Schema Reference

In AppView, events are structured according to one pattern, and metrics are structured according to another. These patterns are defined rigorously, in validatable JSON Schema.

Three definitions schemas govern the basic patterns. Then there is an individual schema for each event and metric, documented below. The definitions schemas define the elements that can be present in individual event and metric schemas, as well as the overall structures into which those elements fit.

When we say "the AppView schema," we mean the whole set of schemas. The AppView schema now in use was introduced in AppView 1.0.1.

A few event and metric schema elements, namely title and description, have placeholder values. In the future, we might make these more informative. They are essentially "internal documentation" within the schemas and do not affect how the schemas function in AppView. If you develop code that depends on AppView schemas, be aware that the content of title and description fields may evolve.

For more about how events and metrics work in AppView, see this overview.


console

Structure of the console event

Examples

{
  "type": "evt",
  "id": "eaf4d0598443-a.out-./a.out",
  "_channel": "8499188821284",
  "body": {
    "sourcetype": "console",
    "_time": 1643883251.376672,
    "source": "stderr",
    "host": "eaf4d0598443",
    "proc": "a.out",
    "cmd": "./a.out",
    "pid": 986,
    "data": {
      "message": "stderr hello world"
    }
  }
}
{
  "type": "evt",
  "id": "ubuntu-sh- /usr/bin/which /usr/bin/firefox",
  "_channel": "13468365092424",
  "body": {
    "sourcetype": "console",
    "_time": 1643735941.602952,
    "source": "stdout",
    "host": "ubuntu",
    "proc": "sh",
    "cmd": "/bin/sh /usr/bin/which /usr/bin/firefox",
    "pid": 6545,
    "data": {
      "message": "/usr/bin/firefox\n"
    }
  }
}

console properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

console.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is console.

Value must be console.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Specifies whether AppView captured the data from the console's stderr or stdout.

Possible values:
  • stderr
  • stdout
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

console.body.data properties

Property Description
message (string) The textual data written to a console or file.
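A structural validator for the console, dns.req and dns.resp events documented on this page, written as an added example; it is not AppView's own JSON Schema, and it only encodes the required fields and "Value must be" constraints from the property tables. The sample input reuses two of the page's example events and adds one constructed malformed event.

```python
"""Structural validator for AppView console and dns events.

Added example for this reference, not AppView's own JSON Schema files. It
encodes the required fields and "Value must be" constraints from the console,
dns.req and dns.resp property tables, one parsed event at a time.
"""
import json

# Envelope fields and their JSON types, common to every event.
ENVELOPE = {"type": str, "id": str, "_channel": str, "body": dict}
# body fields common to every event (pid is an integer, _time a number).
BODY = {"sourcetype": str, "_time": (int, float), "source": str, "host": str,
        "proc": str, "cmd": str, "pid": int, "data": dict}
# sourcetype -> allowed source values -> data rules (field -> (required, type)).
RULES = {
    "console": {
        "stderr": {"message": (False, str)},
        "stdout": {"message": (False, str)},
    },
    "dns": {
        "dns.req": {"domain": (True, str)},
        "dns.resp": {"duration": (False, (int, float)),
                     "domain": (False, str),
                     "addrs": (False, list)},
    },
}


def _check_fields(obj, spec, where, problems):
    """Report fields that are missing or of the wrong JSON type."""
    # bool is rejected explicitly: in Python it is a subclass of int, so
    # "pid": true would otherwise pass as an integer.
    for name, typ in spec.items():
        if name not in obj:
            problems.append(f"{where}: missing required field '{name}'")
        elif isinstance(obj[name], bool) or not isinstance(obj[name], typ):
            problems.append(f"{where}: '{name}' has wrong type "
                            f"{type(obj[name]).__name__}")


def validate_event(event):
    """Return a list of problems; an empty list means the event conforms."""
    problems = []
    if not isinstance(event, dict):
        return ["event is not a JSON object"]
    _check_fields(event, ENVELOPE, "event", problems)
    if event.get("type") != "evt":
        problems.append("event: 'type' must be 'evt'")
    body = event.get("body")
    if not isinstance(body, dict):
        return problems
    _check_fields(body, BODY, "body", problems)
    sourcetype, source, data = body.get("sourcetype"), body.get("source"), body.get("data")
    if sourcetype not in RULES:
        problems.append(f"body: sourcetype {sourcetype!r} not covered here")
        return problems
    if source not in RULES[sourcetype]:
        problems.append(f"body: source {source!r} is not valid for "
                        f"sourcetype {sourcetype!r}")
        return problems
    if not isinstance(data, dict):
        return problems
    for name, (required, typ) in RULES[sourcetype][source].items():
        if name not in data:
            if required:
                problems.append(f"data: missing required field '{name}'")
        elif isinstance(data[name], bool) or not isinstance(data[name], typ):
            problems.append(f"data: '{name}' has wrong type")
    # dns.resp addrs is an array of resolved IP addresses, one string each.
    if source == "dns.resp" and isinstance(data.get("addrs"), list):
        if not all(isinstance(a, str) for a in data["addrs"]):
            problems.append("data: 'addrs' entries must be strings")
    return problems


def validate_ndjson(text):
    """Validate newline-delimited JSON; return (line index, problems) per bad line."""
    bad = []
    for i, line in enumerate(text.splitlines()):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError as exc:
            bad.append((i, [f"not valid JSON: {exc.msg}"]))
            continue
        problems = validate_event(event)
        if problems:
            bad.append((i, problems))
    return bad


# Sample input: the stderr console event and the dns.req event from this page,
# plus one constructed malformed event (pid as a string, and source "dns.req"
# under sourcetype "console").
SAMPLE = """
{"type":"evt","id":"eaf4d0598443-a.out-./a.out","_channel":"8499188821284","body":{"sourcetype":"console","_time":1643883251.376672,"source":"stderr","host":"eaf4d0598443","proc":"a.out","cmd":"./a.out","pid":986,"data":{"message":"stderr hello world"}}}
{"type":"evt","id":"ubuntu-firefox-/usr/lib/firefox/firefox","_channel":"13470757294558","body":{"sourcetype":"dns","_time":1643735942.526987,"source":"dns.req","host":"ubuntu","proc":"firefox","cmd":"/usr/lib/firefox/firefox","pid":6544,"data":{"domain":"detectportal.firefox.com"}}}
{"type":"evt","id":"constructed","_channel":"0","body":{"sourcetype":"console","_time":1.0,"source":"dns.req","host":"h","proc":"p","cmd":"p","pid":"986","data":{}}}
"""

if __name__ == "__main__":
    for index, problems in validate_ndjson(SAMPLE):
        print(f"line {index}: " + "; ".join(problems))
```

Running the block reports only the constructed third line; the two events copied from this page pass.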

dns.req

Structure of the dns.req event

Example

{
  "type": "evt",
  "id": "ubuntu-firefox-/usr/lib/firefox/firefox",
  "_channel": "13470757294558",
  "body": {
    "sourcetype": "dns",
    "_time": 1643735942.526987,
    "source": "dns.req",
    "host": "ubuntu",
    "proc": "firefox",
    "cmd": "/usr/lib/firefox/firefox",
    "pid": 6544,
    "data": {
      "domain": "detectportal.firefox.com"
    }
  }
}

dns.req properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

dns.req.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is DNS.

Value must be dns.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is a Network DNS operation.

Value must be dns.req.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

dns.req.body.data properties

Property Description
domain required (string) The domain for which the viewed app made a DNS request.

dns.resp

Structure of the dns.resp event

Example

{
  "type": "evt",
  "id": "ubuntu-firefox-/usr/lib/firefox/firefox",
  "_channel": "13470823778038",
  "body": {
    "sourcetype": "dns",
    "_time": 1643735942.552667,
    "source": "dns.resp",
    "host": "ubuntu",
    "proc": "firefox",
    "cmd": "/usr/lib/firefox/firefox",
    "pid": 6544,
    "data": {
      "duration": 25,
      "domain": "detectportal.firefox.com",
      "addrs": [
        "34.107.221.82"
      ]
    }
  }
}

dns.resp properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

dns.resp.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is DNS.

Value must be dns.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is a DNS response operation.

Value must be dns.resp.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

dns.resp.body.data properties

Property Description
duration (number) Duration in milliseconds.

Example:
55
domain (string) The domain for which the viewed app made a DNS request.
addrs (array) IP address(es) of the domain for which the viewed app sent a DNS request.

file

Structure of the file event

Example

{
  "type": "evt",
  "id": "ubuntu-sh- /usr/bin/which /usr/bin/firefox",
  "_channel": "13468365092424",
  "body": {
    "sourcetype": "file",
    "_time": 1643735941.602952,
    "source": "/var/log/firefox.log",
    "host": "ubuntu",
    "proc": "sh",
    "cmd": "/bin/sh /usr/bin/which /usr/bin/firefox",
    "pid": 6545,
    "data": {
      "message": "/usr/bin/firefox\n"
    }
  }
}

file properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

file.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is file.

Value must be file.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) The path of the file that the viewed app wrote to.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

file.body.data properties

Property Description
message (string) The textual data written to a console or file.

fs.close

Structure of the fs.close event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "5890090429747",
  "body": {
    "sourcetype": "fs",
    "_time": 1643735835.455002,
    "source": "fs.close",
    "host": "8bc1398c19f3",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1933,
    "data": {
      "proc": "accept01",
      "pid": 1933,
      "host": "8bc1398c19f3",
      "file": "/dev/shm/ltp_accept01_1931",
      "proc_uid": 0,
      "proc_gid": 0,
      "proc_cgroup": "0::/system.slice/containerd.service",
      "file_perms": 600,
      "file_owner": 0,
      "file_group": 0,
      "file_read_bytes": 0,
      "file_read_ops": 0,
      "file_write_bytes": 0,
      "file_write_ops": 0,
      "duration": 0,
      "op": "close"
    }
  }
}

fs.close properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

fs.close.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is filesystem.

Value must be fs.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is a File Close operation.

Value must be fs.close.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

fs.close.body.data properties

Property Description
proc (string) The name of the viewed app's process.
pid (integer) The process ID of the viewed app.

Example:
1000
host (string) Hostname for the host on which the viewed app was run.
file (string) The name of the file.
proc_uid (integer) The user ID of the user who started the viewed app.

Example:
0
proc_gid (integer) The group ID of the user who started the viewed app.

Example:
0
proc_cgroup (string) The control group used in container creation.

Example:
0::/user.slice/user-1000.slice/session-3.appview
file_perms (integer) The permissions of the file, in octal format.

Example:
777
file_owner (number) The user ID of the file owner.

Example:
0
file_group (number) The group ID of the file owner.

Example:
0
file_read_bytes (integer) The number of bytes of data read from a file.

Example:
512
file_read_ops (integer) Count of individual read operations aggregated.

Example:
5
file_write_bytes (integer) The number of bytes of data written to a file.

Example:
10
file_write_ops (integer) Count of individual write operations aggregated.

Example:
5
duration (number) Duration in milliseconds.

Example:
55
op (string) The close operation that was executed on the filesystem.

Possible values:
  • go_close
  • closedir
  • freopen
  • freopen64
  • close
  • fclose
  • close$NOCANCEL
  • guarded_close_np
  • close_nocancel

fs.delete

Structure of the fs.delete event

Example

{
  "type": "evt",
  "id": "b6209181773f-rm-rm test.txt",
  "_channel": "none",
  "body": {
    "sourcetype": "fs",
    "_time": 1643793922.040438,
    "source": "fs.delete",
    "host": "b6209181773f",
    "proc": "rm",
    "cmd": "rm test.txt",
    "pid": 306,
    "data": {
      "proc": "rm",
      "pid": 306,
      "host": "b6209181773f",
      "op": "unlinkat",
      "file": "test.txt",
      "unit": "operation"
    }
  }
}

fs.delete properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

fs.delete.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is filesystem.

Value must be fs.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is a File Delete operation.

Value must be fs.delete.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

fs.delete.body.data properties

Property Description
proc (string) The name of the viewed app's process.
pid (integer) The process ID of the viewed app.

Example:
1000
host (string) Hostname for the host on which the viewed app was run.
op (string) The delete operation that was executed on the filesystem.

Possible values:
  • go_unlinkat
  • unlink
  • unlinkat
file (string) The name of the file.
unit (string) Indicates that the metric's value is a number of operations.

Value must be operation.

fs.duration

Structure of the fs.duration event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "5890091215105",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735835.455057,
    "source": "fs.duration",
    "host": "8bc1398c19f3",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1933,
    "data": {
      "_metric": "fs.duration",
      "_metric_type": "histogram",
      "_value": 12,
      "proc": "accept01",
      "pid": 1933,
      "fd": 3,
      "op": "fgets_unlocked",
      "file": "/etc/passwd",
      "numops": 1,
      "unit": "microsecond"
    }
  }
}

fs.duration properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

fs.duration.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is metric.

Value must be metric.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is a File Duration operation.

Value must be fs.duration.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

fs.duration.body.data properties

Property Description
_metric (string) Indicates that the Source is a File Duration operation.

Value must be fs.duration.
_metric_type (string) Indicates that the metric from the viewed app is a histogram.

Value must be histogram.
_value (number) The value reported by the event or metric.

Example:
1
proc (string) The name of the viewed app's process.
pid (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
op (string) The function that was executed.
file (string) The name of the file.
numops (number) Count of individual operations aggregated.
unit (string) Indicates that the metric's value is in microseconds.

Value must be microsecond.

fs.error

Structure of the fs.error event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "5890094642989",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735835.45777,
    "source": "fs.error",
    "host": "8bc1398c19f3",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1931,
    "data": {
      "_metric": "fs.error",
      "_metric_type": "counter",
      "_value": 1,
      "proc": "accept01",
      "pid": 1931,
      "op": "access",
      "file": "/dev/shm/ltp_accept01_1931",
      "class": "stat",
      "unit": "operation"
    }
  }
}

fs.error properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

fs.error.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is metric.

Value must be metric.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is a File Error operation.

Value must be fs.error.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

fs.error.body.data properties

Property Description
_metric (string) Indicates that the Source is a File Error operation.

Value must be fs.error.
_metric_type (string) Indicates that the metric is a counter.

Value must be counter.
_value (number) The value reported by the event or metric.

Example:
1
proc (string) The name of the viewed app's process.
pid (integer) The process ID of the viewed app.

Example:
1000
op (string) The function that was executed.
file (string) The name of the file.
class (string) Subcategory of filesystem error.

Possible values:
  • open_close
  • read_write
  • stat
unit (string) Indicates that the metric's value is a number of operations.

Value must be operation.

fs.open

Structure of the fs.open event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "5890090429747",
  "body": {
    "sourcetype": "fs",
    "_time": 1643735835.454946,
    "source": "fs.open",
    "host": "8bc1398c19f3",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1933,
    "data": {
      "proc": "accept01",
      "pid": 1933,
      "host": "8bc1398c19f3",
      "file": "/dev/shm/ltp_accept01_1931",
      "proc_uid": 0,
      "proc_gid": 0,
      "proc_cgroup": "0::/system.slice/containerd.service",
      "file_perms": 600,
      "file_owner": 0,
      "file_group": 0,
      "op": "open"
    }
  }
}

fs.open properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

fs.open.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is filesystem.

Value must be fs.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is a File open operation.

Value must be fs.open.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

fs.open.body.data properties

Property Description
proc (string) The name of the viewed app's process.
pid (integer) The process ID of the viewed app.

Example:
1000
host (string) Hostname for the host on which the viewed app was run.
file (string) The name of the file.
proc_uid (integer) The user ID of the user who started the viewed app.

Example:
0
proc_gid (integer) The group ID of the user who started the viewed app.

Example:
0
proc_cgroup (string) The control group used in container creation.

Example:
0::/user.slice/user-1000.slice/session-3.appview
file_perms (integer) The permissions of the file, in octal format.

Example:
777
file_owner (number) The user ID of the file owner.

Example:
0
file_group (number) The group ID of the file owner.

Example:
0
op (string) The open operation that was executed on the filesystem.

Possible values:
  • open
  • openat
  • opendir
  • creat
  • fopen
  • freopen
  • open64
  • openat64
  • __open64_2
  • __open_2
  • __openat_2
  • creat64
  • fopen64
  • freopen64
  • recvmsg
  • console output
  • console input

fs.read

Structure of the fs.read event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "5890091215105",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735835.455076,
    "source": "fs.read",
    "host": "8bc1398c19f3",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1933,
    "data": {
      "_metric": "fs.read",
      "_metric_type": "histogram",
      "_value": 4096,
      "proc": "accept01",
      "pid": 1933,
      "fd": 3,
      "op": "fgets_unlocked",
      "file": "/etc/passwd",
      "numops": 1,
      "unit": "byte"
    }
  }
}

fs.read properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

fs.read.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is metric.

Value must be metric.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is a File Read operation.

Value must be fs.read.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

fs.read.body.data properties

Property Description
_metric (string) Indicates that the Source is a File Read operation.

Value must be fs.read.
_metric_type (string) Indicates that the metric from the viewed app is a histogram.

Value must be histogram.
_value (number) The value reported by the event or metric.

Example:
1
proc (string) The name of the viewed app's process.
pid (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
op (string) The read operation that was executed on the filesystem.

Possible values:
  • go_read
  • go_getdents
  • readdir
  • pread64
  • __pread64_chk
  • preadv
  • preadv2
  • preadv64v2
  • __pread_chk
  • __read_chk
  • __fread_unlocked_chk
  • read
  • readv
  • pread
  • fread
  • __fread_chk
  • fread_unlocked
  • fgets
  • __fgets_chk
  • fgets_unlocked
  • __fgetws_chk
  • fgetws
  • fgetwc
  • fgetc
  • fscanf
  • getline
  • getdelim
  • __getdelim
file (string) The name of the file.
numops (number) Count of individual operations aggregated.
unit (string) Indicates that the metric's value is in bytes.

Value must be byte.

fs.seek

Structure of the fs.seek event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-sh-/bin/sh ./file_x",
  "_channel": "5891441789884",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735836.805196,
    "source": "fs.seek",
    "host": "8bc1398c19f3",
    "proc": "sh",
    "cmd": "/bin/sh ./file_x",
    "pid": 2061,
    "data": {
      "_metric": "fs.seek",
      "_metric_type": "counter",
      "_value": 1,
      "proc": "sh",
      "pid": 2061,
      "fd": 3,
      "op": "lseek",
      "file": "./file_x",
      "unit": "operation"
    }
  }
}

fs.seek properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

fs.seek.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is metric.

Value must be metric.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is a File Seek operation.

Value must be fs.seek.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

fs.seek.body.data properties

Property Description
_metric (string) Indicates that the Source is a File Seek operation.

Value must be fs.seek.
_metric_type (string) Indicates that the metric is a counter.

Value must be counter.
_value (number) The value reported by the event or metric.

Example:
1
proc (string) The name of the viewed app's process.
pid (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
op (string) The seek operation that was executed on the filesystem.

Possible values:
  • lseek64
  • fseek64
  • ftello64
  • fsetpos64
  • lseek
  • fseek
  • fseeko
  • ftell
  • ftello
  • rewind
  • fsetpos
  • fgetpos
  • fgetpos64
file (string) The name of the file.
unit (string) Indicates that the metric's value is a number of operations.

Value must be operation.

fs.stat

Structure of the fs.stat event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "5890091777333",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735835.454905,
    "source": "fs.stat",
    "host": "8bc1398c19f3",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1933,
    "data": {
      "_metric": "fs.stat",
      "_metric_type": "counter",
      "_value": 1,
      "proc": "accept01",
      "pid": 1933,
      "op": "access",
      "file": "/dev/shm",
      "unit": "operation"
    }
  }
}

fs.stat properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

fs.stat.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is metric.

Value must be metric.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is a File Stat operation.

Value must be fs.stat.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

fs.stat.body.data properties

Property Description
_metric (string) Indicates that the Source is a File Stat operation.

Value must be fs.stat.
_metric_type (string) Indicates that the metric is a counter.

Value must be counter.
_value (number) The value reported by the event or metric.

Example:
1
proc (string) The name of the viewed app's process.
pid (integer) The process ID of the viewed app.

Example:
1000
op (string) The stat operation that was executed on the filesystem.

Possible values:
  • statfs64
  • __xstat
  • __xstat64
  • __lxstat
  • __lxstat64
  • __fxstat
  • __fxstatat
  • __fxstatat64
  • statx
  • statfs
  • statvfs
  • statvfs64
  • access
  • faccessat
  • stat
  • lstat
  • fstatfs64
  • __fxstat
  • __fxstat64
  • fstatfs
  • fstatvfs
  • fstatvfs64
  • fstat
  • fstatat
file (string) The name of the file.
unit (string) Indicates that the metric's value is a number of operations.

Value must be operation.

fs.write

Structure of the fs.write event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-access02-/kernel/syscalls/access/access02",
  "_channel": "5891407740765",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735836.773249,
    "source": "fs.write",
    "host": "8bc1398c19f3",
    "proc": "access02",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/access/access02",
    "pid": 2058,
    "data": {
      "_metric": "fs.write",
      "_metric_type": "histogram",
      "_value": 10,
      "proc": "access02",
      "pid": 2058,
      "fd": 3,
      "op": "__write_libc",
      "file": "file_x",
      "numops": 1,
      "unit": "byte"
    }
  }
}

fs.write properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

fs.write.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is metric.

Value must be metric.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is a File Write operation.

Value must be fs.write.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

fs.write.body.data properties

Property Description
_metric (string) Indicates that the Source is a File Write operation.

Value must be fs.write.
_metric_type (string) Indicates that the metric from the viewed app is a histogram.

Value must be histogram.
_value (number) The value reported by the event or metric.

Example:
1
proc (string) The name of the viewed app's process.
pid (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
op (string) The write operation that was executed on the filesystem.

Possible values:
  • go_write
  • pwrite64
  • pwritev
  • pwritev64
  • pwritev2
  • pwritev64v2
  • __overflow
  • __write_libc
  • __write_pthread
  • fwrite_unlocked
  • __stdio_write
  • write
  • pwrite
  • writev
  • fwrite
  • puts
  • putchar
  • fputs
  • fputs_unlocked
  • fputc
  • fputc_unlocked
  • putwc
  • fputwc
file (string) The name of the file.
numops (number) Count of individual operations aggregated.
unit (string) Indicates that the metric's value is in bytes.

Value must be byte.

http.req ^

Structure of the http.req event

Example

{
  "type": "evt",
  "id": "ubuntu-firefox-/usr/lib/firefox/firefox",
  "_channel": "13470846442500",
  "body": {
    "sourcetype": "http",
    "_time": 1643735942.588626,
    "source": "http.req",
    "host": "ubuntu",
    "proc": "firefox",
    "cmd": "/usr/lib/firefox/firefox",
    "pid": 6544,
    "data": {
      "http_method": "GET",
      "http_target": "/canonical.html",
      "http_flavor": "1.1",
      "http_scheme": "http",
      "http_host": "detectportal.firefox.com",
      "http_user_agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
      "net_transport": "IP.TCP",
      "net_peer_ip": "34.107.221.82",
      "net_peer_port": 80,
      "net_host_ip": "172.16.198.210",
      "net_host_port": 33712
    }
  }
}

http.req properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

http.req.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is HTTP.

Value must be http.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the event Source is an HTTP request.

Value must be http.req.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

http.req.body.data properties

Property Description
http_method (string) Specifies the method of an HTTP request in the data; e.g., GET, POST, PATCH, etc.
http_frame (string) Type of the HTTP/2 frame as described in RFC 7540.

Possible values:
  • HEADERS
  • PUSH_PROMISE
http_target (string) In a URL, the path or file after the FQDN.
http_flavor (string) Specifies whether an HTTP request or response is in HTTP/1.1 or HTTP/2.0.
http_stream (integer) HTTP/2 Stream Identifier.
http_scheme (string) Specifies whether data was unencrypted (HTTP) or encrypted (HTTPS).

Possible values:
  • http
  • https
http_host (string) Hostname of the host to which an HTTP request was sent; or, from which a response was received.
http_user_agent (string) HTTP header property describing the web client.
http_client_ip (string) IP address of the host that issued an HTTP request or received the response.
net_transport (string) Network layer used (before the dot) and transport layer used (after the dot).

Possible values:
  • IP.TCP
  • IP.UDP
  • IP.RAW
  • IP.RDM
  • IP.SEQPACKET
  • Unix.TCP
  • Unix.UDP
  • Unix.RAW
  • Unix.RDM
  • Unix.SEQPACKET
net_peer_ip (string) The IP address portion of the remote side of a network connection.
net_peer_port (integer) The port portion of the remote side of a network connection.
net_host_ip (string) The IP address portion of the local side of a network connection.
net_host_port (integer) The port portion of the local side of a network connection.
x_appview (string) Value of the x-appview HTTP header (if present).

Value must be x-appview.

http.resp ^

Structure of the http.resp event

Example

{
  "type": "evt",
  "id": "ubuntu-firefox-/usr/lib/firefox/firefox",
  "_channel": "13470846442500",
  "body": {
    "sourcetype": "http",
    "_time": 1643735942.613892,
    "source": "http.resp",
    "host": "ubuntu",
    "proc": "firefox",
    "cmd": "/usr/lib/firefox/firefox",
    "pid": 6544,
    "data": {
      "http_method": "GET",
      "http_target": "/canonical.html",
      "http_scheme": "http",
      "http_flavor": "1.1",
      "http_status_code": 200,
      "http_status_text": "OK",
      "http_server_duration": 26,
      "http_host": "detectportal.firefox.com",
      "http_user_agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
      "net_transport": "IP.TCP",
      "net_peer_ip": "34.107.221.82",
      "net_peer_port": 80,
      "net_host_ip": "172.16.198.210",
      "net_host_port": 33712,
      "http_response_content_length": 90
    }
  }
}

http.resp properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

http.resp.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is HTTP.

Value must be http.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is an HTTP response.

Value must be http.resp.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

http.resp.body.data properties

Property Description
http_method (string) Specifies the method of an HTTP request in the data; e.g., GET, POST, PATCH, etc.
http_target (string) In a URL, the path or file after the FQDN.
http_stream (integer) HTTP/2 Stream Identifier.
http_scheme (string) Specifies whether data was unencrypted (HTTP) or encrypted (HTTPS).

Possible values:
  • http
  • https
http_flavor (string) Specifies whether an HTTP request or response is in HTTP/1.1 or HTTP/2.0.
http_status_code (integer) Specifies the status code of an HTTP response.

Possible values:
  • 100
  • 101
  • 102
  • 200
  • 201
  • 202
  • 203
  • 204
  • 205
  • 206
  • 207
  • 208
  • 226
  • 300
  • 301
  • 302
  • 303
  • 304
  • 305
  • 307
  • 400
  • 401
  • 402
  • 403
  • 404
  • 405
  • 406
  • 407
  • 408
  • 409
  • 410
  • 411
  • 412
  • 413
  • 414
  • 415
  • 416
  • 417
  • 418
  • 421
  • 422
  • 423
  • 424
  • 426
  • 428
  • 429
  • 431
  • 444
  • 451
  • 499
  • 500
  • 501
  • 502
  • 503
  • 504
  • 505
  • 506
  • 507
http_status_text (string) The standard text that accompanies an HTTP response status code.

Possible values:
  • Continue
  • Switching Protocols
  • Processing
  • OK
  • Created
  • Accepted
  • Non-authoritative Information
  • No Content
  • Reset Content
  • Partial Content
  • Multi-Status
  • Already Reported
  • IM Used
  • Multiple Choices
  • Moved Permanently
  • Found
  • See Other
  • Not Modified
  • Use Proxy
  • Temporary Redirect
  • Permanent Redirect
  • Bad Request
  • Unauthorized
  • Payment Required
  • Forbidden
  • Not Found
  • Method Not Allowed
  • Not Acceptable
  • Proxy Authentication Required
  • Request Timeout
  • Conflict
  • Gone
  • Length Required
  • Precondition Failed
  • Payload Too Large
  • Request-URI Too Long
  • Unsupported Media Type
  • Requested Range Not Satisfiable
  • Expectation Failed
  • I'm a teapot
  • Misdirected Request
  • Unprocessable Entity
  • Locked
  • Failed Dependency
  • Upgrade Required
  • Precondition Required
  • Too Many Requests
  • Request Header Fields Too Large
  • Connection Closed Without Response
  • Unavailable For Legal Reasons
  • Client Closed Request
  • Internal Server Error
  • Not Implemented
  • Bad Gateway
  • Service Unavailable
  • Gateway Timeout
  • HTTP Version Not Supported
  • Variant Also Negotiates
  • Insufficient Storage
http_client_duration (number) Time elapsed between when a request was issued and when the response was received, in milliseconds.
http_server_duration (number) Time elapsed between when a request was received and when the response was issued, in milliseconds.
http_host (string) Hostname of the host to which an HTTP request was sent; or, from which a response was received.
http_user_agent (string) HTTP header property describing the web client.
net_transport (string) Network layer used (before the dot) and transport layer used (after the dot).

Possible values:
  • IP.TCP
  • IP.UDP
  • IP.RAW
  • IP.RDM
  • IP.SEQPACKET
  • Unix.TCP
  • Unix.UDP
  • Unix.RAW
  • Unix.RDM
  • Unix.SEQPACKET
net_peer_ip (string) The IP address portion of the remote side of a network connection.
net_peer_port (integer) The port portion of the remote side of a network connection.
net_host_ip (string) The IP address portion of the local side of a network connection.
net_host_port (integer) The port portion of the local side of a network connection.
http_response_content_length (number) Specifies the length in bytes of the HTTP response body.
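An added example, not AppView's own code: a small Python reader that loads AppView http.req and http.resp events as NDJSON (one event per line), checks them against the required fields and enumerations in the http.req / http.resp tables above, and joins each response to its request on _channel. The NDJSON sample is constructed from the two page examples plus one deliberately malformed record; the function names and the summary layout are this example's own.

```python
"""Added example: parse AppView http.req / http.resp events (NDJSON, one event per
line) and join request to response on _channel. Not AppView's own code."""
import json

# Enumerations copied from the http.req / http.resp schema tables above.
NET_TRANSPORTS = {"IP.TCP", "IP.UDP", "IP.RAW", "IP.RDM", "IP.SEQPACKET",
                  "Unix.TCP", "Unix.UDP", "Unix.RAW", "Unix.RDM", "Unix.SEQPACKET"}
HTTP_SCHEMES = {"http", "https"}
STATUS_CODES = {100, 101, 102, 200, 201, 202, 203, 204, 205, 206, 207, 208, 226,
                300, 301, 302, 303, 304, 305, 307, 400, 401, 402, 403, 404, 405,
                406, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 418,
                421, 422, 423, 424, 426, 428, 429, 431, 444, 451, 499, 500, 501,
                502, 503, 504, 505, 506, 507}
ENVELOPE_REQUIRED = {"type": str, "id": str, "_channel": str, "body": dict}
BODY_REQUIRED = {"sourcetype": str, "_time": (int, float), "source": str,
                 "host": str, "proc": str, "cmd": str, "pid": int, "data": dict}


def validate_http_event(evt):
    """Return a list of violations; an empty list means the event matches the tables."""
    problems = []
    for key, typ in ENVELOPE_REQUIRED.items():
        if not isinstance(evt.get(key), typ):
            problems.append(f"envelope: {key} missing or not {typ.__name__}")
    if problems:
        return problems
    if evt["type"] != "evt":
        problems.append("type must be evt")
    body = evt["body"]
    for key, typ in BODY_REQUIRED.items():
        if not isinstance(body.get(key), typ):
            problems.append(f"body: {key} missing or wrong type")
    if problems:
        return problems
    if body["sourcetype"] != "http":
        problems.append("sourcetype must be http")
    if body["source"] not in ("http.req", "http.resp"):
        problems.append("source must be http.req or http.resp")
    data = body["data"]
    if "http_scheme" in data and data["http_scheme"] not in HTTP_SCHEMES:
        problems.append(f"http_scheme {data['http_scheme']!r} not in {sorted(HTTP_SCHEMES)}")
    if "net_transport" in data and data["net_transport"] not in NET_TRANSPORTS:
        problems.append(f"net_transport {data['net_transport']!r} not allowed")
    for port in ("net_peer_port", "net_host_port"):
        if port in data and not isinstance(data[port], int):
            problems.append(f"{port} must be an integer")
    if body["source"] == "http.resp" and data.get("http_status_code") not in STATUS_CODES:
        problems.append("http.resp needs an http_status_code from the enumeration")
    return problems


def pair_http(events):
    """Join each http.resp with the http.req sharing its _channel; return one summary
    per response. Malformed events are skipped (a real pipeline would log them)."""
    pending, summaries = {}, []
    for evt in events:
        if validate_http_event(evt):
            continue
        body, chan = evt["body"], evt["_channel"]
        if body["source"] == "http.req":
            pending[chan] = body
            continue
        req = pending.pop(chan, None)
        d = body["data"]
        summaries.append({
            "channel": chan,
            "proc": f'{body["proc"]}[{body["pid"]}]',
            "method": d.get("http_method"),
            "target": d.get("http_target"),
            "host": d.get("http_host"),
            "status": d.get("http_status_code"),
            "server_ms": d.get("http_server_duration"),
            "peer": f'{d.get("net_peer_ip")}:{d.get("net_peer_port")}',
            # wall-clock gap between the two events, taken from their _time stamps
            "client_ms": round((body["_time"] - req["_time"]) * 1000, 3) if req else None,
        })
    return summaries


# Constructed input: the two http events from the tables above, compacted to one
# line each, plus a third record with an http_scheme the schema does not allow.
SAMPLE_NDJSON = """\
{"type":"evt","id":"ubuntu-firefox-/usr/lib/firefox/firefox","_channel":"13470846442500","body":{"sourcetype":"http","_time":1643735942.588626,"source":"http.req","host":"ubuntu","proc":"firefox","cmd":"/usr/lib/firefox/firefox","pid":6544,"data":{"http_method":"GET","http_target":"/canonical.html","http_flavor":"1.1","http_scheme":"http","http_host":"detectportal.firefox.com","net_transport":"IP.TCP","net_peer_ip":"34.107.221.82","net_peer_port":80,"net_host_ip":"172.16.198.210","net_host_port":33712}}}
{"type":"evt","id":"ubuntu-firefox-/usr/lib/firefox/firefox","_channel":"13470846442500","body":{"sourcetype":"http","_time":1643735942.613892,"source":"http.resp","host":"ubuntu","proc":"firefox","cmd":"/usr/lib/firefox/firefox","pid":6544,"data":{"http_method":"GET","http_target":"/canonical.html","http_scheme":"http","http_flavor":"1.1","http_status_code":200,"http_status_text":"OK","http_server_duration":26,"http_host":"detectportal.firefox.com","net_transport":"IP.TCP","net_peer_ip":"34.107.221.82","net_peer_port":80,"net_host_ip":"172.16.198.210","net_host_port":33712,"http_response_content_length":90}}}
{"type":"evt","id":"ubuntu-curl-/usr/bin/curl","_channel":"99","body":{"sourcetype":"http","_time":1643735950.0,"source":"http.req","host":"ubuntu","proc":"curl","cmd":"/usr/bin/curl","pid":7000,"data":{"http_method":"GET","http_target":"/","http_scheme":"ftp","net_transport":"IP.TCP"}}}
"""


def load_events(ndjson):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


SAMPLE_EVENTS = load_events(SAMPLE_NDJSON)

if __name__ == "__main__":
    for evt in SAMPLE_EVENTS:
        print(evt["_channel"], validate_http_event(evt) or "ok")
    for row in pair_http(SAMPLE_EVENTS):
        print(row)
```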

net.app ^

Structure of the net.app event

Example

{
  "type": "evt",
  "id": "ubuntu-firefox-/usr/lib/firefox/firefox",
  "_channel": "13470846442500",
  "body": {
    "sourcetype": "net",
    "_time": 1643735942.588594,
    "source": "net.app",
    "host": "ubuntu",
    "proc": "firefox",
    "cmd": "/usr/lib/firefox/firefox",
    "pid": 6544,
    "data": {
      "proc": "firefox",
      "pid": 6544,
      "fd": 91,
      "host": "ubuntu",
      "protocol": "HTTP"
    }
  }
}

net.app properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

net.app.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is net (meaning network).

Value must be net.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is a Network App (protocol detection) operation.

Value must be net.app.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

net.app.body.data properties

Property Description
proc (string) The name of the viewed app's process.
pid (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
host (string) Hostname for the host on which the viewed app was run.
protocol (string) Protocol detected in data transmitted over a network connection.

Possible values:
  • HTTP

net.close ^

Structure of the net.close event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-recvfrom01-nel/syscalls/recvfrom/recvfrom01",
  "_channel": "5912618970557",
  "body": {
    "sourcetype": "net",
    "_time": 1643735857.983449,
    "source": "net.close",
    "host": "8bc1398c19f3",
    "proc": "recvfrom01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/recvfrom/recvfrom01",
    "pid": 3793,
    "data": {
      "net_transport": "IP.TCP",
      "net_peer_ip": "0.0.0.0",
      "net_peer_port": 35533,
      "net_host_ip": "127.0.0.1",
      "net_host_port": 40184,
      "duration": 0,
      "net_bytes_sent": 0,
      "net_bytes_recv": 6,
      "net_close_reason": "local"
    }
  }
}

net.close properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

net.close.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is net (meaning network).

Value must be net.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is a Network Close operation.

Value must be net.close.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

net.close.body.data properties

Property Description
net_transport (string) Network layer used (before the dot) and transport layer used (after the dot).

Possible values:
  • IP.TCP
  • IP.UDP
  • IP.RAW
  • IP.RDM
  • IP.SEQPACKET
  • Unix.TCP
  • Unix.UDP
  • Unix.RAW
  • Unix.RDM
  • Unix.SEQPACKET
net_peer_ip (string) The IP address portion of the remote side of a network connection.
net_peer_port (integer) The port portion of the remote side of a network connection.
net_host_ip (string) The IP address portion of the local side of a network connection.
net_host_port (integer) The port portion of the local side of a network connection.
net_protocol (string) First network protocol detected from data sent or received.

Value must be http.
unix_peer_inode (number) Inode number for the remote end of a UNIX domain socket.
unix_local_inode (number) Inode number for the local end of a UNIX domain socket.
duration (number) Duration in milliseconds.

Example:
55
net_bytes_sent (number) The number of bytes of data sent over a network connection.
net_bytes_recv (number) The number of bytes of data received over a network connection.
net_close_reason (string) Specifies which end of a network connection initiated the closing of the connection.

Possible values:
  • local
  • remote

net.duration ^

Structure of the net.duration event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-recvmsg01-ernel/syscalls/recvmsg/recvmsg01",
  "_channel": "5912681876432",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735858.046756,
    "source": "net.duration",
    "host": "8bc1398c19f3",
    "proc": "recvmsg01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/recvmsg/recvmsg01",
    "pid": 3798,
    "data": {
      "_metric": "net.duration",
      "_metric_type": "timer",
      "_value": 1,
      "proc": "recvmsg01",
      "pid": 3798,
      "fd": 4,
      "proto": "TCP",
      "port": 41482,
      "numops": 1,
      "unit": "millisecond"
    }
  }
}

net.duration properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

net.duration.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is metric.

Value must be metric.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is a counter that measures Network duration.

Value must be net.duration.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

net.duration.body.data properties

Property Description
_metric (string) Indicates that the Source is a counter that measures Network duration.

Value must be net.duration.
_metric_type (string) Indicates that the metric is a timer.

Value must be timer.
_value (number) The value reported by the event or metric.

Example:
1
proc (string) The name of the viewed app's process.
pid (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
proto (string) The transmission protocol that the viewed app used to send data.

Possible values:
  • TCP
  • UDP
  • RAW
  • RDM
  • SEQPACKET
  • OTHER
port (number) Network port opened before a connection was initiated, or closed after the connection closed.
numops (number) Count of individual operations aggregated.
unit (string) Indicates that the metric's value is in milliseconds.

Value must be millisecond.

net.error ^

Structure of the net.error event

Example

{
  "type": "evt",
  "id": "90aac4bb0722-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "2745569202700291",
  "body": {
    "sourcetype": "metric",
    "_time": 1643972258.00885,
    "source": "net.error",
    "host": "90aac4bb0722",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1934,
    "data": {
      "_metric": "net.error",
      "_metric_type": "counter",
      "_value": 1,
      "proc": "accept01",
      "pid": 1934,
      "op": "accept",
      "class": "connection",
      "unit": "operation"
    }
  }
}

net.error properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

net.error.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is metric.

Value must be metric.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is a Network Error operation.

Value must be net.error.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

net.error.body.data properties

Property Description
_metric (string) Indicates that the Source is a Network Error operation.

Value must be net.error.
_metric_type (string) Indicates that the metric is a counter.

Value must be counter.
_value (number) The value reported by the event or metric.

Example:
1
proc (string) The name of the viewed app's process.
pid (integer) The process ID of the viewed app.

Example:
1000
op (string) The function that was executed.
class (string) Subcategory of network error.

Value must be connection.
unit (string) Indicates that the metric's value is a number of operations.

Value must be operation.

net.open ^

Structure of the net.open event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-accept02-/kernel/syscalls/accept/accept02",
  "_channel": "5890157346952",
  "body": {
    "sourcetype": "net",
    "_time": 1643735835.521928,
    "source": "net.open",
    "host": "8bc1398c19f3",
    "proc": "accept02",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept02",
    "pid": 1936,
    "data": {
      "net_transport": "IP.TCP",
      "net_peer_ip": "127.0.0.1",
      "net_peer_port": 58625,
      "net_host_ip": "0.0.0.0",
      "net_host_port": 0
    }
  }
}

net.open properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

net.open.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is net (meaning network).

Value must be net.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is a Network Open operation.

Value must be net.open.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

net.open.body.data properties

Property Description
net_transport (string) Network layer used (before the dot) and transport layer used (after the dot).

Possible values:
  • IP.TCP
  • IP.UDP
  • IP.RAW
  • IP.RDM
  • IP.SEQPACKET
  • Unix.TCP
  • Unix.UDP
  • Unix.RAW
  • Unix.RDM
  • Unix.SEQPACKET
net_peer_ip (string) The IP address portion of the remote side of a network connection.
net_peer_port (integer) The port portion of the remote side of a network connection.
net_host_ip (string) The IP address portion of the local side of a network connection.
net_host_port (integer) The port portion of the local side of a network connection.
unix_peer_inode (number) Inode number for the remote end of a UNIX domain socket.
unix_local_inode (number) Inode number for the local end of a UNIX domain socket.
net_protocol (string) First network protocol detected from data sent or received.

Value must be http.

net.other ^

Structure of the net.other event

Example

{
  "type": "evt",
  "id": "test_user-server_seqpacket-./server_seqpacket",
  "_channel": "11977632602680",
  "body": {
    "sourcetype": "metric",
    "_time": 1643886739.820863,
    "source": "net.other",
    "host": "test_user",
    "proc": "server_seqpacket",
    "cmd": "./server_seqpacket",
    "pid": 232570,
    "data": {
      "_metric": "net.other",
      "_metric_type": "gauge",
      "_value": 1,
      "proc": "server_seqpacket",
      "pid": 232570,
      "fd": 3,
      "proto": "SEQPACKET",
      "port": 0,
      "unit": "connection"
    }
  }
}

net.other properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

net.other.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is metric.

Value must be metric.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is a Network operation of an other-than-standard kind.

Value must be net.other.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

net.other.body.data properties

Property Description
_metric (string) Indicates that the Source is a Network operation of an other-than-standard kind.

Value must be net.other.
_metric_type (string) Indicates that the metric is a gauge.

Value must be gauge.
_value (number) The value reported by the event or metric.

Example:
1
proc (string) The name of the viewed app's process.
pid (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
proto (string) The transmission protocol that the viewed app used to send data.

Possible values:
  • TCP
  • UDP
  • RAW
  • RDM
  • SEQPACKET
  • OTHER
port (number) Network port opened before a connection was initiated, or closed after the connection closed.
unit (string) Indicates that the metric's value is a number of connections.

Value must be connection.

net.port ^

Structure of the net.port event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "5890091645261",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735835.455222,
    "source": "net.port",
    "host": "8bc1398c19f3",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1933,
    "data": {
      "_metric": "net.port",
      "_metric_type": "gauge",
      "_value": 1,
      "proc": "accept01",
      "pid": 1933,
      "fd": 4,
      "proto": "TCP",
      "port": 0,
      "unit": "instance"
    }
  }
}

net.port properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

net.port.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is metric.

Value must be metric.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is a gauge that identifies open ports.

Value must be net.port.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

net.port.body.data properties

Property Description
_metric (string) Indicates that the Source is a gauge that identifies open ports.

Value must be net.port.
_metric_type (string) Indicates that the metric is a gauge.

Value must be gauge.
_value (number) The value reported by the event or metric.

Example:
1
proc (string) The name of the viewed app's process.
pid (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
proto (string) The transmission protocol that the viewed app used to send data.

Possible values:
  • TCP
  • UDP
  • RAW
  • RDM
  • SEQPACKET
  • OTHER
port (number) Network port opened before a connection was initiated, or closed after the connection closed.
unit (string) Indicates that the metric's value is a number of instances.

Value must be instance.

net.rx ^

Structure of the net.rx event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-recvfrom01-nel/syscalls/recvfrom/recvfrom01",
  "_channel": "5912618970557",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735857.983368,
    "source": "net.rx",
    "host": "8bc1398c19f3",
    "proc": "recvfrom01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/recvfrom/recvfrom01",
    "pid": 3793,
    "data": {
      "_metric": "net.rx",
      "_metric_type": "counter",
      "_value": 6,
      "proc": "recvfrom01",
      "pid": 3793,
      "fd": 4,
      "domain": "AF_INET",
      "proto": "TCP",
      "localip": "127.0.0.1",
      "localp": 40184,
      "remoteip": "0.0.0.0",
      "remotep": 35533,
      "data": "clear",
      "numops": 1,
      "unit": "byte"
    }
  }
}

net.rx properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

net.rx.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is metric.

Value must be metric.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is a Network receive operation.

Value must be net.rx.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

net.rx.body.data properties

Property Description
_metric (string) Indicates that the Source is a Network receive operation.

Value must be net.rx.
_metric_type (string) Indicates that the metric is a counter.

Value must be counter.
_value (number) The value reported by the event or metric.

Example:
1
proc (string) The name of the viewed app's process.
pid (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
domain (string) The domain for which the viewed app made a DNS request.
proto (string) The transmission protocol that the viewed app used to send data.

Possible values:
  • TCP
  • UDP
  • RAW
  • RDM
  • SEQPACKET
  • OTHER
localip (string) The IP address portion of the local end of a network connection.

Example:
127.0.0.1
localp (number) The port portion of the local end of a network connection.

Example:
9109
localn (number) Inode number for the local end of a UNIX domain socket.
remoteip (string) IP address for the remote end of a network socket.

Example:
192.158.1.38
remotep (number) Port for the remote end of a network socket.

Example:
9108
remoten (number) Inode number for the remote end of a UNIX domain socket.
data (string) Specifies whether data was unencrypted (clear) or encrypted (SSL).

Possible values:
  • ssl
  • clear
numops (number) Count of individual operations aggregated.
unit (string) Indicates that the metric's value is in bytes.

Value must be byte.

net.tcp ^

Structure of the net.tcp event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "5890091645261",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735835.455387,
    "source": "net.tcp",
    "host": "8bc1398c19f3",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1933,
    "data": {
      "_metric": "net.tcp",
      "_metric_type": "gauge",
      "_value": 0,
      "proc": "accept01",
      "pid": 1933,
      "fd": 4,
      "proto": "TCP",
      "port": 0,
      "unit": "connection"
    }
  }
}

net.tcp properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

net.tcp.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is metric.

Value must be metric.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is a gauge that shows the current count of open TCP ports.

Value must be net.tcp.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

net.tcp.body.data properties

Property Description
_metric (string) Indicates that the Source is a gauge that shows the current count of open TCP ports.

Value must be net.tcp.
_metric_type (string) Indicates that the metric is a gauge.

Value must be gauge.
_value (number) The value reported by the event or metric.

Example:
1
proc (string) The name of the viewed app's process.
pid (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
proto (string) The transmission protocol that the viewed app used to send data.

Value must be TCP.
port (number) Network port opened before a connection was initiated, or closed after the connection closed.
unit (string) Indicates that the metric's value is a number of connections.

Value must be connection.

net.tx

Structure of the net.tx event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-recvfrom01-nel/syscalls/recvfrom/recvfrom01",
  "_channel": "5912618642035",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735857.983059,
    "source": "net.tx",
    "host": "8bc1398c19f3",
    "proc": "recvfrom01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/recvfrom/recvfrom01",
    "pid": 3795,
    "data": {
      "_metric": "net.tx",
      "_metric_type": "counter",
      "_value": 6,
      "proc": "recvfrom01",
      "pid": 3795,
      "fd": 4,
      "domain": "AF_INET",
      "proto": "TCP",
      "localip": "0.0.0.0",
      "localp": 0,
      "remoteip": "127.0.0.1",
      "remotep": 40184,
      "data": "clear",
      "numops": 1,
      "unit": "byte"
    }
  }
}

net.tx properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

net.tx.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is metric.

Value must be metric.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is a Network transmit operation.

Value must be net.tx.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

net.tx.body.data properties

Property Description
_metric (string) Indicates that the Source is a Network transmit operation.

Value must be net.tx.
_metric_type (string) Indicates that the metric is a counter.

Value must be counter.
_value (number) The value reported by the event or metric.

Example:
1
proc (string) The name of the viewed app's process.
pid (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
domain (string) The domain for which the viewed app made a DNS request.
proto (string) The transmission protocol that the viewed app used to send data.

Possible values:
  • TCP
  • UDP
  • RAW
  • RDM
  • SEQPACKET
  • OTHER
localip (string) The IP address portion of the local end of a network connection.

Example:
127.0.0.1
localp (number) The port portion of the local end of a network connection.

Example:
9109
localn (number) Inode number for the local end of a UNIX domain socket.
remoteip (string) IP address for the remote end of a network socket.

Example:
192.158.1.38
remotep (number) Port for the remote end of a network socket.

Example:
9108
remoten (number) Inode number for the remote end of a UNIX domain socket.
data (string) Specifies whether data was unencrypted (clear) or encrypted (SSL).

Possible values:
  • ssl
  • clear
numops (number) Count of individual operations aggregated.
unit (string) Indicates that the metric's value is in bytes.

Value must be byte.
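
The net.rx and net.tx counters above share one body.data layout, with a variation worth handling: an AF_INET socket reports remoteip and remotep, while a UNIX domain socket reports localn and remoten inode numbers instead. The Python below is an added example, not code from the AppView project, that sums the byte counters from ndjson input per process, direction, peer and encryption state, and then lists the peers that exchanged unencrypted (data = clear) bytes with non-loopback addresses. The sample lines are constructed from the page's net.tx example; the second process, its pid, file descriptors, inode numbers, local addresses and byte values are made up.

```python
import json
from collections import defaultdict

# Constructed ndjson input in the net.tx / net.rx shape documented above:
# the page's net.tx example, a second counter for the same peer, two net.rx
# counters from one remote peer (one ssl, one clear) and one net.tx counter
# over a UNIX domain socket, which carries inode numbers instead of ip:port.
# The "curl" process, its pid, fds, local addresses and values are made up.
SAMPLE_NDJSON = """\
{"type":"evt","id":"8bc1398c19f3-recvfrom01-nel/syscalls/recvfrom/recvfrom01","_channel":"5912618642035","body":{"sourcetype":"metric","_time":1643735857.983059,"source":"net.tx","host":"8bc1398c19f3","proc":"recvfrom01","cmd":"/opt/test/ltp/testcases/kernel/syscalls/recvfrom/recvfrom01","pid":3795,"data":{"_metric":"net.tx","_metric_type":"counter","_value":6,"proc":"recvfrom01","pid":3795,"fd":4,"domain":"AF_INET","proto":"TCP","localip":"0.0.0.0","localp":0,"remoteip":"127.0.0.1","remotep":40184,"data":"clear","numops":1,"unit":"byte"}}}
{"type":"evt","id":"8bc1398c19f3-recvfrom01-nel/syscalls/recvfrom/recvfrom01","_channel":"5912618642035","body":{"sourcetype":"metric","_time":1643735858.001210,"source":"net.tx","host":"8bc1398c19f3","proc":"recvfrom01","cmd":"/opt/test/ltp/testcases/kernel/syscalls/recvfrom/recvfrom01","pid":3795,"data":{"_metric":"net.tx","_metric_type":"counter","_value":10,"proc":"recvfrom01","pid":3795,"fd":4,"domain":"AF_INET","proto":"TCP","localip":"0.0.0.0","localp":0,"remoteip":"127.0.0.1","remotep":40184,"data":"clear","numops":2,"unit":"byte"}}}
{"type":"evt","id":"8bc1398c19f3-curl-curl","_channel":"5912618700001","body":{"sourcetype":"metric","_time":1643735860.100000,"source":"net.rx","host":"8bc1398c19f3","proc":"curl","cmd":"curl","pid":4100,"data":{"_metric":"net.rx","_metric_type":"counter","_value":1200,"proc":"curl","pid":4100,"fd":5,"domain":"AF_INET","proto":"TCP","localip":"172.17.0.2","localp":9109,"remoteip":"192.158.1.38","remotep":9108,"data":"ssl","numops":3,"unit":"byte"}}}
{"type":"evt","id":"8bc1398c19f3-curl-curl","_channel":"5912618700002","body":{"sourcetype":"metric","_time":1643735861.200000,"source":"net.rx","host":"8bc1398c19f3","proc":"curl","cmd":"curl","pid":4100,"data":{"_metric":"net.rx","_metric_type":"counter","_value":300,"proc":"curl","pid":4100,"fd":6,"domain":"AF_INET","proto":"TCP","localip":"172.17.0.2","localp":9110,"remoteip":"192.158.1.38","remotep":9108,"data":"clear","numops":1,"unit":"byte"}}}
{"type":"evt","id":"8bc1398c19f3-curl-curl","_channel":"5912618700003","body":{"sourcetype":"metric","_time":1643735862.300000,"source":"net.tx","host":"8bc1398c19f3","proc":"curl","cmd":"curl","pid":4100,"data":{"_metric":"net.tx","_metric_type":"counter","_value":40,"proc":"curl","pid":4100,"fd":7,"localn":12345,"remoten":12346,"data":"clear","numops":1,"unit":"byte"}}}
"""


def peer_of(data):
    """Peer label: ip:port for an AF_INET socket, the remote inode for a UNIX domain socket."""
    if "remoteip" in data:
        return f"{data['remoteip']}:{data.get('remotep', '?')}"
    if "remoten" in data:
        return f"unix:{data['remoten']}"
    return "unknown"


def aggregate_net_bytes(lines):
    """Sum net.rx / net.tx byte counters per (host, proc, pid, direction, proto, peer, clear|ssl)."""
    totals = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        evt = json.loads(line)
        body = evt.get("body", {})
        data = body.get("data", {})
        if body.get("source") not in ("net.rx", "net.tx"):
            continue
        # Only sum what the schema declares to be a byte counter.
        if data.get("_metric_type") != "counter" or data.get("unit") != "byte":
            continue
        key = (body["host"], body["proc"], body["pid"], body["source"],
               data.get("proto", "?"), peer_of(data), data.get("data", "?"))
        totals[key] += data["_value"]
    return dict(totals)


def clear_text_remote_bytes(totals):
    """Bytes exchanged in the clear with peers that are neither loopback nor
    UNIX domain sockets, summed over both directions and keyed by (proc, peer)."""
    out = {}
    for (_host, proc, _pid, _direction, _proto, peer, enc), n in totals.items():
        if enc != "clear" or peer.startswith(("unix:", "127.", "::1")):
            continue
        out[(proc, peer)] = out.get((proc, peer), 0) + n
    return out


if __name__ == "__main__":
    totals = aggregate_net_bytes(SAMPLE_NDJSON.splitlines())
    for key, n in sorted(totals.items()):
        print(n, "bytes", key)
    print("clear-text bytes with remote peers:", clear_text_remote_bytes(totals))
```

The aggregation keeps ssl and clear totals for the same peer apart, so the report can show that the constructed curl process spoke TLS to 192.158.1.38 and also sent it 300 bytes in the clear, while loopback and UNIX-socket traffic is left out of the clear-text report.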

net.udp

Structure of the net.udp event

Example

{
  "type": "evt",
  "id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "5890091656419",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735835.455419,
    "source": "net.udp",
    "host": "8bc1398c19f3",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1933,
    "data": {
      "_metric": "net.udp",
      "_metric_type": "gauge",
      "_value": 0,
      "proc": "accept01",
      "pid": 1933,
      "fd": 5,
      "proto": "UDP",
      "port": 0,
      "unit": "connection"
    }
  }
}

net.udp properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

net.udp.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is metric.

Value must be metric.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is a gauge that shows the current count of open UDP ports.

Value must be net.udp.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

net.udp.body.data properties

Property Description
_metric (string) Indicates that the Source is a gauge that shows the current count of open UDP ports.

Value must be net.udp.
_metric_type (string) Indicates that the metric is a gauge.

Value must be gauge.
_value (number) The value reported by the event or metric.

Example:
1
proc (string) The name of the viewed app's process.
pid (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
proto (string) The transmission protocol that the viewed app used to send data.

Value must be UDP.
port (number) Network port opened before a connection was initiated, or closed after the connection closed.
unit (string) Indicates that the metric's value is a number of connections.

Value must be connection.

notice

Structure of the notice event

Example

{
  "type": "evt",
  "id": "9a721a6ad0be-htop-htop",
  "_channel": "13544129471303",
  "body": {
    "sourcetype": "metric",
    "_time": 1643888296.317304,
    "source": "notice",
    "host": "9a721a6ad0be",
    "proc": "htop",
    "cmd": "htop",
    "pid": 302,
    "data": "Truncated metrics. Your rate exceeded 10000 metrics per second"
  }
}

notice properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

notice.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is metric.

Value must be metric.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is an AppView notification.

Value must be notice.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (string) The data that the viewed app emitted as output.

sec.conn

Structure of the sec.conn event

Example

{
  "type": "evt",
  "id": "ubuntu-firefox-/usr/lib/firefox/firefox",
  "_channel": "13470757294558",
  "body": {
    "sourcetype": "sec",
    "_time": 1643735942.526987,
    "source": "sec.conn",
    "host": "ubuntu",
    "proc": "firefox",
    "cmd": "/usr/lib/firefox/firefox",
    "pid": 6544,
    "data": {
      "address": "8.23.2.2",
      "port": 22,
      "reason": "Connection requested to blacklisted IP address and/or Port"
    }
  }
}

sec.conn properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

sec.conn.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is sec (meaning security).

Value must be sec.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is connection security detection.

Value must be sec.conn.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

sec.conn.body.data properties

Property Description
address required (string) IP address(es) to which the viewed app made a connection.
port required (number) Network port opened before a connection was initiated, or closed after the connection closed.
reason required (string) Reason for event.

Example:
File not defined in allow list was accessed

sec.dns

Structure of the sec.dns event

Example

{
  "type": "evt",
  "id": "ubuntu-firefox-/usr/lib/firefox/firefox",
  "_channel": "13470757294558",
  "body": {
    "sourcetype": "sec",
    "_time": 1643735942.526987,
    "source": "sec.dns",
    "host": "ubuntu",
    "proc": "firefox",
    "cmd": "/usr/lib/firefox/firefox",
    "pid": 6544,
    "data": {
      "dns_name": "bad-exfil.net",
      "reason": "Exfiltration over DNS was detected"
    }
  }
}

sec.dns properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

sec.dns.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is sec (meaning security).

Value must be sec.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is DNS security detection.

Value must be sec.dns.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

sec.dns.body.data properties

Property Description
dns_name required (string) DNS name.
reason required (string) Reason for event.

Example:
File not defined in allow list was accessed

sec.file

Structure of the sec.file event

Example

{
  "type": "evt",
  "id": "ubuntu-firefox-/usr/lib/firefox/firefox",
  "_channel": "13470757294558",
  "body": {
    "sourcetype": "sec",
    "_time": 1643735942.526987,
    "source": "sec.file",
    "host": "ubuntu",
    "proc": "firefox",
    "cmd": "/usr/lib/firefox/firefox",
    "pid": 6544,
    "data": {
      "file": "/etc/passwd",
      "reason": "Write to system file",
      "write_bytes": 250
    }
  }
}

sec.file properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

sec.file.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is sec (meaning security).

Value must be sec.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is file security detection.

Value must be sec.file.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

sec.file.body.data properties

Property Description
file required (string) The name of the file.
reason required (string) Reason for event.

Example:
File not defined in allow list was accessed
write_bytes required (integer) The number of bytes of data written to a file.

Example:
10

sec.got

Structure of the sec.got event

Example

{
  "type": "evt",
  "id": "ubuntu-firefox-/usr/lib/firefox/firefox",
  "_channel": "13470757294558",
  "body": {
    "sourcetype": "sec",
    "_time": 1643735942.526987,
    "source": "sec.got",
    "host": "ubuntu",
    "proc": "firefox",
    "cmd": "/usr/lib/firefox/firefox",
    "pid": 6544,
    "data": {
      "function": "open",
      "reason": "Detected GOT hooking",
      "redirected_from": "0x111000",
      "redirected_to": "0x444000"
    }
  }
}

sec.got properties

Property Description
type required (string) Distinguishes events from metrics.

Value must be evt.
id required (string) Identifies the application that the process is associated with.
_channel required (string) Identifies the operation during whose lifetime the event or metric is emitted.
body required (object) body

Details below.

sec.got.body properties

Property Description
sourcetype required (string) Indicates that the Sourcetype is sec (meaning security).

Value must be sec.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
source required (string) Indicates that the Source is GOT security detection.

Value must be sec.got.
host required (string) Hostname for the host on which the viewed app was run.
proc required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
pid required (integer) The process ID of the viewed app.

Example:
1000
data required (object) data

Details below.

sec.got.body.data properties

Property Description
function required (string) The function name in the codebase.
reason required (string) Reason for event.

Example:
File not defined in allow list was accessed
redirected_from required (string) Function redirected from.
redirected_to required (string) Function redirected to.
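
The four sec.* events above (sec.conn, sec.dns, sec.file and sec.got) share one body layout and differ only in the required keys of body.data. The Python below is an added example, not AppView's own code, that checks each incoming ndjson line against the required keys documented in those tables before flattening the event into one alert record, so a malformed or truncated line is rejected instead of being forwarded as an alert. The sample input is constructed from the four examples on this page, plus a sec.file event with write_bytes removed, a console event and a corrupt line.

```python
import json
from typing import Any

# Keys required in body.data for each security source, taken from the
# sec.conn, sec.dns, sec.file and sec.got property tables above.
SEC_DATA_KEYS = {
    "sec.conn": {"address", "port", "reason"},
    "sec.dns": {"dns_name", "reason"},
    "sec.file": {"file", "reason", "write_bytes"},
    "sec.got": {"function", "reason", "redirected_from", "redirected_to"},
}

# Keys required in body for every sec.* event.
BODY_KEYS = {"sourcetype", "_time", "source", "host", "proc", "cmd", "pid", "data"}

# Constructed ndjson input: the four documented examples, one sec.file event
# with write_bytes missing (line 5), one console event (line 6) and one
# corrupt line (line 7).
SAMPLE_NDJSON = """\
{"type":"evt","id":"ubuntu-firefox-/usr/lib/firefox/firefox","_channel":"13470757294558","body":{"sourcetype":"sec","_time":1643735942.526987,"source":"sec.conn","host":"ubuntu","proc":"firefox","cmd":"/usr/lib/firefox/firefox","pid":6544,"data":{"address":"8.23.2.2","port":22,"reason":"Connection requested to blacklisted IP address and/or Port"}}}
{"type":"evt","id":"ubuntu-firefox-/usr/lib/firefox/firefox","_channel":"13470757294558","body":{"sourcetype":"sec","_time":1643735942.526987,"source":"sec.dns","host":"ubuntu","proc":"firefox","cmd":"/usr/lib/firefox/firefox","pid":6544,"data":{"dns_name":"bad-exfil.net","reason":"Exfiltration over DNS was detected"}}}
{"type":"evt","id":"ubuntu-firefox-/usr/lib/firefox/firefox","_channel":"13470757294558","body":{"sourcetype":"sec","_time":1643735942.526987,"source":"sec.file","host":"ubuntu","proc":"firefox","cmd":"/usr/lib/firefox/firefox","pid":6544,"data":{"file":"/etc/passwd","reason":"Write to system file","write_bytes":250}}}
{"type":"evt","id":"ubuntu-firefox-/usr/lib/firefox/firefox","_channel":"13470757294558","body":{"sourcetype":"sec","_time":1643735942.526987,"source":"sec.got","host":"ubuntu","proc":"firefox","cmd":"/usr/lib/firefox/firefox","pid":6544,"data":{"function":"open","reason":"Detected GOT hooking","redirected_from":"0x111000","redirected_to":"0x444000"}}}
{"type":"evt","id":"ubuntu-firefox-/usr/lib/firefox/firefox","_channel":"13470757294558","body":{"sourcetype":"sec","_time":1643735942.526987,"source":"sec.file","host":"ubuntu","proc":"firefox","cmd":"/usr/lib/firefox/firefox","pid":6544,"data":{"file":"/etc/passwd","reason":"Write to system file"}}}
{"type":"evt","id":"eaf4d0598443-a.out-./a.out","_channel":"8499188821284","body":{"sourcetype":"console","_time":1643883251.376672,"source":"stderr","host":"eaf4d0598443","proc":"a.out","cmd":"./a.out","pid":986,"data":{"message":"stderr hello world"}}}
not json at all
"""


def validate_sec_event(evt: dict[str, Any]) -> list[str]:
    """Return the schema problems found; an empty list means the event
    matches the documented sec.* structure."""
    problems: list[str] = []
    if evt.get("type") != "evt":
        problems.append("type must be 'evt'")
    problems += [f"missing top-level key {k!r}" for k in ("id", "_channel") if k not in evt]
    body = evt.get("body")
    if not isinstance(body, dict):
        return problems + ["body must be an object"]
    missing = BODY_KEYS - body.keys()
    if missing:
        problems.append(f"body missing {sorted(missing)}")
    if body.get("sourcetype") != "sec":
        problems.append("sourcetype must be 'sec'")
    source = body.get("source")
    if source not in SEC_DATA_KEYS:
        return problems + [f"unknown security source {source!r}"]
    data = body.get("data")
    if not isinstance(data, dict):
        return problems + ["data must be an object"]
    missing = SEC_DATA_KEYS[source] - data.keys()
    if missing:
        problems.append(f"{source} data missing {sorted(missing)}")
    return problems


def summarize_sec_event(evt: dict[str, Any]) -> dict[str, Any]:
    """Flatten a validated sec.* event into one alert record with a
    source-specific 'target' field."""
    body, data = evt["body"], evt["body"]["data"]
    source = body["source"]
    if source == "sec.conn":
        target = f"{data['address']}:{data['port']}"
    elif source == "sec.dns":
        target = data["dns_name"]
    elif source == "sec.file":
        target = f"{data['file']} ({data['write_bytes']} bytes written)"
    else:  # sec.got: a GOT entry was redirected between two addresses
        target = f"{data['function']} {data['redirected_from']} -> {data['redirected_to']}"
    return {"time": body["_time"], "host": body["host"], "proc": body["proc"],
            "pid": body["pid"], "source": source, "target": target, "reason": data["reason"]}


def process_ndjson(lines):
    """Return (alerts, rejected): alert records for well-formed sec.* events,
    and (line number, problem) pairs for lines that cannot be trusted."""
    alerts, rejected = [], []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            evt = json.loads(line)
        except json.JSONDecodeError as exc:
            rejected.append((n, f"invalid JSON: {exc.msg}"))
            continue
        body = evt.get("body") if isinstance(evt, dict) else None
        if not isinstance(body, dict) or body.get("sourcetype") != "sec":
            continue  # console, fs, net, metric and other sourcetypes are not handled here
        problems = validate_sec_event(evt)
        if problems:
            rejected.append((n, "; ".join(problems)))
        else:
            alerts.append(summarize_sec_event(evt))
    return alerts, rejected


if __name__ == "__main__":
    alerts, rejected = process_ndjson(SAMPLE_NDJSON.splitlines())
    for a in alerts:
        print(f"{a['source']:9} {a['host']}/{a['proc']}[{a['pid']}] {a['target']}: {a['reason']}")
    for n, why in rejected:
        print(f"line {n} rejected: {why}")
```

Validating before summarizing matters because the reason strings are free text: a downstream rule that keys on write_bytes or redirected_to would otherwise raise on the truncated line rather than surfacing it as a rejected record with a line number.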

start.msg

Structure of the process-start message

Example

{
  "format": "ndjson",
  "info": {
    "process": {
      "libappviewver": "v1.3.0",
      "pid": 35673,
      "ppid": 3390,
      "gid": 1000,
      "groupname": "test_user",
      "uid": 1000,
      "username": "test_user",
      "hostname": "test_user",
      "procname": "ls",
      "cmd": "ls --color=auto",
      "id": "test_user-ls-ls --color=auto",
      "cgroup": "9:cpuset:/",
      "machine_id": "a1e2ada5a5b1b273b4b5c0c2c1c4f5d1",
      "uuid": "da845a9b-a55d-4c42-893d-08b54ee6e999"
    },
    "configuration": {
      "current": {
        "metric": {
          "enable": "true",
          "transport": {
            "type": "udp",
            "host": "127.0.0.1",
            "port": "8125",
            "tls": {
              "enable": "false",
              "validateserver": "true",
              "cacertpath": ""
            }
          },
          "format": {
            "type": "statsd",
            "statsdprefix": "",
            "statsdmaxlen": 512,
            "verbosity": 4
          },
          "watch": [
            {
              "type": "fs"
            },
            {
              "type": "net"
            },
            {
              "type": "http"
            },
            {
              "type": "dns"
            },
            {
              "type": "process"
            },
            {
              "type": "statsd"
            }
          ]
        },
        "libappview": {
          "log": {
            "level": "info",
            "transport": {
              "type": "file",
              "path": "/tmp/appview.log",
              "buffering": "line"
            }
          },
          "snapshot": {
            "coredump": "false",
            "backtrace": "false"
          },
          "configevent": "true",
          "summaryperiod": 10,
          "commanddir": "/tmp"
        },
        "event": {
          "enable": "true",
          "transport": {
            "type": "tcp",
            "host": "127.0.0.1",
            "port": "9109",
            "tls": {
              "enable": "false",
              "validateserver": "true",
              "cacertpath": ""
            }
          },
          "format": {
            "type": "ndjson",
            "maxeventpersec": 10000,
            "enhancefs": "true"
          },
          "watch": [
            {
              "type": "file",
              "name": "(\\/logs?\\/)|(\\.log$)|(\\.log[.\\d])",
              "field": ".*",
              "value": ".*"
            },
            {
              "type": "console",
              "name": "(stdout)|(stderr)",
              "field": ".*",
              "value": ".*",
              "allowbinary": "true"
            },
            {
              "type": "http",
              "name": ".*",
              "field": ".*",
              "value": ".*",
              "headers": []
            },
            {
              "type": "net",
              "name": ".*",
              "field": ".*",
              "value": ".*"
            },
            {
              "type": "fs",
              "name": ".*",
              "field": ".*",
              "value": ".*"
            },
            {
              "type": "dns",
              "name": ".*",
              "field": ".*",
              "value": ".*"
            }
          ]
        },
        "payload": {
          "enable": "false",
          "dir": "/tmp"
        },
        "tags": {},
        "protocol": [],
        "cribl": {
          "enable": "false",
          "transport": {
            "type": "edge"
          },
          "authtoken": ""
        }
      }
    },
    "environment": {}
  }
}

start.msg properties

Property Description
authtoken (string) Token used for authenticating to Cribl Edge or Stream.
format required (string) Specifies the format for output of events and metrics from AppView. See appview.yml.

Possible values:
  • appview
  • ndjson
breaker (string) Specifies an Event Breaker for Cribl Edge or Stream to use.

Value must be Cribl - Do Not Break Ruleset.
info required (object) The principal container for start-message information, in the form of nested process, configuration, and environment objects.

Details below.

start.msg.info properties

Property Description
process required (object) Describes the process associated with the viewed app.

Details below.
configuration required (object) Container for configurations. For now, describes current configuration only.

Details below.
environment required (object) Environment variables present when the current configuration was loaded.

Details below.

start.msg.info.process properties

Property Description
libappviewver required (string) Version of the AppView library that is currently loaded.

Example:
v1.0.0
pid required (integer) The process ID of the viewed app.

Example:
1000
ppid required (integer) The process ID of the parent process of the viewed app.
gid required (integer) Group ID of the user who created the process.

Example:
0
groupname required (string) Groupname of the user who created the process.

Example:
root
uid required (integer) User ID of the user who created the process.

Example:
0
username required (string) Username of the user who created the process.

Example:
root
hostname required (string) Hostname for the host on which the viewed app was run.
procname required (string) The name of the viewed app's process.
cmd required (string) The command that was run to start the viewed app.

Example:
top
id required (string) An ID that concatenates (possibly truncated) the viewed app's hostname, procname, and command, to facilitate correlation of similar processes when searching, graphing, or aggregating.
cgroup required (string) The cgroup for the process.
machine_id required (string) A unique identifier for a machine.
uuid required (string) A unique identifier for a process.

start.msg.info.configuration properties

Property Description
current (object) Describes the current configuration.

Details below.

start.msg.info.environment properties

Property Description

start.msg.info.configuration.current properties

Property Description
metric (object) Settings for metrics. See appview.yml.

Details below.
libappview (object) Specifies how to set up the AppView library. See appview.yml.

Details below.
event (object) Settings for events. See appview.yml.

Details below.
payload (object) Settings for enabling and storing payloads. See appview.yml.

Details below.
tags (object) User-defined tags which become fields in generated events and metrics. See appview.yml.

Details below.
protocol (array) List whose entries define protocols that AppView should detect in network payloads, and how to handle matches. See appview.yml.
cribl (object) Settings for the cribl backend. See appview.yml.

Details below.

start.msg.info.configuration.current.metric properties

Property Description
enable (string) Specifies whether a feature or some functionality is enabled or disabled overall.

Possible values:
  • true
  • false
transport (object) Backend connection for metrics or events. See appview.yml.

Details below.
format (object) Settings for the format of metric data. See appview.yml.

Details below.
watch (array) Array containing objects that enable different categories of metrics. See appview.yml.

start.msg.info.configuration.current.libappview properties

Property Description
log (object) Logging settings for the AppView library. See appview.yml.

Details below.
configevent (string) When enabled, AppView guarantees that a process start message is the first event sent over the current connection.

Possible values:
  • true
  • false
summaryperiod (integer) Time interval over which to perform aggregation. See appview.yml.
commanddir (string) The directory AppView polls for an appview.<pid> file, as explained in the Dynamic Configuration section of the Using the CLI page of the AppView docs.
snapshot (object) Settings to specify content of the snapshot AppView creates for crash analysis.

Details below.

start.msg.info.configuration.current.event properties

Property Description
enable (string) Specifies whether a feature or some functionality is enabled or disabled overall.

Possible values:
  • true
  • false
transport (object) Backend connection for events. See appview.yml.

Details below.
format (object) Settings for the format of event data. See appview.yml.

Details below.
watch (array) Array containing objects that enable different categories of events. See appview.yml.

start.msg.info.configuration.current.payload properties

Property Description
enable (string) Specifies whether a feature or some functionality is enabled or disabled overall.

Possible values:
  • true
  • false
dir (string) Specifies the directory where payload data should be written. Applies only when payloads are enabled and a backend other than cribl is used. See appview.yml.

start.msg.info.configuration.current.tags properties

Property Description

start.msg.info.configuration.current.cribl properties

Property Description
enable (string) Specifies whether a feature or some functionality is enabled or disabled overall.

Possible values:
  • true
  • false
transport (object) Backend connection to Cribl Edge or Stream. See appview.yml.

Details below.
authtoken (string) Token used for authenticating to Cribl Edge or Stream.

start.msg.info.configuration.current.metric.transport properties

Property Description
type (string) Specifies the transport mechanism on which to send and/or receive data. See appview.yml.

Possible values:
  • tcp
  • udp
  • unix
  • file
  • edge
host (string) Hostname for the host on which the viewed app was run.
port (string) Connection port. See appview.yml.
path (string) File or UNIX domain socket path. See appview.yml.

Example:
/tmp/appview.log
buffering (string) File buffering. See appview.yml.

Possible values:
  • line
  • full
tls (object) TLS connection settings. See appview.yml.

Details below.

start.msg.info.configuration.current.metric.format properties

Property Description
type (string) Specifies the format of metric data. See appview.yml.

Possible values:
  • statsd
  • ndjson
statsdprefix (string) Specifies a prefix to prepend to the metric name. See appview.yml.
statsdmaxlen (integer) Specifies the maximum length for a string that expresses a StatsD metric. See appview.yml.
verbosity (integer) Controls the tag cardinality and aggregation of a metric. See appview.yml.

start.msg.info.configuration.current.libappview.log properties

Property Description
level (string) Specifies log level. See appview.yml.

Possible values:
  • debug
  • info
  • warning
  • error
  • none
transport (object) Backend connection for AppView library logging. See appview.yml.

Details below.

start.msg.info.configuration.current.libappview.snapshot properties

Property Description
coredump (string) When true, AppView captures a core dump whenever the kernel sends the viewed app a fatal signal (i.e., illegal instruction, bus error, segmentation fault, or floating point exception).

Possible values:
  • true
  • false
backtrace (string) When true, AppView captures a backtrace (a.k.a. stack trace) whenever the kernel sends the viewed app a fatal signal (i.e., illegal instruction, bus error, segmentation fault, or floating point exception).

Possible values:
  • true
  • false

start.msg.info.configuration.current.event.transport properties

Property Description
type (string) Specifies the transport mechanism on which to send and/or receive data. See appview.yml.

Possible values:
  • tcp
  • udp
  • unix
  • file
  • edge
host (string) Hostname for the host on which the viewed app was run.
port (string) Connection port. See appview.yml.
path (string) File or UNIX domain socket path. See appview.yml.

Example:
/tmp/appview.log
buffering (string) File buffering. See appview.yml.

Possible values:
  • line
  • full
tls (object) Specifies whether to enable TLS for the metrics backend. See appview.yml.

Details below.

start.msg.info.configuration.current.event.format properties

Property Description
type (string) Specifies the format of metric data. See appview.yml.

Possible values:
  • statsd
  • ndjson
maxeventpersec (integer) Specifies a rate limit for events. See appview.yml.
enhancefs (string) Specifies whether to display full information about fs events.

Possible values:
  • true
  • false

start.msg.info.configuration.current.cribl.transport properties

Property Description
type (string) Specifies the transport mechanism on which to send and/or receive data. See appview.yml.

Possible values:
  • tcp
  • udp
  • unix
  • file
  • edge
host (string) Hostname for the host on which the viewed app was run.
port (string) Connection port. See appview.yml.
path (string) File or UNIX domain socket path. See appview.yml.

Example:
/tmp/appview.log
buffering (string) File buffering. See appview.yml.

Possible values:
  • line
  • full
tls (object) TLS settings for the Cribl backend. See appview.yml.

Details below.

start.msg.info.configuration.current.metric.transport.tls properties

Property Description
enable (string) Specifies whether a feature or some functionality is enabled or disabled overall.

Possible values:
  • true
  • false
validateserver (string) Specifies whether to validate the TLS server certificate. See appview.yml.

Possible values:
  • true
  • false
cacertpath (string) CA Certificate Path. See appview.yml.

start.msg.info.configuration.current.libappview.log.transport properties

Property Description
type (string) Specifies the transport mechanism on which to send and/or receive data. See appview.yml.

Possible values:
  • tcp
  • udp
  • unix
  • file
  • edge
host (string) Hostname for the host on which the viewed app was run.
port (string) Connection port. See appview.yml.
path (string) File or UNIX domain socket path. See appview.yml.

Example:
/tmp/appview.log
buffering (string) File buffering. See appview.yml.

Possible values:
  • line
  • full
tls (object) TLS settings for backend used by the AppView library. See appview.yml.

Details below.

start.msg.info.configuration.current.event.transport.tls properties

Property Description
enable (string) Specifies whether a feature or some functionality is enabled or disabled overall.

Possible values:
  • true
  • false
validateserver (string) Specifies whether to validate the TLS server certificate. See appview.yml.

Possible values:
  • true
  • false
cacertpath (string) CA Certificate Path. See appview.yml.

start.msg.info.configuration.current.cribl.transport.tls properties

Property Description
enable (string) Specifies whether a feature or some functionality is enabled or disabled overall.

Possible values:
  • true
  • false
validateserver (string) Specifies whether to validate the TLS server certificate. See appview.yml.

Possible values:
  • true
  • false
cacertpath (string) CA Certificate Path. See appview.yml.

start.msg.info.configuration.current.libappview.log.transport.tls properties

Property Description
enable (string) Specifies whether a feature or some functionality is enabled or disabled overall.

Possible values:
  • true
  • false
validateserver (string) Specifies whether to validate the TLS server certificate. See appview.yml.

Possible values:
  • true
  • false
cacertpath (string) CA Certificate Path. See appview.yml.
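As an added example, not AppView's own code, the following check reads the configuration.current block that a start message reports and flags the weak TLS combinations the tables above permit: a tcp transport with enable false, or enable true with validateserver false. It assumes the key nesting implied by the section headings (cribl.transport, metric.transport, event.transport, libappview.log.transport), treats udp as carrying no TLS and file/unix/edge as local, and runs on a constructed sample block.

```python
"""Audit the transport settings that an AppView start message reports.

Added example, not AppView's own code. It takes the configuration.current
object whose transport tables are documented above and inspects the tls
sub-object of each network transport.
"""

# Where each documented transport lives under configuration.current
# (assumed from the section headings: cribl.transport, metric.transport,
# event.transport, libappview.log.transport).
TRANSPORT_PATHS = {
    "cribl": ("cribl", "transport"),
    "metric": ("metric", "transport"),
    "event": ("event", "transport"),
    "libappview.log": ("libappview", "log", "transport"),
}

# Finding texts, kept as constants so callers can match on them.
TLS_DISABLED = "tcp transport with TLS disabled"
NO_VALIDATE = "TLS enabled but server certificate not validated"
CLEARTEXT_UDP = "udp transport is cleartext"


def _dig(obj, path):
    """Follow a tuple of keys through nested dicts; None if any step is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def _is_true(value):
    """The schema encodes booleans as the strings "true"/"false"; real booleans
    are accepted too so a hand-edited config is judged the same way."""
    return str(value).lower() == "true"


def audit_transports(current):
    """Return [(transport name, finding), ...]; an empty list means no weak setting.

    file, unix and edge transports are treated as local and skipped (assumption);
    udp has no TLS, so it is reported as cleartext outright.
    """
    findings = []
    for name, path in TRANSPORT_PATHS.items():
        transport = _dig(current, path)
        if not isinstance(transport, dict):
            continue
        ttype = transport.get("type")
        if ttype == "udp":
            findings.append((name, CLEARTEXT_UDP))
        elif ttype == "tcp":
            tls = transport.get("tls") or {}
            if not _is_true(tls.get("enable")):
                findings.append((name, TLS_DISABLED))
            elif not _is_true(tls.get("validateserver")):
                findings.append((name, NO_VALIDATE))
    return findings


# Constructed sample of a configuration.current block (not captured output):
# two weak tcp transports, one udp transport and a local log file.
SAMPLE_CURRENT = {
    "cribl": {"transport": {"type": "tcp", "host": "127.0.0.1", "port": "10090",
                            "tls": {"enable": "false", "validateserver": "true", "cacertpath": ""}}},
    "metric": {"transport": {"type": "udp", "host": "127.0.0.1", "port": "8125"}},
    "event": {"transport": {"type": "tcp", "host": "127.0.0.1", "port": "9109",
                            "tls": {"enable": "true", "validateserver": "false", "cacertpath": ""}}},
    "libappview": {"log": {"transport": {"type": "file", "path": "/tmp/appview.log",
                                         "buffering": "line"}}},
}

# The same block with each tcp transport corrected: TLS on, server validated.
HARDENED_CURRENT = {
    "cribl": {"transport": {"type": "tcp", "host": "127.0.0.1", "port": "10090",
                            "tls": {"enable": "true", "validateserver": "true",
                                    "cacertpath": "/etc/ssl/certs/ca-certificates.crt"}}},
    "event": {"transport": {"type": "tcp", "host": "127.0.0.1", "port": "9109",
                            "tls": {"enable": "true", "validateserver": "true",
                                    "cacertpath": "/etc/ssl/certs/ca-certificates.crt"}}},
    "libappview": {"log": {"transport": {"type": "file", "path": "/tmp/appview.log"}}},
}

if __name__ == "__main__":
    for name, finding in audit_transports(SAMPLE_CURRENT):
        print(f"{name}: {finding}")
    print("hardened:", audit_transports(HARDENED_CURRENT) or "no findings")
```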

dns.req ^

Structure of the dns.req metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "dns.req",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "lt-curl",
    "pid": 31,
    "host": "2a6bc132b07a",
    "unit": "request",
    "summary": "true",
    "_time": 1643832467.795134
  }
}
{
  "type": "metric",
  "body": {
    "_metric": "dns.req",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "lt-curl",
    "pid": 2485,
    "host": "2a6bc132b07a",
    "domain": "cribl.io",
    "duration": 0,
    "unit": "request",
    "_time": 1643832569.764219
  }
}

dns.req properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

dns.req.body properties

Property Description
_metric required (string) Indicates that the Source is a Network DNS operation.

Value must be dns.req.
_metric_type required (string) Indicates that the metric is a counter.

Value must be counter.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
host required (string) Hostname for the host on which the viewed app was run.
domain (string) The domain for which the viewed app made a DNS request.
duration (number) Duration in milliseconds.

Example:
55
unit required (string) Indicates that the metric's value is a number of requests.

Value must be request.
summary (string) When true, indicates that the metric value is an aggregation.

Value must be true.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

fs.close ^

Structure of the fs.close metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "fs.close",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "accept01",
    "pid": 13687,
    "host": "1f0ec6c8a7bc",
    "unit": "operation",
    "summary": "true",
    "_time": 1643826403.121424
  }
}
{
  "type": "metric",
  "body": {
    "_metric": "fs.close",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "accept01",
    "pid": 9871,
    "fd": 3,
    "host": "1f0ec6c8a7bc",
    "op": "close",
    "file": "/dev/shm/ltp_accept01_9870",
    "unit": "operation",
    "_time": 1643826292.07658
  }
}

fs.close properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

fs.close.body properties

Property Description
_metric required (string) Indicates that the Source is a File Close operation.

Value must be fs.close.
_metric_type required (string) Indicates that the metric is a counter.

Value must be counter.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
host required (string) Hostname for the host on which the viewed app was run.
op (string) The close operation that was executed on the filesystem.

Possible values:
  • go_close
  • closedir
  • freopen
  • freopen64
  • close
  • fclose
  • close$NOCANCEL
  • guarded_close_np
  • close_nocancel
file (string) The name of the file.
unit required (string) Indicates that the metric's value is a number of operations.

Value must be operation.
summary (string) When true, indicates that the metric value is an aggregation.

Value must be true.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

fs.duration ^

Structure of the fs.duration metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "fs.duration",
    "_metric_type": "histogram",
    "_value": 1,
    "proc": "access01",
    "pid": 13697,
    "host": "1f0ec6c8a7bc",
    "unit": "microsecond",
    "summary": "true",
    "_time": 1643826404.006442
  }
}
{
  "type": "metric",
  "body": {
    "_metric": "fs.duration",
    "_metric_type": "histogram",
    "_value": 16,
    "proc": "accept01",
    "pid": 9871,
    "fd": 3,
    "host": "1f0ec6c8a7bc",
    "op": "fgets_unlocked",
    "file": "/etc/passwd",
    "numops": 1,
    "unit": "microsecond",
    "_time": 1643826292.076675
  }
}

fs.duration properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

fs.duration.body properties

Property Description
_metric required (string) Indicates that the Source is a File Duration operation.

Value must be fs.duration.
_metric_type required (string) Indicates that the metric from the viewed app is a histogram.

Value must be histogram.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
host required (string) Hostname for the host on which the viewed app was run.
op (string) The function that was executed.
file (string) The name of the file.
numops (number) Count of individual operations aggregated.
unit required (string) Indicates that the metric's value is in microseconds.

Value must be microsecond.
summary (string) When true, indicates that the metric value is an aggregation.

Value must be true.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

fs.error ^

Structure of the fs.error metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "fs.error",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "accept01",
    "pid": 13686,
    "host": "1f0ec6c8a7bc",
    "class": "stat",
    "unit": "operation",
    "summary": "true",
    "_time": 1643826403.123802
  }
}
{
  "type": "metric",
  "body": {
    "_metric": "fs.error",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "accept02",
    "pid": 9872,
    "host": "1f0ec6c8a7bc",
    "op": "readdir",
    "file": "/tmp/QxbCjC",
    "class": "read_write",
    "unit": "operation",
    "_time": 1643826292.14466
  }
}

fs.error properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

fs.error.body properties

Property Description
_metric required (string) Indicates that the Source is a File Error operation.

Value must be fs.error.
_metric_type required (string) Indicates that the metric is a counter.

Value must be counter.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
host required (string) Hostname for the host on which the viewed app was run.
op (string) The function that was executed.
file (string) The name of the file.
class required (string) Subcategory of filesystem error.

Possible values:
  • open_close
  • read_write
  • stat
unit required (string) Indicates that the metric's value is a number of operations.

Value must be operation.
summary (string) When true, indicates that the metric value is an aggregation.

Value must be true.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

fs.open ^

Structure of the fs.open metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "fs.open",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "accept01",
    "pid": 13687,
    "host": "1f0ec6c8a7bc",
    "unit": "operation",
    "summary": "true",
    "_time": 1643826403.121411
  }
}
{
  "type": "metric",
  "body": {
    "_metric": "fs.open",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "accept01",
    "pid": 9871,
    "fd": 3,
    "host": "1f0ec6c8a7bc",
    "op": "open",
    "file": "/dev/shm/ltp_accept01_9870",
    "unit": "operation",
    "_time": 1643826292.076503
  }
}

fs.open properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

fs.open.body properties

Property Description
_metric required (string) Indicates that the Source is a File Open operation.

Value must be fs.open.
_metric_type required (string) Indicates that the metric is a counter.

Value must be counter.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
host required (string) Hostname for the host on which the viewed app was run.
op (string) The open operation that was executed on the filesystem.

Possible values:
  • open
  • openat
  • opendir
  • creat
  • fopen
  • freopen
  • open64
  • openat64
  • __open64_2
  • __open_2
  • __openat_2
  • creat64
  • fopen64
  • freopen64
  • recvmsg
  • console output
  • console input
file (string) The name of the file.
unit required (string) Indicates that the metric's value is a number of operations.

Value must be operation.
summary (string) When true, indicates that the metric value is an aggregation.

Value must be true.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

fs.read ^

Structure of the fs.read metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "fs.read",
    "_metric_type": "counter",
    "_value": 13312,
    "proc": "access01",
    "pid": 13697,
    "host": "1f0ec6c8a7bc",
    "unit": "byte",
    "summary": "true",
    "_time": 1643826404.006381
  }
}
{
  "type": "metric",
  "body": {
    "_metric": "fs.read",
    "_metric_type": "counter",
    "_value": 4096,
    "proc": "accept01",
    "pid": 9871,
    "fd": 3,
    "host": "1f0ec6c8a7bc",
    "op": "fgets_unlocked",
    "file": "/etc/passwd",
    "numops": 1,
    "unit": "byte",
    "_time": 1643826292.076709
  }
}

fs.read properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

fs.read.body properties

Property Description
_metric required (string) Indicates that the Source is a File Read operation.

Value must be fs.read.
_metric_type required (string) Indicates that the metric is a counter.

Value must be counter.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
host required (string) Hostname for the host on which the viewed app was run.
op (string) The read operation that was executed on the filesystem.

Possible values:
  • go_read
  • go_getdents
  • readdir
  • pread64
  • __pread64_chk
  • preadv
  • preadv2
  • preadv64v2
  • __pread_chk
  • __read_chk
  • __fread_unlocked_chk
  • read
  • readv
  • pread
  • fread
  • __fread_chk
  • fread_unlocked
  • fgets
  • __fgets_chk
  • fgets_unlocked
  • __fgetws_chk
  • fgetws
  • fgetwc
  • fgetc
  • fscanf
  • getline
  • getdelim
  • __getdelim
file (string) The name of the file.
numops (number) Count of individual operations aggregated.
unit required (string) Indicates that the metric's value is in bytes.

Value must be byte.
summary (string) When true, indicates that the metric value is an aggregation.

Value must be true.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

fs.seek ^

Structure of the fs.seek metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "fs.seek",
    "_metric_type": "counter",
    "_value": 3,
    "proc": "sh",
    "pid": 13810,
    "host": "1f0ec6c8a7bc",
    "unit": "operation",
    "summary": "true",
    "_time": 1643826404.175738
  }
}
{
  "type": "metric",
  "body": {
    "_metric": "fs.seek",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "sh",
    "pid": 9994,
    "fd": 3,
    "host": "1f0ec6c8a7bc",
    "op": "lseek",
    "file": "./file_x",
    "unit": "operation",
    "_time": 1643826293.407508
  }
}

fs.seek properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

fs.seek.body properties

Property Description
_metric required (string) Indicates that the Source is a File Seek operation.

Value must be fs.seek.
_metric_type required (string) Indicates that the metric is a counter.

Value must be counter.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
host required (string) Hostname for the host on which the viewed app was run.
op (string) The function that was executed.
file (string) The name of the file.
unit required (string) Indicates that the metric's value is a number of operations.

Value must be operation.
summary (string) When true, indicates that the metric value is an aggregation.

Value must be true.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

fs.stat ^

Structure of the fs.stat metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "fs.stat",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "accept01",
    "pid": 13686,
    "host": "1f0ec6c8a7bc",
    "unit": "operation",
    "summary": "true",
    "_time": 1643826403.123752
  }
}
{
  "type": "metric",
  "body": {
    "_metric": "fs.stat",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "accept01",
    "pid": 9871,
    "host": "1f0ec6c8a7bc",
    "op": "access",
    "file": "/dev/shm",
    "unit": "operation",
    "_time": 1643826292.076446
  }
}

fs.stat properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

fs.stat.body properties

Property Description
_metric required (string) Indicates that the Source is a File Stat operation.

Value must be fs.stat.
_metric_type required (string) Indicates that the metric is a counter.

Value must be counter.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
host required (string) Hostname for the host on which the viewed app was run.
op (string) The function that was executed.
file (string) The name of the file.
unit required (string) Indicates that the metric's value is a number of operations.

Value must be operation.
summary (string) When true, indicates that the metric value is an aggregation.

Value must be true.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

fs.write ^

Structure of the fs.write metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "fs.write",
    "_metric_type": "counter",
    "_value": 10,
    "proc": "access02",
    "pid": 13806,
    "host": "1f0ec6c8a7bc",
    "unit": "byte",
    "summary": "true",
    "_time": 1643826404.234963
  }
}
{
  "type": "metric",
  "body": {
    "_metric": "fs.write",
    "_metric_type": "counter",
    "_value": 10,
    "proc": "access02",
    "pid": 9991,
    "fd": 3,
    "host": "1f0ec6c8a7bc",
    "op": "__write_libc",
    "file": "file_x",
    "numops": 1,
    "unit": "byte",
    "_time": 1643826293.385378
  }
}

fs.write properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

fs.write.body properties

Property Description
_metric required (string) Indicates that the Source is a File Write operation.

Value must be fs.write.
_metric_type required (string) Indicates that the metric is a counter.

Value must be counter.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
host required (string) Hostname for the host on which the viewed app was run.
op (string) The write operation that was executed on the filesystem.

Possible values:
  • go_write
  • pwrite64
  • pwritev
  • pwritev64
  • pwritev2
  • pwritev64v2
  • __overflow
  • __write_libc
  • __write_pthread
  • fwrite_unlocked
  • __stdio_write
  • write
  • pwrite
  • writev
  • fwrite
  • puts
  • putchar
  • fputs
  • fputs_unlocked
  • fputc
  • fputc_unlocked
  • putwc
  • fputwc
file (string) The name of the file.
numops (number) Count of individual operations aggregated.
unit required (string) Indicates that the metric's value is in bytes.

Value must be byte.
summary (string) When true, indicates that the metric value is an aggregation.

Value must be true.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

http.duration.client ^

Structure of the http.duration.client metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "http.duration.client",
    "_metric_type": "timer",
    "_value": 6,
    "http_target": "/",
    "numops": 1,
    "proc": "lt-curl",
    "pid": 788,
    "host": "c067d78736db",
    "unit": "millisecond",
    "summary": "true",
    "_time": 1643924553.681483
  }
}
{
  "type": "metric",
  "body": {
    "_metric": "http.duration.client",
    "_metric_type": "timer",
    "_value": 7,
    "http_target": "/",
    "numops": 1,
    "proc": "lt-curl",
    "pid": 30,
    "host": "c067d78736db",
    "unit": "millisecond",
    "summary": "true",
    "_time": 1643924472.648148
  }
}

http.duration.client properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

http.duration.client.body properties

Property Description
_metric required (string) Indicates that the Source is a counter that measures HTTP client duration.

Value must be http.duration.client.
_metric_type required (string) Indicates that the metric is a timer.

Value must be timer.
_value required (number) The value reported by the event or metric.

Example:
1
http_target required (string) In a URL, the path or file after the FQDN.
numops required (number) Count of individual operations aggregated.
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
host required (string) Hostname for the host on which the viewed app was run.
unit required (string) Indicates that the metric's value is in milliseconds.

Value must be millisecond.
summary (string) When true, indicates that the metric value is an aggregation.

Value must be true.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

http.duration.server ^

Structure of the http.duration.server metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "http.duration.server",
    "_metric_type": "timer",
    "_value": 0,
    "http_target": "/",
    "numops": 1,
    "proc": "httpd",
    "pid": 2260,
    "host": "c067d78736db",
    "unit": "millisecond",
    "summary": "true",
    "_time": 1643924563.450939
  }
}
{
  "type": "metric",
  "body": {
    "_metric": "http.duration.server",
    "_metric_type": "timer",
    "_value": 1,
    "http_target": "/",
    "numops": 1,
    "proc": "httpd",
    "pid": 648,
    "host": "c067d78736db",
    "unit": "millisecond",
    "summary": "true",
    "_time": 1643924498.350866
  }
}

http.duration.server properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

http.duration.server.body properties

Property Description
_metric required (string) Indicates that the Source is a counter that measures HTTP server duration.

Value must be http.duration.server.
_metric_type required (string) Indicates that the metric is a timer.

Value must be timer.
_value required (number) The value reported by the event or metric.

Example:
1
http_target required (string) In a URL, the path or file after the FQDN.
numops required (number) Count of individual operations aggregated.
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
host required (string) Hostname for the host on which the viewed app was run.
unit required (string) Indicates that the metric's value is in milliseconds.

Value must be millisecond.
summary (string) When true, indicates that the metric value is an aggregation.

Value must be true.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

http.req ^

Structure of the http.req metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "http.req",
    "_metric_type": "counter",
    "_value": 1,
    "http_target": "/",
    "http_status_code": 200,
    "proc": "lt-curl",
    "pid": 788,
    "host": "c067d78736db",
    "unit": "request",
    "summary": "true",
    "_time": 1643924553.681441
  }
}
{
  "type": "metric",
  "body": {
    "_metric": "http.req",
    "_metric_type": "counter",
    "_value": 1,
    "http_target": "/",
    "http_status_code": 200,
    "proc": "lt-curl",
    "pid": 30,
    "host": "c067d78736db",
    "unit": "request",
    "summary": "true",
    "_time": 1643924472.64811
  }
}

http.req properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

http.req.body properties

Property Description
_metric required (string) Indicates that the metric Source aggregates HTTP requests and responses.

Value must be http.req.
_metric_type required (string) Indicates that the metric is a counter.

Value must be counter.
_value required (number) The value reported by the event or metric.

Example:
1
http_target required (string) In a URL, the path or file after the FQDN.
http_status_code required (integer) Specifies the status code of an HTTP response.

Possible values:
  • 100
  • 101
  • 102
  • 200
  • 201
  • 202
  • 203
  • 204
  • 205
  • 206
  • 207
  • 208
  • 226
  • 300
  • 301
  • 302
  • 303
  • 304
  • 305
  • 307
  • 400
  • 401
  • 402
  • 403
  • 404
  • 405
  • 406
  • 407
  • 408
  • 409
  • 410
  • 411
  • 412
  • 413
  • 414
  • 415
  • 416
  • 417
  • 418
  • 421
  • 422
  • 423
  • 424
  • 426
  • 428
  • 429
  • 431
  • 444
  • 451
  • 499
  • 500
  • 501
  • 502
  • 503
  • 504
  • 505
  • 506
  • 507
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
host required (string) Hostname for the host on which the viewed app was run.
unit required (string) Indicates that the metric's value is a number of requests.

Value must be request.
summary (string) When true, indicates that the metric value is an aggregation.

Value must be true.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

http.req.content_length ^

Structure of the http.req.content_length metric

Example

{
  "type": "metric",
  "body": {
    "_metric": "http.req.content_length",
    "_metric_type": "counter",
    "_value": 38,
    "http_target": "/echo/post/json",
    "numops": 1,
    "proc": "curl",
    "pid": 525,
    "host": "272cc69a120a",
    "unit": "byte",
    "summary": "true",
    "_time": 1644230452.63037
  }
}

http.req.content_length properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

http.req.content_length.body properties

Property Description
_metric required (string) Indicates that the Source is a counter that measures HTTP request content length.

Value must be http.req.content_length.
_metric_type required (string) Indicates that the metric is a counter.

Value must be counter.
_value required (number) The value reported by the event or metric.

Example:
1
http_target required (string) In a URL, the path or file after the FQDN.
numops required (number) Count of individual operations aggregated.
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
host required (string) Hostname for the host on which the viewed app was run.
unit required (string) Indicates that the metric's value is in bytes.

Value must be byte.
summary (string) When true, indicates that the metric value is an aggregation.

Value must be true.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

http.resp.content_length ^

Structure of the http.resp.content_length metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "http.resp.content_length",
    "_metric_type": "counter",
    "_value": 58896,
    "http_target": "/",
    "numops": 1,
    "proc": "lt-curl",
    "pid": 788,
    "host": "c067d78736db",
    "unit": "byte",
    "summary": "true",
    "_time": 1643924553.6815
  }
}
{
  "type": "metric",
  "body": {
    "_metric": "http.resp.content_length",
    "_metric_type": "counter",
    "_value": 58896,
    "http_target": "/",
    "numops": 1,
    "proc": "lt-curl",
    "pid": 30,
    "host": "c067d78736db",
    "unit": "byte",
    "summary": "true",
    "_time": 1643924472.648165
  }
}

http.resp.content_length properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

http.resp.content_length.body properties

Property Description
_metric required (string) Indicates that the Source is a counter that measures HTTP response content length.

Value must be http.resp.content_length.
_metric_type required (string) Indicates that the metric is a counter.

Value must be counter.
_value required (number) The value reported by the event or metric.

Example:
1
http_target required (string) In a URL, the path or file after the FQDN.
numops required (number) Count of individual operations aggregated.
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
host required (string) Hostname for the host on which the viewed app was run.
unit required (string) Indicates that the metric's value is in bytes.

Value must be byte.
summary (string) When true, indicates that the metric value is an aggregation.

Value must be true.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

net.close ^

Structure of the net.close metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "net.close",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "accept01",
    "pid": 13687,
    "host": "1f0ec6c8a7bc",
    "unit": "connection",
    "summary": "true",
    "_time": 1643826403.12145
  }
}
{
  "type": "metric",
  "body": {
    "_metric": "net.close",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "accept01",
    "pid": 9871,
    "fd": 5,
    "host": "1f0ec6c8a7bc",
    "proto": "UDP",
    "port": 0,
    "unit": "connection",
    "_time": 1643826292.077388
  }
}

net.close properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

net.close.body properties

Property Description
_metric required (string) Indicates that the Source is a Network Close operation.

Value must be net.close.
_metric_type required (string) Indicates that the metric is a counter.

Value must be counter.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
host required (string) Hostname for the host on which the viewed app was run.
op (string) The function that was executed.
proto (string) The transmission protocol that the viewed app used to send data.

Possible values:
  • TCP
  • UDP
  • RAW
  • RDM
  • SEQPACKET
  • OTHER
port (number) Network port opened before a connection was initiated, or closed after the connection closed.
unit required (string) Indicates that the metric's value is a number of connections.

Value must be connection.
summary (string) When true, indicates that the metric value is an aggregation.

Value must be true.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

net.duration ^

Structure of the net.duration metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "net.duration",
    "_metric_type": "timer",
    "_value": 1,
    "proc": "sendfile06_64",
    "pid": 15385,
    "host": "1f0ec6c8a7bc",
    "unit": "millisecond",
    "summary": "true",
    "_time": 1643826428.960074
  }
}
{
  "type": "metric",
  "body": {
    "_metric": "net.duration",
    "_metric_type": "timer",
    "_value": 53,
    "proc": "send02",
    "pid": 11555,
    "fd": 3,
    "host": "1f0ec6c8a7bc",
    "proto": "UDP",
    "port": 0,
    "numops": 1,
    "unit": "millisecond",
    "_time": 1643826318.65727
  }
}

net.duration properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

net.duration.body properties

Property Description
_metric required (string) Indicates that the Source is a timer that measures Network duration.

Value must be net.duration.
_metric_type required (string) Indicates that the metric is a timer.

Value must be timer.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
host required (string) Hostname for the host on which the viewed app was run.
proto (string) The transmission protocol that the viewed app used to send data.

Possible values:
  • TCP
  • UDP
  • RAW
  • RDM
  • SEQPACKET
  • OTHER
port (number) Network port opened before a connection was initiated, or closed after the connection closed.
numops (number) Count of individual operations aggregated.
unit required (string) Indicates that the metric's value is in milliseconds.

Value must be millisecond.
summary (string) When true, indicates that the metric value is an aggregation.

Value must be true.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

net.error ^

Structure of the net.error metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "net.error",
    "_metric_type": "counter",
    "_value": 6,
    "proc": "accept01",
    "pid": 5920,
    "host": "7cb66c7f77dd",
    "op": "summary",
    "class": "connection",
    "unit": "operation",
    "_time": 1643749774.573214
  }
}
{
  "type": "metric",
  "body": {
    "_metric": "net.error",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "recv01",
    "pid": 3593,
    "host": "7cb66c7f77dd",
    "op": "recv",
    "class": "rx_tx",
    "unit": "operation",
    "_time": 1643749590.518109
  }
}

net.error properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

net.error.body properties

Property Description
_metric required (string) Indicates that the Source is a Network Error operation.

Value must be net.error.
_metric_type required (string) Indicates that the metric is a counter.

Value must be counter.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
host required (string) Hostname for the host on which the viewed app was run.
op (string) The function that was executed.
class required (string) Subcategory of network error.

Possible values:
  • connection
  • rx_tx
unit required (string) Indicates that the metric's value is a number of operations.

Value must be operation.
summary (string) When true, indicates that the metric value is an aggregation.

Value must be true.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
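
The property lists for net.duration and net.error above are a complete set of machine-checkable rules: required keys, "Value must be" constants, "Possible values" enumerations, and JSON types. The Python below is an added example written for this page, not AppView's own validator or schema files; its rule table is transcribed from the two property lists, and the NDJSON sample lines are constructed for the example. One sample line carries summary as a JSON boolean, which the schema rejects because summary is declared a string whose value must be "true"; another labels a net.duration record as a counter instead of a timer.

```python
import json

# Rule table transcribed from the net.duration and net.error property lists on this page.
# "required": keys marked required; "const": "Value must be" entries; "enum": "Possible values";
# "types": JSON types the lists declare (number accepts int or float, integer only int).
NUMBER = (int, float)
RULES = {
    "net.duration": {
        "required": ["_metric", "_metric_type", "_value", "proc", "pid", "host", "unit", "_time"],
        "const": {"_metric": "net.duration", "_metric_type": "timer",
                  "unit": "millisecond", "summary": "true"},
        "enum": {"proto": {"TCP", "UDP", "RAW", "RDM", "SEQPACKET", "OTHER"}},
        "types": {"_value": NUMBER, "proc": str, "pid": int, "fd": int, "host": str,
                  "proto": str, "port": NUMBER, "numops": NUMBER, "summary": str, "_time": NUMBER},
    },
    "net.error": {
        "required": ["_metric", "_metric_type", "_value", "proc", "pid", "host",
                     "class", "unit", "_time"],
        "const": {"_metric": "net.error", "_metric_type": "counter",
                  "unit": "operation", "summary": "true"},
        "enum": {"class": {"connection", "rx_tx"}},
        "types": {"_value": NUMBER, "proc": str, "pid": int, "host": str, "op": str,
                  "class": str, "summary": str, "_time": NUMBER},
    },
}


def validate_metric(record):
    """Return the list of schema problems in one decoded metric (empty list means valid)."""
    problems = []
    if record.get("type") != "metric":
        problems.append("type must be 'metric'")
    body = record.get("body")
    if not isinstance(body, dict):
        return problems + ["body must be an object"]
    rules = RULES.get(body.get("_metric"))
    if rules is None:
        return problems + ["no rules for _metric %r" % body.get("_metric")]
    for key in rules["required"]:
        if key not in body:
            problems.append("missing required key %s" % key)
    for key, want in rules["const"].items():
        if key in body and body[key] != want:
            problems.append("%s must be %r, got %r" % (key, want, body[key]))
    for key, allowed in rules["enum"].items():
        if key in body and body[key] not in allowed:
            problems.append("%s must be one of %s, got %r" % (key, sorted(allowed), body[key]))
    for key, typ in rules["types"].items():
        # bool is a subclass of int in Python, so reject it explicitly for every field.
        if key in body and (isinstance(body[key], bool) or not isinstance(body[key], typ)):
            problems.append("%s has wrong JSON type: %r" % (key, body[key]))
    return problems


def validate_ndjson(text):
    """Validate newline-delimited JSON; returns {line_number: [problems]} for bad lines only."""
    bad = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except ValueError as e:
            bad[n] = ["not JSON: %s" % e]
            continue
        problems = validate_metric(rec)
        if problems:
            bad[n] = problems
    return bad


# Constructed NDJSON sample for this example (not captured AppView output): lines 1 and 2
# are valid, line 3 carries summary as a JSON boolean, line 4 uses a class value that is not
# in the enumeration, line 5 mislabels a timer as a counter, and line 6 is not JSON at all.
SAMPLE = "\n".join([
    '{"type":"metric","body":{"_metric":"net.error","_metric_type":"counter","_value":1,'
    '"proc":"recv01","pid":3593,"host":"7cb66c7f77dd","op":"recv","class":"rx_tx",'
    '"unit":"operation","_time":1643749590.518109}}',
    '{"type":"metric","body":{"_metric":"net.duration","_metric_type":"timer","_value":1,'
    '"proc":"sendfile06_64","pid":15385,"host":"1f0ec6c8a7bc","unit":"millisecond",'
    '"summary":"true","_time":1643826428.960074}}',
    '{"type":"metric","body":{"_metric":"net.duration","_metric_type":"timer","_value":1,'
    '"proc":"sendfile06_64","pid":15385,"host":"1f0ec6c8a7bc","unit":"millisecond",'
    '"summary":true,"_time":1643826428.960074}}',
    '{"type":"metric","body":{"_metric":"net.error","_metric_type":"counter","_value":2,'
    '"proc":"recv01","pid":3593,"host":"7cb66c7f77dd","op":"recv","class":"dns",'
    '"unit":"operation","_time":1643749590.6}}',
    '{"type":"metric","body":{"_metric":"net.duration","_metric_type":"counter","_value":53,'
    '"proc":"send02","pid":11555,"fd":3,"host":"1f0ec6c8a7bc","proto":"UDP","port":0,'
    '"numops":1,"unit":"millisecond","_time":1643826318.65727}}',
    'this line is not JSON',
])

if __name__ == "__main__":
    for n, probs in sorted(validate_ndjson(SAMPLE).items()):
        print("line %d: %s" % (n, "; ".join(probs)))
```

Extending the table to the other metrics on this page is a matter of transcribing their property lists the same way; keeping the rules as data rather than code is what makes that cheap to audit against the published schema.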

net.open ^

Structure of the net.open metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "net.open",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "accept01",
    "pid": 13687,
    "host": "1f0ec6c8a7bc",
    "unit": "connection",
    "summary": "true",
    "_time": 1643826403.121437
  }
}
{
  "type": "metric",
  "body": {
    "_metric": "net.open",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "lt-curl",
    "pid": 2485,
    "fd": 7,
    "host": "2a6bc132b07a",
    "proto": "UDP",
    "port": 0,
    "unit": "connection",
    "_time": 1643832569.764144
  }
}

net.open properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

net.open.body properties

Property Description
_metric required (string) Indicates that the Source is a Network Open operation.

Value must be net.open.
_metric_type required (string) Indicates that the metric is a counter.

Value must be counter.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
host required (string) Hostname for the host on which the viewed app was run.
proto (string) The transmission protocol that the viewed app used to send data.

Possible values:
  • TCP
  • UDP
  • RAW
  • RDM
  • SEQPACKET
  • OTHER
port (number) Network port opened before a connection was initiated, or closed after the connection closed.
unit required (string) Indicates that the metric's value is a number of connections.

Value must be connection.
summary (string) When true, indicates that the metric value is an aggregation.

Value must be true.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

net.other ^

Structure of the net.other metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "net.other",
    "_metric_type": "gauge",
    "_value": 1,
    "proc": "server_seqpacket",
    "pid": 234979,
    "host": "test_user",
    "unit": "connection",
    "summary": "true",
    "_time": 1643887036.00144
  }
}
{
  "type": "metric",
  "body": {
    "_metric": "net.other",
    "_metric_type": "gauge",
    "_value": 1,
    "proc": "server_seqpacket",
    "pid": 235293,
    "fd": 4,
    "host": "test_user",
    "proto": "SEQPACKET",
    "port": 0,
    "unit": "connection",
    "_time": 1643887122.646226
  }
}

net.other properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

net.other.body properties

Property Description
_metric required (string) Indicates that the Source is a Network operation of an other-than-standard kind.

Value must be net.other.
_metric_type required (string) Indicates that the metric is a gauge.

Value must be gauge.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
host required (string) Hostname for the host on which the viewed app was run.
proto (string) The transmission protocol that the viewed app used to send data.

Possible values:
  • TCP
  • UDP
  • RAW
  • RDM
  • SEQPACKET
  • OTHER
port (number) Network port opened before a connection was initiated, or closed after the connection closed.
unit required (string) Indicates that the metric's value is a number of connections.

Value must be connection.
summary (string) When true, indicates that the metric value is an aggregation.

Value must be true.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

net.port ^

Structure of the net.port metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "net.port",
    "_metric_type": "gauge",
    "_value": 2,
    "proc": "accept02",
    "pid": 13689,
    "host": "1f0ec6c8a7bc",
    "unit": "instance",
    "summary": "true",
    "_time": 1643826403.184484
  }
}
{
  "type": "metric",
  "body": {
    "_metric": "net.port",
    "_metric_type": "gauge",
    "_value": 1,
    "proc": "accept01",
    "pid": 9871,
    "fd": 4,
    "host": "1f0ec6c8a7bc",
    "proto": "TCP",
    "port": 0,
    "unit": "instance",
    "_time": 1643826292.076967
  }
}

net.port properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

net.port.body properties

Property Description
_metric required (string) Indicates that the Source is a gauge that identifies open ports.

Value must be net.port.
_metric_type required (string) Indicates that the metric is a gauge.

Value must be gauge.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
host required (string) Hostname for the host on which the viewed app was run.
proto (string) The transmission protocol that the viewed app used to send data.

Possible values:
  • TCP
  • UDP
  • RAW
  • RDM
  • SEQPACKET
  • OTHER
port (number) Network port opened before a connection was initiated, or closed after the connection closed.
unit required (string) Indicates that the metric's value is a number of instances.

Value must be instance.
summary (string) When true, indicates that the metric value is an aggregation.

Value must be true.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

net.rx ^

Structure of the net.rx metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "net.rx",
    "_metric_type": "counter",
    "_value": 99000,
    "proc": "send02",
    "pid": 15371,
    "host": "1f0ec6c8a7bc",
    "unit": "byte",
    "class": "inet_udp",
    "summary": "true",
    "_time": 1643826428.564141
  }
}
{
  "type": "metric",
  "body": {
    "_metric": "net.rx",
    "_metric_type": "counter",
    "_value": 6,
    "proc": "recvfrom01",
    "pid": 11544,
    "fd": 4,
    "host": "1f0ec6c8a7bc",
    "domain": "AF_INET",
    "proto": "TCP",
    "localip": "127.0.0.1",
    "localp": 37432,
    "remoteip": "0.0.0.0",
    "remotep": 40765,
    "data": "clear",
    "numops": 1,
    "unit": "byte",
    "_time": 1643826317.098972
  }
}
{
  "type": "metric",
  "body": {
    "_metric": "net.rx",
    "_metric_type": "counter",
    "_value": 16,
    "proc": "send02",
    "pid": 11555,
    "fd": 3,
    "host": "1f0ec6c8a7bc",
    "domain": "AF_INET",
    "proto": "UDP",
    "localip": "127.0.0.1",
    "localp": 0,
    "remoteip": " ",
    "remotep": 0,
    "data": "clear",
    "numops": 1,
    "unit": "byte",
    "_time": 1643826318.241899
  }
}

net.rx properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

net.rx.body properties

Property Description
_metric required (string) Indicates that the Source is a Network receive operation.

Value must be net.rx.
_metric_type required (string) Indicates that the metric is a counter.

Value must be counter.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
host required (string) Hostname for the host on which the viewed app was run.
domain (string) The socket domain (address family) of the connection, for example AF_INET or UNIX as in the examples above; this is not a DNS domain name.
proto (string) The transmission protocol that the viewed app used to send data.

Possible values:
  • TCP
  • UDP
  • RAW
  • RDM
  • SEQPACKET
  • OTHER
localn (number) Inode number for the local end of a UNIX domain socket.
localip (string) The IP address portion of the local end of a network connection.

Example:
127.0.0.1
localp (number) The port portion of the local end of a network connection.

Example:
9109
remoten (number) Inode number for the remote end of a UNIX domain socket.
remoteip (string) IP address for the remote end of a network socket.

Example:
192.158.1.38
remotep (number) Port for the remote end of a network socket.

Example:
9108
data (string) Indicates the form in which the payload was observed (the examples on this page show clear); it is not the payload bytes themselves.
numops (number) Count of individual operations aggregated.
unit required (string) Indicates that the metric's value is in bytes.

Value must be byte.
class (string) Subcategory of send and receive operations.

Possible values:
  • inet_tcp
  • inet_udp
  • unix_tcp
  • unix_udp
  • other
summary (string) When true, indicates that the metric value is an aggregation.

Value must be true.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

net.tcp ^

Structure of the net.tcp metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "net.tcp",
    "_metric_type": "gauge",
    "_value": 1,
    "proc": "accept02",
    "pid": 13689,
    "host": "1f0ec6c8a7bc",
    "unit": "connection",
    "summary": "true",
    "_time": 1643826403.184497
  }
}
{
  "type": "metric",
  "body": {
    "_metric": "net.tcp",
    "_metric_type": "gauge",
    "_value": 0,
    "proc": "accept01",
    "pid": 9871,
    "fd": 4,
    "host": "1f0ec6c8a7bc",
    "proto": "TCP",
    "port": 0,
    "unit": "connection",
    "_time": 1643826292.07731
  }
}

net.tcp properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

net.tcp.body properties

Property Description
_metric required (string) Indicates that the Source is a gauge that shows the current count of open TCP connections.

Value must be net.tcp.
_metric_type required (string) Indicates that the metric is a gauge.

Value must be gauge.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
host required (string) Hostname for the host on which the viewed app was run.
proto (string) The transmission protocol that the viewed app used to send data.

Value must be TCP.
port (number) Network port opened before a connection was initiated, or closed after the connection closed.
unit required (string) Indicates that the metric's value is a number of connections.

Value must be connection.
summary (string) When true, indicates that the metric value is an aggregation.

Value must be true.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

net.tx ^

Structure of the net.tx metric

Examples

{
  "type": "metric",
  "body": {
    "_metric": "net.tx",
    "_metric_type": "counter",
    "_value": 3,
    "proc": "recvmsg01",
    "pid": 15364,
    "host": "1f0ec6c8a7bc",
    "unit": "byte",
    "class": "unix_tcp",
    "summary": "true",
    "_time": 1643826427.279136
  }
}
{
  "type": "metric",
  "body": {
    "_metric": "net.tx",
    "_metric_type": "counter",
    "_value": 16,
    "proc": "send02",
    "pid": 11555,
    "fd": 4,
    "host": "1f0ec6c8a7bc",
    "domain": "AF_INET",
    "proto": "UDP",
    "localip": "0.0.0.0",
    "localp": 0,
    "remoteip": "127.0.0.1",
    "remotep": 38725,
    "data": "clear",
    "numops": 1,
    "unit": "byte",
    "_time": 1643826318.241855
  }
}
{
  "type": "metric",
  "body": {
    "_metric": "net.tx",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "recvmsg01",
    "pid": 11548,
    "fd": 3,
    "host": "1f0ec6c8a7bc",
    "domain": "UNIX",
    "proto": "TCP",
    "localn": 48335,
    "remoten": 46396,
    "data": "clear",
    "numops": 1,
    "unit": "byte",
    "_time": 1643826317.162209
  }
}

net.tx properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

net.tx.body properties

Property Description
_metric required (string) Indicates that the Source is a Network transmit operation.

Value must be net.tx.
_metric_type required (string) Indicates that the metric is a counter.

Value must be counter.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
fd (integer) The file descriptor for an operation.

Example:
4
host required (string) Hostname for the host on which the viewed app was run.
domain (string) The socket domain (address family) of the connection, for example AF_INET or UNIX as in the examples above; this is not a DNS domain name.
proto (string) The transmission protocol that the viewed app used to send data.

Possible values:
  • TCP
  • UDP
  • RAW
  • RDM
  • SEQPACKET
  • OTHER
localn (number) Inode number for the local end of a UNIX domain socket.
localip (string) The IP address portion of the local end of a network connection.

Example:
127.0.0.1
localp (number) The port portion of the local end of a network connection.

Example:
9109
remoten (number) Inode number for the remote end of a UNIX domain socket.
remoteip (string) IP address for the remote end of a network socket.

Example:
192.158.1.38
remotep (number) Port for the remote end of a network socket.

Example:
9108
data (string) Indicates the form in which the payload was observed (the examples on this page show clear); it is not the payload bytes themselves.
numops (number) Count of individual operations aggregated.
unit required (string) Indicates that the metric's value is in bytes.

Value must be byte.
class (string) Subcategory of send and receive operations.

Possible values:
  • inet_tcp
  • inet_udp
  • unix_tcp
  • unix_udp
  • other
summary (string) When true, indicates that the metric value is an aggregation.

Value must be true.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
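
Per-fd net.rx and net.tx records carry the connection endpoints (localip/localp/remoteip/remotep for AF_INET, localn/remoten for UNIX sockets), while the summary "true" rollups carry only class and a total. Both describe the same bytes, so an egress tally has to read one or the other, not both. The Python below is an added example written for this page, not AppView code: it totals bytes and operations per process and endpoint from the per-fd records, skips the rollups, and lists what was sent to non-local addresses. The metric lines are constructed for the example (203.0.113.7 is a documentation-range address), and the definition of "local" used here (blank, loopback or 0.0.0.0, the three remote values the page's examples show) is a choice made for the example.

```python
import json
from collections import defaultdict


def is_local_or_unspecified(ip):
    """Blank, unspecified or loopback remote addresses, as seen in the examples on this page."""
    ip = ip.strip()
    return ip == "" or ip == "0.0.0.0" or ip == "::1" or ip.startswith("127.")


def endpoint(body):
    """Normalise the far end of a per-fd net.rx/net.tx record to a hashable tuple."""
    if body.get("domain") == "UNIX" or "remoten" in body:
        return ("unix", body.get("localn"), body.get("remoten"))
    return ("inet", body.get("remoteip", ""), body.get("remotep"))


def tally_bytes(ndjson_text):
    """Sum per-fd net.rx/net.tx bytes by (proc, pid, metric, endpoint).

    summary "true" rollups are skipped: they aggregate the same operations already present
    as per-fd records and carry no endpoint, so adding them would double count.
    """
    totals = defaultdict(lambda: {"bytes": 0, "numops": 0})
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        body = rec.get("body", {})
        if rec.get("type") != "metric" or body.get("_metric") not in ("net.rx", "net.tx"):
            continue
        if body.get("summary") == "true":
            continue
        key = (body["proc"], body["pid"], body["_metric"], endpoint(body))
        totals[key]["bytes"] += body["_value"]
        # numops is present on the per-fd records shown on this page; assume 1 when absent.
        totals[key]["numops"] += body.get("numops", 1)
    return dict(totals)


def external_egress(totals):
    """Rows (proc, pid, remoteip, remotep, bytes) for net.tx to non-local inet endpoints."""
    rows = []
    for (proc, pid, metric, ep), agg in totals.items():
        if metric == "net.tx" and ep[0] == "inet" and not is_local_or_unspecified(ep[1]):
            rows.append((proc, pid, ep[1], ep[2], agg["bytes"]))
    return sorted(rows)


# Constructed sample (not captured AppView output). The first line is a rollup of the
# send02 bytes that the second line already reports per fd; it must not be added again.
SAMPLE = "\n".join([
    '{"type":"metric","body":{"_metric":"net.tx","_metric_type":"counter","_value":16,'
    '"proc":"send02","pid":11555,"host":"1f0ec6c8a7bc","unit":"byte","class":"inet_udp",'
    '"summary":"true","_time":1643826318.3}}',
    '{"type":"metric","body":{"_metric":"net.tx","_metric_type":"counter","_value":16,'
    '"proc":"send02","pid":11555,"fd":4,"host":"1f0ec6c8a7bc","domain":"AF_INET","proto":"UDP",'
    '"localip":"0.0.0.0","localp":0,"remoteip":"127.0.0.1","remotep":38725,"data":"clear",'
    '"numops":1,"unit":"byte","_time":1643826318.241855}}',
    '{"type":"metric","body":{"_metric":"net.tx","_metric_type":"counter","_value":1200,'
    '"proc":"curl","pid":2485,"fd":7,"host":"2a6bc132b07a","domain":"AF_INET","proto":"TCP",'
    '"localip":"10.0.0.5","localp":51234,"remoteip":"203.0.113.7","remotep":443,"data":"clear",'
    '"numops":3,"unit":"byte","_time":1643832569.8}}',
    '{"type":"metric","body":{"_metric":"net.tx","_metric_type":"counter","_value":300,'
    '"proc":"curl","pid":2485,"fd":7,"host":"2a6bc132b07a","domain":"AF_INET","proto":"TCP",'
    '"localip":"10.0.0.5","localp":51234,"remoteip":"203.0.113.7","remotep":443,"data":"clear",'
    '"numops":1,"unit":"byte","_time":1643832570.1}}',
    '{"type":"metric","body":{"_metric":"net.rx","_metric_type":"counter","_value":4096,'
    '"proc":"curl","pid":2485,"fd":7,"host":"2a6bc132b07a","domain":"AF_INET","proto":"TCP",'
    '"localip":"10.0.0.5","localp":51234,"remoteip":"203.0.113.7","remotep":443,"data":"clear",'
    '"numops":2,"unit":"byte","_time":1643832570.4}}',
    '{"type":"metric","body":{"_metric":"net.tx","_metric_type":"counter","_value":1,'
    '"proc":"recvmsg01","pid":11548,"fd":3,"host":"1f0ec6c8a7bc","domain":"UNIX","proto":"TCP",'
    '"localn":48335,"remoten":46396,"data":"clear","numops":1,"unit":"byte",'
    '"_time":1643826317.162209}}',
])

if __name__ == "__main__":
    for row in external_egress(tally_bytes(SAMPLE)):
        print("%s[%d] -> %s:%s %d bytes" % row)
```

The same skip applies to any metric on this page that has a summary form: treat the rollup as a cross-check on the per-fd totals, not as additional volume.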

net.udp ^

Structure of the net.udp metric

Example

{
  "type": "metric",
  "body": {
    "_metric": "net.udp",
    "_metric_type": "gauge",
    "_value": 0,
    "proc": "accept01",
    "pid": 9871,
    "fd": 5,
    "host": "1f0ec6c8a7bc",
    "proto": "UDP",
    "port": 0,
    "unit": "connection",
    "_time": 1643826292.077372
  }
}

net.udp properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

net.udp.body properties

Property Description
_metric required (string) Indicates that the Source is a gauge that shows the current count of open UDP connections.

Value must be net.udp.
_metric_type required (string) Indicates that the metric is a gauge.

Value must be gauge.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
fd required (integer) The file descriptor for an operation.

Example:
4
host required (string) Hostname for the host on which the viewed app was run.
proto required (string) The transmission protocol that the viewed app used to send data.

Value must be UDP.
port required (number) Network port opened before a connection was initiated, or closed after the connection closed.
unit required (string) Indicates that the metric's value is a number of connections.

Value must be connection.
summary (string) When true, indicates that the metric value is an aggregation.

Value must be true.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

proc.child ^

Structure of the proc.child metric

Example

{
  "type": "metric",
  "body": {
    "_metric": "proc.child",
    "_metric_type": "gauge",
    "_value": 0,
    "proc": "accept01",
    "pid": 1946,
    "host": "7cb66c7f77dd",
    "unit": "process",
    "_time": 1643749566.030543
  }
}

proc.child properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

proc.child.body properties

Property Description
_metric required (string) Indicates that the Source is a gauge of child processes spawned.

Value must be proc.child.
_metric_type required (string) Indicates that the metric is a gauge.

Value must be gauge.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
host required (string) Hostname for the host on which the viewed app was run.
unit required (string) Indicates that the metric's value is a number of processes.

Value must be process.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

proc.cpu ^

Structure of the proc.cpu metric

Example

{
  "type": "metric",
  "body": {
    "_metric": "proc.cpu",
    "_metric_type": "counter",
    "_value": 2107,
    "proc": "accept01",
    "pid": 1946,
    "host": "7cb66c7f77dd",
    "unit": "microsecond",
    "_time": 1643749566.030295
  }
}

proc.cpu properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

proc.cpu.body properties

Property Description
_metric required (string) Indicates that the Source is a counter of the microseconds of CPU time that were scheduled for the process.

Value must be proc.cpu.
_metric_type required (string) Indicates that the metric is a counter.

Value must be counter.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
host required (string) Hostname for the host on which the viewed app was run.
unit required (string) Indicates that the metric's value is in microseconds.

Value must be microsecond.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

proc.cpu.perc ^

Structure of the proc.cpu_perc metric

Example

{
  "type": "metric",
  "body": {
    "_metric": "proc.cpu_perc",
    "_metric_type": "gauge",
    "_value": 0.02107,
    "proc": "accept01",
    "pid": 1946,
    "host": "7cb66c7f77dd",
    "unit": "percent",
    "_time": 1643749566.030327
  }
}

proc.cpu.perc properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

proc.cpu.perc.body properties

Property Description
_metric required (string) Indicates that the Source is a gauge that measures percentage of CPU used by the process.

Value must be proc.cpu_perc.
_metric_type required (string) Indicates that the metric is a gauge.

Value must be gauge.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
host required (string) Hostname for the host on which the viewed app was run.
unit required (string) Indicates that the metric's value is a percentage.

Value must be percent.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

proc.fd ^

Structure of the proc.fd metric

Example

{
  "type": "metric",
  "body": {
    "_metric": "proc.fd",
    "_metric_type": "gauge",
    "_value": 5,
    "proc": "accept01",
    "pid": 1946,
    "host": "7cb66c7f77dd",
    "unit": "file",
    "_time": 1643749566.030497
  }
}

proc.fd properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

proc.fd.body properties

Property Description
_metric required (string) Indicates that the Source is a gauge that reports how many file descriptors the process has opened.

Value must be proc.fd.
_metric_type required (string) Indicates that the metric is a gauge.

Value must be gauge.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
host required (string) Hostname for the host on which the viewed app was run.
unit required (string) Indicates that the metric's value is a number of files.

Value must be file.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

proc.mem ^

Structure of the proc.mem metric

Example

{
  "type": "metric",
  "body": {
    "_metric": "proc.mem",
    "_metric_type": "gauge",
    "_value": 31284,
    "proc": "accept01",
    "pid": 1946,
    "host": "7cb66c7f77dd",
    "unit": "kibibyte",
    "_time": 1643749566.030388
  }
}

proc.mem properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

proc.mem.body properties

Property Description
_metric required (string) Indicates that the Source is a gauge that reports process memory consumption.

Value must be proc.mem.
_metric_type required (string) Indicates that the metric is a gauge.

Value must be gauge.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
host required (string) Hostname for the host on which the viewed app was run.
unit required (string) Indicates that the metric's value is in kibibytes.

Value must be kibibyte.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777

proc.start ^

Structure of the proc.start metric

Example

{
  "type": "metric",
  "body": {
    "_metric": "proc.start",
    "_metric_type": "counter",
    "_value": 1,
    "proc": "accept01",
    "pid": 1945,
    "gid": 0,
    "groupname": "root",
    "uid": 0,
    "username": "root",
    "host": "7cb66c7f77dd",
    "args": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "unit": "process",
    "_time": 1643749566.026885
  }
}

proc.start properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

proc.start.body properties

Property Description
_metric required (string) Indicates that the Source is a counter which can only be 1, meaning that the process has started.

Value must be proc.start.
_metric_type required (string) Indicates that the metric is a counter.

Value must be counter.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
gid required (integer) Group ID of the user who created the process.

Example:
0
groupname required (string) Groupname of the user who created the process.

Example:
root
uid required (integer) User ID of the user who created the process.

Example:
0
username required (string) Username of the user who created the process.

Example:
root
host required (string) Hostname for the host on which the viewed app was run.
args required (string) The arguments with which the viewed app was run.
unit required (string) Indicates that the metric's value is a number of processes.

Value must be process.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777
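
proc.start is the one metric on this page that ties a pid to the identity it runs under (uid, gid, username, groupname) and to its command line (args), so it is the natural place to apply a start-up policy; proc.child then reports whether that process went on to spawn children. The Python below is an added example written for this page, not AppView code: it reads proc.start and proc.child metrics and reports processes started as uid 0, executables outside an allowed set of directories, and children reported by a process that is not expected to fork. The policy (allowed prefixes, no-fork and root-allowed process names) and the metric lines are constructed for the example; the assumption that the executable path is the first space-separated token of args follows the proc.start example above.

```python
import json

# Constructed policy for this example; a real allow-list comes from your own baseline.
POLICY = {
    "allowed_prefixes": ("/usr/bin/", "/usr/sbin/", "/opt/app/"),
    "no_fork": {"web"},          # process names that should never report proc.child > 0
    "root_allowed": {"sshd"},    # process names permitted to start as uid 0
}


def check_start(body, policy=POLICY):
    """Findings for one proc.start body. Assumes args begins with the executable path."""
    findings = []
    exe = body.get("args", "").split(" ", 1)[0]
    if body.get("uid") == 0 and body.get("proc") not in policy["root_allowed"]:
        findings.append("started as uid 0 (%s)" % body.get("username"))
    if exe and not exe.startswith(policy["allowed_prefixes"]):
        findings.append("executable outside allowed prefixes: %s" % exe)
    return findings


def review_process_metrics(ndjson_text, policy=POLICY):
    """Walk proc.start / proc.child metrics; return {pid: [findings]} for pids with findings."""
    started = {}    # pid -> proc.start body, so a later proc.child can be reported with its args
    findings = {}
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        body = rec.get("body", {})
        if rec.get("type") != "metric":
            continue
        metric, pid = body.get("_metric"), body.get("pid")
        if metric == "proc.start":
            started[pid] = body
            for f in check_start(body, policy):
                findings.setdefault(pid, []).append(f)
        elif metric == "proc.child" and body.get("_value", 0) > 0:
            # proc.child is a gauge: _value is the current number of children, not a total.
            proc = body.get("proc")
            if proc in policy["no_fork"]:
                args = started.get(pid, {}).get("args", "?")
                findings.setdefault(pid, []).append(
                    "%s reports %d child process(es) but is not expected to fork (args=%s)"
                    % (proc, body["_value"], args))
    return findings


# Constructed sample (not captured AppView output): sshd as root is allowed and may fork,
# web runs unprivileged but later reports children, sh is root from an unexpected path.
SAMPLE = "\n".join([
    '{"type":"metric","body":{"_metric":"proc.start","_metric_type":"counter","_value":1,'
    '"proc":"sshd","pid":1900,"gid":0,"groupname":"root","uid":0,"username":"root",'
    '"host":"7cb66c7f77dd","args":"/usr/sbin/sshd -D","unit":"process","_time":1643749500.1}}',
    '{"type":"metric","body":{"_metric":"proc.start","_metric_type":"counter","_value":1,'
    '"proc":"web","pid":2001,"gid":1000,"groupname":"app","uid":1000,"username":"app",'
    '"host":"7cb66c7f77dd","args":"/opt/app/web --port 8080","unit":"process","_time":1643749510.2}}',
    '{"type":"metric","body":{"_metric":"proc.child","_metric_type":"gauge","_value":3,'
    '"proc":"sshd","pid":1900,"host":"7cb66c7f77dd","unit":"process","_time":1643749520.3}}',
    '{"type":"metric","body":{"_metric":"proc.child","_metric_type":"gauge","_value":2,'
    '"proc":"web","pid":2001,"host":"7cb66c7f77dd","unit":"process","_time":1643749521.4}}',
    '{"type":"metric","body":{"_metric":"proc.start","_metric_type":"counter","_value":1,'
    '"proc":"sh","pid":2002,"gid":0,"groupname":"root","uid":0,"username":"root",'
    '"host":"7cb66c7f77dd","args":"/tmp/.x/sh -c id","unit":"process","_time":1643749530.5}}',
])

if __name__ == "__main__":
    for pid, items in sorted(review_process_metrics(SAMPLE).items()):
        for item in items:
            print("pid %d: %s" % (pid, item))
```

Because proc.child is a gauge, a process that forks and whose children exit between two reports can show 0 on both; treat a non-zero reading as evidence of forking, not a zero reading as proof it never did.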

proc.thread ^

Structure of the proc.thread metric

Example

{
  "type": "metric",
  "body": {
    "_metric": "proc.thread",
    "_metric_type": "gauge",
    "_value": 1,
    "proc": "accept01",
    "pid": 1946,
    "host": "7cb66c7f77dd",
    "unit": "thread",
    "_time": 1643749566.030435
  }
}

proc.thread properties

Property Description
type required (string) Distinguishes metrics from events.

Value must be metric.
body required (object) body

Details below.

proc.thread.body properties

Property Description
_metric required (string) Indicates that the Source is a gauge that reports how many threads are running in the process.

Value must be proc.thread.
_metric_type required (string) Indicates that the metric is a gauge.

Value must be gauge.
_value required (number) The value reported by the event or metric.

Example:
1
proc required (string) The name of the viewed app's process.
pid required (integer) The process ID of the viewed app.

Example:
1000
host required (string) Hostname for the host on which the viewed app was run.
unit required (string) Indicates that the metric's value is a number of threads.

Value must be thread.
_time required (number) The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds.

Example:
1643662126.91777