Kube-state-metrics
Collect container metrics from Kubernetes Kube-state-metrics with Elastic Agent.
Version |
1.57.0 (View all) |
Compatible Kibana version(s) |
8.12.0 or higher |
Supported Serverless project types |
Security Observability |
Subscription level |
Basic |
Kube-state Metrics version should be aligned with the Kubernetes version of your cluster. Follow relevant kubernetes/kube-state-metrics compatibility-matrix for more information.
Metrics
If Leader Election is activated (default behaviour) only the elastic agent
which holds the leadership lock
will retrieve metrics from the kube_state_metrics
.
This is relevant in multi-node kubernetes cluster and prevents duplicate data.
state_container
This is the state_container
dataset of the Kubernetes package. It collects container related
metrics from kube_state_metrics
.
An example event for state_container
looks as following:
{
"container": {
"image": {
"name": "k8s.gcr.io/coredns/coredns:v1.8.0"
},
"runtime": "containerd",
"id": "696963fe4eeb8734a10e44e0ef8d582fe9861c13ef7c50d6fa5689733df7d302"
},
"kubernetes": {
"container": {
"memory": {
"request": {
"bytes": 73400320
},
"limit": {
"bytes": 178257920
}
},
"name": "coredns",
"cpu": {
"request": {
"cores": 0.1
}
},
"id": "containerd://696963fe4eeb8734a10e44e0ef8d582fe9861c13ef7c50d6fa5689733df7d302",
"status": {
"phase": "running",
"ready": true,
"restarts": 5
}
},
"node": {
"uid": "57ccd748-c877-4be9-9b0e-568e9f205025",
"hostname": "kind-control-plane",
"name": "kind-control-plane",
"labels": {
"node_kubernetes_io/exclude-from-external-load-balancers": "",
"node-role_kubernetes_io/master": "",
"kubernetes_io/hostname": "kind-control-plane",
"node-role_kubernetes_io/control-plane": "",
"beta_kubernetes_io/os": "linux",
"kubernetes_io/arch": "amd64",
"kubernetes_io/os": "linux",
"beta_kubernetes_io/arch": "amd64"
}
},
"pod": {
"uid": "b5637989-65ec-4f86-a13e-b9bd02e9bac5",
"ip": "10.244.0.5",
"name": "coredns-558bd4d5db-8qp4d"
},
"namespace": "kube-system",
"namespace_uid": "a4453575-518e-4a21-9909-34874f674177",
"replicaset": {
"name": "coredns-558bd4d5db"
},
"namespace_labels": {
"kubernetes_io/metadata_name": "kube-system"
},
"labels": {
"pod-template-hash": "558bd4d5db",
"k8s-app": "kube-dns"
},
"deployment": {
"name": "coredns"
}
},
"agent": {
"name": "kind-control-plane",
"id": "de42127b-4db8-4471-824e-a7b14f478663",
"ephemeral_id": "22ed892c-43bd-408a-9121-65e2f5b6a56e",
"type": "metricbeat",
"version": "8.1.0"
},
"elastic_agent": {
"id": "de42127b-4db8-4471-824e-a7b14f478663",
"version": "8.1.0",
"snapshot": true
},
"orchestrator": {
"cluster": {
"name": "kind",
"url": "kind-control-plane:6443"
}
},
"@timestamp": "2021-12-20T10:02:04.923Z",
"ecs": {
"version": "8.0.0"
},
"data_stream": {
"namespace": "default",
"type": "metrics",
"dataset": "kubernetes.state_container"
},
"service": {
"address": "http://kube-state-metrics:8080/metrics",
"type": "kubernetes"
},
"host": {
"hostname": "kind-control-plane",
"os": {
"kernel": "5.10.47-linuxkit",
"codename": "Core",
"name": "CentOS Linux",
"type": "linux",
"family": "redhat",
"version": "7 (Core)",
"platform": "centos"
},
"containerized": true,
"ip": [
"10.244.0.1"
],
"name": "kind-control-plane",
"id": "85e35c2b5e1b39ba72393a6baf6ee7cd",
"mac": [
"fe:ec:82:9f:29:19"
],
"architecture": "x86_64"
},
"metricset": {
"period": 10000,
"name": "state_container"
},
"event": {
"duration": 1459222,
"agent_id_status": "verified",
"ingested": "2021-12-20T10:02:05Z",
"module": "kubernetes",
"dataset": "kubernetes.state_container"
}
}
Exported fields
Field | Description | Type | Unit | Metric Type |
---|---|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | ||
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | ||
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | ||
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | ||
cloud.image.id | Image ID for the cloud instance. | keyword | ||
cloud.instance.id | Instance ID of the host machine. | keyword | ||
cloud.instance.name | Instance name of the host machine. | keyword | ||
cloud.machine.type | Machine type of the host machine. | keyword | ||
cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | ||
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | ||
cloud.region | Region in which this host, resource, or service is located. | keyword | ||
container.id | Unique container id. | keyword | ||
