In AppView, events are structured according to one pattern, and metrics are structured according to another. These patterns are defined rigorously, in validatable JSON Schema.
Three definitions schemas govern the basic patterns. Then there is an individual schema for each event and metric, documented below. The definitions schemas define the elements that can be present in individual event and metric schemas, as well as the overall structures into which those elements fit.
When we say "the AppView schema," we mean the whole set of schemas. The AppView schema now in use was introduced in AppView 1.0.1.
A few event and metric schema elements, namely `title` and `description`, have placeholder values. In the future, we might make these more informative. They are essentially "internal documentation" within the schemas and do not affect how the schemas function in AppView. In the event that you develop any code that depends on AppView schemas, be aware that the content of `title` and `description` fields may evolve.
For more about how events and metrics work in AppView, see this overview.
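
Code that consumes these events can enforce the documented structure before trusting them. The following is an added example, not AppView code and not the project's JSON Schema files: a hand-written check of the properties the tables on this page mark as required, plus the "Value must be" pairings of `source` and `sourcetype`. The names `validate_event` and `validate_line` are illustrative, the first sample line is the `dns.req` event from this page, and the malformed variants are constructed.

```python
import json

# Properties marked "required" in the tables on this page, with their JSON types.
ENVELOPE = {"type": str, "id": str, "_channel": str, "body": dict}
BODY = {"sourcetype": str, "_time": (int, float), "source": str, "host": str,
        "proc": str, "cmd": str, "pid": int, "data": dict}

# "Value must be ..." pairs from the body tables: source -> sourcetype.
# Covers only the events documented in this section; extend it for others.
SOURCETYPE_FOR_SOURCE = {
    "dns.req": "dns", "dns.resp": "dns",
    "fs.close": "fs", "fs.delete": "fs", "fs.open": "fs",
    "fs.duration": "metric", "fs.error": "metric", "fs.read": "metric",
    "fs.seek": "metric", "fs.stat": "metric", "fs.write": "metric",
    "http.req": "http",
}
# data properties marked "required" (only dns.req has one in this section).
REQUIRED_DATA = {"dns.req": ("domain",)}


def _check_fields(obj, spec, where, errors):
    for name, expected in spec.items():
        if name not in obj:
            errors.append(f"{where}.{name}: missing")
        # bool is a subclass of int in Python, so reject JSON true/false explicitly.
        elif isinstance(obj[name], bool) or not isinstance(obj[name], expected):
            errors.append(f"{where}.{name}: unexpected type {type(obj[name]).__name__}")


def validate_event(evt):
    """Return a list of problems; an empty list means the event passed."""
    if not isinstance(evt, dict):
        return ["event: not a JSON object"]
    errors = []
    _check_fields(evt, ENVELOPE, "event", errors)
    if "type" in evt and evt["type"] != "evt":
        errors.append("event.type: must be 'evt'")
    body = evt.get("body")
    if not isinstance(body, dict):
        return errors
    _check_fields(body, BODY, "body", errors)
    source, sourcetype = body.get("source"), body.get("sourcetype")
    if not isinstance(source, str) or not isinstance(sourcetype, str):
        return errors
    if sourcetype == "console":
        if source not in ("stdout", "stderr"):
            errors.append("body.source: console events carry stdout or stderr")
    elif sourcetype == "file":
        pass  # source is a free-form file path
    elif source not in SOURCETYPE_FOR_SOURCE:
        errors.append(f"body.source: {source!r} is not in the allow-list")
    elif SOURCETYPE_FOR_SOURCE[source] != sourcetype:
        errors.append(f"body.sourcetype: {source!r} requires "
                      f"{SOURCETYPE_FOR_SOURCE[source]!r}, got {sourcetype!r}")
    data = body.get("data")
    if isinstance(data, dict):
        for name in REQUIRED_DATA.get(source, ()):
            if name not in data:
                errors.append(f"data.{name}: missing")
        # In the metric events on this page, data._metric repeats body.source.
        if sourcetype == "metric" and data.get("_metric", source) != source:
            errors.append("data._metric: does not match body.source")
    return errors


def validate_line(line):
    """Validate one line of newline-delimited JSON output."""
    try:
        return validate_event(json.loads(line))
    except json.JSONDecodeError:
        return ["line: not valid JSON"]


# The dns.req sample from this page, followed by constructed malformed variants.
PAGE_DNS_REQ = ('{"type":"evt","id":"ubuntu-firefox-/usr/lib/firefox/firefox",'
                '"_channel":"13470757294558","body":{"sourcetype":"dns",'
                '"_time":1643735942.526987,"source":"dns.req","host":"ubuntu",'
                '"proc":"firefox","cmd":"/usr/lib/firefox/firefox","pid":6544,'
                '"data":{"domain":"detectportal.firefox.com"}}}')
BAD_SOURCETYPE = PAGE_DNS_REQ.replace('"sourcetype":"dns"', '"sourcetype":"fs"')
BAD_PID = PAGE_DNS_REQ.replace('"pid":6544', '"pid":true')
NO_DOMAIN = PAGE_DNS_REQ.replace('"domain":"detectportal.firefox.com"', '')

if __name__ == "__main__":
    for line in (PAGE_DNS_REQ, BAD_SOURCETYPE, BAD_PID, NO_DOMAIN, "{truncated"):
        print(validate_line(line) or "ok")
```

Because the check ignores `title` and `description` entirely, it is unaffected if those fields change.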

Structure of the `console` event

```json
{
  "type": "evt",
  "id": "eaf4d0598443-a.out-./a.out",
  "_channel": "8499188821284",
  "body": {
    "sourcetype": "console",
    "_time": 1643883251.376672,
    "source": "stderr",
    "host": "eaf4d0598443",
    "proc": "a.out",
    "cmd": "./a.out",
    "pid": 986,
    "data": {
      "message": "stderr hello world"
    }
  }
}
```

```json
{
  "type": "evt",
  "id": "ubuntu-sh- /usr/bin/which /usr/bin/firefox",
  "_channel": "13468365092424",
  "body": {
    "sourcetype": "console",
    "_time": 1643735941.602952,
    "source": "stdout",
    "host": "ubuntu",
    "proc": "sh",
    "cmd": "/bin/sh /usr/bin/which /usr/bin/firefox",
    "pid": 6545,
    "data": {
      "message": "/usr/bin/firefox\n"
    }
  }
}
```

`console` properties

Property | Description |
---|---|
`type` required (string) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (string) | Identifies the application that the process is associated with. |
`_channel` required (string) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (object) | `body`: details below. |

`console.body` properties

Property | Description |
---|---|
`sourcetype` required (string) | Indicates that the Sourcetype is console. Value must be `console`. |
`_time` required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (string) | Specifies whether AppView is capturing either stderr or stdout from console. Possible values: |
`host` required (string) | Hostname for the host on which the viewed app was run. |
`proc` required (string) | The name of the viewed app's process. |
`cmd` required (string) | The command that was run to start the viewed app. Example: `top` |
`pid` required (integer) | The process ID of the viewed app. Example: `1000` |
`data` required (object) | `data`: details below. |

`console.body.data` properties

Property | Description |
---|---|
`message` (string) | The textual data written to a console or file. |

Structure of the `dns.req` event

```json
{
  "type": "evt",
  "id": "ubuntu-firefox-/usr/lib/firefox/firefox",
  "_channel": "13470757294558",
  "body": {
    "sourcetype": "dns",
    "_time": 1643735942.526987,
    "source": "dns.req",
    "host": "ubuntu",
    "proc": "firefox",
    "cmd": "/usr/lib/firefox/firefox",
    "pid": 6544,
    "data": {
      "domain": "detectportal.firefox.com"
    }
  }
}
```

`dns.req` properties

Property | Description |
---|---|
`type` required (string) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (string) | Identifies the application that the process is associated with. |
`_channel` required (string) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (object) | `body`: details below. |

`dns.req.body` properties

Property | Description |
---|---|
`sourcetype` required (string) | Indicates that the Sourcetype is DNS. Value must be `dns`. |
`_time` required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (string) | Indicates that the Source is a Network DNS operation. Value must be `dns.req`. |
`host` required (string) | Hostname for the host on which the viewed app was run. |
`proc` required (string) | The name of the viewed app's process. |
`cmd` required (string) | The command that was run to start the viewed app. Example: `top` |
`pid` required (integer) | The process ID of the viewed app. Example: `1000` |
`data` required (object) | `data`: details below. |

`dns.req.body.data` properties

Property | Description |
---|---|
`domain` required (string) | The domain for which the viewed app made a DNS request. |

Structure of the `dns.resp` event

```json
{
  "type": "evt",
  "id": "ubuntu-firefox-/usr/lib/firefox/firefox",
  "_channel": "13470823778038",
  "body": {
    "sourcetype": "dns",
    "_time": 1643735942.552667,
    "source": "dns.resp",
    "host": "ubuntu",
    "proc": "firefox",
    "cmd": "/usr/lib/firefox/firefox",
    "pid": 6544,
    "data": {
      "duration": 25,
      "domain": "detectportal.firefox.com",
      "addrs": [
        "34.107.221.82"
      ]
    }
  }
}
```

`dns.resp` properties

Property | Description |
---|---|
`type` required (string) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (string) | Identifies the application that the process is associated with. |
`_channel` required (string) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (object) | `body`: details below. |

`dns.resp.body` properties

Property | Description |
---|---|
`sourcetype` required (string) | Indicates that the Sourcetype is DNS. Value must be `dns`. |
`_time` required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (string) | Indicates that the Source is a DNS response operation. Value must be `dns.resp`. |
`host` required (string) | Hostname for the host on which the viewed app was run. |
`proc` required (string) | The name of the viewed app's process. |
`cmd` required (string) | The command that was run to start the viewed app. Example: `top` |
`pid` required (integer) | The process ID of the viewed app. Example: `1000` |
`data` required (object) | `data`: details below. |

`dns.resp.body.data` properties

Property | Description |
---|---|
`duration` (number) | Duration in milliseconds. Example: `55` |
`domain` (string) | The domain for which the viewed app made a DNS request. |
`addrs` (array) | IP address(es) of the domain for which the viewed app sent a DNS request. |

Structure of the `file` event

```json
{
  "type": "evt",
  "id": "ubuntu-sh- /usr/bin/which /usr/bin/firefox",
  "_channel": "13468365092424",
  "body": {
    "sourcetype": "file",
    "_time": 1643735941.602952,
    "source": "/var/log/firefox.log",
    "host": "ubuntu",
    "proc": "sh",
    "cmd": "/bin/sh /usr/bin/which /usr/bin/firefox",
    "pid": 6545,
    "data": {
      "message": "/usr/bin/firefox\n"
    }
  }
}
```

`file` properties

Property | Description |
---|---|
`type` required (string) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (string) | Identifies the application that the process is associated with. |
`_channel` required (string) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (object) | `body`: details below. |

`file.body` properties

Property | Description |
---|---|
`sourcetype` required (string) | Indicates that the Sourcetype is file. Value must be `file`. |
`_time` required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (string) | String that describes a file path. |
`host` required (string) | Hostname for the host on which the viewed app was run. |
`proc` required (string) | The name of the viewed app's process. |
`cmd` required (string) | The command that was run to start the viewed app. Example: `top` |
`pid` required (integer) | The process ID of the viewed app. Example: `1000` |
`data` required (object) | `data`: details below. |

`file.body.data` properties

Property | Description |
---|---|
`message` (string) | The textual data written to a console or file. |

Structure of the `fs.close` event

```json
{
  "type": "evt",
  "id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "5890090429747",
  "body": {
    "sourcetype": "fs",
    "_time": 1643735835.455002,
    "source": "fs.close",
    "host": "8bc1398c19f3",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1933,
    "data": {
      "proc": "accept01",
      "pid": 1933,
      "host": "8bc1398c19f3",
      "file": "/dev/shm/ltp_accept01_1931",
      "proc_uid": 0,
      "proc_gid": 0,
      "proc_cgroup": "0::/system.slice/containerd.service",
      "file_perms": 600,
      "file_owner": 0,
      "file_group": 0,
      "file_read_bytes": 0,
      "file_read_ops": 0,
      "file_write_bytes": 0,
      "file_write_ops": 0,
      "duration": 0,
      "op": "close"
    }
  }
}
```

`fs.close` properties

Property | Description |
---|---|
`type` required (string) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (string) | Identifies the application that the process is associated with. |
`_channel` required (string) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (object) | `body`: details below. |

`fs.close.body` properties

Property | Description |
---|---|
`sourcetype` required (string) | Indicates that the Sourcetype is filesystem. Value must be `fs`. |
`_time` required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (string) | Indicates that the Source is a File Close operation. Value must be `fs.close`. |
`host` required (string) | Hostname for the host on which the viewed app was run. |
`proc` required (string) | The name of the viewed app's process. |
`cmd` required (string) | The command that was run to start the viewed app. Example: `top` |
`pid` required (integer) | The process ID of the viewed app. Example: `1000` |
`data` required (object) | `data`: details below. |

`fs.close.body.data` properties

Property | Description |
---|---|
`proc` (string) | The name of the viewed app's process. |
`pid` (integer) | The process ID of the viewed app. Example: `1000` |
`host` (string) | Hostname for the host on which the viewed app was run. |
`file` (string) | The name of the file. |
`proc_uid` (integer) | The user ID of the user who started the viewed app. Example: `0` |
`proc_gid` (integer) | The group ID of the user who started the viewed app. Example: `0` |
`proc_cgroup` (string) | The control group used in container creation. Example: `0::/user.slice/user-1000.slice/session-3.appview` |
`file_perms` (integer) | The permissions of the file, in octal format. Example: `777` |
`file_owner` (number) | The user ID of the file owner. Example: `0` |
`file_group` (number) | The group ID of the file owner. Example: `0` |
`file_read_bytes` (integer) | The number of bytes of data read from a file. Example: `512` |
`file_read_ops` (integer) | Count of individual read operations aggregated. Example: `5` |
`file_write_bytes` (integer) | The number of bytes of data written to a file. Example: `10` |
`file_write_ops` (integer) | Count of individual write operations aggregated. Example: `5` |
`duration` (number) | Duration in milliseconds. Example: `55` |
`op` (string) | The close operation that was executed on the filesystem. Possible values: |

Structure of the `fs.delete` event

```json
{
  "type": "evt",
  "id": "b6209181773f-rm-rm test.txt",
  "_channel": "none",
  "body": {
    "sourcetype": "fs",
    "_time": 1643793922.040438,
    "source": "fs.delete",
    "host": "b6209181773f",
    "proc": "rm",
    "cmd": "rm test.txt",
    "pid": 306,
    "data": {
      "proc": "rm",
      "pid": 306,
      "host": "b6209181773f",
      "op": "unlinkat",
      "file": "test.txt",
      "unit": "operation"
    }
  }
}
```

`fs.delete` properties

Property | Description |
---|---|
`type` required (string) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (string) | Identifies the application that the process is associated with. |
`_channel` required (string) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (object) | `body`: details below. |

`fs.delete.body` properties

Property | Description |
---|---|
`sourcetype` required (string) | Indicates that the Sourcetype is filesystem. Value must be `fs`. |
`_time` required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (string) | Indicates that the Source is a File Delete operation. Value must be `fs.delete`. |
`host` required (string) | Hostname for the host on which the viewed app was run. |
`proc` required (string) | The name of the viewed app's process. |
`cmd` required (string) | The command that was run to start the viewed app. Example: `top` |
`pid` required (integer) | The process ID of the viewed app. Example: `1000` |
`data` required (object) | `data`: details below. |

`fs.delete.body.data` properties

Property | Description |
---|---|
`proc` (string) | The name of the viewed app's process. |
`pid` (integer) | The process ID of the viewed app. Example: `1000` |
`host` (string) | Hostname for the host on which the viewed app was run. |
`op` (string) | The delete operation that was executed on the filesystem. Possible values: |
`file` (string) | The name of the file. |
`unit` (string) | Indicates that the metric's value is a number of operations. Value must be `operation`. |

Structure of the `fs.duration` event

```json
{
  "type": "evt",
  "id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "5890091215105",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735835.455057,
    "source": "fs.duration",
    "host": "8bc1398c19f3",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1933,
    "data": {
      "_metric": "fs.duration",
      "_metric_type": "histogram",
      "_value": 12,
      "proc": "accept01",
      "pid": 1933,
      "fd": 3,
      "op": "fgets_unlocked",
      "file": "/etc/passwd",
      "numops": 1,
      "unit": "microsecond"
    }
  }
}
```

`fs.duration` properties

Property | Description |
---|---|
`type` required (string) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (string) | Identifies the application that the process is associated with. |
`_channel` required (string) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (object) | `body`: details below. |

`fs.duration.body` properties

Property | Description |
---|---|
`sourcetype` required (string) | Indicates that the Sourcetype is metric. Value must be `metric`. |
`_time` required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (string) | Indicates that the Source is a File Duration operation. Value must be `fs.duration`. |
`host` required (string) | Hostname for the host on which the viewed app was run. |
`proc` required (string) | The name of the viewed app's process. |
`cmd` required (string) | The command that was run to start the viewed app. Example: `top` |
`pid` required (integer) | The process ID of the viewed app. Example: `1000` |
`data` required (object) | `data`: details below. |

`fs.duration.body.data` properties

Property | Description |
---|---|
`_metric` (string) | Indicates that the Source is a File Duration operation. Value must be `fs.duration`. |
`_metric_type` (string) | Indicates that the metric from the viewed app is a histogram. Value must be `histogram`. |
`_value` (number) | The value reported by the event or metric. Example: `1` |
`proc` (string) | The name of the viewed app's process. |
`pid` (integer) | The process ID of the viewed app. Example: `1000` |
`fd` (integer) | The file descriptor for an operation. Example: `4` |
`op` (string) | The function that was executed. |
`file` (string) | The name of the file. |
`numops` (number) | Count of individual operations aggregated. |
`unit` (string) | Indicates that the metric's value is in microseconds. Value must be `microsecond`. |

Structure of the `fs.error` event

```json
{
  "type": "evt",
  "id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "5890094642989",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735835.45777,
    "source": "fs.error",
    "host": "8bc1398c19f3",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1931,
    "data": {
      "_metric": "fs.error",
      "_metric_type": "counter",
      "_value": 1,
      "proc": "accept01",
      "pid": 1931,
      "op": "access",
      "file": "/dev/shm/ltp_accept01_1931",
      "class": "stat",
      "unit": "operation"
    }
  }
}
```

`fs.error` properties

Property | Description |
---|---|
`type` required (string) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (string) | Identifies the application that the process is associated with. |
`_channel` required (string) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (object) | `body`: details below. |

`fs.error.body` properties

Property | Description |
---|---|
`sourcetype` required (string) | Indicates that the Sourcetype is metric. Value must be `metric`. |
`_time` required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (string) | Indicates that the Source is a File Error operation. Value must be `fs.error`. |
`host` required (string) | Hostname for the host on which the viewed app was run. |
`proc` required (string) | The name of the viewed app's process. |
`cmd` required (string) | The command that was run to start the viewed app. Example: `top` |
`pid` required (integer) | The process ID of the viewed app. Example: `1000` |
`data` required (object) | `data`: details below. |

`fs.error.body.data` properties

Property | Description |
---|---|
`_metric` (string) | Indicates that the Source is a File Error operation. Value must be `fs.error`. |
`_metric_type` (string) | Indicates that the metric is a counter. Value must be `counter`. |
`_value` (number) | The value reported by the event or metric. Example: `1` |
`proc` (string) | The name of the viewed app's process. |
`pid` (integer) | The process ID of the viewed app. Example: `1000` |
`op` (string) | The function that was executed. |
`file` (string) | The name of the file. |
`class` (string) | Subcategory of filesystem error. Possible values: |
`unit` (string) | Indicates that the metric's value is a number of operations. Value must be `operation`. |

Structure of the `fs.open` event

```json
{
  "type": "evt",
  "id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "5890090429747",
  "body": {
    "sourcetype": "fs",
    "_time": 1643735835.454946,
    "source": "fs.open",
    "host": "8bc1398c19f3",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1933,
    "data": {
      "proc": "accept01",
      "pid": 1933,
      "host": "8bc1398c19f3",
      "file": "/dev/shm/ltp_accept01_1931",
      "proc_uid": 0,
      "proc_gid": 0,
      "proc_cgroup": "0::/system.slice/containerd.service",
      "file_perms": 600,
      "file_owner": 0,
      "file_group": 0,
      "op": "open"
    }
  }
}
```

`fs.open` properties

Property | Description |
---|---|
`type` required (string) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (string) | Identifies the application that the process is associated with. |
`_channel` required (string) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (object) | `body`: details below. |

`fs.open.body` properties

Property | Description |
---|---|
`sourcetype` required (string) | Indicates that the Sourcetype is filesystem. Value must be `fs`. |
`_time` required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (string) | Indicates that the Source is a File open operation. Value must be `fs.open`. |
`host` required (string) | Hostname for the host on which the viewed app was run. |
`proc` required (string) | The name of the viewed app's process. |
`cmd` required (string) | The command that was run to start the viewed app. Example: `top` |
`pid` required (integer) | The process ID of the viewed app. Example: `1000` |
`data` required (object) | `data`: details below. |

`fs.open.body.data` properties

Property | Description |
---|---|
`proc` (string) | The name of the viewed app's process. |
`pid` (integer) | The process ID of the viewed app. Example: `1000` |
`host` (string) | Hostname for the host on which the viewed app was run. |
`file` (string) | The name of the file. |
`proc_uid` (integer) | The user ID of the user who started the viewed app. Example: `0` |
`proc_gid` (integer) | The group ID of the user who started the viewed app. Example: `0` |
`proc_cgroup` (string) | The control group used in container creation. Example: `0::/user.slice/user-1000.slice/session-3.appview` |
`file_perms` (integer) | The permissions of the file, in octal format. Example: `777` |
`file_owner` (number) | The user ID of the file owner. Example: `0` |
`file_group` (number) | The group ID of the file owner. Example: `0` |
`op` (string) | The open operation that was executed on the filesystem. Possible values: |
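
The `file_perms` property is typed as an integer but described as octal (the sample above carries `600`), so a consumer has to re-read its decimal digits in base 8 before testing mode bits. The following is an added example, not AppView code: it decodes the value and reports `fs.open` events in which a root process (`proc_uid` 0) opens a file that other users can write or that root does not own. It assumes the octal digits are emitted as a plain JSON number, as the sample and `Example: 777` suggest; the function names are illustrative and the second event is constructed.

```python
import stat


def decode_file_perms(value):
    """Turn file_perms as reported (e.g. 600) into real mode bits (0o600)."""
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        raise ValueError(f"file_perms must be a non-negative integer, got {value!r}")
    try:
        # The JSON number is a run of octal digits, so re-read its text in base 8.
        return int(str(value), 8)
    except ValueError:
        raise ValueError(f"file_perms {value} contains a non-octal digit") from None


def review_fs_open(evt):
    """Return findings for one fs.open event; an empty list means nothing to report."""
    body = evt.get("body", {})
    if body.get("source") != "fs.open":
        return []
    data = body.get("data", {})
    # None of the data properties are marked required, so skip incomplete events.
    if any(key not in data for key in ("file", "proc_uid", "file_perms", "file_owner")):
        return []
    if data["proc_uid"] != 0:
        return []
    mode = decode_file_perms(data["file_perms"])
    findings = []
    if mode & stat.S_IWOTH:
        findings.append(f"root opened world-writable file {data['file']}")
    if mode & stat.S_IWGRP:
        findings.append(f"root opened group-writable file {data['file']}")
    if data["file_owner"] != 0:
        findings.append(f"root opened {data['file']} owned by uid {data['file_owner']}")
    return findings


# data values taken from the fs.open sample on this page.
PAGE_FS_OPEN = {"type": "evt", "body": {"source": "fs.open", "data": {
    "file": "/dev/shm/ltp_accept01_1931", "proc_uid": 0, "proc_gid": 0,
    "file_perms": 600, "file_owner": 0, "file_group": 0, "op": "open"}}}

# Constructed event: same shape, but the file is mode 666 and owned by uid 1000.
CONSTRUCTED_FS_OPEN = {"type": "evt", "body": {"source": "fs.open", "data": {
    "file": "/dev/shm/example_constructed", "proc_uid": 0, "proc_gid": 0,
    "file_perms": 666, "file_owner": 1000, "file_group": 1000, "op": "open"}}}

if __name__ == "__main__":
    for event in (PAGE_FS_OPEN, CONSTRUCTED_FS_OPEN):
        print(review_fs_open(event) or "nothing to report")
```

Testing `600 & 0o002` directly would check the wrong bits, because decimal 600 is `0o1130`.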

Structure of the `fs.read` event

```json
{
  "type": "evt",
  "id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "5890091215105",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735835.455076,
    "source": "fs.read",
    "host": "8bc1398c19f3",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1933,
    "data": {
      "_metric": "fs.read",
      "_metric_type": "histogram",
      "_value": 4096,
      "proc": "accept01",
      "pid": 1933,
      "fd": 3,
      "op": "fgets_unlocked",
      "file": "/etc/passwd",
      "numops": 1,
      "unit": "byte"
    }
  }
}
```

`fs.read` properties

Property | Description |
---|---|
`type` required (string) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (string) | Identifies the application that the process is associated with. |
`_channel` required (string) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (object) | `body`: details below. |

`fs.read.body` properties

Property | Description |
---|---|
`sourcetype` required (string) | Indicates that the Sourcetype is metric. Value must be `metric`. |
`_time` required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (string) | Indicates that the Source is a File Read operation. Value must be `fs.read`. |
`host` required (string) | Hostname for the host on which the viewed app was run. |
`proc` required (string) | The name of the viewed app's process. |
`cmd` required (string) | The command that was run to start the viewed app. Example: `top` |
`pid` required (integer) | The process ID of the viewed app. Example: `1000` |
`data` required (object) | `data`: details below. |

`fs.read.body.data` properties

Property | Description |
---|---|
`_metric` (string) | Indicates that the Source is a File Read operation. Value must be `fs.read`. |
`_metric_type` (string) | Indicates that the metric from the viewed app is a histogram. Value must be `histogram`. |
`_value` (number) | The value reported by the event or metric. Example: `1` |
`proc` (string) | The name of the viewed app's process. |
`pid` (integer) | The process ID of the viewed app. Example: `1000` |
`fd` (integer) | The file descriptor for an operation. Example: `4` |
`op` (string) | The read operation that was executed on the filesystem. Possible values: |
`file` (string) | The name of the file. |
`numops` (number) | Count of individual operations aggregated. |
`unit` (string) | Indicates that the metric's value is in bytes. Value must be `byte`. |

Structure of the `fs.seek` event

```json
{
  "type": "evt",
  "id": "8bc1398c19f3-sh-/bin/sh ./file_x",
  "_channel": "5891441789884",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735836.805196,
    "source": "fs.seek",
    "host": "8bc1398c19f3",
    "proc": "sh",
    "cmd": "/bin/sh ./file_x",
    "pid": 2061,
    "data": {
      "_metric": "fs.seek",
      "_metric_type": "counter",
      "_value": 1,
      "proc": "sh",
      "pid": 2061,
      "fd": 3,
      "op": "lseek",
      "file": "./file_x",
      "unit": "operation"
    }
  }
}
```

`fs.seek` properties

Property | Description |
---|---|
`type` required (string) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (string) | Identifies the application that the process is associated with. |
`_channel` required (string) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (object) | `body`: details below. |

`fs.seek.body` properties

Property | Description |
---|---|
`sourcetype` required (string) | Indicates that the Sourcetype is metric. Value must be `metric`. |
`_time` required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (string) | Indicates that the Source is a File Seek operation. Value must be `fs.seek`. |
`host` required (string) | Hostname for the host on which the viewed app was run. |
`proc` required (string) | The name of the viewed app's process. |
`cmd` required (string) | The command that was run to start the viewed app. Example: `top` |
`pid` required (integer) | The process ID of the viewed app. Example: `1000` |
`data` required (object) | `data`: details below. |

`fs.seek.body.data` properties

Property | Description |
---|---|
`_metric` (string) | Indicates that the Source is a File Seek operation. Value must be `fs.seek`. |
`_metric_type` (string) | Indicates that the metric is a counter. Value must be `counter`. |
`_value` (number) | The value reported by the event or metric. Example: `1` |
`proc` (string) | The name of the viewed app's process. |
`pid` (integer) | The process ID of the viewed app. Example: `1000` |
`fd` (integer) | The file descriptor for an operation. Example: `4` |
`op` (string) | The seek operation that was executed on the filesystem. Possible values: |
`file` (string) | The name of the file. |
`unit` (string) | Indicates that the metric's value is a number of operations. Value must be `operation`. |

Structure of the `fs.stat` event

```json
{
  "type": "evt",
  "id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
  "_channel": "5890091777333",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735835.454905,
    "source": "fs.stat",
    "host": "8bc1398c19f3",
    "proc": "accept01",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
    "pid": 1933,
    "data": {
      "_metric": "fs.stat",
      "_metric_type": "counter",
      "_value": 1,
      "proc": "accept01",
      "pid": 1933,
      "op": "access",
      "file": "/dev/shm",
      "unit": "operation"
    }
  }
}
```

`fs.stat` properties

Property | Description |
---|---|
`type` required (string) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (string) | Identifies the application that the process is associated with. |
`_channel` required (string) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (object) | `body`: details below. |

`fs.stat.body` properties

Property | Description |
---|---|
`sourcetype` required (string) | Indicates that the Sourcetype is metric. Value must be `metric`. |
`_time` required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (string) | Indicates that the Source is a File Stat operation. Value must be `fs.stat`. |
`host` required (string) | Hostname for the host on which the viewed app was run. |
`proc` required (string) | The name of the viewed app's process. |
`cmd` required (string) | The command that was run to start the viewed app. Example: `top` |
`pid` required (integer) | The process ID of the viewed app. Example: `1000` |
`data` required (object) | `data`: details below. |

`fs.stat.body.data` properties

Property | Description |
---|---|
`_metric` (string) | Indicates that the Source is a File Stat operation. Value must be `fs.stat`. |
`_metric_type` (string) | Indicates that the metric is a counter. Value must be `counter`. |
`_value` (number) | The value reported by the event or metric. Example: `1` |
`proc` (string) | The name of the viewed app's process. |
`pid` (integer) | The process ID of the viewed app. Example: `1000` |
`op` (string) | The stat operation that was executed on the filesystem. Possible values: |
`file` (string) | The name of the file. |
`unit` (string) | Indicates that the metric's value is a number of operations. Value must be `operation`. |

Structure of the `fs.write` event

```json
{
  "type": "evt",
  "id": "8bc1398c19f3-access02-/kernel/syscalls/access/access02",
  "_channel": "5891407740765",
  "body": {
    "sourcetype": "metric",
    "_time": 1643735836.773249,
    "source": "fs.write",
    "host": "8bc1398c19f3",
    "proc": "access02",
    "cmd": "/opt/test/ltp/testcases/kernel/syscalls/access/access02",
    "pid": 2058,
    "data": {
      "_metric": "fs.write",
      "_metric_type": "histogram",
      "_value": 10,
      "proc": "access02",
      "pid": 2058,
      "fd": 3,
      "op": "__write_libc",
      "file": "file_x",
      "numops": 1,
      "unit": "byte"
    }
  }
}
```

`fs.write` properties

Property | Description |
---|---|
`type` required (string) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (string) | Identifies the application that the process is associated with. |
`_channel` required (string) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (object) | `body`: details below. |

`fs.write.body` properties

Property | Description |
---|---|
`sourcetype` required (string) | Indicates that the Sourcetype is metric. Value must be `metric`. |
`_time` required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (string) | Indicates that the Source is a File Write operation. Value must be `fs.write`. |
`host` required (string) | Hostname for the host on which the viewed app was run. |
`proc` required (string) | The name of the viewed app's process. |
`cmd` required (string) | The command that was run to start the viewed app. Example: `top` |
`pid` required (integer) | The process ID of the viewed app. Example: `1000` |
`data` required (object) | `data`: details below. |

`fs.write.body.data` properties

Property | Description |
---|---|
`_metric` (string) | Indicates that the Source is a File Write operation. Value must be `fs.write`. |
`_metric_type` (string) | Indicates that the metric from the viewed app is a histogram. Value must be `histogram`. |
`_value` (number) | The value reported by the event or metric. Example: `1` |
`proc` (string) | The name of the viewed app's process. |
`pid` (integer) | The process ID of the viewed app. Example: `1000` |
`fd` (integer) | The file descriptor for an operation. Example: `4` |
`op` (string) | The write operation that was executed on the filesystem. Possible values: |
`file` (string) | The name of the file. |
`numops` (number) | Count of individual operations aggregated. |
`unit` (string) | Indicates that the metric's value is in bytes. Value must be `byte`. |

Structure of the `http.req` event

```json
{
  "type": "evt",
  "id": "ubuntu-firefox-/usr/lib/firefox/firefox",
  "_channel": "13470846442500",
  "body": {
    "sourcetype": "http",
    "_time": 1643735942.588626,
    "source": "http.req",
    "host": "ubuntu",
    "proc": "firefox",
    "cmd": "/usr/lib/firefox/firefox",
    "pid": 6544,
    "data": {
      "http_method": "GET",
      "http_target": "/canonical.html",
      "http_flavor": "1.1",
      "http_scheme": "http",
      "http_host": "detectportal.firefox.com",
      "http_user_agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
      "net_transport": "IP.TCP",
      "net_peer_ip": "34.107.221.82",
      "net_peer_port": 80,
      "net_host_ip": "172.16.198.210",
      "net_host_port": 33712
    }
  }
}
```
`http.req` properties

Property | Description |
---|---|
`type` required (`string`) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (`string`) | Identifies the application that the process is associated with. |
`_channel` required (`string`) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (`object`) | `body` details below. |

`http.req.body` properties

Property | Description |
---|---|
`sourcetype` required (`string`) | Indicates that the Sourcetype is HTTP. Value must be `http`. |
`_time` required (`number`) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (`string`) | Indicates that the event Source is an HTTP request. Value must be `http.req`. |
`host` required (`string`) | Hostname for the host on which the viewed app was run. |
`proc` required (`string`) | The name of the viewed app's process. |
`cmd` required (`string`) | The command that was run to start the viewed app. Example: `top` |
`pid` required (`integer`) | The process ID of the viewed app. Example: `1000` |
`data` required (`object`) | `data` details below. |

`http.req.body.data` properties

Property | Description |
---|---|
`http_method` (`string`) | Specifies the method of an HTTP request in the data; e.g., GET, POST, PATCH, etc. |
`http_frame` (`string`) | Type of the HTTP/2 frame as described in RFC 7540. Possible values: |
`http_target` (`string`) | In a URL, the path or file after the FQDN. |
`http_flavor` (`string`) | Specifies whether an HTTP request or response is in HTTP/1.1 or HTTP/2.0. |
`http_stream` (`integer`) | HTTP/2 Stream Identifier. |
`http_scheme` (`string`) | Specifies whether data was unencrypted (HTTP) or encrypted (HTTPS). Possible values: |
`http_host` (`string`) | Hostname of the host to which an HTTP request was sent; or, from which a response was received. |
`http_user_agent` (`string`) | HTTP header property describing the web client. |
`http_client_ip` (`string`) | IP address of the host that issued an HTTP request or received the response. |
`net_transport` (`string`) | Network layer used (before the dot) and transport layer used (after the dot). Possible values: |
`net_peer_ip` (`string`) | The IP address portion of the remote side of a network connection. |
`net_peer_port` (`integer`) | The port portion of the remote side of a network connection. |
`net_host_ip` (`string`) | The IP address portion of the local side of a network connection. |
`net_host_port` (`integer`) | The port portion of the local side of a network connection. |
`x_appview` (`string`) | Value of the `x-appview` HTTP header (if present). Value must be `x-appview`. |

Structure of the `http.resp` event
{
"type": "evt",
"id": "ubuntu-firefox-/usr/lib/firefox/firefox",
"_channel": "13470846442500",
"body": {
"sourcetype": "http",
"_time": 1643735942.613892,
"source": "http.resp",
"host": "ubuntu",
"proc": "firefox",
"cmd": "/usr/lib/firefox/firefox",
"pid": 6544,
"data": {
"http_method": "GET",
"http_target": "/canonical.html",
"http_scheme": "http",
"http_flavor": "1.1",
"http_status_code": 200,
"http_status_text": "OK",
"http_server_duration": 26,
"http_host": "detectportal.firefox.com",
"http_user_agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
"net_transport": "IP.TCP",
"net_peer_ip": "34.107.221.82",
"net_peer_port": 80,
"net_host_ip": "172.16.198.210",
"net_host_port": 33712,
"http_response_content_length": 90
}
}
}
`http.resp` properties

Property | Description |
---|---|
`type` required (`string`) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (`string`) | Identifies the application that the process is associated with. |
`_channel` required (`string`) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (`object`) | `body` details below. |

`http.resp.body` properties

Property | Description |
---|---|
`sourcetype` required (`string`) | Indicates that the Sourcetype is HTTP. Value must be `http`. |
`_time` required (`number`) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (`string`) | Indicates that the Source is an HTTP response. Value must be `http.resp`. |
`host` required (`string`) | Hostname for the host on which the viewed app was run. |
`proc` required (`string`) | The name of the viewed app's process. |
`cmd` required (`string`) | The command that was run to start the viewed app. Example: `top` |
`pid` required (`integer`) | The process ID of the viewed app. Example: `1000` |
`data` required (`object`) | `data` details below. |

`http.resp.body.data` properties

Property | Description |
---|---|
`http_method` (`string`) | Specifies the method of an HTTP request in the data; e.g., GET, POST, PATCH, etc. |
`http_target` (`string`) | In a URL, the path or file after the FQDN. |
`http_stream` (`integer`) | HTTP/2 Stream Identifier. |
`http_scheme` (`string`) | Specifies whether data was unencrypted (HTTP) or encrypted (HTTPS). Possible values: |
`http_flavor` (`string`) | Specifies whether an HTTP request or response is in HTTP/1.1 or HTTP/2.0. |
`http_status_code` (`integer`) | Specifies the status code of an HTTP response. Possible values: |
`http_status_text` (`string`) | The standard text that accompanies an HTTP response status code. Possible values: |
`http_client_duration` (`number`) | Time elapsed between when a request was issued and when the response was received, in milliseconds. |
`http_server_duration` (`number`) | Time elapsed between when a request was received and when the response was issued, in milliseconds. |
`http_host` (`string`) | Hostname of the host to which an HTTP request was sent; or, from which a response was received. |
`http_user_agent` (`string`) | HTTP header property describing the web client. |
`net_transport` (`string`) | Network layer used (before the dot) and transport layer used (after the dot). Possible values: |
`net_peer_ip` (`string`) | The IP address portion of the remote side of a network connection. |
`net_peer_port` (`integer`) | The port portion of the remote side of a network connection. |
`net_host_ip` (`string`) | The IP address portion of the local side of a network connection. |
`net_host_port` (`integer`) | The port portion of the local side of a network connection. |
`http_response_content_length` (`number`) | Specifies the length in bytes of the HTTP response body. |
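
The `http.req` and `http.resp` tables above, put to work in an added example (not part of the AppView documentation or code): it checks each event against the required fields those tables list, pairs requests with responses, and marks exchanges whose `http_scheme` is `http`. It assumes one JSON event per line and that a request and its response share `_channel`, `host` and `pid`, as the two Firefox samples on this page do; the function names and the sample events are constructed for illustration.

```python
import json

# Required keys and JSON types, from the http.req / http.resp tables above.
ENVELOPE = {"type": str, "id": str, "_channel": str, "body": dict}
BODY = {"sourcetype": str, "_time": (int, float), "source": str, "host": str,
        "proc": str, "cmd": str, "pid": int, "data": dict}

def typed_problems(obj, spec, prefix=""):
    """List required keys that are missing or carry the wrong JSON type."""
    out = []
    for key, typ in spec.items():
        if key not in obj:
            out.append(f"missing {prefix}{key}")
        elif isinstance(obj[key], bool) or not isinstance(obj[key], typ):
            out.append(f"{prefix}{key} has wrong type")
    return out

def envelope_problems(evt):
    """Return schema problems for one HTTP event; an empty list means usable."""
    if not isinstance(evt, dict):
        return ["event is not a JSON object"]
    problems = typed_problems(evt, ENVELOPE)
    if evt.get("type") != "evt":
        problems.append("type must be 'evt'")
    body = evt.get("body")
    if isinstance(body, dict):
        problems += typed_problems(body, BODY, "body.")
        if body.get("sourcetype") != "http":
            problems.append("body.sourcetype must be 'http'")
        if body.get("source") not in ("http.req", "http.resp"):
            problems.append("body.source must be 'http.req' or 'http.resp'")
    return problems

def summarise(req, resp):
    """Flatten one exchange; req or resp is None when that side was not seen."""
    data = (req or resp)["data"]
    return {
        "host": data.get("http_host"),
        "target": data.get("http_target"),
        "status": resp["data"].get("http_status_code") if resp else None,
        # "http" is the http_scheme value shown in the page's samples.
        "cleartext": str(data.get("http_scheme", "")).lower() == "http",
        "complete": bool(req and resp),
    }

def pair_http(lines):
    """Validate NDJSON lines, then pair each http.resp with its http.req."""
    valid, rejected = [], []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            evt = json.loads(line)
        except json.JSONDecodeError as exc:
            rejected.append((n, [f"invalid JSON: {exc.msg}"]))
            continue
        problems = envelope_problems(evt)
        if problems:
            rejected.append((n, problems))  # never feed these to detections
        else:
            valid.append(evt)
    valid.sort(key=lambda e: e["body"]["_time"])  # restore emit order
    # Assumption: request and response share _channel, host and pid.
    pending, exchanges = {}, []
    for evt in valid:
        body = evt["body"]
        key = (evt["_channel"], body["host"], body["pid"])
        if body["source"] == "http.req":
            pending.setdefault(key, []).append(body)
        else:
            queue = pending.get(key)
            exchanges.append(summarise(queue.pop(0) if queue else None, body))
    for queue in pending.values():  # requests whose response never arrived
        exchanges.extend(summarise(req, None) for req in queue)
    return exchanges, rejected

def _sample(channel, t, source, scheme, host, status=None, pid=4242):
    """Build one constructed event line shaped like the page's samples."""
    data = {"http_method": "GET", "http_target": "/login",
            "http_scheme": scheme, "http_host": host}
    if status is not None:
        data["http_status_code"] = status
    body = {"sourcetype": "http", "_time": t, "source": source, "host": "lab",
            "proc": "curl", "cmd": "/usr/bin/curl", "pid": pid, "data": data}
    return json.dumps({"type": "evt", "id": "lab-curl-/usr/bin/curl",
                       "_channel": channel, "body": body})

SAMPLE_LINES = [  # constructed input, not real capture data
    _sample("1001", 1.0, "http.req", "http", "app.example.test"),
    _sample("1001", 1.2, "http.resp", "http", "app.example.test", 200),
    _sample("1002", 2.0, "http.req", "https", "api.example.test"),
    _sample("1002", 2.3, "http.resp", "https", "api.example.test", 200),
    _sample("1003", 3.0, "http.req", "http", "old.example.test"),  # unanswered
    _sample("1004", 4.0, "http.req", "http", "app.example.test", pid="4242"),
    "{truncated",  # not JSON
]
```

Rejected lines are returned with their line number and reasons rather than dropped silently, so a gap in the event stream is visible to whoever consumes the pairing.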

Structure of the `net.app` event
{
"type": "evt",
"id": "ubuntu-firefox-/usr/lib/firefox/firefox",
"_channel": "13470846442500",
"body": {
"sourcetype": "net",
"_time": 1643735942.588594,
"source": "net.app",
"host": "ubuntu",
"proc": "firefox",
"cmd": "/usr/lib/firefox/firefox",
"pid": 6544,
"data": {
"proc": "firefox",
"pid": 6544,
"fd": 91,
"host": "ubuntu",
"protocol": "HTTP"
}
}
}
`net.app` properties

Property | Description |
---|---|
`type` required (`string`) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (`string`) | Identifies the application that the process is associated with. |
`_channel` required (`string`) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (`object`) | `body` details below. |

`net.app.body` properties

Property | Description |
---|---|
`sourcetype` required (`string`) | Indicates that the Sourcetype is net (meaning network). Value must be `net`. |
`_time` required (`number`) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (`string`) | Indicates that the Source is a Network App (protocol detection) operation. Value must be `net.app`. |
`host` required (`string`) | Hostname for the host on which the viewed app was run. |
`proc` required (`string`) | The name of the viewed app's process. |
`cmd` required (`string`) | The command that was run to start the viewed app. Example: `top` |
`pid` required (`integer`) | The process ID of the viewed app. Example: `1000` |
`data` required (`object`) | `data` details below. |

`net.app.body.data` properties

Property | Description |
---|---|
`proc` (`string`) | The name of the viewed app's process. |
`pid` (`integer`) | The process ID of the viewed app. Example: `1000` |
`fd` (`integer`) | The file descriptor for an operation. Example: `4` |
`host` (`string`) | Hostname for the host on which the viewed app was run. |
`protocol` (`string`) | Protocol detected in data transmitted over a network connection. Possible values: |

Structure of the `net.close` event
{
"type": "evt",
"id": "8bc1398c19f3-recvfrom01-nel/syscalls/recvfrom/recvfrom01",
"_channel": "5912618970557",
"body": {
"sourcetype": "net",
"_time": 1643735857.983449,
"source": "net.close",
"host": "8bc1398c19f3",
"proc": "recvfrom01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/recvfrom/recvfrom01",
"pid": 3793,
"data": {
"net_transport": "IP.TCP",
"net_peer_ip": "0.0.0.0",
"net_peer_port": 35533,
"net_host_ip": "127.0.0.1",
"net_host_port": 40184,
"duration": 0,
"net_bytes_sent": 0,
"net_bytes_recv": 6,
"net_close_reason": "local"
}
}
}
`net.close` properties

Property | Description |
---|---|
`type` required (`string`) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (`string`) | Identifies the application that the process is associated with. |
`_channel` required (`string`) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (`object`) | `body` details below. |

`net.close.body` properties

Property | Description |
---|---|
`sourcetype` required (`string`) | Indicates that the Sourcetype is net (meaning network). Value must be `net`. |
`_time` required (`number`) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (`string`) | Indicates that the Source is a Network Close operation. Value must be `net.close`. |
`host` required (`string`) | Hostname for the host on which the viewed app was run. |
`proc` required (`string`) | The name of the viewed app's process. |
`cmd` required (`string`) | The command that was run to start the viewed app. Example: `top` |
`pid` required (`integer`) | The process ID of the viewed app. Example: `1000` |
`data` required (`object`) | `data` details below. |

`net.close.body.data` properties

Property | Description |
---|---|
`net_transport` (`string`) | Network layer used (before the dot) and transport layer used (after the dot). Possible values: |
`net_peer_ip` (`string`) | The IP address portion of the remote side of a network connection. |
`net_peer_port` (`integer`) | The port portion of the remote side of a network connection. |
`net_host_ip` (`string`) | The IP address portion of the local side of a network connection. |
`net_host_port` (`integer`) | The port portion of the local side of a network connection. |
`net_protocol` (`string`) | First network protocol detected from data sent or received. Value must be `http`. |
`unix_peer_inode` (`number`) | Inode number for the remote end of a UNIX domain socket. |
`unix_local_inode` (`number`) | Inode number for the local end of a UNIX domain socket. |
`duration` (`number`) | Duration in milliseconds. Example: `55` |
`net_bytes_sent` (`number`) | The number of bytes of data sent over a network connection. |
`net_bytes_recv` (`number`) | The number of bytes of data received over a network connection. |
`net_close_reason` (`string`) | Specifies which end of a network connection initiated the closing of the connection. Possible values: |

Structure of the `net.duration` event
{
"type": "evt",
"id": "8bc1398c19f3-recvmsg01-ernel/syscalls/recvmsg/recvmsg01",
"_channel": "5912681876432",
"body": {
"sourcetype": "metric",
"_time": 1643735858.046756,
"source": "net.duration",
"host": "8bc1398c19f3",
"proc": "recvmsg01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/recvmsg/recvmsg01",
"pid": 3798,
"data": {
"_metric": "net.duration",
"_metric_type": "timer",
"_value": 1,
"proc": "recvmsg01",
"pid": 3798,
"fd": 4,
"proto": "TCP",
"port": 41482,
"numops": 1,
"unit": "millisecond"
}
}
}
`net.duration` properties

Property | Description |
---|---|
`type` required (`string`) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (`string`) | Identifies the application that the process is associated with. |
`_channel` required (`string`) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (`object`) | `body` details below. |

`net.duration.body` properties

Property | Description |
---|---|
`sourcetype` required (`string`) | Indicates that the Sourcetype is metric. Value must be `metric`. |
`_time` required (`number`) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (`string`) | Indicates that the Source is a counter that measures Network duration. Value must be `net.duration`. |
`host` required (`string`) | Hostname for the host on which the viewed app was run. |
`proc` required (`string`) | The name of the viewed app's process. |
`cmd` required (`string`) | The command that was run to start the viewed app. Example: `top` |
`pid` required (`integer`) | The process ID of the viewed app. Example: `1000` |
`data` required (`object`) | `data` details below. |

`net.duration.body.data` properties

Property | Description |
---|---|
`_metric` (`string`) | Indicates that the Source is a counter that measures Network duration. Value must be `net.duration`. |
`_metric_type` (`string`) | Indicates that the metric is a timer. Value must be `timer`. |
`_value` (`number`) | The value reported by the event or metric. Example: `1` |
`proc` (`string`) | The name of the viewed app's process. |
`pid` (`integer`) | The process ID of the viewed app. Example: `1000` |
`fd` (`integer`) | The file descriptor for an operation. Example: `4` |
`proto` (`string`) | The transmission protocol that the viewed app used to send data. Possible values: |
`port` (`number`) | Network port opened before a connection was initiated, or closed after the connection closed. |
`numops` (`number`) | Count of individual operations aggregated. |
`unit` (`string`) | Indicates that the metric's value is in milliseconds. Value must be `millisecond`. |

Structure of the `net.error` event
{
"type": "evt",
"id": "90aac4bb0722-accept01-/kernel/syscalls/accept/accept01",
"_channel": "2745569202700291",
"body": {
"sourcetype": "metric",
"_time": 1643972258.00885,
"source": "net.error",
"host": "90aac4bb0722",
"proc": "accept01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"pid": 1934,
"data": {
"_metric": "net.error",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 1934,
"op": "accept",
"class": "connection",
"unit": "operation"
}
}
}
`net.error` properties

Property | Description |
---|---|
`type` required (`string`) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (`string`) | Identifies the application that the process is associated with. |
`_channel` required (`string`) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (`object`) | `body` details below. |

`net.error.body` properties

Property | Description |
---|---|
`sourcetype` required (`string`) | Indicates that the Sourcetype is metric. Value must be `metric`. |
`_time` required (`number`) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (`string`) | Indicates that the Source is a Network Error operation. Value must be `net.error`. |
`host` required (`string`) | Hostname for the host on which the viewed app was run. |
`proc` required (`string`) | The name of the viewed app's process. |
`cmd` required (`string`) | The command that was run to start the viewed app. Example: `top` |
`pid` required (`integer`) | The process ID of the viewed app. Example: `1000` |
`data` required (`object`) | `data` details below. |

`net.error.body.data` properties

Property | Description |
---|---|
`_metric` (`string`) | Indicates that the Source is a Network Error operation. Value must be `net.error`. |
`_metric_type` (`string`) | Indicates that the metric is a counter. Value must be `counter`. |
`_value` (`number`) | The value reported by the event or metric. Example: `1` |
`proc` (`string`) | The name of the viewed app's process. |
`pid` (`integer`) | The process ID of the viewed app. Example: `1000` |
`op` (`string`) | The function that was executed. |
`class` (`string`) | Subcategory of network error. Value must be `connection`. |
`unit` (`string`) | Indicates that the metric's value is a number of operations. Value must be `operation`. |

Structure of the `net.open` event
{
"type": "evt",
"id": "8bc1398c19f3-accept02-/kernel/syscalls/accept/accept02",
"_channel": "5890157346952",
"body": {
"sourcetype": "net",
"_time": 1643735835.521928,
"source": "net.open",
"host": "8bc1398c19f3",
"proc": "accept02",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept02",
"pid": 1936,
"data": {
"net_transport": "IP.TCP",
"net_peer_ip": "127.0.0.1",
"net_peer_port": 58625,
"net_host_ip": "0.0.0.0",
"net_host_port": 0
}
}
}
`net.open` properties

Property | Description |
---|---|
`type` required (`string`) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (`string`) | Identifies the application that the process is associated with. |
`_channel` required (`string`) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (`object`) | `body` details below. |

`net.open.body` properties

Property | Description |
---|---|
`sourcetype` required (`string`) | Indicates that the Sourcetype is net (meaning network). Value must be `net`. |
`_time` required (`number`) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (`string`) | Indicates that the Source is a Network Open operation. Value must be `net.open`. |
`host` required (`string`) | Hostname for the host on which the viewed app was run. |
`proc` required (`string`) | The name of the viewed app's process. |
`cmd` required (`string`) | The command that was run to start the viewed app. Example: `top` |
`pid` required (`integer`) | The process ID of the viewed app. Example: `1000` |
`data` required (`object`) | `data` details below. |

`net.open.body.data` properties

Property | Description |
---|---|
`net_transport` (`string`) | Network layer used (before the dot) and transport layer used (after the dot). Possible values: |
`net_peer_ip` (`string`) | The IP address portion of the remote side of a network connection. |
`net_peer_port` (`integer`) | The port portion of the remote side of a network connection. |
`net_host_ip` (`string`) | The IP address portion of the local side of a network connection. |
`net_host_port` (`integer`) | The port portion of the local side of a network connection. |
`unix_peer_inode` (`number`) | Inode number for the remote end of a UNIX domain socket. |
`unix_local_inode` (`number`) | Inode number for the local end of a UNIX domain socket. |
`net_protocol` (`string`) | First network protocol detected from data sent or received. Value must be `http`. |

Structure of the `net.other` event
{
"type": "evt",
"id": "test_user-server_seqpacket-./server_seqpacket",
"_channel": "11977632602680",
"body": {
"sourcetype": "metric",
"_time": 1643886739.820863,
"source": "net.other",
"host": "test_user",
"proc": "server_seqpacket",
"cmd": "./server_seqpacket",
"pid": 232570,
"data": {
"_metric": "net.other",
"_metric_type": "gauge",
"_value": 1,
"proc": "server_seqpacket",
"pid": 232570,
"fd": 3,
"proto": "SEQPACKET",
"port": 0,
"unit": "connection"
}
}
}
`net.other` properties

Property | Description |
---|---|
`type` required (`string`) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (`string`) | Identifies the application that the process is associated with. |
`_channel` required (`string`) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (`object`) | `body` details below. |

`net.other.body` properties

Property | Description |
---|---|
`sourcetype` required (`string`) | Indicates that the Sourcetype is metric. Value must be `metric`. |
`_time` required (`number`) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (`string`) | Indicates that the Source is a Network operation of an other-than-standard kind. Value must be `net.other`. |
`host` required (`string`) | Hostname for the host on which the viewed app was run. |
`proc` required (`string`) | The name of the viewed app's process. |
`cmd` required (`string`) | The command that was run to start the viewed app. Example: `top` |
`pid` required (`integer`) | The process ID of the viewed app. Example: `1000` |
`data` required (`object`) | `data` details below. |

`net.other.body.data` properties

Property | Description |
---|---|
`_metric` (`string`) | Indicates that the Source is a Network operation of an other-than-standard kind. Value must be `net.other`. |
`_metric_type` (`string`) | Indicates that the metric is a gauge. Value must be `gauge`. |
`_value` (`number`) | The value reported by the event or metric. Example: `1` |
`proc` (`string`) | The name of the viewed app's process. |
`pid` (`integer`) | The process ID of the viewed app. Example: `1000` |
`fd` (`integer`) | The file descriptor for an operation. Example: `4` |
`proto` (`string`) | The transmission protocol that the viewed app used to send data. Possible values: |
`port` (`number`) | Network port opened before a connection was initiated, or closed after the connection closed. |
`unit` (`string`) | Indicates that the metric's value is a number of connections. Value must be `connection`. |

Structure of the `net.port` event
{
"type": "evt",
"id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
"_channel": "5890091645261",
"body": {
"sourcetype": "metric",
"_time": 1643735835.455222,
"source": "net.port",
"host": "8bc1398c19f3",
"proc": "accept01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"pid": 1933,
"data": {
"_metric": "net.port",
"_metric_type": "gauge",
"_value": 1,
"proc": "accept01",
"pid": 1933,
"fd": 4,
"proto": "TCP",
"port": 0,
"unit": "instance"
}
}
}
`net.port` properties

Property | Description |
---|---|
`type` required (`string`) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (`string`) | Identifies the application that the process is associated with. |
`_channel` required (`string`) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (`object`) | `body` details below. |

`net.port.body` properties

Property | Description |
---|---|
`sourcetype` required (`string`) | Indicates that the Sourcetype is metric. Value must be `metric`. |
`_time` required (`number`) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (`string`) | Indicates that the Source is a gauge that identifies open ports. Value must be `net.port`. |
`host` required (`string`) | Hostname for the host on which the viewed app was run. |
`proc` required (`string`) | The name of the viewed app's process. |
`cmd` required (`string`) | The command that was run to start the viewed app. Example: `top` |
`pid` required (`integer`) | The process ID of the viewed app. Example: `1000` |
`data` required (`object`) | `data` details below. |

`net.port.body.data` properties

Property | Description |
---|---|
`_metric` (`string`) | Indicates that the Source is a gauge that identifies open ports. Value must be `net.port`. |
`_metric_type` (`string`) | Indicates that the metric is a gauge. Value must be `gauge`. |
`_value` (`number`) | The value reported by the event or metric. Example: `1` |
`proc` (`string`) | The name of the viewed app's process. |
`pid` (`integer`) | The process ID of the viewed app. Example: `1000` |
`fd` (`integer`) | The file descriptor for an operation. Example: `4` |
`proto` (`string`) | The transmission protocol that the viewed app used to send data. Possible values: |
`port` (`number`) | Network port opened before a connection was initiated, or closed after the connection closed. |
`unit` (`string`) | Indicates that the metric's value is a number of instances. Value must be `instance`. |

Structure of the `net.rx` event
{
"type": "evt",
"id": "8bc1398c19f3-recvfrom01-nel/syscalls/recvfrom/recvfrom01",
"_channel": "5912618970557",
"body": {
"sourcetype": "metric",
"_time": 1643735857.983368,
"source": "net.rx",
"host": "8bc1398c19f3",
"proc": "recvfrom01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/recvfrom/recvfrom01",
"pid": 3793,
"data": {
"_metric": "net.rx",
"_metric_type": "counter",
"_value": 6,
"proc": "recvfrom01",
"pid": 3793,
"fd": 4,
"domain": "AF_INET",
"proto": "TCP",
"localip": "127.0.0.1",
"localp": 40184,
"remoteip": "0.0.0.0",
"remotep": 35533,
"data": "clear",
"numops": 1,
"unit": "byte"
}
}
}
`net.rx` properties

Property | Description |
---|---|
`type` required (`string`) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (`string`) | Identifies the application that the process is associated with. |
`_channel` required (`string`) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (`object`) | `body` details below. |

`net.rx.body` properties

Property | Description |
---|---|
`sourcetype` required (`string`) | Indicates that the Sourcetype is metric. Value must be `metric`. |
`_time` required (`number`) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (`string`) | Indicates that the Source is a Network receive operation. Value must be `net.rx`. |
`host` required (`string`) | Hostname for the host on which the viewed app was run. |
`proc` required (`string`) | The name of the viewed app's process. |
`cmd` required (`string`) | The command that was run to start the viewed app. Example: `top` |
`pid` required (`integer`) | The process ID of the viewed app. Example: `1000` |
`data` required (`object`) | `data` details below. |

`net.rx.body.data` properties

Property | Description |
---|---|
`_metric` (`string`) | Indicates that the Source is a Network receive operation. Value must be `net.rx`. |
`_metric_type` (`string`) | Indicates that the metric is a counter. Value must be `counter`. |
`_value` (`number`) | The value reported by the event or metric. Example: `1` |
`proc` (`string`) | The name of the viewed app's process. |
`pid` (`integer`) | The process ID of the viewed app. Example: `1000` |
`fd` (`integer`) | The file descriptor for an operation. Example: `4` |
`domain` (`string`) | The domain for which the viewed app made a DNS request. |
`proto` (`string`) | The transmission protocol that the viewed app used to send data. Possible values: |
`localip` (`string`) | The IP address portion of the local end of a network connection. Example: `127.0.0.1` |
`localp` (`number`) | The port portion of the local end of a network connection. Example: `9109` |
`localn` (`number`) | Inode number for the local end of a UNIX domain socket. |
`remoteip` (`string`) | IP address for the remote end of a network socket. Example: `192.158.1.38` |
`remotep` (`number`) | Port for the remote end of a network socket. Example: `9108` |
`remoten` (`number`) | Inode number for the remote end of a UNIX domain socket. |
`data` (`string`) | Specifies whether data was unencrypted (clear) or encrypted (SSL). Possible values: |
`numops` (`number`) | Count of individual operations aggregated. |
`unit` (`string`) | Indicates that the metric's value is in bytes. Value must be `byte`. |

Structure of the `net.tcp` event
{
"type": "evt",
"id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
"_channel": "5890091645261",
"body": {
"sourcetype": "metric",
"_time": 1643735835.455387,
"source": "net.tcp",
"host": "8bc1398c19f3",
"proc": "accept01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"pid": 1933,
"data": {
"_metric": "net.tcp",
"_metric_type": "gauge",
"_value": 0,
"proc": "accept01",
"pid": 1933,
"fd": 4,
"proto": "TCP",
"port": 0,
"unit": "connection"
}
}
}
`net.tcp` properties

Property | Description |
---|---|
`type` required (`string`) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (`string`) | Identifies the application that the process is associated with. |
`_channel` required (`string`) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (`object`) | `body` details below. |

`net.tcp.body` properties

Property | Description |
---|---|
`sourcetype` required (`string`) | Indicates that the Sourcetype is metric. Value must be `metric`. |
`_time` required (`number`) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (`string`) | Indicates that the Source is a gauge that shows the current count of open TCP ports. Value must be `net.tcp`. |
`host` required (`string`) | Hostname for the host on which the viewed app was run. |
`proc` required (`string`) | The name of the viewed app's process. |
`cmd` required (`string`) | The command that was run to start the viewed app. Example: `top` |
`pid` required (`integer`) | The process ID of the viewed app. Example: `1000` |
`data` required (`object`) | `data` details below. |

`net.tcp.body.data` properties

Property | Description |
---|---|
`_metric` (`string`) | Indicates that the Source is a gauge that shows the current count of open TCP ports. Value must be `net.tcp`. |
`_metric_type` (`string`) | Indicates that the metric is a gauge. Value must be `gauge`. |
`_value` (`number`) | The value reported by the event or metric. Example: `1` |
`proc` (`string`) | The name of the viewed app's process. |
`pid` (`integer`) | The process ID of the viewed app. Example: `1000` |
`fd` (`integer`) | The file descriptor for an operation. Example: `4` |
`proto` (`string`) | The transmission protocol that the viewed app used to send data. Value must be `TCP`. |
`port` (`number`) | Network port opened before a connection was initiated, or closed after the connection closed. |
`unit` (`string`) | Indicates that the metric's value is a number of connections. Value must be `connection`. |

Structure of the `net.tx` event
{
"type": "evt",
"id": "8bc1398c19f3-recvfrom01-nel/syscalls/recvfrom/recvfrom01",
"_channel": "5912618642035",
"body": {
"sourcetype": "metric",
"_time": 1643735857.983059,
"source": "net.tx",
"host": "8bc1398c19f3",
"proc": "recvfrom01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/recvfrom/recvfrom01",
"pid": 3795,
"data": {
"_metric": "net.tx",
"_metric_type": "counter",
"_value": 6,
"proc": "recvfrom01",
"pid": 3795,
"fd": 4,
"domain": "AF_INET",
"proto": "TCP",
"localip": "0.0.0.0",
"localp": 0,
"remoteip": "127.0.0.1",
"remotep": 40184,
"data": "clear",
"numops": 1,
"unit": "byte"
}
}
}
`net.tx` properties

Property | Description |
---|---|
`type` required (`string`) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (`string`) | Identifies the application that the process is associated with. |
`_channel` required (`string`) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (`object`) | `body` details below. |

`net.tx.body` properties

Property | Description |
---|---|
`sourcetype` required (`string`) | Indicates that the Sourcetype is metric. Value must be `metric`. |
`_time` required (`number`) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: `1643662126.91777` |
`source` required (`string`) | Indicates that the Source is a Network transmit operation. Value must be `net.tx`. |
`host` required (`string`) | Hostname for the host on which the viewed app was run. |
`proc` required (`string`) | The name of the viewed app's process. |
`cmd` required (`string`) | The command that was run to start the viewed app. Example: `top` |
`pid` required (`integer`) | The process ID of the viewed app. Example: `1000` |
`data` required (`object`) | `data` details below. |

`net.tx.body.data` properties

Property | Description |
---|---|
`_metric` (`string`) | Indicates that the Source is a Network transmit operation. Value must be `net.tx`. |
`_metric_type` (`string`) | Indicates that the metric is a counter. Value must be `counter`. |
`_value` (`number`) | The value reported by the event or metric. Example: `1` |
`proc` (`string`) | The name of the viewed app's process. |
`pid` (`integer`) | The process ID of the viewed app. Example: `1000` |
`fd` (`integer`) | The file descriptor for an operation. Example: `4` |
`domain` (`string`) | The domain for which the viewed app made a DNS request. |
`proto` (`string`) | The transmission protocol that the viewed app used to send data. Possible values: |
`localip` (`string`) | The IP address portion of the local end of a network connection. Example: `127.0.0.1` |
`localp` (`number`) | The port portion of the local end of a network connection. Example: `9109` |
`localn` (`number`) | Inode number for the local end of a UNIX domain socket. |
`remoteip` (`string`) | IP address for the remote end of a network socket. Example: `192.158.1.38` |
`remotep` (`number`) | Port for the remote end of a network socket. Example: `9108` |
`remoten` (`number`) | Inode number for the remote end of a UNIX domain socket. |
`data` (`string`) | Specifies whether data was unencrypted (clear) or encrypted (SSL). Possible values: |
`numops` (`number`) | Count of individual operations aggregated. |
`unit` (`string`) | Indicates that the metric's value is in bytes. Value must be `byte`. |

Structure of the `net.udp` event
{
"type": "evt",
"id": "8bc1398c19f3-accept01-/kernel/syscalls/accept/accept01",
"_channel": "5890091656419",
"body": {
"sourcetype": "metric",
"_time": 1643735835.455419,
"source": "net.udp",
"host": "8bc1398c19f3",
"proc": "accept01",
"cmd": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"pid": 1933,
"data": {
"_metric": "net.udp",
"_metric_type": "gauge",
"_value": 0,
"proc": "accept01",
"pid": 1933,
"fd": 5,
"proto": "UDP",
"port": 0,
"unit": "connection"
}
}
}
net.udp properties

Property | Description |
---|---|
`type` required (string) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (string) | Identifies the application that the process is associated with. |
`_channel` required (string) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (object) | body Details below. |

net.udp.body properties

Property | Description |
---|---|
`sourcetype` required (string) | Indicates that the Sourcetype is metric. Value must be `metric`. |
`_time` required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
`source` required (string) | Indicates that the Source is a gauge that shows the current count of open UDP ports. Value must be `net.udp`. |
`host` required (string) | Hostname for the host on which the viewed app was run. |
`proc` required (string) | The name of the viewed app's process. |
`cmd` required (string) | The command that was run to start the viewed app. Example: top |
`pid` required (integer) | The process ID of the viewed app. Example: 1000 |
`data` required (object) | data Details below. |

net.udp.body.data properties

Property | Description |
---|---|
`_metric` (string) | Indicates that the Source is a gauge that shows the current count of open UDP ports. Value must be `net.udp`. |
`_metric_type` (string) | Indicates that the metric is a gauge. Value must be `gauge`. |
`_value` (number) | The value reported by the event or metric. Example: 1 |
`proc` (string) | The name of the viewed app's process. |
`pid` (integer) | The process ID of the viewed app. Example: 1000 |
`fd` (integer) | The file descriptor for an operation. Example: 4 |
`proto` (string) | The transmission protocol that the viewed app used to send data. Value must be `UDP`. |
`port` (number) | Network port opened before a connection was initiated, or closed after the connection closed. |
`unit` (string) | Indicates that the metric's value is a number of connections. Value must be `connection`. |

Structure of the notice event
{
"type": "evt",
"id": "9a721a6ad0be-htop-htop",
"_channel": "13544129471303",
"body": {
"sourcetype": "metric",
"_time": 1643888296.317304,
"source": "notice",
"host": "9a721a6ad0be",
"proc": "htop",
"cmd": "htop",
"pid": 302,
"data": "Truncated metrics. Your rate exceeded 10000 metrics per second"
}
}
notice properties

Property | Description |
---|---|
`type` required (string) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (string) | Identifies the application that the process is associated with. |
`_channel` required (string) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (object) | body Details below. |

notice.body properties

Property | Description |
---|---|
`sourcetype` required (string) | Indicates that the Sourcetype is metric. Value must be `metric`. |
`_time` required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
`source` required (string) | Indicates that the Source is an AppView notification. Value must be `notice`. |
`host` required (string) | Hostname for the host on which the viewed app was run. |
`proc` required (string) | The name of the viewed app's process. |
`cmd` required (string) | The command that was run to start the viewed app. Example: top |
`pid` required (integer) | The process ID of the viewed app. Example: 1000 |
`data` required (string) | The data that the viewed app emitted as output. |

Structure of the sec.conn event
{
"type": "evt",
"id": "ubuntu-firefox-/usr/lib/firefox/firefox",
"_channel": "13470757294558",
"body": {
"sourcetype": "sec",
"_time": 1643735942.526987,
"source": "sec.conn",
"host": "ubuntu",
"proc": "firefox",
"cmd": "/usr/lib/firefox/firefox",
"pid": 6544,
"data": {
"address": "8.23.2.2",
"port": 22,
"reason": "Connection requested to blacklisted IP address and/or Port"
}
}
}
sec.conn properties

Property | Description |
---|---|
`type` required (string) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (string) | Identifies the application that the process is associated with. |
`_channel` required (string) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (object) | body Details below. |

sec.conn.body properties

Property | Description |
---|---|
`sourcetype` required (string) | Indicates that the Sourcetype is sec (meaning security). Value must be `sec`. |
`_time` required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
`source` required (string) | Indicates that the Source is connection security detection. Value must be `sec.conn`. |
`host` required (string) | Hostname for the host on which the viewed app was run. |
`proc` required (string) | The name of the viewed app's process. |
`cmd` required (string) | The command that was run to start the viewed app. Example: top |
`pid` required (integer) | The process ID of the viewed app. Example: 1000 |
`data` required (object) | data Details below. |

sec.conn.body.data properties

Property | Description |
---|---|
`address` required (string) | IP address(es) to which the viewed app made a connection. |
`port` required (number) | Network port opened before a connection was initiated, or closed after the connection closed. |
`reason` required (string) | Reason for event. Example: File not defined in allow list was accessed |

Structure of the sec.dns event
{
"type": "evt",
"id": "ubuntu-firefox-/usr/lib/firefox/firefox",
"_channel": "13470757294558",
"body": {
"sourcetype": "sec",
"_time": 1643735942.526987,
"source": "sec.dns",
"host": "ubuntu",
"proc": "firefox",
"cmd": "/usr/lib/firefox/firefox",
"pid": 6544,
"data": {
"dns_name": "bad-exfil.net",
"reason": "Exfiltration over DNS was detected"
}
}
}
sec.dns properties

Property | Description |
---|---|
`type` required (string) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (string) | Identifies the application that the process is associated with. |
`_channel` required (string) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (object) | body Details below. |

sec.dns.body properties

Property | Description |
---|---|
`sourcetype` required (string) | Indicates that the Sourcetype is sec (meaning security). Value must be `sec`. |
`_time` required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
`source` required (string) | Indicates that the Source is DNS security detection. Value must be `sec.dns`. |
`host` required (string) | Hostname for the host on which the viewed app was run. |
`proc` required (string) | The name of the viewed app's process. |
`cmd` required (string) | The command that was run to start the viewed app. Example: top |
`pid` required (integer) | The process ID of the viewed app. Example: 1000 |
`data` required (object) | data Details below. |

sec.dns.body.data properties

Property | Description |
---|---|
`dns_name` required (string) | DNS name. |
`reason` required (string) | Reason for event. Example: File not defined in allow list was accessed |

Structure of the sec.file event
{
"type": "evt",
"id": "ubuntu-firefox-/usr/lib/firefox/firefox",
"_channel": "13470757294558",
"body": {
"sourcetype": "sec",
"_time": 1643735942.526987,
"source": "sec.file",
"host": "ubuntu",
"proc": "firefox",
"cmd": "/usr/lib/firefox/firefox",
"pid": 6544,
"data": {
"file": "/etc/passwd",
"reason": "Write to system file",
"write_bytes": 250
}
}
}
sec.file properties

Property | Description |
---|---|
`type` required (string) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (string) | Identifies the application that the process is associated with. |
`_channel` required (string) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (object) | body Details below. |

sec.file.body properties

Property | Description |
---|---|
`sourcetype` required (string) | Indicates that the Sourcetype is sec (meaning security). Value must be `sec`. |
`_time` required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
`source` required (string) | Indicates that the Source is file security detection. Value must be `sec.file`. |
`host` required (string) | Hostname for the host on which the viewed app was run. |
`proc` required (string) | The name of the viewed app's process. |
`cmd` required (string) | The command that was run to start the viewed app. Example: top |
`pid` required (integer) | The process ID of the viewed app. Example: 1000 |
`data` required (object) | data Details below. |

sec.file.body.data properties

Property | Description |
---|---|
`file` required (string) | The name of the file. |
`reason` required (string) | Reason for event. Example: File not defined in allow list was accessed |
`write_bytes` required (integer) | The number of bytes of data written to a file. Example: 10 |

Structure of the sec.got event
{
"type": "evt",
"id": "ubuntu-firefox-/usr/lib/firefox/firefox",
"_channel": "13470757294558",
"body": {
"sourcetype": "sec",
"_time": 1643735942.526987,
"source": "sec.got",
"host": "ubuntu",
"proc": "firefox",
"cmd": "/usr/lib/firefox/firefox",
"pid": 6544,
"data": {
"function": "open",
"reason": "Detected GOT hooking",
"redirected_from": "0x111000",
"redirected_to": "0x444000"
}
}
}
sec.got properties

Property | Description |
---|---|
`type` required (string) | Distinguishes events from metrics. Value must be `evt`. |
`id` required (string) | Identifies the application that the process is associated with. |
`_channel` required (string) | Identifies the operation during whose lifetime the event or metric is emitted. |
`body` required (object) | body Details below. |

sec.got.body properties

Property | Description |
---|---|
`sourcetype` required (string) | Indicates that the Sourcetype is sec (meaning security). Value must be `sec`. |
`_time` required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
`source` required (string) | Indicates that the Source is GOT security detection. Value must be `sec.got`. |
`host` required (string) | Hostname for the host on which the viewed app was run. |
`proc` required (string) | The name of the viewed app's process. |
`cmd` required (string) | The command that was run to start the viewed app. Example: top |
`pid` required (integer) | The process ID of the viewed app. Example: 1000 |
`data` required (object) | data Details below. |

sec.got.body.data properties

Property | Description |
---|---|
`function` required (string) | The function name in the codebase. |
`reason` required (string) | Reason for event. Example: File not defined in allow list was accessed |
`redirected_from` required (string) | Function redirected from. |
`redirected_to` required (string) | Function redirected to. |
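The four `sec.*` tables above share one envelope and differ only in the required fields of `body.data`, so a consumer can check an NDJSON stream against them before alerting on it. The following is an added example, not AppView code: the function names are hypothetical, and the sample lines are constructed from the example events on this page (one with a wrong type, one truncated).

```python
import json

# Required fields and their JSON types, transcribed from the property tables above.
ENVELOPE = {"type": str, "id": str, "_channel": str, "body": dict}
BODY = {"sourcetype": str, "_time": (int, float), "source": str, "host": str,
        "proc": str, "cmd": str, "pid": int, "data": dict}
SEC_DATA = {
    "sec.conn": {"address": str, "port": (int, float), "reason": str},
    "sec.dns": {"dns_name": str, "reason": str},
    "sec.file": {"file": str, "reason": str, "write_bytes": int},
    "sec.got": {"function": str, "reason": str,
                "redirected_from": str, "redirected_to": str},
}


def check_fields(obj, spec, where):
    """List missing required keys and values of the wrong JSON type."""
    problems = []
    for key, expected in spec.items():
        if key not in obj:
            problems.append(f"{where}.{key}: missing")
        elif isinstance(obj[key], bool) or not isinstance(obj[key], expected):
            # bool is an int subclass in Python, but it is not a JSON number.
            problems.append(f"{where}.{key}: wrong type")
    return problems


def validate_sec_event(evt):
    """Check one decoded sec.* event (a dict); an empty list means it conforms."""
    problems = check_fields(evt, ENVELOPE, "event")
    if problems:
        return problems
    body = evt["body"]
    problems = check_fields(body, BODY, "body")
    if problems:
        return problems
    if evt["type"] != "evt":
        problems.append("event.type: must be evt")
    if body["sourcetype"] != "sec":
        problems.append("body.sourcetype: must be sec")
    if body["source"] not in SEC_DATA:
        return problems + ["body.source: not a documented sec.* source"]
    return problems + check_fields(body["data"], SEC_DATA[body["source"]], "data")


def indicator(source, data):
    """Reduce the per-source data object to the one string an analyst pivots on."""
    if source == "sec.conn":
        return f"{data['address']}:{data['port']}"
    if source == "sec.dns":
        return data["dns_name"]
    if source == "sec.file":
        return data["file"]
    return f"{data['function']} {data['redirected_from']}->{data['redirected_to']}"


def triage(ndjson_text):
    """Split an NDJSON stream into (alerts, rejected); other events are skipped."""
    alerts, rejected = [], []
    for line_no, line in enumerate(ndjson_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            evt = json.loads(line)
        except json.JSONDecodeError:
            rejected.append((line_no, ["not valid JSON"]))
            continue
        body = evt.get("body") if isinstance(evt, dict) else None
        if not isinstance(body, dict):
            continue
        source = body.get("source")
        if body.get("sourcetype") != "sec" and not str(source).startswith("sec."):
            continue  # console, metric and other events are out of scope here
        problems = validate_sec_event(evt)
        if problems:
            rejected.append((line_no, problems))
            continue
        alerts.append({"time": body["_time"], "host": body["host"],
                       "proc": body["proc"], "pid": body["pid"], "source": source,
                       "indicator": indicator(source, body["data"]),
                       "reason": body["data"]["reason"]})
    return alerts, rejected


def sample_line(source, data, sourcetype="sec"):
    """Build one constructed NDJSON line modelled on the page's firefox examples."""
    return json.dumps({
        "type": "evt", "id": "ubuntu-firefox-/usr/lib/firefox/firefox",
        "_channel": "13470757294558",
        "body": {"sourcetype": sourcetype, "_time": 1643735942.526987,
                 "source": source, "host": "ubuntu", "proc": "firefox",
                 "cmd": "/usr/lib/firefox/firefox", "pid": 6544, "data": data}})


# Constructed sample stream: two valid alerts, one type error, one unrelated
# metric event, and one line cut off in transit.
SAMPLE = "\n".join([
    sample_line("sec.conn", {"address": "8.23.2.2", "port": 22,
                "reason": "Connection requested to blacklisted IP address and/or Port"}),
    sample_line("sec.file", {"file": "/etc/passwd", "reason": "Write to system file",
                "write_bytes": "250"}),  # string where the schema requires an integer
    sample_line("sec.dns", {"dns_name": "bad-exfil.net",
                "reason": "Exfiltration over DNS was detected"}),
    sample_line("net.udp", {"_metric": "net.udp", "_value": 0}, sourcetype="metric"),
    '{"type": "evt", "body": {"sourcetype": "sec", "source": "sec.got"',
])

if __name__ == "__main__":
    for item in sum(triage(SAMPLE), []):
        print(item)
```

Rejected lines are kept with their line number rather than dropped, so a malformed or truncated security event still leaves a trace for the analyst.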
Structure of the process-start message
{
"format": "ndjson",
"info": {
"process": {
"libappviewver": "v1.3.0",
"pid": 35673,
"ppid": 3390,
"gid": 1000,
"groupname": "test_user",
"uid": 1000,
"username": "test_user",
"hostname": "test_user",
"procname": "ls",
"cmd": "ls --color=auto",
"id": "test_user-ls-ls --color=auto",
"cgroup": "9:cpuset:/",
"machine_id": "a1e2ada5a5b1b273b4b5c0c2c1c4f5d1",
"uuid": "da845a9b-a55d-4c42-893d-08b54ee6e999"
},
"configuration": {
"current": {
"metric": {
"enable": "true",
"transport": {
"type": "udp",
"host": "127.0.0.1",
"port": "8125",
"tls": {
"enable": "false",
"validateserver": "true",
"cacertpath": ""
}
},
"format": {
"type": "statsd",
"statsdprefix": "",
"statsdmaxlen": 512,
"verbosity": 4
},
"watch": [
{
"type": "fs"
},
{
"type": "net"
},
{
"type": "http"
},
{
"type": "dns"
},
{
"type": "process"
},
{
"type": "statsd"
}
]
},
"libappview": {
"log": {
"level": "info",
"transport": {
"type": "file",
"path": "/tmp/appview.log",
"buffering": "line"
}
},
"snapshot": {
"coredump": "false",
"backtrace": "false"
},
"configevent": "true",
"summaryperiod": 10,
"commanddir": "/tmp"
},
"event": {
"enable": "true",
"transport": {
"type": "tcp",
"host": "127.0.0.1",
"port": "9109",
"tls": {
"enable": "false",
"validateserver": "true",
"cacertpath": ""
}
},
"format": {
"type": "ndjson",
"maxeventpersec": 10000,
"enhancefs": "true"
},
"watch": [
{
"type": "file",
"name": "(\\/logs?\\/)|(\\.log$)|(\\.log[.\\d])",
"field": ".*",
"value": ".*"
},
{
"type": "console",
"name": "(stdout)|(stderr)",
"field": ".*",
"value": ".*",
"allowbinary": "true"
},
{
"type": "http",
"name": ".*",
"field": ".*",
"value": ".*",
"headers": []
},
{
"type": "net",
"name": ".*",
"field": ".*",
"value": ".*"
},
{
"type": "fs",
"name": ".*",
"field": ".*",
"value": ".*"
},
{
"type": "dns",
"name": ".*",
"field": ".*",
"value": ".*"
}
]
},
"payload": {
"enable": "false",
"dir": "/tmp"
},
"tags": {},
"protocol": [],
"cribl": {
"enable": "false",
"transport": {
"type": "edge"
},
"authtoken": ""
}
}
},
"environment": {}
}
}
start.msg properties

Property | Description |
---|---|
`authtoken` (string) | Token used for authenticating to Cribl Edge or Stream. |
`format` required (string) | Specifies the format for output of events and metrics from AppView. See appview.yml. Possible values: |
`breaker` (string) | Specifies an Event Breaker for Cribl Edge or Stream to use. Value must be `Cribl - Do Not Break Ruleset`. |
`info` required (object) | The principal container for start-message information, in the form of nested `process`, `configuration`, and `environment` objects. Details below. |

start.msg.info properties

Property | Description |
---|---|
`process` required (object) | Describes the process associated with the viewed app. Details below. |
`configuration` required (object) | Container for configurations. For now, describes current configuration only. Details below. |
`environment` required (object) | Environment variables present when the current configuration was loaded. Details below. |

start.msg.info.process properties

Property | Description |
---|---|
`libappviewver` required (string) | Version of the AppView library that is currently loaded. Example: v1.0.0 |
`pid` required (integer) | The process ID of the viewed app. Example: 1000 |
`ppid` required (integer) | The process ID of the parent process of the viewed app. |
`gid` required (integer) | Group ID of the user who created the process. Example: 0 |
`groupname` required (string) | Groupname of the user who created the process. Example: root |
`uid` required (integer) | User ID of the user who created the process. Example: 0 |
`username` required (string) | Username of the user who created the process. Example: root |
`hostname` required (string) | Hostname for the host on which the viewed app was run. |
`procname` required (string) | The name of the viewed app's process. |
`cmd` required (string) | The command that was run to start the viewed app. Example: top |
`id` required (string) | An ID that concatenates (possibly truncated) the viewed app's hostname, procname, and command, to facilitate correlation of similar processes when searching, graphing, or aggregating. |
`cgroup` required (string) | The cgroup for the process. |
`machine_id` required (string) | A unique identifier for a machine. |
`uuid` required (string) | A unique identifier for a process. |

start.msg.info.configuration properties

Property | Description |
---|---|
`current` (object) | Describes the current configuration. Details below. |

start.msg.info.environment properties

Property | Description |
---|---|

start.msg.info.configuration.current properties

Property | Description |
---|---|
`metric` (object) | Settings for metrics. See appview.yml. Details below. |
`libappview` (object) | Specifies how to set up the AppView library. See appview.yml. Details below. |
`event` (object) | Settings for events. See appview.yml. Details below. |
`payload` (object) | Settings for enabling and storing payloads. See appview.yml. Details below. |
`tags` (object) | User-defined tags which become fields in generated events and metrics. See appview.yml. Details below. |
`protocol` (array) | List whose entries define protocols that AppView should detect in network payloads, and how to handle matches. See appview.yml. |
`cribl` (object) | Settings for the cribl backend. See appview.yml. Details below. |
start.msg.info.configuration.current.metric properties

Property | Description |
---|---|
`enable` (string) | Specifies whether a feature or some functionality is enabled or disabled overall. Possible values: |
`transport` (object) | Backend connection for metrics or events. See appview.yml. Details below. |
`format` (object) | Settings for the format of metric data. See appview.yml. Details below. |
`watch` (array) | Array containing objects that enable different categories of metrics. See appview.yml. |

start.msg.info.configuration.current.libappview properties

Property | Description |
---|---|
`log` (object) | Logging settings for the AppView library. See appview.yml. Details below. |
`configevent` (string) | When enabled, AppView guarantees that a process start message is the first event sent over the current connection. Possible values: |
`summaryperiod` (integer) | Time interval over which to perform aggregation. See appview.yml. |
`commanddir` (string) | The directory AppView polls for an `appview.<pid>` file, as explained in the Dynamic Configuration section of the Using the CLI page of the AppView docs. |
`snapshot` (object) | Settings to specify content of the snapshot AppView creates for crash analysis. Details below. |

start.msg.info.configuration.current.event properties

Property | Description |
---|---|
`enable` (string) | Specifies whether a feature or some functionality is enabled or disabled overall. Possible values: |
`transport` (object) | Backend connection for events. See appview.yml. Details below. |
`format` (object) | Settings for the format of event data. See appview.yml. Details below. |
`watch` (array) | Array containing objects that enable different categories of events. See appview.yml. |

start.msg.info.configuration.current.payload properties

Property | Description |
---|---|
`enable` (string) | Specifies whether a feature or some functionality is enabled or disabled overall. Possible values: |
`dir` (string) | Specifies the directory where payload data should be written. Applies only when payloads are enabled and a backend other than cribl is used. See appview.yml. |

start.msg.info.configuration.current.tags properties

Property | Description |
---|---|

start.msg.info.configuration.current.cribl properties

Property | Description |
---|---|
`enable` (string) | Specifies whether a feature or some functionality is enabled or disabled overall. Possible values: |
`transport` (object) | Backend connection to Cribl Edge or Stream. See appview.yml. Details below. |
`authtoken` (string) | Token used for authenticating to Cribl Edge or Stream. |
start.msg.info.configuration.current.metric.transport properties

Property | Description |
---|---|
`type` (string) | Specifies the transport mechanism on which to send and/or receive data. See appview.yml. Possible values: |
`host` (string) | Hostname for the host on which the viewed app was run. |
`port` (string) | Connection port. See appview.yml. |
`path` (string) | File or UNIX domain socket path. See appview.yml. Example: /tmp/appview.log |
`buffering` (string) | File buffering. See appview.yml. Possible values: |
`tls` (object) | TLS connection settings. See appview.yml. Details below. |

start.msg.info.configuration.current.metric.format properties

Property | Description |
---|---|
`type` (string) | Specifies the format of metric data. See appview.yml. Possible values: |
`statsdprefix` (string) | Specifies a prefix to prepend the metric name. See appview.yml. |
`statsdmaxlen` (integer) | Specifies the maximum length for a string that expresses a StatsD metric. See appview.yml. |
`verbosity` (integer) | Controls the tag cardinality and aggregation of a metric. See appview.yml. |

start.msg.info.configuration.current.libappview.log properties

Property | Description |
---|---|
`level` (string) | Specifies log level. See appview.yml. Possible values: |
`transport` (object) | Backend connection for AppView library logging. See appview.yml. Details below. |

start.msg.info.configuration.current.libappview.snapshot properties

Property | Description |
---|---|
`coredump` (string) | When true, AppView captures a core dump whenever the kernel sends the viewed app a fatal signal (i.e., illegal instruction, bus error, segmentation fault, or floating point exception). Possible values: |
`backtrace` (string) | When true, AppView captures a backtrace (a.k.a. stack trace) whenever the kernel sends the viewed app a fatal signal (i.e., illegal instruction, bus error, segmentation fault, or floating point exception). Possible values: |

start.msg.info.configuration.current.event.transport properties

Property | Description |
---|---|
`type` (string) | Specifies the transport mechanism on which to send and/or receive data. See appview.yml. Possible values: |
`host` (string) | Hostname for the host on which the viewed app was run. |
`port` (string) | Connection port. See appview.yml. |
`path` (string) | File or UNIX domain socket path. See appview.yml. Example: /tmp/appview.log |
`buffering` (string) | File buffering. See appview.yml. Possible values: |
`tls` (object) | Specifies whether to enable TLS for the metrics backend. See appview.yml. Details below. |

start.msg.info.configuration.current.event.format properties

Property | Description |
---|---|
`type` (string) | Specifies the format of metric data. See appview.yml. Possible values: |
`maxeventpersec` (integer) | Specifies a rate limit for events. See appview.yml. |
`enhancefs` (string) | Specifies whether to display full information about fs events. Possible values: |

start.msg.info.configuration.current.cribl.transport properties

Property | Description |
---|---|
`type` (string) | Specifies the transport mechanism on which to send and/or receive data. See appview.yml. Possible values: |
`host` (string) | Hostname for the host on which the viewed app was run. |
`port` (string) | Connection port. See appview.yml. |
`path` (string) | File or UNIX domain socket path. See appview.yml. Example: /tmp/appview.log |
`buffering` (string) | File buffering. See appview.yml. Possible values: |
`tls` (object) | TLS settings for the Cribl backend. See appview.yml. Details below. |
start.msg.info.configuration.current.metric.transport.tls properties

Property | Description |
---|---|
`enable` (string) | Specifies whether a feature or some functionality is enabled or disabled overall. Possible values: |
`validateserver` (string) | Specifies whether to validate the TLS server certificate. See appview.yml. Possible values: |
`cacertpath` (string) | CA Certificate Path. See appview.yml. |

start.msg.info.configuration.current.libappview.log.transport properties

Property | Description |
---|---|
`type` (string) | Specifies the transport mechanism on which to send and/or receive data. See appview.yml. Possible values: |
`host` (string) | Hostname for the host on which the viewed app was run. |
`port` (string) | Connection port. See appview.yml. |
`path` (string) | File or UNIX domain socket path. See appview.yml. Example: /tmp/appview.log |
`buffering` (string) | File buffering. See appview.yml. Possible values: |
`tls` (object) | TLS settings for backend used by the AppView library. See appview.yml. Details below. |

start.msg.info.configuration.current.event.transport.tls properties

Property | Description |
---|---|
`enable` (string) | Specifies whether a feature or some functionality is enabled or disabled overall. Possible values: |
`validateserver` (string) | Specifies whether to validate the TLS server certificate. See appview.yml. Possible values: |
`cacertpath` (string) | CA Certificate Path. See appview.yml. |

start.msg.info.configuration.current.cribl.transport.tls properties

Property | Description |
---|---|
`enable` (string) | Specifies whether a feature or some functionality is enabled or disabled overall. Possible values: |
`validateserver` (string) | Specifies whether to validate the TLS server certificate. See appview.yml. Possible values: |
`cacertpath` (string) | CA Certificate Path. See appview.yml. |

start.msg.info.configuration.current.libappview.log.transport.tls properties

Property | Description |
---|---|
`enable` (string) | Specifies whether a feature or some functionality is enabled or disabled overall. Possible values: |
`validateserver` (string) | Specifies whether to validate the TLS server certificate. See appview.yml. Possible values: |
`cacertpath` (string) | CA Certificate Path. See appview.yml. |
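Because the process-start message reports each transport and its `tls` object, a collector can audit how a viewed process ships its telemetry as soon as it connects. The following is an added example, not AppView code: the function names and severity labels are hypothetical, the sample messages are constructed (the first mirrors the transport values in the example message above, the second uses made-up remote destinations), and only the `tcp` and `udp` types that appear in that example are treated as network transports.

```python
import ipaddress
import json

# Transport objects documented under start.msg.info.configuration.current.
TRANSPORT_PATHS = [
    ("metric", "transport"),
    ("event", "transport"),
    ("cribl", "transport"),
    ("libappview", "log", "transport"),
]
NETWORK_TYPES = {"tcp", "udp"}  # assumption: the network types shown in the page's example


def dig(obj, path):
    """Follow a key path through nested dicts; return None if any hop is absent."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def is_loopback(host):
    """True for loopback IP literals and for the name localhost."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def audit_transport(name, transport):
    """Return (severity, message) findings for one transport object."""
    if not isinstance(transport, dict) or transport.get("type") not in NETWORK_TYPES:
        return []  # file and edge transports carry no host/port pair to check
    host = transport.get("host", "")
    dest = f"{host}:{transport.get('port', '')}"
    tls = transport.get("tls") if isinstance(transport.get("tls"), dict) else {}
    # The schema types these flags as strings, so compare with "true", not True.
    if tls.get("enable") != "true":
        severity = "info" if is_loopback(host) else "high"
        return [(severity, f"{name}: {transport['type']} to {dest} without TLS")]
    if tls.get("validateserver") != "true":
        return [("high", f"{name}: TLS to {dest} does not validate the server certificate")]
    return []


def audit_start_message(line):
    """Audit one process-start message (a single JSON line); return findings in order."""
    current = dig(json.loads(line), ("info", "configuration", "current"))
    if current is None:
        raise ValueError("not a process-start message: info.configuration.current missing")
    findings = []
    for path in TRANSPORT_PATHS:
        findings += audit_transport(".".join(path), dig(current, path))
    if dig(current, ("payload", "enable")) == "true":
        where = dig(current, ("payload", "dir"))
        findings.append(("info", f"payload: payloads written to {where}"))
    return findings


def net(kind, host, port, enable, validateserver):
    """Build a constructed network transport object in the documented shape."""
    return {"type": kind, "host": host, "port": port,
            "tls": {"enable": enable, "validateserver": validateserver, "cacertpath": ""}}


def start_message(metric_transport, event_transport, payload_enable="false"):
    """Build a constructed start message holding only the keys this audit reads."""
    current = {
        "metric": {"enable": "true", "transport": metric_transport},
        "libappview": {"log": {"level": "info", "transport": {
            "type": "file", "path": "/tmp/appview.log", "buffering": "line"}}},
        "event": {"enable": "true", "transport": event_transport},
        "payload": {"enable": payload_enable, "dir": "/tmp"},
        "cribl": {"enable": "false", "transport": {"type": "edge"}, "authtoken": ""},
    }
    return json.dumps({"format": "ndjson", "info": {
        "process": {"pid": 35673, "procname": "ls"},
        "configuration": {"current": current}, "environment": {}}})


# Constructed: same transport values as the example message on this page.
PAGE_DEFAULTS = start_message(net("udp", "127.0.0.1", "8125", "false", "true"),
                              net("tcp", "127.0.0.1", "9109", "false", "true"))
# Constructed: remote destinations, one cleartext and one with validation turned off.
REMOTE = start_message(net("udp", "192.0.2.10", "8125", "false", "true"),
                       net("tcp", "collector.example.internal", "9109", "true", "false"),
                       payload_enable="true")

if __name__ == "__main__":
    for label, message in (("page defaults", PAGE_DEFAULTS), ("remote", REMOTE)):
        for severity, text in audit_start_message(message):
            print(label, severity, text)
```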
Structure of the dns.req metric
{
"type": "metric",
"body": {
"_metric": "dns.req",
"_metric_type": "counter",
"_value": 1,
"proc": "lt-curl",
"pid": 31,
"host": "2a6bc132b07a",
"unit": "request",
"summary": "true",
"_time": 1643832467.795134
}
}
{
"type": "metric",
"body": {
"_metric": "dns.req",
"_metric_type": "counter",
"_value": 1,
"proc": "lt-curl",
"pid": 2485,
"host": "2a6bc132b07a",
"domain": "cribl.io",
"duration": 0,
"unit": "request",
"_time": 1643832569.764219
}
}
dns.req properties

Property | Description |
---|---|
`type` required (string) | Distinguishes metrics from events. Value must be `metric`. |
`body` required (object) | body Details below. |

dns.req.body properties

Property | Description |
---|---|
`_metric` required (string) | Indicates that the Source is a Network DNS operation. Value must be `dns.req`. |
`_metric_type` required (string) | Indicates that the metric is a counter. Value must be `counter`. |
`_value` required (number) | The value reported by the event or metric. Example: 1 |
`proc` required (string) | The name of the viewed app's process. |
`pid` required (integer) | The process ID of the viewed app. Example: 1000 |
`host` required (string) | Hostname for the host on which the viewed app was run. |
`domain` (string) | The domain for which the viewed app made a DNS request. |
`duration` (number) | Duration in milliseconds. Example: 55 |
`unit` required (string) | Indicates that the metric's value is a number of requests. Value must be `request`. |
`summary` (string) | When true, indicates that the metric value is an aggregation. Value must be `true`. |
`_time` required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |

Structure of the fs.close metric
{
"type": "metric",
"body": {
"_metric": "fs.close",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 13687,
"host": "1f0ec6c8a7bc",
"unit": "operation",
"summary": "true",
"_time": 1643826403.121424
}
}
{
"type": "metric",
"body": {
"_metric": "fs.close",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 9871,
"fd": 3,
"host": "1f0ec6c8a7bc",
"op": "close",
"file": "/dev/shm/ltp_accept01_9870",
"unit": "operation",
"_time": 1643826292.07658
}
}
fs.close properties

Property | Description |
---|---|
`type` required (string) | Distinguishes metrics from events. Value must be `metric`. |
`body` required (object) | body Details below. |

fs.close.body properties

Property | Description |
---|---|
`_metric` required (string) | Indicates that the Source is a File Close operation. Value must be `fs.close`. |
`_metric_type` required (string) | Indicates that the metric is a counter. Value must be `counter`. |
`_value` required (number) | The value reported by the event or metric. Example: 1 |
`proc` required (string) | The name of the viewed app's process. |
`pid` required (integer) | The process ID of the viewed app. Example: 1000 |
`fd` (integer) | The file descriptor for an operation. Example: 4 |
`host` required (string) | Hostname for the host on which the viewed app was run. |
`op` (string) | The close operation that was executed on the filesystem. Possible values: |
`file` (string) | The name of the file. |
`unit` required (string) | Indicates that the metric's value is a number of operations. Value must be `operation`. |
`summary` (string) | When true, indicates that the metric value is an aggregation. Value must be `true`. |
`_time` required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |

Structure of the fs.duration metric
{
"type": "metric",
"body": {
"_metric": "fs.duration",
"_metric_type": "histogram",
"_value": 1,
"proc": "access01",
"pid": 13697,
"host": "1f0ec6c8a7bc",
"unit": "microsecond",
"summary": "true",
"_time": 1643826404.006442
}
}
{
"type": "metric",
"body": {
"_metric": "fs.duration",
"_metric_type": "histogram",
"_value": 16,
"proc": "accept01",
"pid": 9871,
"fd": 3,
"host": "1f0ec6c8a7bc",
"op": "fgets_unlocked",
"file": "/etc/passwd",
"numops": 1,
"unit": "microsecond",
"_time": 1643826292.076675
}
}
fs.duration properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body Details below. |

fs.duration.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a File Duration operation. Value must be fs.duration. |
_metric_type required (string) | Indicates that the metric from the viewed app is a histogram. Value must be histogram. |
_value required (number) | The value reported by the event or metric. Example: 1 |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
fd (integer) | The file descriptor for an operation. Example: 4 |
host required (string) | Hostname for the host on which the viewed app was run. |
op (string) | The function that was executed. |
file (string) | The name of the file. |
numops (number) | Count of individual operations aggregated. |
unit required (string) | Indicates that the metric's value is in microseconds. Value must be microsecond. |
summary (string) | When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
Structure of the fs.error metric
{
"type": "metric",
"body": {
"_metric": "fs.error",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 13686,
"host": "1f0ec6c8a7bc",
"class": "stat",
"unit": "operation",
"summary": "true",
"_time": 1643826403.123802
}
}
{
"type": "metric",
"body": {
"_metric": "fs.error",
"_metric_type": "counter",
"_value": 1,
"proc": "accept02",
"pid": 9872,
"host": "1f0ec6c8a7bc",
"op": "readdir",
"file": "/tmp/QxbCjC",
"class": "read_write",
"unit": "operation",
"_time": 1643826292.14466
}
}
fs.error properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body Details below. |

fs.error.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a File Error operation. Value must be fs.error. |
_metric_type required (string) | Indicates that the metric is a counter. Value must be counter. |
_value required (number) | The value reported by the event or metric. Example: 1 |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
host required (string) | Hostname for the host on which the viewed app was run. |
op (string) | The function that was executed. |
file (string) | The name of the file. |
class required (string) | Subcategory of filesystem error. Possible values: |
unit required (string) | Indicates that the metric's value is a number of operations. Value must be operation. |
summary (string) | When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
Structure of the fs.open metric
{
"type": "metric",
"body": {
"_metric": "fs.open",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 13687,
"host": "1f0ec6c8a7bc",
"unit": "operation",
"summary": "true",
"_time": 1643826403.121411
}
}
{
"type": "metric",
"body": {
"_metric": "fs.open",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 9871,
"fd": 3,
"host": "1f0ec6c8a7bc",
"op": "open",
"file": "/dev/shm/ltp_accept01_9870",
"unit": "operation",
"_time": 1643826292.076503
}
}
fs.open properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body Details below. |

fs.open.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a File open operation. Value must be fs.open. |
_metric_type required (string) | Indicates that the metric is a counter. Value must be counter. |
_value required (number) | The value reported by the event or metric. Example: 1 |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
fd (integer) | The file descriptor for an operation. Example: 4 |
host required (string) | Hostname for the host on which the viewed app was run. |
op (string) | The open operation that was executed on the filesystem. Possible values: |
file (string) | The name of the file. |
unit required (string) | Indicates that the metric's value is a number of operations. Value must be operation. |
summary (string) | When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
Structure of the fs.read metric
{
"type": "metric",
"body": {
"_metric": "fs.read",
"_metric_type": "counter",
"_value": 13312,
"proc": "access01",
"pid": 13697,
"host": "1f0ec6c8a7bc",
"unit": "byte",
"summary": "true",
"_time": 1643826404.006381
}
}
{
"type": "metric",
"body": {
"_metric": "fs.read",
"_metric_type": "counter",
"_value": 4096,
"proc": "accept01",
"pid": 9871,
"fd": 3,
"host": "1f0ec6c8a7bc",
"op": "fgets_unlocked",
"file": "/etc/passwd",
"numops": 1,
"unit": "byte",
"_time": 1643826292.076709
}
}
fs.read properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body Details below. |

fs.read.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a File Read operation. Value must be fs.read. |
_metric_type required (string) | Indicates that the metric is a counter. Value must be counter. |
_value required (number) | The value reported by the event or metric. Example: 1 |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
fd (integer) | The file descriptor for an operation. Example: 4 |
host required (string) | Hostname for the host on which the viewed app was run. |
op (string) | The read operation that was executed on the filesystem. Possible values: |
file (string) | The name of the file. |
numops (number) | Count of individual operations aggregated. |
unit required (string) | Indicates that the metric's value is in bytes. Value must be byte. |
summary (string) | When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
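
The fs.read.body table above fixes which properties are required and which values are constant, and the samples show that summary records carry no file. The following added example (not AppView's own code) checks newline-delimited records against that table and totals bytes read from watched files. `WATCHED_FILES`, the function names and the sample lines are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Body properties for fs.read, transcribed from the table above.
REQUIRED = {"_metric": str, "_metric_type": str, "_value": (int, float),
            "proc": str, "pid": int, "host": str, "unit": str,
            "_time": (int, float)}
OPTIONAL = {"fd": int, "op": str, "file": str, "numops": (int, float),
            "summary": str}
CONSTANTS = {"_metric": "fs.read", "_metric_type": "counter", "unit": "byte"}

# Assumption: paths worth alerting on; not part of the AppView schema.
WATCHED_FILES = {"/etc/passwd", "/etc/shadow"}


def _is_type(value, expected):
    # bool is a subclass of int in Python, so reject it explicitly.
    return not isinstance(value, bool) and isinstance(value, expected)


def validate_fs_read(record):
    """Return a list of problems; an empty list means the record fits the table."""
    if not isinstance(record, dict) or record.get("type") != "metric":
        return ["type must be 'metric'"]
    body = record.get("body")
    if not isinstance(body, dict):
        return ["body must be an object"]
    problems = []
    for name, expected in REQUIRED.items():
        if name not in body:
            problems.append(f"missing required property {name}")
        elif not _is_type(body[name], expected):
            problems.append(f"{name} has wrong type")
    for name, expected in OPTIONAL.items():
        if name in body and not _is_type(body[name], expected):
            problems.append(f"{name} has wrong type")
    for name, constant in CONSTANTS.items():
        if name in body and body[name] != constant:
            problems.append(f"{name} must be {constant!r}")
    # summary is typed as a string whose only allowed value is "true".
    if "summary" in body and body["summary"] != "true":
        problems.append("summary must be the string 'true'")
    return problems


def watched_reads(lines):
    """Total bytes read per (host, proc, pid, file) for watched files.

    Returns (totals, rejected); rejected holds (line number, problems).
    """
    totals = defaultdict(int)
    rejected = []
    for lineno, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            rejected.append((lineno, ["not valid JSON"]))
            continue
        body = record.get("body") if isinstance(record, dict) else None
        if not isinstance(body, dict) or body.get("_metric") != "fs.read":
            continue  # other metrics and events are out of scope here
        problems = validate_fs_read(record)
        if problems:
            rejected.append((lineno, problems))
            continue
        # Summary records cannot be attributed to a file, so skip them.
        if body.get("summary") == "true" or "file" not in body:
            continue
        if body["file"] in WATCHED_FILES:
            key = (body["host"], body["proc"], body["pid"], body["file"])
            totals[key] += body["_value"]
    return dict(totals), rejected


def _line(**body):
    # Builds one constructed record; defaults mirror the page's second sample.
    base = {"_metric": "fs.read", "_metric_type": "counter",
            "proc": "accept01", "pid": 9871, "host": "1f0ec6c8a7bc",
            "unit": "byte", "_time": 1643826292.076709}
    base.update(body)
    return json.dumps({"type": "metric", "body": base})


# Constructed sample input, modelled on the two fs.read samples above.
SAMPLE_LINES = [
    _line(_value=13312, proc="access01", pid=13697, summary="true"),
    _line(_value=4096, fd=3, op="fgets_unlocked", file="/etc/passwd", numops=1),
    _line(_value=4096, fd=3, op="fgets_unlocked", file="/etc/passwd", numops=1),
    _line(_value=512, fd=4, op="fgets_unlocked", file="/tmp/data", numops=1),
    _line(_value=10, summary=True),                          # boolean, not "true"
    _line(_value=10, unit="operation", file="/etc/passwd"),  # wrong unit
    "{truncated",                                            # not valid JSON
]

if __name__ == "__main__":
    totals, rejected = watched_reads(SAMPLE_LINES)
    print(totals)
    print(rejected)
```

Rejected records are returned rather than dropped, so a malformed or tampered stream shows up as a signal instead of silently lowering the totals.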
Structure of the fs.seek metric
{
"type": "metric",
"body": {
"_metric": "fs.seek",
"_metric_type": "counter",
"_value": 3,
"proc": "sh",
"pid": 13810,
"host": "1f0ec6c8a7bc",
"unit": "operation",
"summary": "true",
"_time": 1643826404.175738
}
}
{
"type": "metric",
"body": {
"_metric": "fs.seek",
"_metric_type": "counter",
"_value": 1,
"proc": "sh",
"pid": 9994,
"fd": 3,
"host": "1f0ec6c8a7bc",
"op": "lseek",
"file": "./file_x",
"unit": "operation",
"_time": 1643826293.407508
}
}
fs.seek properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body Details below. |

fs.seek.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a File Seek operation. Value must be fs.seek. |
_metric_type required (string) | Indicates that the metric is a counter. Value must be counter. |
_value required (number) | The value reported by the event or metric. Example: 1 |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
fd (integer) | The file descriptor for an operation. Example: 4 |
host required (string) | Hostname for the host on which the viewed app was run. |
op (string) | The function that was executed. |
file (string) | The name of the file. |
unit required (string) | Indicates that the metric's value is a number of operations. Value must be operation. |
summary (string) | When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
Structure of the fs.stat metric
{
"type": "metric",
"body": {
"_metric": "fs.stat",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 13686,
"host": "1f0ec6c8a7bc",
"unit": "operation",
"summary": "true",
"_time": 1643826403.123752
}
}
{
"type": "metric",
"body": {
"_metric": "fs.stat",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 9871,
"host": "1f0ec6c8a7bc",
"op": "access",
"file": "/dev/shm",
"unit": "operation",
"_time": 1643826292.076446
}
}
fs.stat properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body Details below. |

fs.stat.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a File Stat operation. Value must be fs.stat. |
_metric_type required (string) | Indicates that the metric is a counter. Value must be counter. |
_value required (number) | The value reported by the event or metric. Example: 1 |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
host required (string) | Hostname for the host on which the viewed app was run. |
op (string) | The function that was executed. |
file (string) | The name of the file. |
unit required (string) | Indicates that the metric's value is a number of operations. Value must be operation. |
summary (string) | When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
Structure of the fs.write metric
{
"type": "metric",
"body": {
"_metric": "fs.write",
"_metric_type": "counter",
"_value": 10,
"proc": "access02",
"pid": 13806,
"host": "1f0ec6c8a7bc",
"unit": "byte",
"summary": "true",
"_time": 1643826404.234963
}
}
{
"type": "metric",
"body": {
"_metric": "fs.write",
"_metric_type": "counter",
"_value": 10,
"proc": "access02",
"pid": 9991,
"fd": 3,
"host": "1f0ec6c8a7bc",
"op": "__write_libc",
"file": "file_x",
"numops": 1,
"unit": "byte",
"_time": 1643826293.385378
}
}
fs.write properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body Details below. |

fs.write.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a File Write operation. Value must be fs.write. |
_metric_type required (string) | Indicates that the metric is a counter. Value must be counter. |
_value required (number) | The value reported by the event or metric. Example: 1 |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
fd (integer) | The file descriptor for an operation. Example: 4 |
host required (string) | Hostname for the host on which the viewed app was run. |
op (string) | The write operation that was executed on the filesystem. Possible values: |
file (string) | The name of the file. |
numops (number) | Count of individual operations aggregated. |
unit required (string) | Indicates that the metric's value is in bytes. Value must be byte. |
summary (string) | When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
Structure of the http.duration.client metric
{
"type": "metric",
"body": {
"_metric": "http.duration.client",
"_metric_type": "timer",
"_value": 6,
"http_target": "/",
"numops": 1,
"proc": "lt-curl",
"pid": 788,
"host": "c067d78736db",
"unit": "millisecond",
"summary": "true",
"_time": 1643924553.681483
}
}
{
"type": "metric",
"body": {
"_metric": "http.duration.client",
"_metric_type": "timer",
"_value": 7,
"http_target": "/",
"numops": 1,
"proc": "lt-curl",
"pid": 30,
"host": "c067d78736db",
"unit": "millisecond",
"summary": "true",
"_time": 1643924472.648148
}
}
http.duration.client properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body Details below. |

http.duration.client.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a counter that measures HTTP client duration. Value must be http.duration.client. |
_metric_type required (string) | Indicates that the metric is a timer. Value must be timer. |
_value required (number) | The value reported by the event or metric. Example: 1 |
http_target required (string) | In a URL, the path or file after the FQDN. |
numops required (number) | Count of individual operations aggregated. |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
host required (string) | Hostname for the host on which the viewed app was run. |
unit required (string) | Indicates that the metric's value is in milliseconds. Value must be millisecond. |
summary (string) | When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
Structure of the http.duration.server metric
{
"type": "metric",
"body": {
"_metric": "http.duration.server",
"_metric_type": "timer",
"_value": 0,
"http_target": "/",
"numops": 1,
"proc": "httpd",
"pid": 2260,
"host": "c067d78736db",
"unit": "millisecond",
"summary": "true",
"_time": 1643924563.450939
}
}
{
"type": "metric",
"body": {
"_metric": "http.duration.server",
"_metric_type": "timer",
"_value": 1,
"http_target": "/",
"numops": 1,
"proc": "httpd",
"pid": 648,
"host": "c067d78736db",
"unit": "millisecond",
"summary": "true",
"_time": 1643924498.350866
}
}
http.duration.server properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body Details below. |

http.duration.server.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a counter that measures HTTP server duration. Value must be http.duration.server. |
_metric_type required (string) | Indicates that the metric is a timer. Value must be timer. |
_value required (number) | The value reported by the event or metric. Example: 1 |
http_target required (string) | In a URL, the path or file after the FQDN. |
numops required (number) | Count of individual operations aggregated. |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
host required (string) | Hostname for the host on which the viewed app was run. |
unit required (string) | Indicates that the metric's value is in milliseconds. Value must be millisecond. |
summary (string) | When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
Structure of the http.req metric
{
"type": "metric",
"body": {
"_metric": "http.req",
"_metric_type": "counter",
"_value": 1,
"http_target": "/",
"http_status_code": 200,
"proc": "lt-curl",
"pid": 788,
"host": "c067d78736db",
"unit": "request",
"summary": "true",
"_time": 1643924553.681441
}
}
{
"type": "metric",
"body": {
"_metric": "http.req",
"_metric_type": "counter",
"_value": 1,
"http_target": "/",
"http_status_code": 200,
"proc": "lt-curl",
"pid": 30,
"host": "c067d78736db",
"unit": "request",
"summary": "true",
"_time": 1643924472.64811
}
}
http.req properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body Details below. |

http.req.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the metric Source aggregates HTTP requests and responses. Value must be http.req. |
_metric_type required (string) | Indicates that the metric is a counter. Value must be counter. |
_value required (number) | The value reported by the event or metric. Example: 1 |
http_target required (string) | In a URL, the path or file after the FQDN. |
http_status_code required (integer) | Specifies the status code of an HTTP response. Possible values: |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
host required (string) | Hostname for the host on which the viewed app was run. |
unit required (string) | Indicates that the metric's value is a number of requests. Value must be request. |
summary (string) | When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
Structure of the http.req.content_length metric
{
"type": "metric",
"body": {
"_metric": "http.req.content_length",
"_metric_type": "counter",
"_value": 38,
"http_target": "/echo/post/json",
"numops": 1,
"proc": "curl",
"pid": 525,
"host": "272cc69a120a",
"unit": "byte",
"summary": "true",
"_time": 1644230452.63037
}
}
http.req.content_length properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body Details below. |

http.req.content_length.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a counter that measures HTTP request content length. Value must be http.req.content_length. |
_metric_type required (string) | Indicates that the metric is a counter. Value must be counter. |
_value required (number) | The value reported by the event or metric. Example: 1 |
http_target required (string) | In a URL, the path or file after the FQDN. |
numops required (number) | Count of individual operations aggregated. |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
host required (string) | Hostname for the host on which the viewed app was run. |
unit required (string) | Indicates that the metric's value is in bytes. Value must be byte. |
summary (string) | When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
Structure of the http.resp.content_length metric
{
"type": "metric",
"body": {
"_metric": "http.resp.content_length",
"_metric_type": "counter",
"_value": 58896,
"http_target": "/",
"numops": 1,
"proc": "lt-curl",
"pid": 788,
"host": "c067d78736db",
"unit": "byte",
"summary": "true",
"_time": 1643924553.6815
}
}
{
"type": "metric",
"body": {
"_metric": "http.resp.content_length",
"_metric_type": "counter",
"_value": 58896,
"http_target": "/",
"numops": 1,
"proc": "lt-curl",
"pid": 30,
"host": "c067d78736db",
"unit": "byte",
"summary": "true",
"_time": 1643924472.648165
}
}
http.resp.content_length properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body Details below. |

http.resp.content_length.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a counter that measures HTTP response content length. Value must be http.resp.content_length. |
_metric_type required (string) | Indicates that the metric is a counter. Value must be counter. |
_value required (number) | The value reported by the event or metric. Example: 1 |
http_target required (string) | In a URL, the path or file after the FQDN. |
numops required (number) | Count of individual operations aggregated. |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
host required (string) | Hostname for the host on which the viewed app was run. |
unit required (string) | Indicates that the metric's value is in bytes. Value must be byte. |
summary (string) | When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
Structure of the net.close metric
{
"type": "metric",
"body": {
"_metric": "net.close",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 13687,
"host": "1f0ec6c8a7bc",
"unit": "connection",
"summary": "true",
"_time": 1643826403.12145
}
}
{
"type": "metric",
"body": {
"_metric": "net.close",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 9871,
"fd": 5,
"host": "1f0ec6c8a7bc",
"proto": "UDP",
"port": 0,
"unit": "connection",
"_time": 1643826292.077388
}
}
net.close properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body Details below. |

net.close.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a Network Close operation. Value must be net.close. |
_metric_type required (string) | Indicates that the metric is a counter. Value must be counter. |
_value required (number) | The value reported by the event or metric. Example: 1 |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
fd (integer) | The file descriptor for an operation. Example: 4 |
host required (string) | Hostname for the host on which the viewed app was run. |
op (string) | The function that was executed. |
proto (string) | The transmission protocol that the viewed app used to send data. Possible values: |
port (number) | Network port opened before a connection was initiated, or closed after the connection closed. |
unit required (string) | Indicates that the metric's value is a number of connections. Value must be connection. |
summary (string) | When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
Structure of the net.duration metric
{
"type": "metric",
"body": {
"_metric": "net.duration",
"_metric_type": "timer",
"_value": 1,
"proc": "sendfile06_64",
"pid": 15385,
"host": "1f0ec6c8a7bc",
"unit": "millisecond",
"summary": "true",
"_time": 1643826428.960074
}
}
{
"type": "metric",
"body": {
"_metric": "net.duration",
"_metric_type": "timer",
"_value": 53,
"proc": "send02",
"pid": 11555,
"fd": 3,
"host": "1f0ec6c8a7bc",
"proto": "UDP",
"port": 0,
"numops": 1,
"unit": "millisecond",
"_time": 1643826318.65727
}
}
net.duration properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body Details below. |

net.duration.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a counter that measures Network duration. Value must be net.duration. |
_metric_type required (string) | Indicates that the metric is a timer. Value must be timer. |
_value required (number) | The value reported by the event or metric. Example: 1 |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
fd (integer) | The file descriptor for an operation. Example: 4 |
host required (string) | Hostname for the host on which the viewed app was run. |
proto (string) | The transmission protocol that the viewed app used to send data. Possible values: |
port (number) | Network port opened before a connection was initiated, or closed after the connection closed. |
numops (number) | Count of individual operations aggregated. |
unit required (string) | Indicates that the metric's value is in milliseconds. Value must be millisecond. |
summary (string) | When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
Structure of the net.error metric
{
"type": "metric",
"body": {
"_metric": "net.error",
"_metric_type": "counter",
"_value": 6,
"proc": "accept01",
"pid": 5920,
"host": "7cb66c7f77dd",
"op": "summary",
"class": "connection",
"unit": "operation",
"_time": 1643749774.573214
}
}
{
"type": "metric",
"body": {
"_metric": "net.error",
"_metric_type": "counter",
"_value": 1,
"proc": "recv01",
"pid": 3593,
"host": "7cb66c7f77dd",
"op": "recv",
"class": "rx_tx",
"unit": "operation",
"_time": 1643749590.518109
}
}
net.error properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body Details below. |

net.error.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a Network Error operation. Value must be net.error. |
_metric_type required (string) | Indicates that the metric is a counter. Value must be counter. |
_value required (number) | The value reported by the event or metric. Example: 1 |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
host required (string) | Hostname for the host on which the viewed app was run. |
op (string) | The function that was executed. |
class required (string) | Subcategory of network error. Possible values: |
unit required (string) | Indicates that the metric's value is a number of operations. Value must be operation. |
summary (string) | When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
Structure of the net.open metric
{
"type": "metric",
"body": {
"_metric": "net.open",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 13687,
"host": "1f0ec6c8a7bc",
"unit": "connection",
"summary": "true",
"_time": 1643826403.121437
}
}
{
"type": "metric",
"body": {
"_metric": "net.open",
"_metric_type": "counter",
"_value": 1,
"proc": "lt-curl",
"pid": 2485,
"fd": 7,
"host": "2a6bc132b07a",
"proto": "UDP",
"port": 0,
"unit": "connection",
"_time": 1643832569.764144
}
}
net.open properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body Details below. |

net.open.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a Network Open operation. Value must be net.open. |
_metric_type required (string) | Indicates that the metric is a counter. Value must be counter. |
_value required (number) | The value reported by the event or metric. Example: 1 |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
fd (integer) | The file descriptor for an operation. Example: 4 |
host required (string) | Hostname for the host on which the viewed app was run. |
proto (string) | The transmission protocol that the viewed app used to send data. Possible values: |
port (number) | Network port opened before a connection was initiated, or closed after the connection closed. |
unit required (string) | Indicates that the metric's value is a number of connections. Value must be connection. |
summary (string) | When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
Structure of the net.other metric
{
"type": "metric",
"body": {
"_metric": "net.other",
"_metric_type": "gauge",
"_value": 1,
"proc": "server_seqpacket",
"pid": 234979,
"host": "test_user",
"unit": "connection",
"summary": "true",
"_time": 1643887036.00144
}
}
{
"type": "metric",
"body": {
"_metric": "net.other",
"_metric_type": "gauge",
"_value": 1,
"proc": "server_seqpacket",
"pid": 235293,
"fd": 4,
"host": "test_user",
"proto": "SEQPACKET",
"port": 0,
"unit": "connection",
"_time": 1643887122.646226
}
}
net.other properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body Details below. |

net.other.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a Network operation of an other-than-standard kind. Value must be net.other. |
_metric_type required (string) | Indicates that the metric is a gauge. Value must be gauge. |
_value required (number) | The value reported by the event or metric. Example: 1 |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
fd (integer) | The file descriptor for an operation. Example: 4 |
host required (string) | Hostname for the host on which the viewed app was run. |
proto (string) | The transmission protocol that the viewed app used to send data. Possible values: |
port (number) | Network port opened before a connection was initiated, or closed after the connection closed. |
unit required (string) | Indicates that the metric's value is a number of connections. Value must be connection. |
summary (string) | When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |
Structure of the net.port metric
{
"type": "metric",
"body": {
"_metric": "net.port",
"_metric_type": "gauge",
"_value": 2,
"proc": "accept02",
"pid": 13689,
"host": "1f0ec6c8a7bc",
"unit": "instance",
"summary": "true",
"_time": 1643826403.184484
}
}
{
"type": "metric",
"body": {
"_metric": "net.port",
"_metric_type": "gauge",
"_value": 1,
"proc": "accept01",
"pid": 9871,
"fd": 4,
"host": "1f0ec6c8a7bc",
"proto": "TCP",
"port": 0,
"unit": "instance",
"_time": 1643826292.076967
}
}
net.port properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body. Details below. |

net.port.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a gauge that identifies open ports. Value must be net.port. |
_metric_type required (string) | Indicates that the metric is a gauge. Value must be gauge. |
_value required (number) | The value reported by the event or metric. Example: 1 |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
fd (integer) | The file descriptor for an operation. Example: 4 |
host required (string) | Hostname for the host on which the viewed app was run. |
proto (string) | The transmission protocol that the viewed app used to send data. Possible values: |
port (number) | Network port opened before a connection was initiated, or closed after the connection closed. |
unit required (string) | Indicates that the metric's value is a number of instances. Value must be instance. |
summary (string) | When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |

Structure of the net.rx metric
{
"type": "metric",
"body": {
"_metric": "net.rx",
"_metric_type": "counter",
"_value": 99000,
"proc": "send02",
"pid": 15371,
"host": "1f0ec6c8a7bc",
"unit": "byte",
"class": "inet_udp",
"summary": "true",
"_time": 1643826428.564141
}
}
{
"type": "metric",
"body": {
"_metric": "net.rx",
"_metric_type": "counter",
"_value": 6,
"proc": "recvfrom01",
"pid": 11544,
"fd": 4,
"host": "1f0ec6c8a7bc",
"domain": "AF_INET",
"proto": "TCP",
"localip": "127.0.0.1",
"localp": 37432,
"remoteip": "0.0.0.0",
"remotep": 40765,
"data": "clear",
"numops": 1,
"unit": "byte",
"_time": 1643826317.098972
}
}
{
"type": "metric",
"body": {
"_metric": "net.rx",
"_metric_type": "counter",
"_value": 16,
"proc": "send02",
"pid": 11555,
"fd": 3,
"host": "1f0ec6c8a7bc",
"domain": "AF_INET",
"proto": "UDP",
"localip": "127.0.0.1",
"localp": 0,
"remoteip": " ",
"remotep": 0,
"data": "clear",
"numops": 1,
"unit": "byte",
"_time": 1643826318.241899
}
}
net.rx properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body. Details below. |

net.rx.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a Network receive operation. Value must be net.rx. |
_metric_type required (string) | Indicates that the metric is a counter. Value must be counter. |
_value required (number) | The value reported by the event or metric. Example: 1 |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
fd (integer) | The file descriptor for an operation. Example: 4 |
host required (string) | Hostname for the host on which the viewed app was run. |
domain (string) | The domain for which the viewed app made a DNS request. |
proto (string) | The transmission protocol that the viewed app used to send data. Possible values: |
localn (number) | Inode number for the local end of a UNIX domain socket. |
localip (string) | The IP address portion of the local end of a network connection. Example: 127.0.0.1 |
localp (number) | The port portion of the local end of a network connection. Example: 9109 |
remoten (number) | Inode number for the remote end of a UNIX domain socket. |
remoteip (string) | IP address for the remote end of a network socket. Example: 192.158.1.38 |
remotep (number) | Port for the remote end of a network socket. Example: 9108 |
data (string) | The data that the viewed app emitted as output. |
numops (number) | Count of individual operations aggregated. |
unit required (string) | Indicates that the metric's value is in bytes. Value must be byte. |
class (string) | Subcategory of send and receive operations. Possible values: |
summary (string) | When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |

Structure of the net.tcp metric
{
"type": "metric",
"body": {
"_metric": "net.tcp",
"_metric_type": "gauge",
"_value": 1,
"proc": "accept02",
"pid": 13689,
"host": "1f0ec6c8a7bc",
"unit": "connection",
"summary": "true",
"_time": 1643826403.184497
}
}
{
"type": "metric",
"body": {
"_metric": "net.tcp",
"_metric_type": "gauge",
"_value": 0,
"proc": "accept01",
"pid": 9871,
"fd": 4,
"host": "1f0ec6c8a7bc",
"proto": "TCP",
"port": 0,
"unit": "connection",
"_time": 1643826292.07731
}
}
net.tcp properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body. Details below. |

net.tcp.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a gauge that shows the current count of open TCP ports. Value must be net.tcp. |
_metric_type required (string) | Indicates that the metric is a gauge. Value must be gauge. |
_value required (number) | The value reported by the event or metric. Example: 1 |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
fd (integer) | The file descriptor for an operation. Example: 4 |
host required (string) | Hostname for the host on which the viewed app was run. |
proto (string) | The transmission protocol that the viewed app used to send data. Value must be TCP. |
port (number) | Network port opened before a connection was initiated, or closed after the connection closed. |
unit required (string) | Indicates that the metric's value is a number of connections. Value must be connection. |
summary (string) | When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |

Structure of the net.tx metric
{
"type": "metric",
"body": {
"_metric": "net.tx",
"_metric_type": "counter",
"_value": 3,
"proc": "recvmsg01",
"pid": 15364,
"host": "1f0ec6c8a7bc",
"unit": "byte",
"class": "unix_tcp",
"summary": "true",
"_time": 1643826427.279136
}
}
{
"type": "metric",
"body": {
"_metric": "net.tx",
"_metric_type": "counter",
"_value": 16,
"proc": "send02",
"pid": 11555,
"fd": 4,
"host": "1f0ec6c8a7bc",
"domain": "AF_INET",
"proto": "UDP",
"localip": "0.0.0.0",
"localp": 0,
"remoteip": "127.0.0.1",
"remotep": 38725,
"data": "clear",
"numops": 1,
"unit": "byte",
"_time": 1643826318.241855
}
}
{
"type": "metric",
"body": {
"_metric": "net.tx",
"_metric_type": "counter",
"_value": 1,
"proc": "recvmsg01",
"pid": 11548,
"fd": 3,
"host": "1f0ec6c8a7bc",
"domain": "UNIX",
"proto": "TCP",
"localn": 48335,
"remoten": 46396,
"data": "clear",
"numops": 1,
"unit": "byte",
"_time": 1643826317.162209
}
}
net.tx properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body. Details below. |

net.tx.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a Network transmit operation. Value must be net.tx. |
_metric_type required (string) | Indicates that the metric is a counter. Value must be counter. |
_value required (number) | The value reported by the event or metric. Example: 1 |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
fd (integer) | The file descriptor for an operation. Example: 4 |
host required (string) | Hostname for the host on which the viewed app was run. |
domain (string) | The domain for which the viewed app made a DNS request. |
proto (string) | The transmission protocol that the viewed app used to send data. Possible values: |
localn (number) | Inode number for the local end of a UNIX domain socket. |
localip (string) | The IP address portion of the local end of a network connection. Example: 127.0.0.1 |
localp (number) | The port portion of the local end of a network connection. Example: 9109 |
remoten (number) | Inode number for the remote end of a UNIX domain socket. |
remoteip (string) | IP address for the remote end of a network socket. Example: 192.158.1.38 |
remotep (number) | Port for the remote end of a network socket. Example: 9108 |
data (string) | The data that the viewed app emitted as output. |
numops (number) | Count of individual operations aggregated. |
unit required (string) | Indicates that the metric's value is in bytes. Value must be byte. |
class (string) | Subcategory of send and receive operations. Possible values: |
summary (string) | When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |

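
A sketch of how a consumer might check net.rx and net.tx records against the two property tables above and total their byte counters per remote endpoint; this is an added example, not AppView code. The function names and the sample records are constructed here, and treating a blank remoteip as unknown is an assumption.

```python
import json
from collections import defaultdict

# Required body fields and their JSON types, from the net.rx / net.tx tables above.
REQUIRED = {"_metric": str, "_metric_type": str, "_value": (int, float), "proc": str,
            "pid": int, "host": str, "unit": str, "_time": (int, float)}

def check_record(record):
    """Return a list of problems; an empty list means the record fits the tables."""
    body = record.get("body")
    if record.get("type") != "metric" or not isinstance(body, dict):
        return ["type must be 'metric' and body must be an object"]
    problems = []
    for name, kind in REQUIRED.items():
        value = body.get(name)
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, kind):
            problems.append(f"{name} missing or wrong type")
    if body.get("_metric") not in ("net.rx", "net.tx"):
        problems.append("_metric must be net.rx or net.tx")
    if body.get("_metric_type") != "counter" or body.get("unit") != "byte":
        problems.append("_metric_type must be counter and unit must be byte")
    # summary is a string whose only allowed value is "true", not a JSON boolean.
    if "summary" in body and body["summary"] != "true":
        problems.append("summary must be the string 'true'")
    return problems

def endpoint(body):
    """Name the remote end: inode for a UNIX domain socket, ip:port for a network socket."""
    if "remoten" in body:
        return f"unix:{body['remoten']}"
    if "remoteip" in body:
        # The page's UDP net.rx example reports remoteip as " ", so blank is shown as "?".
        return f"{body['remoteip'].strip() or '?'}:{body.get('remotep', 0)}"
    return None

def bytes_by_endpoint(lines):
    """Total byte counters per (metric, proc, endpoint); summary records get their own table."""
    per_socket, summaries, rejected = defaultdict(int), defaultdict(int), []
    for line in lines:
        record = json.loads(line)
        problems = check_record(record)
        if problems:
            rejected.append(problems)
            continue
        body = record["body"]
        key = (body["_metric"], body["proc"])
        if body.get("summary") == "true":
            # Aggregated records carry a class but no endpoint fields in the page's examples.
            summaries[key + (body.get("class"),)] += body["_value"]
        else:
            per_socket[key + (endpoint(body),)] += body["_value"]
    return dict(per_socket), dict(summaries), rejected

def _sample(metric, value, proc, pid, **extra):
    body = {"_metric": metric, "_metric_type": "counter", "_value": value, "proc": proc,
            "pid": pid, "host": "1f0ec6c8a7bc", "unit": "byte", "_time": 1643826318.2}
    return json.dumps({"type": "metric", "body": {**body, **extra}})

# Constructed sample input, modelled on the example metrics shown on this page.
SAMPLE = [
    _sample("net.tx", 16, "send02", 11555, proto="UDP", remoteip="127.0.0.1", remotep=38725),
    _sample("net.tx", 1, "recvmsg01", 11548, domain="UNIX", localn=48335, remoten=46396),
    _sample("net.tx", 3, "recvmsg01", 15364, **{"class": "unix_tcp", "summary": "true"}),
    _sample("net.rx", 16, "send02", 11555, proto="UDP", remoteip=" ", remotep=0),
    _sample("net.rx", 6, "recvfrom01", 11544, summary=True),  # JSON boolean: rejected
]

if __name__ == "__main__":
    for table in bytes_by_endpoint(SAMPLE):
        print(table)
```
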
Structure of the net.udp metric
{
"type": "metric",
"body": {
"_metric": "net.udp",
"_metric_type": "gauge",
"_value": 0,
"proc": "accept01",
"pid": 9871,
"fd": 5,
"host": "1f0ec6c8a7bc",
"proto": "UDP",
"port": 0,
"unit": "connection",
"_time": 1643826292.077372
}
}
net.udp properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body. Details below. |

net.udp.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a gauge that shows the current count of open UDP ports. Value must be net.udp. |
_metric_type required (string) | Indicates that the metric is a gauge. Value must be gauge. |
_value required (number) | The value reported by the event or metric. Example: 1 |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
fd required (integer) | The file descriptor for an operation. Example: 4 |
host required (string) | Hostname for the host on which the viewed app was run. |
proto required (string) | The transmission protocol that the viewed app used to send data. Value must be UDP. |
port required (number) | Network port opened before a connection was initiated, or closed after the connection closed. |
unit required (string) | Indicates that the metric's value is a number of connections. Value must be connection. |
summary (string) | When true, indicates that the metric value is an aggregation. Value must be true. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |

Structure of the proc.child metric
{
"type": "metric",
"body": {
"_metric": "proc.child",
"_metric_type": "gauge",
"_value": 0,
"proc": "accept01",
"pid": 1946,
"host": "7cb66c7f77dd",
"unit": "process",
"_time": 1643749566.030543
}
}
proc.child properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body. Details below. |

proc.child.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a gauge of child processes spawned. Value must be proc.child. |
_metric_type required (string) | Indicates that the metric is a gauge. Value must be gauge. |
_value required (number) | The value reported by the event or metric. Example: 1 |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
host required (string) | Hostname for the host on which the viewed app was run. |
unit required (string) | Indicates that the metric's value is a number of processes. Value must be process. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |

Structure of the proc.cpu metric
{
"type": "metric",
"body": {
"_metric": "proc.cpu",
"_metric_type": "counter",
"_value": 2107,
"proc": "accept01",
"pid": 1946,
"host": "7cb66c7f77dd",
"unit": "microsecond",
"_time": 1643749566.030295
}
}
proc.cpu properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body. Details below. |

proc.cpu.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a counter of the microseconds of CPU time for which the process was scheduled. Value must be proc.cpu. |
_metric_type required (string) | Indicates that the metric is a counter. Value must be counter. |
_value required (number) | The value reported by the event or metric. Example: 1 |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
host required (string) | Hostname for the host on which the viewed app was run. |
unit required (string) | Indicates that the metric's value is in microseconds. Value must be microsecond. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |

Structure of the proc.cpu_perc metric
{
"type": "metric",
"body": {
"_metric": "proc.cpu_perc",
"_metric_type": "gauge",
"_value": 0.02107,
"proc": "accept01",
"pid": 1946,
"host": "7cb66c7f77dd",
"unit": "percent",
"_time": 1643749566.030327
}
}
proc.cpu.perc properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body. Details below. |

proc.cpu.perc.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a gauge that measures percentage of CPU used by the process. Value must be proc.cpu_perc. |
_metric_type required (string) | Indicates that the metric is a gauge. Value must be gauge. |
_value required (number) | The value reported by the event or metric. Example: 1 |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
host required (string) | Hostname for the host on which the viewed app was run. |
unit required (string) | Indicates that the metric's value is a percentage. Value must be percent. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |

Structure of the proc.fd metric
{
"type": "metric",
"body": {
"_metric": "proc.fd",
"_metric_type": "gauge",
"_value": 5,
"proc": "accept01",
"pid": 1946,
"host": "7cb66c7f77dd",
"unit": "file",
"_time": 1643749566.030497
}
}
proc.fd properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body. Details below. |

proc.fd.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a gauge that reports how many file descriptors the process has opened. Value must be proc.fd. |
_metric_type required (string) | Indicates that the metric is a gauge. Value must be gauge. |
_value required (number) | The value reported by the event or metric. Example: 1 |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
host required (string) | Hostname for the host on which the viewed app was run. |
unit required (string) | Indicates that the metric's value is a number of files. Value must be file. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |

Structure of the proc.mem metric
{
"type": "metric",
"body": {
"_metric": "proc.mem",
"_metric_type": "gauge",
"_value": 31284,
"proc": "accept01",
"pid": 1946,
"host": "7cb66c7f77dd",
"unit": "kibibyte",
"_time": 1643749566.030388
}
}
proc.mem properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body. Details below. |

proc.mem.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a gauge that reports process memory consumption. Value must be proc.mem. |
_metric_type required (string) | Indicates that the metric is a gauge. Value must be gauge. |
_value required (number) | The value reported by the event or metric. Example: 1 |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
host required (string) | Hostname for the host on which the viewed app was run. |
unit required (string) | Indicates that the metric's value is in kibibytes. Value must be kibibyte. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |

Structure of the proc.start metric
{
"type": "metric",
"body": {
"_metric": "proc.start",
"_metric_type": "counter",
"_value": 1,
"proc": "accept01",
"pid": 1945,
"gid": 0,
"groupname": "root",
"uid": 0,
"username": "root",
"host": "7cb66c7f77dd",
"args": "/opt/test/ltp/testcases/kernel/syscalls/accept/accept01",
"unit": "process",
"_time": 1643749566.026885
}
}
proc.start properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body. Details below. |

proc.start.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a counter which can only be 1, meaning that the process has started. Value must be proc.start. |
_metric_type required (string) | Indicates that the metric is a counter. Value must be counter. |
_value required (number) | The value reported by the event or metric. Example: 1 |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
gid required (integer) | Group ID of the user who created the process. Example: 0 |
groupname required (string) | Groupname of the user who created the process. Example: root |
uid required (integer) | User ID of the user who created the process. Example: 0 |
username required (string) | Username of the user who created the process. Example: root |
host required (string) | Hostname for the host on which the viewed app was run. |
args required (string) | The arguments with which the viewed app was run. |
unit required (string) | Indicates that the metric's value is a number of processes. Value must be process. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |

Structure of the proc.thread metric
{
"type": "metric",
"body": {
"_metric": "proc.thread",
"_metric_type": "gauge",
"_value": 1,
"proc": "accept01",
"pid": 1946,
"host": "7cb66c7f77dd",
"unit": "thread",
"_time": 1643749566.030435
}
}
proc.thread properties

Property | Description |
---|---|
type required (string) | Distinguishes metrics from events. Value must be metric. |
body required (object) | body. Details below. |

proc.thread.body properties

Property | Description |
---|---|
_metric required (string) | Indicates that the Source is a gauge that reports how many threads are running in the process. Value must be proc.thread. |
_metric_type required (string) | Indicates that the metric is a gauge. Value must be gauge. |
_value required (number) | The value reported by the event or metric. Example: 1 |
proc required (string) | The name of the viewed app's process. |
pid required (integer) | The process ID of the viewed app. Example: 1000 |
host required (string) | Hostname for the host on which the viewed app was run. |
unit required (string) | Indicates that the metric's value is a number of threads. Value must be thread. |
_time required (number) | The moment in time when AppView reported the event or metric. In UNIX time with integer part in seconds and fractional part in microseconds. Example: 1643662126.91777 |