Event structure

Metricbeat sends two types of event:

  • Regular events containing the fetched metrics
  • Error events when the service is down/unreachable

Regardless of the event type or which module is enabled, all events share the same basic structure and contain at least the following fields:

  • @timestamp: Time when the event was captured
  • host.hostname: Hostname of the server on which Beat is running
  • host.os: Operating system details of the server where Beat is running
  • agent.type: Name given to Beat 
  • agent.version: The Beat version
  • event.module: Name of the module that the data is from
  • event.dataset: Name of the metricset that the data is from

In the case of error events, an error field such as error.message, containing the error message, code, and type, will be appended to the event. 

An example of a regular event is as follows:

{
  "@timestamp" : "2019-04-22T12:40:16.608Z",
  "service" : {
    "type" : "system"
  },
  "system" : {
    "uptime" : {
      "duration" : {
        "ms" : 830231705
      }
    }
  },
  "event" : {
    "module" : "system",
    "duration" : 221012700,
    "dataset" : "system.uptime"
  },
  "metricset" : {
    "name" : "uptime"
  },
  "agent" : {
    "type" : "metricbeat",
    "ephemeral_id" : "1956888d-7da0-469f-9a38-ab8b9ad52e07",
    "hostname" : "madsh01-I21350",
    "id" : "5b28d885-1389-4e32-a3a9-3c5e8f9063b0",
    "version" : "7.0.0"
  },
  "ecs" : {
    "version" : "1.0.0"
  },
  "host" : {
    "name" : "madsh01-I21350",
    "os" : {
      "kernel" : "6.1.7601.24408 (win7sp1_ldr_escrow.190320-1700)",
      "build" : "7601.24411",
      "platform" : "windows",
      "version" : "6.1",
      "family" : "windows",
      "name" : "Windows 7 Enterprise"
    },
    "id" : "254667db-4667-46f9-8cf5-0d52ccf2beb9",
    "hostname" : "madsh01-I21350",
    "architecture" : "x86_64"
  }
}

An example of an error event when MongoDB is not reachable is as follows:

{
  "@timestamp": "2019-04-02T11:53:08.056Z",
  "metricset": {
    "host": "localhost:27017",
    "rtt": 1003057,
    "module": "mongodb",
    "name": "status"
  },
  "error": {
    "message": "no reachable servers"
  },
  "mongodb": {
    "status": {}
  }
}

Along with the minimum fields (the basic structure of the event) that Metricbeat ships with, it ships fields related to the modules that are enabled. The complete list of fields it ships with per module can be obtained at https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields.html.
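The check below is an added example, not code from the original page or from the Metricbeat project: it classifies events as regular or error events by the presence of the error field and reports which of the minimum fields listed above are absent, which is useful when alerting on unreachable services or validating an ingest pipeline. The sample events are constructed by trimming the two events shown above; the function names and the fallback to metricset.module (taken from the error example) are assumptions.

```python
import json

# Minimum fields the page lists for every event (dotted paths into the JSON).
REQUIRED = ["@timestamp", "host.hostname", "host.os", "agent.type",
            "agent.version", "event.module", "event.dataset"]

def lookup(event, path):
    """Resolve a dotted path such as 'host.os'; return None if absent."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def classify(line):
    """Return (kind, module, error_message, missing_fields) for one event."""
    event = json.loads(line)
    kind = "error" if "error" in event else "regular"
    # Assumption: the page's error example carries the module under
    # metricset.module, so fall back to it when event.module is absent.
    module = lookup(event, "event.module") or lookup(event, "metricset.module")
    missing = [p for p in REQUIRED if lookup(event, p) is None]
    return kind, module, lookup(event, "error.message"), missing

# Constructed sample input: the page's two events, trimmed to a few fields.
SAMPLE = [
    '{"@timestamp":"2019-04-22T12:40:16.608Z",'
    '"event":{"module":"system","dataset":"system.uptime"},'
    '"agent":{"type":"metricbeat","version":"7.0.0"},'
    '"host":{"hostname":"madsh01-I21350","os":{"platform":"windows"}}}',
    '{"@timestamp":"2019-04-02T11:53:08.056Z",'
    '"metricset":{"host":"localhost:27017","module":"mongodb","name":"status"},'
    '"error":{"message":"no reachable servers"},"mongodb":{"status":{}}}',
]

def summarize(lines):
    """Classify each line and collect (module, message) for error events."""
    results = [classify(line) for line in lines]
    down = [(mod, msg) for kind, mod, msg, _ in results if kind == "error"]
    return results, down

if __name__ == "__main__":
    results, down = summarize(SAMPLE)
    for result in results:
        print(result)
    print("services reporting errors:", down)
```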