container.image.name | Name of the image the container was built on. | keyword | ||
container.labels | Image labels. | object | ||
container.name | Container name. | keyword | ||
container.runtime | Runtime managing this container. | keyword | ||
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | ||
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | ||
host.architecture | Operating system architecture. | keyword | ||
host.containerized | If the host is a container. | boolean | ||
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | ||
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword | ||
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name . | keyword | ||
host.ip | Host ip addresses. | ip | ||
host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | ||
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | ||
host.os.build | OS build information. | keyword | ||
host.os.codename | OS codename, if any. | keyword | ||
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | ||
host.os.kernel | Operating system kernel version as a raw string. | keyword | ||
host.os.name | Operating system name, without the version. | keyword | ||
host.os.name.text | Multi-field of host.os.name . | match_only_text | ||
host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | ||
host.os.version | Operating system version as a raw string. | keyword | ||
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium . If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | ||
kubernetes.annotations.* | Kubernetes annotations map | object | ||
kubernetes.container.cpu.limit.cores | Container CPU cores limit | float | gauge | |
kubernetes.container.cpu.limit.nanocores | Container CPU nanocores limit | long | gauge | |
kubernetes.container.cpu.request.cores | Container CPU requested cores | float | gauge | |
kubernetes.container.cpu.request.nanocores | Container CPU requested nanocores | long | gauge | |
kubernetes.container.id | Container id | keyword | ||
kubernetes.container.memory.limit.bytes | Container memory limit in bytes | long | byte | gauge |
kubernetes.container.memory.request.bytes | Container requested memory in bytes | long | byte | gauge |
kubernetes.container.name | Kubernetes container name | keyword | ||
kubernetes.container.status.phase | Container phase (running, waiting, terminated) | keyword | ||
kubernetes.container.status.ready | Container ready status | boolean | ||
kubernetes.container.status.reason | Waiting (ContainerCreating, CrashLoopBackoff, ErrImagePull, ImagePullBackoff) or termination (Completed, ContainerCannotRun, Error, OOMKilled) reason. | keyword | ||
kubernetes.container.status.restarts | Container restarts count | integer | counter | |
kubernetes.cronjob.name | Name of the CronJob to which the Pod belongs | keyword | ||
kubernetes.daemonset.name | Kubernetes daemonset name | keyword | ||
kubernetes.deployment.name | Kubernetes deployment name | keyword | ||
kubernetes.job.name | Name of the Job to which the Pod belongs | keyword | ||
kubernetes.labels.* | Kubernetes labels map | object | ||
kubernetes.namespace | Kubernetes namespace | keyword | ||
kubernetes.namespace_annotations.* | Kubernetes namespace annotations map | object | ||
kubernetes.namespace_labels.* | Kubernetes namespace labels map | object | ||
kubernetes.namespace_uid | Kubernetes namespace UID | keyword | ||
kubernetes.node.annotations.* | Kubernetes node annotations map | object | ||
kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | ||
kubernetes.node.labels.* | Kubernetes node labels map | object | ||
kubernetes.node.name | Kubernetes node name | keyword | ||
kubernetes.node.uid | Kubernetes node UID | keyword | ||
kubernetes.pod.ip | Kubernetes pod IP | ip | ||
kubernetes.pod.name | Kubernetes pod name | keyword | ||
kubernetes.pod.uid | Kubernetes pod UID | keyword | ||
kubernetes.replicaset.name | Kubernetes replicaset name | keyword | ||
kubernetes.statefulset.name | Kubernetes statefulset name | keyword | ||
orchestrator.cluster.name | Name of the cluster. | keyword | ||
orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | ||
service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | ||
service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, service.type would be elasticsearch . | keyword |
state_cronjob
This is the state_cronjob
dataset of the Kubernetes package. It collects cronjob related
metrics from kube_state_metrics
.
