alias to: log.level - --- - -*`kafka.log.message`*:: -+ --- -type: alias - -alias to: message - --- - -*`kafka.log.component`*:: -+ --- -type: keyword - -Component the log is coming from. - - --- - -*`kafka.log.class`*:: -+ --- -type: keyword - -Java class the log is coming from. - - --- - -[float] -== trace fields - -Trace in the log line. - - - -*`kafka.log.trace.class`*:: -+ --- -type: keyword - -Java class the trace is coming from. - - --- - -*`kafka.log.trace.message`*:: -+ --- -type: text - -Message part of the trace. - - --- - -[[exported-fields-kibana]] -== kibana fields - -kibana Module - - - -[float] -== kibana fields - - - - -[float] -== log fields - -Kafka log lines. - - - -*`kibana.log.tags`*:: -+ --- -type: keyword - -Kibana logging tags. - - --- - -*`kibana.log.state`*:: -+ --- -type: keyword - -Current state of Kibana. 
- - --- - -*`kibana.log.meta`*:: -+ --- -type: object - --- - -*`kibana.log.kibana.log.meta.req.headers.referer`*:: -+ --- -type: alias - -alias to: http.request.referrer - --- - -*`kibana.log.kibana.log.meta.req.referer`*:: -+ --- -type: alias - -alias to: http.request.referrer - --- - -*`kibana.log.kibana.log.meta.req.headers.user-agent`*:: -+ --- -type: alias - -alias to: user_agent.original - --- - -*`kibana.log.kibana.log.meta.req.remoteAddress`*:: -+ --- -type: alias - -alias to: source.address - --- - -*`kibana.log.kibana.log.meta.req.url`*:: -+ --- -type: alias - -alias to: url.original - --- - -*`kibana.log.kibana.log.meta.statusCode`*:: -+ --- -type: alias - -alias to: http.response.status_code - --- - -*`kibana.log.kibana.log.meta.method`*:: -+ --- -type: alias - -alias to: http.request.method - --- - -[[exported-fields-kubernetes-processor]] -== Kubernetes fields - -Kubernetes metadata added by the kubernetes processor - - - - -*`kubernetes.pod.name`*:: -+ --- -type: keyword - -Kubernetes pod name - - --- - -*`kubernetes.pod.uid`*:: -+ --- -type: keyword - -Kubernetes Pod UID - - --- - -*`kubernetes.namespace`*:: -+ --- -type: keyword - -Kubernetes namespace - - --- - -*`kubernetes.node.name`*:: -+ --- -type: keyword - -Kubernetes node name - - --- - -*`kubernetes.labels.*`*:: -+ --- -type: object - -Kubernetes labels map - - --- - -*`kubernetes.annotations.*`*:: -+ --- -type: object - -Kubernetes annotations map - - --- - -*`kubernetes.container.name`*:: -+ --- -type: keyword - -Kubernetes container name - - --- - -*`kubernetes.container.image`*:: -+ --- -type: keyword - -Kubernetes container image - - --- - -[[exported-fields-log]] -== Log file content fields - -Contains log file lines. - - - -*`log.file.path`*:: -+ --- -type: keyword - -required: False - -The file from which the line was read. This field contains the absolute path to the file. For example: `/var/log/system.log`. 
- - --- - -*`log.source.address`*:: -+ --- -type: keyword - -required: False - -Source address from which the log event was read / sent from. - - --- - -*`log.offset`*:: -+ --- -type: long - -required: False - -The file offset the reported line starts at. - - --- - -*`stream`*:: -+ --- -type: keyword - -required: False - -Log stream when reading container logs, can be 'stdout' or 'stderr' - - --- - -*`input.type`*:: -+ --- -required: True - -The input type from which the event was generated. This field is set to the value specified for the `type` option in the input section of the Filebeat config file. - - --- - -*`syslog.facility`*:: -+ --- -type: long - -required: False - -The facility extracted from the priority. - - --- - -*`syslog.priority`*:: -+ --- -type: long - -required: False - -The priority of the syslog event. - - --- - -*`syslog.severity_label`*:: -+ --- -type: keyword - -required: False - -The human readable severity. - - --- - -*`syslog.facility_label`*:: -+ --- -type: keyword - -required: False - -The human readable facility. - - --- - -*`process.program`*:: -+ --- -type: keyword - -required: False - -The name of the program. - - --- - -*`log.flags`*:: -+ --- -This field contains the flags of the event. - - --- - -*`http.response.content_length`*:: -+ --- -type: alias - -alias to: http.response.body.bytes - --- - - - -*`user_agent.os.full_name`*:: -+ --- -type: keyword - --- - -*`fileset.name`*:: -+ --- -type: keyword - -The Filebeat fileset that generated this event. - - --- - -*`fileset.module`*:: -+ --- -type: alias - -alias to: event.module - --- - -*`read_timestamp`*:: -+ --- -type: alias - -alias to: event.created - --- - -[[exported-fields-logstash]] -== logstash fields - -logstash Module - - - -[float] -== logstash fields - - - - -[float] -== log fields - -Fields from the Logstash logs. - - - -*`logstash.log.module`*:: -+ --- -type: keyword - -The module or class where the event originate. 
- - --- - -*`logstash.log.thread`*:: -+ --- -type: keyword - -Information about the running thread where the log originate. - - --- - -*`logstash.log.thread.text`*:: -+ --- -type: text - --- - -*`logstash.log.log_event`*:: -+ --- -type: object - -key and value debugging information. - - --- - -*`logstash.log.message`*:: -+ --- -type: alias - -alias to: message - --- - -*`logstash.log.level`*:: -+ --- -type: alias - -alias to: log.level - --- - -[float] -== slowlog fields - -slowlog - - - -*`logstash.slowlog.module`*:: -+ --- -type: keyword - -The module or class where the event originate. - - --- - -*`logstash.slowlog.thread`*:: -+ --- -type: keyword - -Information about the running thread where the log originate. - - --- - -*`logstash.slowlog.thread.text`*:: -+ --- -type: text - --- - -*`logstash.slowlog.event`*:: -+ --- -type: keyword - -Raw dump of the original event - - --- - -*`logstash.slowlog.event.text`*:: -+ --- -type: text - --- - -*`logstash.slowlog.plugin_name`*:: -+ --- -type: keyword - -Name of the plugin - - --- - -*`logstash.slowlog.plugin_type`*:: -+ --- -type: keyword - -Type of the plugin: Inputs, Filters, Outputs or Codecs. - - --- - -*`logstash.slowlog.took_in_millis`*:: -+ --- -type: long - -Execution time for the plugin in milliseconds. - - --- - -*`logstash.slowlog.plugin_params`*:: -+ --- -type: keyword - -String value of the plugin configuration - - --- - -*`logstash.slowlog.plugin_params.text`*:: -+ --- -type: text - --- - -*`logstash.slowlog.plugin_params_object`*:: -+ --- -type: object - -key -> value of the configuration used by the plugin. - - --- - -*`logstash.slowlog.level`*:: -+ --- -type: alias - -alias to: log.level - --- - -*`logstash.slowlog.took_in_nanos`*:: -+ --- -type: alias - -alias to: event.duration - --- - -[[exported-fields-mongodb]] -== mongodb fields - -Module for parsing MongoDB log files. - - - -[float] -== mongodb fields - -Fields from MongoDB logs. 
- - - -[float] -== log fields - -Contains fields from MongoDB logs. - - - -*`mongodb.log.component`*:: -+ --- -type: keyword - -example: COMMAND - -Functional categorization of message - - --- - -*`mongodb.log.context`*:: -+ --- -type: keyword - -example: initandlisten - -Context of message - - --- - -*`mongodb.log.severity`*:: -+ --- -type: alias - -alias to: log.level - --- - -*`mongodb.log.message`*:: -+ --- -type: alias - -alias to: message - --- - -[[exported-fields-mysql]] -== MySQL fields - -Module for parsing the MySQL log files. - - - -[float] -== mysql fields - -Fields from the MySQL log files. - - - -*`mysql.thread_id`*:: -+ --- -type: long - -The connection or thread ID for the query. - - --- - -[float] -== error fields - -Contains fields from the MySQL error logs. - - - -*`mysql.error.thread_id`*:: -+ --- -type: alias - -alias to: mysql.thread_id - --- - -*`mysql.error.level`*:: -+ --- -type: alias - -alias to: log.level - --- - -*`mysql.error.message`*:: -+ --- -type: alias - -alias to: message - --- - -[float] -== slowlog fields - -Contains fields from the MySQL slow logs. - - - -*`mysql.slowlog.lock_time.sec`*:: -+ --- -type: float - -The amount of time the query waited for the lock to be available. The value is in seconds, as a floating point number. - - --- - -*`mysql.slowlog.rows_sent`*:: -+ --- -type: long - -The number of rows returned by the query. - - --- - -*`mysql.slowlog.rows_examined`*:: -+ --- -type: long - -The number of rows scanned by the query. - - --- - -*`mysql.slowlog.rows_affected`*:: -+ --- -type: long - -The number of rows modified by the query. - - --- - -*`mysql.slowlog.bytes_sent`*:: -+ --- -type: long - -format: bytes - -The size of the query result. - - --- - -*`mysql.slowlog.query`*:: -+ --- -The slow query. - - --- - -*`mysql.slowlog.id`*:: -+ --- -type: alias - -alias to: mysql.thread_id - --- - -*`mysql.slowlog.schema`*:: -+ --- -type: keyword - -The schema where the slow query was executed. 
- - --- - -*`mysql.slowlog.current_user`*:: -+ --- -type: keyword - -Current authenticated user, used to determine access privileges. Can differ from the value for user. - - --- - -*`mysql.slowlog.last_errno`*:: -+ --- -type: keyword - -Last SQL error seen. - - --- - -*`mysql.slowlog.killed`*:: -+ --- -type: keyword - -Code of the reason if the query was killed. - - --- - -*`mysql.slowlog.query_cache_hit`*:: -+ --- -type: boolean - -Whether the query cache was hit. - - --- - -*`mysql.slowlog.tmp_table`*:: -+ --- -type: boolean - -Whether a temporary table was used to resolve the query. - - --- - -*`mysql.slowlog.tmp_table_on_disk`*:: -+ --- -type: boolean - -Whether the query needed temporary tables on disk. - - --- - -*`mysql.slowlog.tmp_tables`*:: -+ --- -type: long - -Number of temporary tables created for this query - - --- - -*`mysql.slowlog.tmp_disk_tables`*:: -+ --- -type: long - -Number of temporary tables created on disk for this query. - - --- - -*`mysql.slowlog.tmp_table_sizes`*:: -+ --- -type: long - -format: bytes - -Size of temporary tables created for this query. - --- - -*`mysql.slowlog.filesort`*:: -+ --- -type: boolean - -Whether filesort optimization was used. - - --- - -*`mysql.slowlog.filesort_on_disk`*:: -+ --- -type: boolean - -Whether filesort optimization was used and it needed temporary tables on disk. - - --- - -*`mysql.slowlog.priority_queue`*:: -+ --- -type: boolean - -Whether a priority queue was used for filesort. - - --- - -*`mysql.slowlog.full_scan`*:: -+ --- -type: boolean - -Whether a full table scan was needed for the slow query. - - --- - -*`mysql.slowlog.full_join`*:: -+ --- -type: boolean - -Whether a full join was needed for the slow query (no indexes were used for joins). - - --- - -*`mysql.slowlog.merge_passes`*:: -+ --- -type: long - -Number of merge passes executed for the query. 
- - --- - -*`mysql.slowlog.log_slow_rate_type`*:: -+ --- -type: keyword - -Type of slow log rate limit, it can be `session` if the rate limit is applied per session, or `query` if it applies per query. - - --- - -*`mysql.slowlog.log_slow_rate_limit`*:: -+ --- -type: keyword - -Slow log rate limit, a value of 100 means that one in a hundred queries or sessions are being logged. - - --- - -[float] -== innodb fields - -Contains fields relative to InnoDB engine - - - -*`mysql.slowlog.innodb.trx_id`*:: -+ --- -type: keyword - -Transaction ID - - --- - -*`mysql.slowlog.innodb.io_r_ops`*:: -+ --- -type: long - -Number of page read operations. - - --- - -*`mysql.slowlog.innodb.io_r_bytes`*:: -+ --- -type: long - -format: bytes - -Bytes read during page read operations. - - --- - -*`mysql.slowlog.innodb.io_r_wait.sec`*:: -+ --- -type: long - -How long it took to read all needed data from storage. - - --- - -*`mysql.slowlog.innodb.rec_lock_wait.sec`*:: -+ --- -type: long - -How long the query waited for locks. - - --- - -*`mysql.slowlog.innodb.queue_wait.sec`*:: -+ --- -type: long - -How long the query waited to enter the InnoDB queue and to be executed once in the queue. - - --- - -*`mysql.slowlog.innodb.pages_distinct`*:: -+ --- -type: long - -Approximated count of pages accessed to execute the query. - - --- - -*`mysql.slowlog.user`*:: -+ --- -type: alias - -alias to: user.name - --- - -*`mysql.slowlog.host`*:: -+ --- -type: alias - -alias to: source.domain - --- - -*`mysql.slowlog.ip`*:: -+ --- -type: alias - -alias to: source.ip - --- - -[[exported-fields-netflow]] -== NetFlow fields - -Fields from NetFlow and IPFIX flows. - - - -[float] -== netflow fields - -Fields from NetFlow and IPFIX. - - - -*`netflow.type`*:: -+ --- -type: keyword - -The type of NetFlow record described by this event. - - --- - -[float] -== exporter fields - -Metadata related to the exporter device that generated this record. 
- - - -*`netflow.exporter.address`*:: -+ --- -type: keyword - -Exporter's network address in IP:port format. - - --- - -*`netflow.exporter.source_id`*:: -+ --- -type: long - -Observation domain ID to which this record belongs. - - --- - -*`netflow.exporter.timestamp`*:: -+ --- -type: date - -Time and date of export. - - --- - -*`netflow.exporter.uptime_millis`*:: -+ --- -type: long - -How long the exporter process has been running, in milliseconds. - - --- - -*`netflow.exporter.version`*:: -+ --- -type: long - -NetFlow version used. - - --- - -*`netflow.octet_delta_count`*:: -+ --- -type: long - --- - -*`netflow.packet_delta_count`*:: -+ --- -type: long - --- - -*`netflow.delta_flow_count`*:: -+ --- -type: long - --- - -*`netflow.protocol_identifier`*:: -+ --- -type: short - --- - -*`netflow.ip_class_of_service`*:: -+ --- -type: short - --- - -*`netflow.tcp_control_bits`*:: -+ --- -type: integer - --- - -*`netflow.source_transport_port`*:: -+ --- -type: integer - --- - -*`netflow.source_ipv4_address`*:: -+ --- -type: ip - --- - -*`netflow.source_ipv4_prefix_length`*:: -+ --- -type: short - --- - -*`netflow.ingress_interface`*:: -+ --- -type: long - --- - -*`netflow.destination_transport_port`*:: -+ --- -type: integer - --- - -*`netflow.destination_ipv4_address`*:: -+ --- -type: ip - --- - -*`netflow.destination_ipv4_prefix_length`*:: -+ --- -type: short - --- - -*`netflow.egress_interface`*:: -+ --- -type: long - --- - -*`netflow.ip_next_hop_ipv4_address`*:: -+ --- -type: ip - --- - -*`netflow.bgp_source_as_number`*:: -+ --- -type: long - --- - -*`netflow.bgp_destination_as_number`*:: -+ --- -type: long - --- - -*`netflow.bgp_next_hop_ipv4_address`*:: -+ --- -type: ip - --- - -*`netflow.post_mcast_packet_delta_count`*:: -+ --- -type: long - --- - -*`netflow.post_mcast_octet_delta_count`*:: -+ --- -type: long - --- - -*`netflow.flow_end_sys_up_time`*:: -+ --- -type: long - --- - -*`netflow.flow_start_sys_up_time`*:: -+ --- -type: long - --- - 
-*`netflow.post_octet_delta_count`*:: -+ --- -type: long - --- - -*`netflow.post_packet_delta_count`*:: -+ --- -type: long - --- - -*`netflow.minimum_ip_total_length`*:: -+ --- -type: long - --- - -*`netflow.maximum_ip_total_length`*:: -+ --- -type: long - --- - -*`netflow.source_ipv6_address`*:: -+ --- -type: ip - --- - -*`netflow.destination_ipv6_address`*:: -+ --- -type: ip - --- - -*`netflow.source_ipv6_prefix_length`*:: -+ --- -type: short - --- - -*`netflow.destination_ipv6_prefix_length`*:: -+ --- -type: short - --- - -*`netflow.flow_label_ipv6`*:: -+ --- -type: long - --- - -*`netflow.icmp_type_code_ipv4`*:: -+ --- -type: integer - --- - -*`netflow.igmp_type`*:: -+ --- -type: short - --- - -*`netflow.sampling_interval`*:: -+ --- -type: long - --- - -*`netflow.sampling_algorithm`*:: -+ --- -type: short - --- - -*`netflow.flow_active_timeout`*:: -+ --- -type: integer - --- - -*`netflow.flow_idle_timeout`*:: -+ --- -type: integer - --- - -*`netflow.engine_type`*:: -+ --- -type: short - --- - -*`netflow.engine_id`*:: -+ --- -type: short - --- - -*`netflow.exported_octet_total_count`*:: -+ --- -type: long - --- - -*`netflow.exported_message_total_count`*:: -+ --- -type: long - --- - -*`netflow.exported_flow_record_total_count`*:: -+ --- -type: long - --- - -*`netflow.ipv4_router_sc`*:: -+ --- -type: ip - --- - -*`netflow.source_ipv4_prefix`*:: -+ --- -type: ip - --- - -*`netflow.destination_ipv4_prefix`*:: -+ --- -type: ip - --- - -*`netflow.mpls_top_label_type`*:: -+ --- -type: short - --- - -*`netflow.mpls_top_label_ipv4_address`*:: -+ --- -type: ip - --- - -*`netflow.sampler_id`*:: -+ --- -type: short - --- - -*`netflow.sampler_mode`*:: -+ --- -type: short - --- - -*`netflow.sampler_random_interval`*:: -+ --- -type: long - --- - -*`netflow.class_id`*:: -+ --- -type: short - --- - -*`netflow.minimum_ttl`*:: -+ --- -type: short - --- - -*`netflow.maximum_ttl`*:: -+ --- -type: short - --- - -*`netflow.fragment_identification`*:: -+ --- -type: long - --- - 
-*`netflow.post_ip_class_of_service`*:: -+ --- -type: short - --- - -*`netflow.source_mac_address`*:: -+ --- -type: keyword - --- - -*`netflow.post_destination_mac_address`*:: -+ --- -type: keyword - --- - -*`netflow.vlan_id`*:: -+ --- -type: integer - --- - -*`netflow.post_vlan_id`*:: -+ --- -type: integer - --- - -*`netflow.ip_version`*:: -+ --- -type: short - --- - -*`netflow.flow_direction`*:: -+ --- -type: short - --- - -*`netflow.ip_next_hop_ipv6_address`*:: -+ --- -type: ip - --- - -*`netflow.bgp_next_hop_ipv6_address`*:: -+ --- -type: ip - --- - -*`netflow.ipv6_extension_headers`*:: -+ --- -type: long - --- - -*`netflow.mpls_top_label_stack_section`*:: -+ --- -type: short - --- - -*`netflow.mpls_label_stack_section2`*:: -+ --- -type: short - --- - -*`netflow.mpls_label_stack_section3`*:: -+ --- -type: short - --- - -*`netflow.mpls_label_stack_section4`*:: -+ --- -type: short - --- - -*`netflow.mpls_label_stack_section5`*:: -+ --- -type: short - --- - -*`netflow.mpls_label_stack_section6`*:: -+ --- -type: short - --- - -*`netflow.mpls_label_stack_section7`*:: -+ --- -type: short - --- - -*`netflow.mpls_label_stack_section8`*:: -+ --- -type: short - --- - -*`netflow.mpls_label_stack_section9`*:: -+ --- -type: short - --- - -*`netflow.mpls_label_stack_section10`*:: -+ --- -type: short - --- - -*`netflow.destination_mac_address`*:: -+ --- -type: keyword - --- - -*`netflow.post_source_mac_address`*:: -+ --- -type: keyword - --- - -*`netflow.interface_name`*:: -+ --- -type: keyword - --- - -*`netflow.interface_description`*:: -+ --- -type: keyword - --- - -*`netflow.sampler_name`*:: -+ --- -type: keyword - --- - -*`netflow.octet_total_count`*:: -+ --- -type: long - --- - -*`netflow.packet_total_count`*:: -+ --- -type: long - --- - -*`netflow.flags_and_sampler_id`*:: -+ --- -type: long - --- - -*`netflow.fragment_offset`*:: -+ --- -type: integer - --- - -*`netflow.forwarding_status`*:: -+ --- -type: short - --- - -*`netflow.mpls_vpn_route_distinguisher`*:: -+ --- 
-type: short - --- - -*`netflow.mpls_top_label_prefix_length`*:: -+ --- -type: short - --- - -*`netflow.src_traffic_index`*:: -+ --- -type: long - --- - -*`netflow.dst_traffic_index`*:: -+ --- -type: long - --- - -*`netflow.application_description`*:: -+ --- -type: keyword - --- - -*`netflow.application_id`*:: -+ --- -type: short - --- - -*`netflow.application_name`*:: -+ --- -type: keyword - --- - -*`netflow.post_ip_diff_serv_code_point`*:: -+ --- -type: short - --- - -*`netflow.multicast_replication_factor`*:: -+ --- -type: long - --- - -*`netflow.class_name`*:: -+ --- -type: keyword - --- - -*`netflow.classification_engine_id`*:: -+ --- -type: short - --- - -*`netflow.layer2packet_section_offset`*:: -+ --- -type: integer - --- - -*`netflow.layer2packet_section_size`*:: -+ --- -type: integer - --- - -*`netflow.layer2packet_section_data`*:: -+ --- -type: short - --- - -*`netflow.bgp_next_adjacent_as_number`*:: -+ --- -type: long - --- - -*`netflow.bgp_prev_adjacent_as_number`*:: -+ --- -type: long - --- - -*`netflow.exporter_ipv4_address`*:: -+ --- -type: ip - --- - -*`netflow.exporter_ipv6_address`*:: -+ --- -type: ip - --- - -*`netflow.dropped_octet_delta_count`*:: -+ --- -type: long - --- - -*`netflow.dropped_packet_delta_count`*:: -+ --- -type: long - --- - -*`netflow.dropped_octet_total_count`*:: -+ --- -type: long - --- - -*`netflow.dropped_packet_total_count`*:: -+ --- -type: long - --- - -*`netflow.flow_end_reason`*:: -+ --- -type: short - --- - -*`netflow.common_properties_id`*:: -+ --- -type: long - --- - -*`netflow.observation_point_id`*:: -+ --- -type: long - --- - -*`netflow.icmp_type_code_ipv6`*:: -+ --- -type: integer - --- - -*`netflow.mpls_top_label_ipv6_address`*:: -+ --- -type: ip - --- - -*`netflow.line_card_id`*:: -+ --- -type: long - --- - -*`netflow.port_id`*:: -+ --- -type: long - --- - -*`netflow.metering_process_id`*:: -+ --- -type: long - --- - -*`netflow.exporting_process_id`*:: -+ --- -type: long - --- - -*`netflow.template_id`*:: -+ 
--- -type: integer - --- - -*`netflow.wlan_channel_id`*:: -+ --- -type: short - --- - -*`netflow.wlan_ssid`*:: -+ --- -type: keyword - --- - -*`netflow.flow_id`*:: -+ --- -type: long - --- - -*`netflow.observation_domain_id`*:: -+ --- -type: long - --- - -*`netflow.flow_start_seconds`*:: -+ --- -type: date - --- - -*`netflow.flow_end_seconds`*:: -+ --- -type: date - --- - -*`netflow.flow_start_milliseconds`*:: -+ --- -type: date - --- - -*`netflow.flow_end_milliseconds`*:: -+ --- -type: date - --- - -*`netflow.flow_start_microseconds`*:: -+ --- -type: date - --- - -*`netflow.flow_end_microseconds`*:: -+ --- -type: date - --- - -*`netflow.flow_start_nanoseconds`*:: -+ --- -type: date - --- - -*`netflow.flow_end_nanoseconds`*:: -+ --- -type: date - --- - -*`netflow.flow_start_delta_microseconds`*:: -+ --- -type: long - --- - -*`netflow.flow_end_delta_microseconds`*:: -+ --- -type: long - --- - -*`netflow.system_init_time_milliseconds`*:: -+ --- -type: date - --- - -*`netflow.flow_duration_milliseconds`*:: -+ --- -type: long - --- - -*`netflow.flow_duration_microseconds`*:: -+ --- -type: long - --- - -*`netflow.observed_flow_total_count`*:: -+ --- -type: long - --- - -*`netflow.ignored_packet_total_count`*:: -+ --- -type: long - --- - -*`netflow.ignored_octet_total_count`*:: -+ --- -type: long - --- - -*`netflow.not_sent_flow_total_count`*:: -+ --- -type: long - --- - -*`netflow.not_sent_packet_total_count`*:: -+ --- -type: long - --- - -*`netflow.not_sent_octet_total_count`*:: -+ --- -type: long - --- - -*`netflow.destination_ipv6_prefix`*:: -+ --- -type: ip - --- - -*`netflow.source_ipv6_prefix`*:: -+ --- -type: ip - --- - -*`netflow.post_octet_total_count`*:: -+ --- -type: long - --- - -*`netflow.post_packet_total_count`*:: -+ --- -type: long - --- - -*`netflow.flow_key_indicator`*:: -+ --- -type: long - --- - -*`netflow.post_mcast_packet_total_count`*:: -+ --- -type: long - --- - -*`netflow.post_mcast_octet_total_count`*:: -+ --- -type: long - --- - 
-*`netflow.icmp_type_ipv4`*:: -+ --- -type: short - --- - -*`netflow.icmp_code_ipv4`*:: -+ --- -type: short - --- - -*`netflow.icmp_type_ipv6`*:: -+ --- -type: short - --- - -*`netflow.icmp_code_ipv6`*:: -+ --- -type: short - --- - -*`netflow.udp_source_port`*:: -+ --- -type: integer - --- - -*`netflow.udp_destination_port`*:: -+ --- -type: integer - --- - -*`netflow.tcp_source_port`*:: -+ --- -type: integer - --- - -*`netflow.tcp_destination_port`*:: -+ --- -type: integer - --- - -*`netflow.tcp_sequence_number`*:: -+ --- -type: long - --- - -*`netflow.tcp_acknowledgement_number`*:: -+ --- -type: long - --- - -*`netflow.tcp_window_size`*:: -+ --- -type: integer - --- - -*`netflow.tcp_urgent_pointer`*:: -+ --- -type: integer - --- - -*`netflow.tcp_header_length`*:: -+ --- -type: short - --- - -*`netflow.ip_header_length`*:: -+ --- -type: short - --- - -*`netflow.total_length_ipv4`*:: -+ --- -type: integer - --- - -*`netflow.payload_length_ipv6`*:: -+ --- -type: integer - --- - -*`netflow.ip_ttl`*:: -+ --- -type: short - --- - -*`netflow.next_header_ipv6`*:: -+ --- -type: short - --- - -*`netflow.mpls_payload_length`*:: -+ --- -type: long - --- - -*`netflow.ip_diff_serv_code_point`*:: -+ --- -type: short - --- - -*`netflow.ip_precedence`*:: -+ --- -type: short - --- - -*`netflow.fragment_flags`*:: -+ --- -type: short - --- - -*`netflow.octet_delta_sum_of_squares`*:: -+ --- -type: long - --- - -*`netflow.octet_total_sum_of_squares`*:: -+ --- -type: long - --- - -*`netflow.mpls_top_label_ttl`*:: -+ --- -type: short - --- - -*`netflow.mpls_label_stack_length`*:: -+ --- -type: long - --- - -*`netflow.mpls_label_stack_depth`*:: -+ --- -type: long - --- - -*`netflow.mpls_top_label_exp`*:: -+ --- -type: short - --- - -*`netflow.ip_payload_length`*:: -+ --- -type: long - --- - -*`netflow.udp_message_length`*:: -+ --- -type: integer - --- - -*`netflow.is_multicast`*:: -+ --- -type: short - --- - -*`netflow.ipv4_ihl`*:: -+ --- -type: short - --- - -*`netflow.ipv4_options`*:: 
-+ --- -type: long - --- - -*`netflow.tcp_options`*:: -+ --- -type: long - --- - -*`netflow.padding_octets`*:: -+ --- -type: short - --- - -*`netflow.collector_ipv4_address`*:: -+ --- -type: ip - --- - -*`netflow.collector_ipv6_address`*:: -+ --- -type: ip - --- - -*`netflow.export_interface`*:: -+ --- -type: long - --- - -*`netflow.export_protocol_version`*:: -+ --- -type: short - --- - -*`netflow.export_transport_protocol`*:: -+ --- -type: short - --- - -*`netflow.collector_transport_port`*:: -+ --- -type: integer - --- - -*`netflow.exporter_transport_port`*:: -+ --- -type: integer - --- - -*`netflow.tcp_syn_total_count`*:: -+ --- -type: long - --- - -*`netflow.tcp_fin_total_count`*:: -+ --- -type: long - --- - -*`netflow.tcp_rst_total_count`*:: -+ --- -type: long - --- - -*`netflow.tcp_psh_total_count`*:: -+ --- -type: long - --- - -*`netflow.tcp_ack_total_count`*:: -+ --- -type: long - --- - -*`netflow.tcp_urg_total_count`*:: -+ --- -type: long - --- - -*`netflow.ip_total_length`*:: -+ --- -type: long - --- - -*`netflow.post_nast_ource_ipv4_address`*:: -+ --- -type: ip - --- - -*`netflow.post_nadt_estination_ipv4_address`*:: -+ --- -type: ip - --- - -*`netflow.post_napst_ource_transport_port`*:: -+ --- -type: integer - --- - -*`netflow.post_napdt_estination_transport_port`*:: -+ --- -type: integer - --- - -*`netflow.nat_originating_address_realm`*:: -+ --- -type: short - --- - -*`netflow.nat_event`*:: -+ --- -type: short - --- - -*`netflow.initiator_octets`*:: -+ --- -type: long - --- - -*`netflow.responder_octets`*:: -+ --- -type: long - --- - -*`netflow.firewall_event`*:: -+ --- -type: short - --- - -*`netflow.ingress_vrfid`*:: -+ --- -type: long - --- - -*`netflow.egress_vrfid`*:: -+ --- -type: long - --- - -*`netflow.vr_fname`*:: -+ --- -type: keyword - --- - -*`netflow.post_mpls_top_label_exp`*:: -+ --- -type: short - --- - -*`netflow.tcp_window_scale`*:: -+ --- -type: integer - --- - -*`netflow.biflow_direction`*:: -+ --- -type: short - --- - 
-*`netflow.ethernet_header_length`*:: -+ --- -type: short - --- - -*`netflow.ethernet_payload_length`*:: -+ --- -type: integer - --- - -*`netflow.ethernet_total_length`*:: -+ --- -type: integer - --- - -*`netflow.dot1q_vlan_id`*:: -+ --- -type: integer - --- - -*`netflow.dot1q_priority`*:: -+ --- -type: short - --- - -*`netflow.dot1q_customer_vlan_id`*:: -+ --- -type: integer - --- - -*`netflow.dot1q_customer_priority`*:: -+ --- -type: short - --- - -*`netflow.metro_evc_id`*:: -+ --- -type: keyword - --- - -*`netflow.metro_evc_type`*:: -+ --- -type: short - --- - -*`netflow.pseudo_wire_id`*:: -+ --- -type: long - --- - -*`netflow.pseudo_wire_type`*:: -+ --- -type: integer - --- - -*`netflow.pseudo_wire_control_word`*:: -+ --- -type: long - --- - -*`netflow.ingress_physical_interface`*:: -+ --- -type: long - --- - -*`netflow.egress_physical_interface`*:: -+ --- -type: long - --- - -*`netflow.post_dot1q_vlan_id`*:: -+ --- -type: integer - --- - -*`netflow.post_dot1q_customer_vlan_id`*:: -+ --- -type: integer - --- - -*`netflow.ethernet_type`*:: -+ --- -type: integer - --- - -*`netflow.post_ip_precedence`*:: -+ --- -type: short - --- - -*`netflow.collection_time_milliseconds`*:: -+ --- -type: date - --- - -*`netflow.export_sctp_stream_id`*:: -+ --- -type: integer - --- - -*`netflow.max_export_seconds`*:: -+ --- -type: date - --- - -*`netflow.max_flow_end_seconds`*:: -+ --- -type: date - --- - -*`netflow.message_md5_checksum`*:: -+ --- -type: short - --- - -*`netflow.message_scope`*:: -+ --- -type: short - --- - -*`netflow.min_export_seconds`*:: -+ --- -type: date - --- - -*`netflow.min_flow_start_seconds`*:: -+ --- -type: date - --- - -*`netflow.opaque_octets`*:: -+ --- -type: short - --- - -*`netflow.session_scope`*:: -+ --- -type: short - --- - -*`netflow.max_flow_end_microseconds`*:: -+ --- -type: date - --- - -*`netflow.max_flow_end_milliseconds`*:: -+ --- -type: date - --- - -*`netflow.max_flow_end_nanoseconds`*:: -+ --- -type: date - --- - 
-*`netflow.min_flow_start_microseconds`*:: -+ --- -type: date - --- - -*`netflow.min_flow_start_milliseconds`*:: -+ --- -type: date - --- - -*`netflow.min_flow_start_nanoseconds`*:: -+ --- -type: date - --- - -*`netflow.collector_certificate`*:: -+ --- -type: short - --- - -*`netflow.exporter_certificate`*:: -+ --- -type: short - --- - -*`netflow.data_records_reliability`*:: -+ --- -type: boolean - --- - -*`netflow.observation_point_type`*:: -+ --- -type: short - --- - -*`netflow.new_connection_delta_count`*:: -+ --- -type: long - --- - -*`netflow.connection_sum_duration_seconds`*:: -+ --- -type: long - --- - -*`netflow.connection_transaction_id`*:: -+ --- -type: long - --- - -*`netflow.post_nast_ource_ipv6_address`*:: -+ --- -type: ip - --- - -*`netflow.post_nadt_estination_ipv6_address`*:: -+ --- -type: ip - --- - -*`netflow.nat_pool_id`*:: -+ --- -type: long - --- - -*`netflow.nat_pool_name`*:: -+ --- -type: keyword - --- - -*`netflow.anonymization_flags`*:: -+ --- -type: integer - --- - -*`netflow.anonymization_technique`*:: -+ --- -type: integer - --- - -*`netflow.information_element_index`*:: -+ --- -type: integer - --- - -*`netflow.p2p_technology`*:: -+ --- -type: keyword - --- - -*`netflow.tunnel_technology`*:: -+ --- -type: keyword - --- - -*`netflow.encrypted_technology`*:: -+ --- -type: keyword - --- - -*`netflow.bgp_validity_state`*:: -+ --- -type: short - --- - -*`netflow.ip_sec_spi`*:: -+ --- -type: long - --- - -*`netflow.gre_key`*:: -+ --- -type: long - --- - -*`netflow.nat_type`*:: -+ --- -type: short - --- - -*`netflow.initiator_packets`*:: -+ --- -type: long - --- - -*`netflow.responder_packets`*:: -+ --- -type: long - --- - -*`netflow.observation_domain_name`*:: -+ --- -type: keyword - --- - -*`netflow.selection_sequence_id`*:: -+ --- -type: long - --- - -*`netflow.selector_id`*:: -+ --- -type: long - --- - -*`netflow.information_element_id`*:: -+ --- -type: integer - --- - -*`netflow.selector_algorithm`*:: -+ --- -type: integer - --- - 
-*`netflow.sampling_packet_interval`*:: -+ --- -type: long - --- - -*`netflow.sampling_packet_space`*:: -+ --- -type: long - --- - -*`netflow.sampling_time_interval`*:: -+ --- -type: long - --- - -*`netflow.sampling_time_space`*:: -+ --- -type: long - --- - -*`netflow.sampling_size`*:: -+ --- -type: long - --- - -*`netflow.sampling_population`*:: -+ --- -type: long - --- - -*`netflow.sampling_probability`*:: -+ --- -type: double - --- - -*`netflow.data_link_frame_size`*:: -+ --- -type: integer - --- - -*`netflow.ip_header_packet_section`*:: -+ --- -type: short - --- - -*`netflow.ip_payload_packet_section`*:: -+ --- -type: short - --- - -*`netflow.data_link_frame_section`*:: -+ --- -type: short - --- - -*`netflow.mpls_label_stack_section`*:: -+ --- -type: short - --- - -*`netflow.mpls_payload_packet_section`*:: -+ --- -type: short - --- - -*`netflow.selector_id_total_pkts_observed`*:: -+ --- -type: long - --- - -*`netflow.selector_id_total_pkts_selected`*:: -+ --- -type: long - --- - -*`netflow.absolute_error`*:: -+ --- -type: double - --- - -*`netflow.relative_error`*:: -+ --- -type: double - --- - -*`netflow.observation_time_seconds`*:: -+ --- -type: date - --- - -*`netflow.observation_time_milliseconds`*:: -+ --- -type: date - --- - -*`netflow.observation_time_microseconds`*:: -+ --- -type: date - --- - -*`netflow.observation_time_nanoseconds`*:: -+ --- -type: date - --- - -*`netflow.digest_hash_value`*:: -+ --- -type: long - --- - -*`netflow.hash_ipp_ayload_offset`*:: -+ --- -type: long - --- - -*`netflow.hash_ipp_ayload_size`*:: -+ --- -type: long - --- - -*`netflow.hash_output_range_min`*:: -+ --- -type: long - --- - -*`netflow.hash_output_range_max`*:: -+ --- -type: long - --- - -*`netflow.hash_selected_range_min`*:: -+ --- -type: long - --- - -*`netflow.hash_selected_range_max`*:: -+ --- -type: long - --- - -*`netflow.hash_digest_output`*:: -+ --- -type: boolean - --- - -*`netflow.hash_initialiser_value`*:: -+ --- -type: long - --- - 
-*`netflow.selector_name`*:: -+ --- -type: keyword - --- - -*`netflow.upper_cli_imit`*:: -+ --- -type: double - --- - -*`netflow.lower_cli_imit`*:: -+ --- -type: double - --- - -*`netflow.confidence_level`*:: -+ --- -type: double - --- - -*`netflow.information_element_data_type`*:: -+ --- -type: short - --- - -*`netflow.information_element_description`*:: -+ --- -type: keyword - --- - -*`netflow.information_element_name`*:: -+ --- -type: keyword - --- - -*`netflow.information_element_range_begin`*:: -+ --- -type: long - --- - -*`netflow.information_element_range_end`*:: -+ --- -type: long - --- - -*`netflow.information_element_semantics`*:: -+ --- -type: short - --- - -*`netflow.information_element_units`*:: -+ --- -type: integer - --- - -*`netflow.private_enterprise_number`*:: -+ --- -type: long - --- - -*`netflow.virtual_station_interface_id`*:: -+ --- -type: short - --- - -*`netflow.virtual_station_interface_name`*:: -+ --- -type: keyword - --- - -*`netflow.virtual_station_uuid`*:: -+ --- -type: short - --- - -*`netflow.virtual_station_name`*:: -+ --- -type: keyword - --- - -*`netflow.layer2_segment_id`*:: -+ --- -type: long - --- - -*`netflow.layer2_octet_delta_count`*:: -+ --- -type: long - --- - -*`netflow.layer2_octet_total_count`*:: -+ --- -type: long - --- - -*`netflow.ingress_unicast_packet_total_count`*:: -+ --- -type: long - --- - -*`netflow.ingress_multicast_packet_total_count`*:: -+ --- -type: long - --- - -*`netflow.ingress_broadcast_packet_total_count`*:: -+ --- -type: long - --- - -*`netflow.egress_unicast_packet_total_count`*:: -+ --- -type: long - --- - -*`netflow.egress_broadcast_packet_total_count`*:: -+ --- -type: long - --- - -*`netflow.monitoring_interval_start_milli_seconds`*:: -+ --- -type: date - --- - -*`netflow.monitoring_interval_end_milli_seconds`*:: -+ --- -type: date - --- - -*`netflow.port_range_start`*:: -+ --- -type: integer - --- - -*`netflow.port_range_end`*:: -+ --- -type: integer - --- - -*`netflow.port_range_step_size`*:: -+ 
--- -type: integer - --- - -*`netflow.port_range_num_ports`*:: -+ --- -type: integer - --- - -*`netflow.sta_mac_address`*:: -+ --- -type: keyword - --- - -*`netflow.sta_ipv4_address`*:: -+ --- -type: ip - --- - -*`netflow.wtp_mac_address`*:: -+ --- -type: keyword - --- - -*`netflow.ingress_interface_type`*:: -+ --- -type: long - --- - -*`netflow.egress_interface_type`*:: -+ --- -type: long - --- - -*`netflow.rtp_sequence_number`*:: -+ --- -type: integer - --- - -*`netflow.user_name`*:: -+ --- -type: keyword - --- - -*`netflow.application_category_name`*:: -+ --- -type: keyword - --- - -*`netflow.application_sub_category_name`*:: -+ --- -type: keyword - --- - -*`netflow.application_group_name`*:: -+ --- -type: keyword - --- - -*`netflow.original_flows_present`*:: -+ --- -type: long - --- - -*`netflow.original_flows_initiated`*:: -+ --- -type: long - --- - -*`netflow.original_flows_completed`*:: -+ --- -type: long - --- - -*`netflow.distinct_count_of_sourc_eipa_ddress`*:: -+ --- -type: long - --- - -*`netflow.distinct_count_of_destinatio_nipa_ddress`*:: -+ --- -type: long - --- - -*`netflow.distinct_count_of_source_ipv4_address`*:: -+ --- -type: long - --- - -*`netflow.distinct_count_of_destination_ipv4_address`*:: -+ --- -type: long - --- - -*`netflow.distinct_count_of_source_ipv6_address`*:: -+ --- -type: long - --- - -*`netflow.distinct_count_of_destination_ipv6_address`*:: -+ --- -type: long - --- - -*`netflow.value_distribution_method`*:: -+ --- -type: short - --- - -*`netflow.rfc3550_jitter_milliseconds`*:: -+ --- -type: long - --- - -*`netflow.rfc3550_jitter_microseconds`*:: -+ --- -type: long - --- - -*`netflow.rfc3550_jitter_nanoseconds`*:: -+ --- -type: long - --- - -*`netflow.dot1q_dei`*:: -+ --- -type: boolean - --- - -*`netflow.dot1q_customer_dei`*:: -+ --- -type: boolean - --- - -*`netflow.flow_selector_algorithm`*:: -+ --- -type: integer - --- - -*`netflow.flow_selected_octet_delta_count`*:: -+ --- -type: long - --- - 
-*`netflow.flow_selected_packet_delta_count`*:: -+ --- -type: long - --- - -*`netflow.flow_selected_flow_delta_count`*:: -+ --- -type: long - --- - -*`netflow.selector_itd_otal_flows_observed`*:: -+ --- -type: long - --- - -*`netflow.selector_itd_otal_flows_selected`*:: -+ --- -type: long - --- - -*`netflow.sampling_flow_interval`*:: -+ --- -type: long - --- - -*`netflow.sampling_flow_spacing`*:: -+ --- -type: long - --- - -*`netflow.flow_sampling_time_interval`*:: -+ --- -type: long - --- - -*`netflow.flow_sampling_time_spacing`*:: -+ --- -type: long - --- - -*`netflow.hash_flow_domain`*:: -+ --- -type: integer - --- - -*`netflow.transport_octet_delta_count`*:: -+ --- -type: long - --- - -*`netflow.transport_packet_delta_count`*:: -+ --- -type: long - --- - -*`netflow.original_exporter_ipv4_address`*:: -+ --- -type: ip - --- - -*`netflow.original_exporter_ipv6_address`*:: -+ --- -type: ip - --- - -*`netflow.original_observation_domain_id`*:: -+ --- -type: long - --- - -*`netflow.intermediate_process_id`*:: -+ --- -type: long - --- - -*`netflow.ignored_data_record_total_count`*:: -+ --- -type: long - --- - -*`netflow.data_link_frame_type`*:: -+ --- -type: integer - --- - -*`netflow.section_offset`*:: -+ --- -type: integer - --- - -*`netflow.section_exported_octets`*:: -+ --- -type: integer - --- - -*`netflow.dot1q_service_instance_tag`*:: -+ --- -type: short - --- - -*`netflow.dot1q_service_instance_id`*:: -+ --- -type: long - --- - -*`netflow.dot1q_service_instance_priority`*:: -+ --- -type: short - --- - -*`netflow.dot1q_customer_source_mac_address`*:: -+ --- -type: keyword - --- - -*`netflow.dot1q_customer_destination_mac_address`*:: -+ --- -type: keyword - --- - -*`netflow.post_layer2_octet_delta_count`*:: -+ --- -type: long - --- - -*`netflow.post_mcast_layer2_octet_delta_count`*:: -+ --- -type: long - --- - -*`netflow.post_layer2_octet_total_count`*:: -+ --- -type: long - --- - -*`netflow.post_mcast_layer2_octet_total_count`*:: -+ --- -type: long - --- - 
-*`netflow.minimum_layer2_total_length`*:: -+ --- -type: long - --- - -*`netflow.maximum_layer2_total_length`*:: -+ --- -type: long - --- - -*`netflow.dropped_layer2_octet_delta_count`*:: -+ --- -type: long - --- - -*`netflow.dropped_layer2_octet_total_count`*:: -+ --- -type: long - --- - -*`netflow.ignored_layer2_octet_total_count`*:: -+ --- -type: long - --- - -*`netflow.not_sent_layer2_octet_total_count`*:: -+ --- -type: long - --- - -*`netflow.layer2_octet_delta_sum_of_squares`*:: -+ --- -type: long - --- - -*`netflow.layer2_octet_total_sum_of_squares`*:: -+ --- -type: long - --- - -*`netflow.layer2_frame_delta_count`*:: -+ --- -type: long - --- - -*`netflow.layer2_frame_total_count`*:: -+ --- -type: long - --- - -*`netflow.pseudo_wire_destination_ipv4_address`*:: -+ --- -type: ip - --- - -*`netflow.ignored_layer2_frame_total_count`*:: -+ --- -type: long - --- - -*`netflow.mib_object_value_integer`*:: -+ --- -type: integer - --- - -*`netflow.mib_object_value_octet_string`*:: -+ --- -type: short - --- - -*`netflow.mib_object_value_oid`*:: -+ --- -type: short - --- - -*`netflow.mib_object_value_bits`*:: -+ --- -type: short - --- - -*`netflow.mib_object_valuei_pa_ddress`*:: -+ --- -type: ip - --- - -*`netflow.mib_object_value_counter`*:: -+ --- -type: long - --- - -*`netflow.mib_object_value_gauge`*:: -+ --- -type: long - --- - -*`netflow.mib_object_value_time_ticks`*:: -+ --- -type: long - --- - -*`netflow.mib_object_value_unsigned`*:: -+ --- -type: long - --- - -*`netflow.mib_object_identifier`*:: -+ --- -type: short - --- - -*`netflow.mib_sub_identifier`*:: -+ --- -type: long - --- - -*`netflow.mib_index_indicator`*:: -+ --- -type: long - --- - -*`netflow.mib_capture_time_semantics`*:: -+ --- -type: short - --- - -*`netflow.mib_context_engine_id`*:: -+ --- -type: short - --- - -*`netflow.mib_context_name`*:: -+ --- -type: keyword - --- - -*`netflow.mib_object_name`*:: -+ --- -type: keyword - --- - -*`netflow.mib_object_description`*:: -+ --- -type: keyword - 
--- - -*`netflow.mib_object_syntax`*:: -+ --- -type: keyword - --- - -*`netflow.mib_module_name`*:: -+ --- -type: keyword - --- - -*`netflow.mobile_imsi`*:: -+ --- -type: keyword - --- - -*`netflow.mobile_msisdn`*:: -+ --- -type: keyword - --- - -*`netflow.http_status_code`*:: -+ --- -type: integer - --- - -*`netflow.source_transport_ports_limit`*:: -+ --- -type: integer - --- - -*`netflow.http_request_method`*:: -+ --- -type: keyword - --- - -*`netflow.http_request_host`*:: -+ --- -type: keyword - --- - -*`netflow.http_request_target`*:: -+ --- -type: keyword - --- - -*`netflow.http_message_version`*:: -+ --- -type: keyword - --- - -*`netflow.nat_instance_id`*:: -+ --- -type: long - --- - -*`netflow.internal_address_realm`*:: -+ --- -type: short - --- - -*`netflow.external_address_realm`*:: -+ --- -type: short - --- - -*`netflow.nat_quota_exceeded_event`*:: -+ --- -type: long - --- - -*`netflow.nat_threshold_event`*:: -+ --- -type: long - --- - -*`netflow.http_user_agent`*:: -+ --- -type: keyword - --- - -*`netflow.http_content_type`*:: -+ --- -type: keyword - --- - -*`netflow.http_reason_phrase`*:: -+ --- -type: keyword - --- - -*`netflow.max_session_entries`*:: -+ --- -type: long - --- - -*`netflow.max_bieb_ntries`*:: -+ --- -type: long - --- - -*`netflow.max_entries_per_user`*:: -+ --- -type: long - --- - -*`netflow.max_subscribers`*:: -+ --- -type: long - --- - -*`netflow.max_fragments_pending_reassembly`*:: -+ --- -type: long - --- - -*`netflow.address_pool_high_threshold`*:: -+ --- -type: long - --- - -*`netflow.address_pool_low_threshold`*:: -+ --- -type: long - --- - -*`netflow.address_port_mapping_high_threshold`*:: -+ --- -type: long - --- - -*`netflow.address_port_mapping_low_threshold`*:: -+ --- -type: long - --- - -*`netflow.address_port_mapping_per_user_high_threshold`*:: -+ --- -type: long - --- - -*`netflow.global_address_mapping_high_threshold`*:: -+ --- -type: long - --- - -*`netflow.vpn_identifier`*:: -+ --- -type: short - --- - 
-[[exported-fields-nginx]] -== Nginx fields - -Module for parsing the Nginx log files. - - - -[float] -== nginx fields - -Fields from the Nginx log files. - - - -[float] -== access fields - -Contains fields for the Nginx access logs. - - - -*`nginx.access.remote_ip_list`*:: -+ --- -type: array - -An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`. - - --- - -*`nginx.access.body_sent.bytes`*:: -+ --- -type: alias - -alias to: http.response.body.bytes - --- - -*`nginx.access.remote_ip`*:: -+ --- -type: alias - -alias to: source.address - --- - -*`nginx.access.user_name`*:: -+ --- -type: alias - -alias to: user.name - --- - -*`nginx.access.method`*:: -+ --- -type: alias - -alias to: http.request.method - --- - -*`nginx.access.url`*:: -+ --- -type: alias - -alias to: url.original - --- - -*`nginx.access.http_version`*:: -+ --- -type: alias - -alias to: http.version - --- - -*`nginx.access.response_code`*:: -+ --- -type: alias - -alias to: http.response.status_code - --- - -*`nginx.access.referrer`*:: -+ --- -type: alias - -alias to: http.request.referrer - --- - -*`nginx.access.agent`*:: -+ --- -type: alias - -alias to: user_agent.original - --- - - -*`nginx.access.user_agent.device`*:: -+ --- -type: alias - -alias to: user_agent.device.name - --- - -*`nginx.access.user_agent.name`*:: -+ --- -type: alias - -alias to: user_agent.name - --- - -*`nginx.access.user_agent.os`*:: -+ --- -type: alias - -alias to: user_agent.os.full_name - --- - -*`nginx.access.user_agent.os_name`*:: -+ --- -type: alias - -alias to: user_agent.os.name - --- - -*`nginx.access.user_agent.original`*:: -+ --- -type: alias - -alias to: user_agent.original - --- - - -*`nginx.access.geoip.continent_name`*:: -+ --- -type: alias - -alias to: source.geo.continent_name - --- - -*`nginx.access.geoip.country_iso_code`*:: -+ --- -type: alias - -alias to: 
source.geo.country_iso_code - --- - -*`nginx.access.geoip.location`*:: -+ --- -type: alias - -alias to: source.geo.location - --- - -*`nginx.access.geoip.region_name`*:: -+ --- -type: alias - -alias to: source.geo.region_name - --- - -*`nginx.access.geoip.city_name`*:: -+ --- -type: alias - -alias to: source.geo.city_name - --- - -*`nginx.access.geoip.region_iso_code`*:: -+ --- -type: alias - -alias to: source.geo.region_iso_code - --- - -[float] -== error fields - -Contains fields for the Nginx error logs. - - - -*`nginx.error.connection_id`*:: -+ --- -type: long - -Connection identifier. - - --- - -*`nginx.error.level`*:: -+ --- -type: alias - -alias to: log.level - --- - -*`nginx.error.pid`*:: -+ --- -type: alias - -alias to: process.pid - --- - -*`nginx.error.tid`*:: -+ --- -type: alias - -alias to: process.thread.id - --- - -*`nginx.error.message`*:: -+ --- -type: alias - -alias to: message - --- - -[[exported-fields-osquery]] -== Osquery fields - -Fields exported by the `osquery` module - - - -[float] -== osquery fields - - - - -[float] -== result fields - -Common fields exported by the result metricset. - - - -*`osquery.result.name`*:: -+ --- -type: keyword - -The name of the query that generated this event. - - --- - -*`osquery.result.action`*:: -+ --- -type: keyword - -For incremental data, marks whether the entry was added or removed. It can be one of "added", "removed", or "snapshot". - - --- - -*`osquery.result.host_identifier`*:: -+ --- -type: keyword - -The identifier for the host on which the osquery agent is running. Normally the hostname. - - --- - -*`osquery.result.unix_time`*:: -+ --- -type: long - -Unix timestamp of the event, in seconds since the epoch. Used for computing the `@timestamp` column. - - --- - -*`osquery.result.calendar_time`*:: -+ --- -String representation of the collection time, as formatted by osquery. - - --- - -[[exported-fields-postgresql]] -== PostgreSQL fields - -Module for parsing the PostgreSQL log files. 
- - - -[float] -== postgresql fields - -Fields from PostgreSQL logs. - - - -[float] -== log fields - -Fields from the PostgreSQL log files. - - - -*`postgresql.log.timestamp`*:: -+ --- -The timestamp from the log line. - - --- - -*`postgresql.log.core_id`*:: -+ --- -type: long - -Core id - - --- - -*`postgresql.log.database`*:: -+ --- -example: mydb - -Name of database - --- - -*`postgresql.log.query`*:: -+ --- -example: SELECT * FROM users; - -Query statement. - --- - -*`postgresql.log.timezone`*:: -+ --- -type: alias - -alias to: event.timezone - --- - -*`postgresql.log.thread_id`*:: -+ --- -type: alias - -alias to: process.pid - --- - -*`postgresql.log.user`*:: -+ --- -type: alias - -alias to: user.name - --- - -*`postgresql.log.level`*:: -+ --- -type: alias - -alias to: log.level - --- - -*`postgresql.log.message`*:: -+ --- -type: alias - -alias to: message - --- - -[[exported-fields-process]] -== Process fields - -Process metadata fields - - - - -*`process.exe`*:: -+ --- -type: alias - -alias to: process.executable - --- - -[[exported-fields-redis]] -== Redis fields - -Redis Module - - - -[float] -== redis fields - - - - -[float] -== log fields - -Redis log files - - - -*`redis.log.role`*:: -+ --- -type: keyword - -The role of the Redis instance. Can be one of `master`, `slave`, `child` (for RDF/AOF writing child), or `sentinel`. - - --- - -*`redis.log.pid`*:: -+ --- -type: alias - -alias to: process.pid - --- - -*`redis.log.level`*:: -+ --- -type: alias - -alias to: log.level - --- - -*`redis.log.message`*:: -+ --- -type: alias - -alias to: message - --- - -[float] -== slowlog fields - -Slow logs are retrieved from Redis via a network connection. - - - -*`redis.slowlog.cmd`*:: -+ --- -type: keyword - -The command executed. - - --- - -*`redis.slowlog.duration.us`*:: -+ --- -type: long - -How long it took to execute the command in microseconds. - - --- - -*`redis.slowlog.id`*:: -+ --- -type: long - -The ID of the query. 
- - --- - -*`redis.slowlog.key`*:: -+ --- -type: keyword - -The key on which the command was executed. - - --- - -*`redis.slowlog.args`*:: -+ --- -type: keyword - -The arguments with which the command was called. - - --- - -[[exported-fields-santa]] -== Google Santa fields - -Santa Module - - - -[float] -== santa fields - - - - -*`santa.action`*:: -+ --- -type: keyword - -example: EXEC - -Action - --- - -*`santa.decision`*:: -+ --- -type: keyword - -example: ALLOW - -Decision that santad took. - --- - -*`santa.reason`*:: -+ --- -type: keyword - -example: CERT - -Reason for the decsision. - --- - -*`santa.mode`*:: -+ --- -type: keyword - -example: M - -Operating mode of Santa. - --- - -[float] -== disk fields - -Fields for DISKAPPEAR actions. - - -*`santa.disk.volume`*:: -+ --- -The volume name. - --- - -*`santa.disk.bus`*:: -+ --- -The disk bus protocol. - --- - -*`santa.disk.serial`*:: -+ --- -The disk serial number. - --- - -*`santa.disk.bsdname`*:: -+ --- -example: disk1s3 - -The disk BSD name. - --- - -*`santa.disk.model`*:: -+ --- -example: APPLE SSD SM0512L - -The disk model. - --- - -*`santa.disk.fs`*:: -+ --- -example: apfs - -The disk volume kind (filesystem type). - --- - -*`santa.disk.mount`*:: -+ --- -The disk volume path. - --- - -*`certificate.common_name`*:: -+ --- -type: keyword - -Common name from code signing certificate. - --- - -*`certificate.sha256`*:: -+ --- -type: keyword - -SHA256 hash of code signing certificate. - --- - -*`hash.sha256`*:: -+ --- -type: keyword - -Hash of process executable. - --- - -[[exported-fields-suricata]] -== Suricata fields - -Module for handling the EVE JSON logs produced by Suricata. - - - -[float] -== suricata fields - -Fields from the Suricata EVE log file. 
- - - -[float] -== eve fields - -Fields exported by the EVE JSON logs - - - -*`suricata.eve.event_type`*:: -+ --- -type: keyword - --- - -*`suricata.eve.app_proto_orig`*:: -+ --- -type: keyword - --- - - -*`suricata.eve.tcp.tcp_flags`*:: -+ --- -type: keyword - --- - -*`suricata.eve.tcp.psh`*:: -+ --- -type: boolean - --- - -*`suricata.eve.tcp.tcp_flags_tc`*:: -+ --- -type: keyword - --- - -*`suricata.eve.tcp.ack`*:: -+ --- -type: boolean - --- - -*`suricata.eve.tcp.syn`*:: -+ --- -type: boolean - --- - -*`suricata.eve.tcp.state`*:: -+ --- -type: keyword - --- - -*`suricata.eve.tcp.tcp_flags_ts`*:: -+ --- -type: keyword - --- - -*`suricata.eve.tcp.rst`*:: -+ --- -type: boolean - --- - -*`suricata.eve.tcp.fin`*:: -+ --- -type: boolean - --- - - -*`suricata.eve.fileinfo.sha1`*:: -+ --- -type: keyword - --- - -*`suricata.eve.fileinfo.filename`*:: -+ --- -type: alias - -alias to: file.path - --- - -*`suricata.eve.fileinfo.tx_id`*:: -+ --- -type: long - --- - -*`suricata.eve.fileinfo.state`*:: -+ --- -type: keyword - --- - -*`suricata.eve.fileinfo.stored`*:: -+ --- -type: boolean - --- - -*`suricata.eve.fileinfo.gaps`*:: -+ --- -type: boolean - --- - -*`suricata.eve.fileinfo.sha256`*:: -+ --- -type: keyword - --- - -*`suricata.eve.fileinfo.md5`*:: -+ --- -type: keyword - --- - -*`suricata.eve.fileinfo.size`*:: -+ --- -type: alias - -alias to: file.size - --- - -*`suricata.eve.icmp_type`*:: -+ --- -type: long - --- - -*`suricata.eve.dest_port`*:: -+ --- -type: alias - -alias to: destination.port - --- - -*`suricata.eve.src_port`*:: -+ --- -type: alias - -alias to: source.port - --- - -*`suricata.eve.proto`*:: -+ --- -type: alias - -alias to: network.transport - --- - -*`suricata.eve.pcap_cnt`*:: -+ --- -type: long - --- - -*`suricata.eve.src_ip`*:: -+ --- -type: alias - -alias to: source.ip - --- - - -*`suricata.eve.dns.type`*:: -+ --- -type: keyword - --- - -*`suricata.eve.dns.rrtype`*:: -+ --- -type: keyword - --- - -*`suricata.eve.dns.rrname`*:: -+ --- -type: keyword 
- --- - -*`suricata.eve.dns.rdata`*:: -+ --- -type: keyword - --- - -*`suricata.eve.dns.tx_id`*:: -+ --- -type: long - --- - -*`suricata.eve.dns.ttl`*:: -+ --- -type: long - --- - -*`suricata.eve.dns.rcode`*:: -+ --- -type: keyword - --- - -*`suricata.eve.dns.id`*:: -+ --- -type: long - --- - -*`suricata.eve.flow_id`*:: -+ --- -type: keyword - --- - - -*`suricata.eve.email.status`*:: -+ --- -type: keyword - --- - -*`suricata.eve.dest_ip`*:: -+ --- -type: alias - -alias to: destination.ip - --- - -*`suricata.eve.icmp_code`*:: -+ --- -type: long - --- - - -*`suricata.eve.http.status`*:: -+ --- -type: alias - -alias to: http.response.status_code - --- - -*`suricata.eve.http.redirect`*:: -+ --- -type: keyword - --- - -*`suricata.eve.http.http_user_agent`*:: -+ --- -type: alias - -alias to: user_agent.original - --- - -*`suricata.eve.http.protocol`*:: -+ --- -type: keyword - --- - -*`suricata.eve.http.http_refer`*:: -+ --- -type: alias - -alias to: http.request.referrer - --- - -*`suricata.eve.http.url`*:: -+ --- -type: alias - -alias to: url.original - --- - -*`suricata.eve.http.hostname`*:: -+ --- -type: alias - -alias to: url.domain - --- - -*`suricata.eve.http.length`*:: -+ --- -type: alias - -alias to: http.response.body.bytes - --- - -*`suricata.eve.http.http_method`*:: -+ --- -type: alias - -alias to: http.request.method - --- - -*`suricata.eve.http.http_content_type`*:: -+ --- -type: keyword - --- - -*`suricata.eve.timestamp`*:: -+ --- -type: alias - -alias to: @timestamp - --- - -*`suricata.eve.in_iface`*:: -+ --- -type: keyword - --- - - -*`suricata.eve.alert.category`*:: -+ --- -type: keyword - --- - -*`suricata.eve.alert.severity`*:: -+ --- -type: alias - -alias to: event.severity - --- - -*`suricata.eve.alert.rev`*:: -+ --- -type: long - --- - -*`suricata.eve.alert.gid`*:: -+ --- -type: long - --- - -*`suricata.eve.alert.signature`*:: -+ --- -type: keyword - --- - -*`suricata.eve.alert.action`*:: -+ --- -type: alias - -alias to: event.outcome - --- - 
-*`suricata.eve.alert.signature_id`*:: -+ --- -type: long - --- - - - -*`suricata.eve.ssh.client.proto_version`*:: -+ --- -type: keyword - --- - -*`suricata.eve.ssh.client.software_version`*:: -+ --- -type: keyword - --- - - -*`suricata.eve.ssh.server.proto_version`*:: -+ --- -type: keyword - --- - -*`suricata.eve.ssh.server.software_version`*:: -+ --- -type: keyword - --- - - - -*`suricata.eve.stats.capture.kernel_packets`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.capture.kernel_drops`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.capture.kernel_ifdrops`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.uptime`*:: -+ --- -type: long - --- - - -*`suricata.eve.stats.detect.alert`*:: -+ --- -type: long - --- - - -*`suricata.eve.stats.http.memcap`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.http.memuse`*:: -+ --- -type: long - --- - - -*`suricata.eve.stats.file_store.open_files`*:: -+ --- -type: long - --- - - -*`suricata.eve.stats.defrag.max_frag_hits`*:: -+ --- -type: long - --- - - -*`suricata.eve.stats.defrag.ipv4.timeouts`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.defrag.ipv4.fragments`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.defrag.ipv4.reassembled`*:: -+ --- -type: long - --- - - -*`suricata.eve.stats.defrag.ipv6.timeouts`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.defrag.ipv6.fragments`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.defrag.ipv6.reassembled`*:: -+ --- -type: long - --- - - -*`suricata.eve.stats.flow.tcp_reuse`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.flow.udp`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.flow.memcap`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.flow.emerg_mode_entered`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.flow.emerg_mode_over`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.flow.tcp`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.flow.icmpv6`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.flow.icmpv4`*:: -+ --- 
-type: long - --- - -*`suricata.eve.stats.flow.spare`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.flow.memuse`*:: -+ --- -type: long - --- - - -*`suricata.eve.stats.tcp.pseudo_failed`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.tcp.ssn_memcap_drop`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.tcp.insert_data_overlap_fail`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.tcp.sessions`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.tcp.pseudo`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.tcp.synack`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.tcp.insert_data_normal_fail`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.tcp.syn`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.tcp.memuse`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.tcp.invalid_checksum`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.tcp.segment_memcap_drop`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.tcp.overlap`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.tcp.insert_list_fail`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.tcp.rst`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.tcp.stream_depth_reached`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.tcp.reassembly_memuse`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.tcp.reassembly_gap`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.tcp.overlap_diff_data`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.tcp.no_flow`*:: -+ --- -type: long - --- - - -*`suricata.eve.stats.decoder.avg_pkt_size`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.bytes`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.tcp`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.raw`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.ppp`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.vlan_qinq`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.null`*:: -+ --- -type: long - --- - - 
-*`suricata.eve.stats.decoder.ltnull.unsupported_type`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.ltnull.pkt_too_small`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.invalid`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.gre`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.ipv4`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.ipv6`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.pkts`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.ipv6_in_ipv6`*:: -+ --- -type: long - --- - - -*`suricata.eve.stats.decoder.ipraw.invalid_ip_version`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.pppoe`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.udp`*:: -+ --- -type: long - --- - - -*`suricata.eve.stats.decoder.dce.pkt_too_small`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.vlan`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.sctp`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.max_pkt_size`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.teredo`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.mpls`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.sll`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.icmpv6`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.icmpv4`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.erspan`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.ethernet`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.ipv4_in_ipv6`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.decoder.ieee8021ah`*:: -+ --- -type: long - --- - - -*`suricata.eve.stats.dns.memcap_global`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.dns.memcap_state`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.dns.memuse`*:: -+ --- -type: long - --- - - -*`suricata.eve.stats.flow_mgr.rows_busy`*:: -+ --- -type: long - --- - 
-*`suricata.eve.stats.flow_mgr.flows_timeout`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.flow_mgr.flows_notimeout`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.flow_mgr.rows_skipped`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.flow_mgr.closed_pruned`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.flow_mgr.new_pruned`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.flow_mgr.flows_removed`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.flow_mgr.bypassed_pruned`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.flow_mgr.est_pruned`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.flow_mgr.flows_timeout_inuse`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.flow_mgr.flows_checked`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.flow_mgr.rows_maxlen`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.flow_mgr.rows_checked`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.flow_mgr.rows_empty`*:: -+ --- -type: long - --- - - - -*`suricata.eve.stats.app_layer.flow.tls`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.app_layer.flow.ftp`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.app_layer.flow.http`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.app_layer.flow.failed_udp`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.app_layer.flow.dns_udp`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.app_layer.flow.dns_tcp`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.app_layer.flow.smtp`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.app_layer.flow.failed_tcp`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.app_layer.flow.msn`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.app_layer.flow.ssh`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.app_layer.flow.imap`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.app_layer.flow.dcerpc_udp`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.app_layer.flow.dcerpc_tcp`*:: -+ --- -type: long - --- - 
-*`suricata.eve.stats.app_layer.flow.smb`*:: -+ --- -type: long - --- - - -*`suricata.eve.stats.app_layer.tx.tls`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.app_layer.tx.ftp`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.app_layer.tx.http`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.app_layer.tx.dns_udp`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.app_layer.tx.dns_tcp`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.app_layer.tx.smtp`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.app_layer.tx.ssh`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.app_layer.tx.dcerpc_udp`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.app_layer.tx.dcerpc_tcp`*:: -+ --- -type: long - --- - -*`suricata.eve.stats.app_layer.tx.smb`*:: -+ --- -type: long - --- - - -*`suricata.eve.tls.notbefore`*:: -+ --- -type: date - --- - -*`suricata.eve.tls.issuerdn`*:: -+ --- -type: keyword - --- - -*`suricata.eve.tls.sni`*:: -+ --- -type: keyword - --- - -*`suricata.eve.tls.version`*:: -+ --- -type: keyword - --- - -*`suricata.eve.tls.session_resumed`*:: -+ --- -type: boolean - --- - -*`suricata.eve.tls.fingerprint`*:: -+ --- -type: keyword - --- - -*`suricata.eve.tls.serial`*:: -+ --- -type: keyword - --- - -*`suricata.eve.tls.notafter`*:: -+ --- -type: date - --- - -*`suricata.eve.tls.subject`*:: -+ --- -type: keyword - --- - -*`suricata.eve.app_proto_ts`*:: -+ --- -type: keyword - --- - - -*`suricata.eve.flow.bytes_toclient`*:: -+ --- -type: alias - -alias to: destination.bytes - --- - -*`suricata.eve.flow.start`*:: -+ --- -type: alias - -alias to: event.start - --- - -*`suricata.eve.flow.pkts_toclient`*:: -+ --- -type: alias - -alias to: destination.packets - --- - -*`suricata.eve.flow.age`*:: -+ --- -type: long - --- - -*`suricata.eve.flow.state`*:: -+ --- -type: keyword - --- - -*`suricata.eve.flow.bytes_toserver`*:: -+ --- -type: alias - -alias to: source.bytes - --- - -*`suricata.eve.flow.reason`*:: -+ --- -type: keyword - --- - 
-*`suricata.eve.flow.pkts_toserver`*:: -+ --- -type: alias - -alias to: source.packets - --- - -*`suricata.eve.flow.end`*:: -+ --- -type: date - --- - -*`suricata.eve.flow.alerted`*:: -+ --- -type: boolean - --- - -*`suricata.eve.app_proto`*:: -+ --- -type: alias - -alias to: network.protocol - --- - -*`suricata.eve.tx_id`*:: -+ --- -type: long - --- - -*`suricata.eve.app_proto_tc`*:: -+ --- -type: keyword - --- - - -*`suricata.eve.smtp.rcpt_to`*:: -+ --- -type: keyword - --- - -*`suricata.eve.smtp.mail_from`*:: -+ --- -type: keyword - --- - -*`suricata.eve.smtp.helo`*:: -+ --- -type: keyword - --- - -*`suricata.eve.app_proto_expected`*:: -+ --- -type: keyword - --- - -[[exported-fields-system]] -== System fields - -Module for parsing system log files. - - - -[float] -== system fields - -Fields from the system log files. - - - -[float] -== auth fields - -Fields from the Linux authorization logs. - - - -*`system.auth.timestamp`*:: -+ --- -type: alias - -alias to: @timestamp - --- - -*`system.auth.hostname`*:: -+ --- -type: alias - -alias to: host.hostname - --- - -*`system.auth.program`*:: -+ --- -type: alias - -alias to: process.name - --- - -*`system.auth.pid`*:: -+ --- -type: alias - -alias to: process.pid - --- - -*`system.auth.message`*:: -+ --- -type: alias - -alias to: message - --- - -*`system.auth.user`*:: -+ --- -type: alias - -alias to: user.name - --- - - -*`system.auth.ssh.method`*:: -+ --- -The SSH authentication method. Can be one of "password" or "publickey". - - --- - -*`system.auth.ssh.signature`*:: -+ --- -The signature of the client public key. - - --- - -*`system.auth.ssh.dropped_ip`*:: -+ --- -type: ip - -The client IP from SSH connections that are open and immediately dropped. - - --- - -*`system.auth.ssh.event`*:: -+ --- -example: Accepted - -The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) - - --- - -*`system.auth.ssh.ip`*:: -+ --- -type: alias ->>>>>>> 99e4fbe40... [7.1][DOCS] Backport: Fix asciidoctor build (#13460) -- 
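Review bot: the removed block ends with an unresolved merge-conflict marker (`->>>>>>> 99e4fbe40... [7.1][DOCS] Backport: Fix asciidoctor build (#13460)`), so the pre-image file shipped with a conflict still in it; before merging, confirm that the surviving copy of these module fields (netflow, nginx, osquery, postgresql, process, redis, santa, suricata, system) is complete, because the deleted copy is cut off mid-entry at `*`system.auth.ssh.ip`*::` with a `type: alias` line and no `alias to:` line. If the retained copy was produced by the same generator, also check the names its camel-case splitter mangled here (`netflow.upper_cli_imit`, `netflow.lower_cli_imit`, `netflow.distinct_count_of_sourc_eipa_ddress`, `netflow.mib_object_valuei_pa_ddress`, `netflow.max_bieb_ntries`, `netflow.selector_itd_otal_flows_observed`) and the typo `decsision` under `santa.reason`; removing this duplicate block does not fix them if they reappear verbatim in the kept copy.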
diff --git a/heartbeat/docs/fields.asciidoc b/heartbeat/docs/fields.asciidoc index ceaf8d43087..385df837416 100644 --- a/heartbeat/docs/fields.asciidoc +++ b/heartbeat/docs/fields.asciidoc @@ -625,6 +625,8 @@ type: text Service url used by monitor. +-- + *`http.url.raw`*:: + -- @@ -633,8 +635,6 @@ type: keyword The service url used by monitor. This is a non-analyzed field that is useful for aggregations. --- - -- [float] From 9c32dc6cf331e1fb8ea7c8a7c3cf1fa462a0ef32 Mon Sep 17 00:00:00 2001 From: DeDe Morton Date: Wed, 4 Sep 2019 17:06:44 -0700 Subject: [PATCH 3/6] Fix code formatting --- packetbeat/docs/packetbeat-filtering.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packetbeat/docs/packetbeat-filtering.asciidoc b/packetbeat/docs/packetbeat-filtering.asciidoc index c4a65ec7f06..df1087e3b54 100644 --- a/packetbeat/docs/packetbeat-filtering.asciidoc +++ b/packetbeat/docs/packetbeat-filtering.asciidoc @@ -50,7 +50,7 @@ processors: when: equals: http.response.code: 200 ------------ +---- If you don't want to export raw data for the successful transactions: From 3f664d8fde5e587167c6ceac558d01c8d8b40e0a Mon Sep 17 00:00:00 2001 From: DeDe Morton Date: Wed, 4 Sep 2019 17:08:51 -0700 Subject: [PATCH 4/6] Remove attributes not used in this branch --- filebeat/docs/index.asciidoc | 2 -- journalbeat/docs/index.asciidoc | 2 -- winlogbeat/docs/index.asciidoc | 1 - 3 files changed, 5 deletions(-) diff --git a/filebeat/docs/index.asciidoc b/filebeat/docs/index.asciidoc index 3ecf681b06b..a544d201a6b 100644 --- a/filebeat/docs/index.asciidoc +++ b/filebeat/docs/index.asciidoc @@ -18,8 +18,6 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[] :has_solutions: :ignores_max_retries: :has_docker_label_ex: -:has_decode_csv_fields_processor: -:has_script_processor: :has_modules_command: :has_registry: :deb_os: diff --git a/journalbeat/docs/index.asciidoc b/journalbeat/docs/index.asciidoc index 1a56e4913f3..c8967c01664 100644 
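Review bot: the delimiter fix in the two `heartbeat/docs/fields.asciidoc` hunks has the right shape (the added `--` closes the `http.url` entry before `*`http.url.raw`*::` opens, and the stray `--` plus blank line after `http.url.raw` are dropped), but if this file is generated from the module field definitions the same correction must be made in the generator, or the next regeneration will put the misplaced close back; please confirm where the fix originates.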
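Review bot: asciidoctor pairs listing delimiters by exact length, so changing the closing line in `packetbeat-filtering.asciidoc` from `-----------` to `----` only repairs the block if its opening line is also `----`; the hunk shows the closing delimiter only, so verify the opening fence above the `processors:` YAML. With mismatched lengths the listing stays open and swallows the following paragraph ("If you don't want to export raw data for the successful transactions:") into the code block.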
--- a/journalbeat/docs/index.asciidoc +++ b/journalbeat/docs/index.asciidoc @@ -13,8 +13,6 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[] :github_repo_name: beats :discuss_forum: beats/{beatname_lc} :beat_default_index_prefix: {beatname_lc} -:has_decode_csv_fields_processor: -:has_script_processor: :deb_os: :rpm_os: :linux_os: diff --git a/winlogbeat/docs/index.asciidoc b/winlogbeat/docs/index.asciidoc index 7654b557f02..ede4e08f9d8 100644 --- a/winlogbeat/docs/index.asciidoc +++ b/winlogbeat/docs/index.asciidoc @@ -16,7 +16,6 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[] :has_ml_jobs: yes :has_registry: :ignores_max_retries: -:has_script_processor: :win_os: :win_only: From 97a205a4ecbf2d89def1cc3e76588ea0f37691b4 Mon Sep 17 00:00:00 2001 From: DeDe Morton Date: Wed, 4 Sep 2019 17:15:27 -0700 Subject: [PATCH 5/6] Remove unwanted section added during backport --- libbeat/docs/shared-docker.asciidoc | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/libbeat/docs/shared-docker.asciidoc b/libbeat/docs/shared-docker.asciidoc index 214e0a72aca..6fafc397d08 100644 --- a/libbeat/docs/shared-docker.asciidoc +++ b/libbeat/docs/shared-docker.asciidoc @@ -232,19 +232,6 @@ docker run -d \ -------------------------------------------- endif::[] -ifeval::["{beatname_lc}"=="apm-server"] -["source", "sh", subs="attributes"] --------------------------------------------- -docker run -d \ - --name={beatname_lc} \ - --user={beatname_lc} \ - --volume="$(pwd)/{beatname_lc}.docker.yml:/usr/share/{beatname_lc}/{beatname_lc}.yml:ro" \ - {dockerimage} \ - --strict.perms=false -e \ - -E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2> --------------------------------------------- -endif::[] - <1> Substitute your Elasticsearch hosts and ports. <2> If you are using the hosted Elasticsearch Service in Elastic Cloud, replace the `-E output.elasticsearch.hosts` line with the Cloud ID and elastic password 
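Review bot: dropping `:has_decode_csv_fields_processor:` and `:has_script_processor:` from the filebeat, journalbeat and winlogbeat `index.asciidoc` files silently stops rendering any `ifdef::` block in the shared includes that is gated on those attribute names; the hunks do not show the consumers, so grep the shared docs in this branch for both names to confirm that nothing that should remain is conditioned on them (an unused attribute is harmless, a still-referenced one drops content with no build error).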
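Review bot: after the `apm-server` `ifeval` block is removed from `shared-docker.asciidoc`, the callout list (`<1> Substitute your Elasticsearch hosts and ports.` and `<2> ...`) directly follows the `endif::[]` of the preceding branch; confirm that the listing inside every remaining branch still ends with `<1> <2>` markers, otherwise asciidoctor reports orphaned callouts for the beats whose branch renders last.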
From bc6a311c7193553840ce7b9b546b1eaf79f767d1 Mon Sep 17 00:00:00 2001 From: DeDe Morton Date: Wed, 4 Sep 2019 17:49:54 -0700 Subject: [PATCH 6/6] Revert to 6.8 version of journalbeat example --- libbeat/docs/shared-docker.asciidoc | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/libbeat/docs/shared-docker.asciidoc b/libbeat/docs/shared-docker.asciidoc index 6fafc397d08..1e4287a62fa 100644 --- a/libbeat/docs/shared-docker.asciidoc +++ b/libbeat/docs/shared-docker.asciidoc @@ -154,18 +154,14 @@ docker run -d \ endif::[] ifeval::["{beatname_lc}"=="journalbeat"] -Make sure you include the path to the host's journal. The path might be -`/var/log/journal` or `/run/log/journal`. - ["source", "sh", subs="attributes"] -------------------------------------------- -sudo docker run -d \ +docker run -d \ --name={beatname_lc} \ --user=root \ - --volume="/var/log/journal:/var/log/journal" \ - --volume="/etc/machine-id:/etc/machine-id" \ - --volume="/run/systemd:/run/systemd" \ - --volume="/etc/hostname:/etc/hostname:ro" \ + --volume="$(pwd)/{beatname_lc}.docker.yml:/usr/share/{beatname_lc}/{beatname_lc}.yml:ro" \ + --volume="/var/lib/docker/containers:/var/lib/docker/containers:ro" \ + --volume="/var/run/docker.sock:/var/run/docker.sock:ro" \ {dockerimage} {beatname_lc} -e -strict.perms=false \ -E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2> --------------------------------------------
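Review bot: the reverted journalbeat example mounts `/var/run/docker.sock` and `/var/lib/docker/containers` into a container run as `--user=root` but no longer mounts the host journal (`/var/log/journal`, `/etc/machine-id`, `/run/systemd`, `/etc/hostname`) that the deleted sentence told readers to include, so journalbeat in this example has nothing from the host to read, while the Docker socket it is given is equivalent to root on the host and is not something journalbeat needs. If the 6.8 wording is being restored deliberately for build reasons, keep at least the journal volume lines and drop the Docker socket mount; the example as written grants more privilege than the tool uses and does not demonstrate reading the journal.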