Important Note: Please make sure that you install latest kube-state metrics version for this datataset to appear. Eg. Kube-state-metrics v2.3.0 was not reporting cron_job metrics for Kubernetes v1.25.0
An example event for state_cronjob
looks as following:
{
"kubernetes": {
"namespace": "default",
"namespace_uid": "5f4a8989-32b3-4fc9-ba5b-9dece58436b8",
"namespace_labels": {
"kubernetes_io/metadata_name": "default"
},
"cronjob": {
"last_schedule": {
"sec": 1674053820
},
"created": {
"sec": 1674053817
},
"name": "hello",
"active": {
"count": 0
},
"is_suspended": false,
"next_schedule": {
"sec": 1674053880
}
},
"labels": {
"k8s-app": "myjob"
}
},
"orchestrator": {
"cluster": {
"name": "kind",
"url": "kind-control-plane:6443"
}
},
"agent": {
"name": "kind-control-plane",
"id": "c446ee97-62f8-47db-ac88-ada92aa550a0",
"type": "metricbeat",
"ephemeral_id": "b61db5f9-8e5a-4ec2-b73f-dd4ee1537110",
"version": "8.6.0"
},
"@timestamp": "2023-01-18T14:57:16.597Z",
"ecs": {
"version": "8.0.0"
},
"data_stream": {
"namespace": "default",
"type": "metrics",
"dataset": "kubernetes.state_cronjob"
},
"service": {
"address": "http://kube-state-metrics:8080/metrics",
"type": "kubernetes"
},
"host": {
"hostname": "kind-control-plane",
"os": {
"kernel": "5.10.104-linuxkit",
"codename": "focal",
"name": "Ubuntu",
"family": "debian",
"type": "linux",
"version": "20.04.5 LTS (Focal Fossa)",
"platform": "ubuntu"
},
"containerized": false,
"ip": [
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"172.18.0.2",
"fc00:f853:ccd:e793::2",
"fe80::42:acff:fe12:2",
"10.244.0.1",
"172.21.0.2",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1"
],
"name": "kind-control-plane",
"id": "ee94d9f5b385448b805141d2b007ef9e",
"mac": [
"02-42-AC-12-00-02",
"02-42-AC-15-00-02",
"26-44-88-00-0A-01",
"36-29-00-36-7F-53",
"52-A2-77-CF-D4-EC",
"62-BC-CF-94-14-6C",
"8E-B9-C8-09-2D-B8",
"92-BA-04-F3-2A-CC",
"A2-55-7D-53-57-91",
"A6-4F-D1-E2-1E-12",
"B6-ED-00-D6-1B-B8",
"BA-D7-49-95-5A-F5",
"CA-B9-E6-A7-52-0D",
"D6-F9-71-43-6C-24",
"DE-05-63-F9-0B-36",
"EE-C8-E8-11-00-F5",
"F6-52-0A-F0-63-83"
],
"architecture": "x86_64"
},
"elastic_agent": {
"id": "c446ee97-62f8-47db-ac88-ada92aa550a0",
"version": "8.6.0",
"snapshot": false
},
"metricset": {
"period": 10000,
"name": "state_cronjob"
},
"event": {
"duration": 11786458,
"agent_id_status": "verified",
"ingested": "2023-01-18T14:57:17Z",
"module": "kubernetes",
"dataset": "kubernetes.state_cronjob"
}
}
Exported fields
Field | Description | Type | Unit | Metric Type |
---|---|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | ||
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | ||
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | ||
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | ||
cloud.image.id | Image ID for the cloud instance. | keyword | ||
cloud.instance.id | Instance ID of the host machine. | keyword | ||
cloud.instance.name | Instance name of the host machine. | keyword | ||
cloud.machine.type | Machine type of the host machine. | keyword | ||
cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | ||
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | ||
cloud.region | Region in which this host, resource, or service is located. | keyword | ||
container.id | Unique container id. | keyword | ||
container.image.name | Name of the image the container was built on. | keyword | ||
container.labels | Image labels. | object | ||
container.name | Container name. | keyword | ||
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | ||
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | ||
host.architecture | Operating system architecture. | keyword | ||
host.containerized | If the host is a container. | boolean | ||
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | ||
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword | ||
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name . | keyword | ||
host.ip | Host ip addresses. | ip | ||
host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | ||
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | ||
host.os.build | OS build information. | keyword | ||
host.os.codename | OS codename, if any. | keyword | ||
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | ||
host.os.kernel | Operating system kernel version as a raw string. | keyword | ||
host.os.name | Operating system name, without the version. | keyword | ||
host.os.name.text | Multi-field of host.os.name . | match_only_text | ||
host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | ||
host.os.version | Operating system version as a raw string. | keyword | ||
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium . If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | ||
kubernetes.annotations.* | Kubernetes annotations map | object | ||
kubernetes.cronjob.active.count | Number of active pods for the cronjob | long | gauge | |
kubernetes.cronjob.concurrency | Concurrency policy | keyword | ||
kubernetes.cronjob.created.sec | Epoch seconds since the cronjob was created | double | s | gauge |
kubernetes.cronjob.deadline.sec | Deadline seconds after schedule for considering failed | long | s | gauge |
kubernetes.cronjob.is_suspended | Whether the cronjob is suspended | boolean | ||
kubernetes.cronjob.last_schedule.sec | Epoch seconds for last cronjob run | double | s | gauge |
kubernetes.cronjob.name | Cronjob name | keyword | ||
kubernetes.cronjob.next_schedule.sec | Epoch seconds for next cronjob run | double | s | gauge |
kubernetes.cronjob.schedule | Cronjob schedule | keyword | ||
kubernetes.labels.* | Kubernetes labels map | object | ||
kubernetes.namespace | Kubernetes namespace | keyword | ||
kubernetes.namespace_labels.* | Kubernetes namespace labels map | object | ||
kubernetes.namespace_uid | Kubernetes namespace UID | keyword | ||
orchestrator.cluster.name | Name of the cluster. | keyword | ||
orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | ||
service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | ||
service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, service.type would be elasticsearch . | keyword |
state_daemonset
This is the state_daemonset
dataset of the Kubernetes package. It collects daemonset related
metrics from kube_state_metrics
.
An example event for state_daemonset
looks as following:
{
"orchestrator": {
"cluster": {
"name": "kind",
"url": "kind-control-plane:6443"
}
},
"kubernetes": {
"namespace": "kube-system",
"daemonset": {
"replicas": {
"desired": 1,
"unavailable": 0,
"ready": 1,
"available": 1
},
"name": "kube-proxy"
},
"namespace_uid": "250a647d-3acc-4f7e-85b5-a51b6069959d",
"namespace_labels": {
"kubernetes_io/metadata_name": "kube-system"
},
"labels": {
"k8s-app": "kube-proxy"
}
},
"agent": {
"name": "kind-control-plane",
"id": "c446ee97-62f8-47db-ac88-ada92aa550a0",
"ephemeral_id": "b61db5f9-8e5a-4ec2-b73f-dd4ee1537110",
"type": "metricbeat",
"version": "8.6.0"
},
"@timestamp": "2023-01-18T14:52:46.935Z",
"ecs": {
"version": "8.0.0"
},
"service": {
"address": "http://kube-state-metrics:8080/metrics",
"type": "kubernetes"
},
"data_stream": {
"namespace": "default",
"type": "metrics",
"dataset": "kubernetes.state_daemonset"
},
"host": {
"hostname": "kind-control-plane",
"os": {
"kernel": "5.10.104-linuxkit",
"codename": "focal",
"name": "Ubuntu",
"type": "linux",
"family": "debian",
"version": "20.04.5 LTS (Focal Fossa)",
"platform": "ubuntu"
},
"containerized": false,
"ip": [
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"172.18.0.2",
"fc00:f853:ccd:e793::2",
"fe80::42:acff:fe12:2",
"10.244.0.1",
"172.21.0.2",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1"
],
"name": "kind-control-plane",
"id": "ee94d9f5b385448b805141d2b007ef9e",
"mac": [
"02-42-AC-12-00-02",
"02-42-AC-15-00-02",
"26-44-88-00-0A-01",
"36-29-00-36-7F-53",
"8E-B9-C8-09-2D-B8",
"92-BA-04-F3-2A-CC",
"A2-55-7D-53-57-91",
"A6-4F-D1-E2-1E-12",
"B6-ED-00-D6-1B-B8",
"BA-D7-49-95-5A-F5",
"CA-B9-E6-A7-52-0D",
"D6-F9-71-43-6C-24",
"DE-05-63-F9-0B-36",
"F6-52-0A-F0-63-83"
],
"architecture": "x86_64"
},
"elastic_agent": {
"id": "c446ee97-62f8-47db-ac88-ada92aa550a0",
"version": "8.6.0",
"snapshot": false
},
"metricset": {
"period": 10000,
"name": "state_daemonset"
},
"event": {
"duration": 182782,
"agent_id_status": "verified",
"ingested": "2023-01-18T14:52:47Z",
"module": "kubernetes",
"dataset": "kubernetes.state_daemonset"
}
}
Exported fields
Field | Description | Type | Metric Type |
---|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | |
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | |
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | |
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | |
cloud.image.id | Image ID for the cloud instance. | keyword | |
cloud.instance.id | Instance ID of the host machine. | keyword | |
cloud.instance.name | Instance name of the host machine. | keyword | |
cloud.machine.type | Machine type of the host machine. | keyword | |
cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | |
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | |
cloud.region | Region in which this host, resource, or service is located. | keyword | |
container.id | Unique container id. | keyword | |
container.image.name | Name of the image the container was built on. | keyword | |
container.labels | Image labels. | object | |
container.name | Container name. | keyword | |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | |
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
host.architecture | Operating system architecture. | keyword | |
host.containerized | If the host is a container. | boolean | |
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword | |
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name . | keyword | |
host.ip | Host ip addresses. | ip | |
host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | |
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
host.os.build | OS build information. | keyword | |
host.os.codename | OS codename, if any. | keyword | |
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
host.os.kernel | Operating system kernel version as a raw string. | keyword | |
host.os.name | Operating system name, without the version. | keyword | |
host.os.name.text | Multi-field of host.os.name . | match_only_text | |
host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
host.os.version | Operating system version as a raw string. | keyword | |
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium . If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
kubernetes.annotations.* | Kubernetes annotations map | object | |
kubernetes.daemonset.name | keyword | ||
kubernetes.daemonset.replicas.available | The number of available replicas per DaemonSet | long | gauge |
kubernetes.daemonset.replicas.desired | The desired number of replicas per DaemonSet | long | gauge |
kubernetes.daemonset.replicas.ready | The number of ready replicas per DaemonSet | long | gauge |
kubernetes.daemonset.replicas.unavailable | The number of unavailable replicas per DaemonSet | long | gauge |
kubernetes.labels.* | Kubernetes labels map | object | |
kubernetes.namespace | Kubernetes namespace | keyword | |
kubernetes.namespace_labels.* | Kubernetes namespace labels map | object | |
kubernetes.namespace_uid | Kubernetes namespace UID | keyword | |
orchestrator.cluster.name | Name of the cluster. | keyword | |
orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | |
service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | |
service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, service.type would be elasticsearch . | keyword |
state_deployment
This is the state_deployment
dataset of the Kubernetes package. It collects deployment related
metrics from kube_state_metrics
.
An example event for state_deployment
looks as following:
{
"orchestrator": {
"cluster": {
"name": "kind",
"url": "kind-control-plane:6443"
}
},
"kubernetes": {
"namespace": "kube-system",
"namespace_uid": "250a647d-3acc-4f7e-85b5-a51b6069959d",
"namespace_labels": {
"kubernetes_io/metadata_name": "kube-system"
},
"labels": {
"k8s-app": "kube-dns"
},
"deployment": {
"paused": false,
"replicas": {
"desired": 2,
"unavailable": 0,
"available": 2,
"updated": 2
},
"name": "coredns"
}
},
"agent": {
"name": "kind-control-plane",
"id": "c446ee97-62f8-47db-ac88-ada92aa550a0",
"ephemeral_id": "b61db5f9-8e5a-4ec2-b73f-dd4ee1537110",
"type": "metricbeat",
"version": "8.6.0"
},
"@timestamp": "2023-01-18T14:50:47.075Z",
"ecs": {
"version": "8.0.0"
},
"service": {
"address": "http://kube-state-metrics:8080/metrics",
"type": "kubernetes"
},
"data_stream": {
"namespace": "default",
"type": "metrics",
"dataset": "kubernetes.state_deployment"
},
"elastic_agent": {
"id": "c446ee97-62f8-47db-ac88-ada92aa550a0",
"version": "8.6.0",
"snapshot": false
},
"host": {
"hostname": "kind-control-plane",
"os": {
"kernel": "5.10.104-linuxkit",
"codename": "focal",
"name": "Ubuntu",
"family": "debian",
"type": "linux",
"version": "20.04.5 LTS (Focal Fossa)",
"platform": "ubuntu"
},
"containerized": false,
"ip": [
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"172.18.0.2",
"fc00:f853:ccd:e793::2",
"fe80::42:acff:fe12:2",
"10.244.0.1",
"172.21.0.2",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1"
],
"name": "kind-control-plane",
"id": "ee94d9f5b385448b805141d2b007ef9e",
"mac": [
"02-42-AC-12-00-02",
"02-42-AC-15-00-02",
"26-44-88-00-0A-01",
"36-29-00-36-7F-53",
"8E-B9-C8-09-2D-B8",
"92-BA-04-F3-2A-CC",
"A2-55-7D-53-57-91",
"A6-4F-D1-E2-1E-12",
"B6-ED-00-D6-1B-B8",
"BA-D7-49-95-5A-F5",
"CA-B9-E6-A7-52-0D",
"D6-F9-71-43-6C-24",
"DE-05-63-F9-0B-36",
"F6-52-0A-F0-63-83"
],
"architecture": "x86_64"
},
"metricset": {
"period": 10000,
"name": "state_deployment"
},
"event": {
"duration": 361259,
"agent_id_status": "verified",
"ingested": "2023-01-18T14:50:47Z",
"module": "kubernetes",
"dataset": "kubernetes.state_deployment"
}
}
Exported fields
Field | Description | Type | Metric Type |
---|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | |
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | |
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | |
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | |
cloud.image.id | Image ID for the cloud instance. | keyword | |
cloud.instance.id | Instance ID of the host machine. | keyword | |
cloud.instance.name | Instance name of the host machine. | keyword | |
cloud.machine.type | Machine type of the host machine. | keyword | |
cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | |
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | |
cloud.region | Region in which this host, resource, or service is located. | keyword | |
container.id | Unique container id. | keyword | |
container.image.name | Name of the image the container was built on. | keyword | |
container.labels | Image labels. | object | |
container.name | Container name. | keyword | |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | |
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
host.architecture | Operating system architecture. | keyword | |
host.containerized | If the host is a container. | boolean | |
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword | |
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name . | keyword | |
host.ip | Host ip addresses. | ip | |
host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | |
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
host.os.build | OS build information. | keyword | |
host.os.codename | OS codename, if any. | keyword | |
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
host.os.kernel | Operating system kernel version as a raw string. | keyword | |
host.os.name | Operating system name, without the version. | keyword | |
host.os.name.text | Multi-field of host.os.name . | match_only_text | |
host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
host.os.version | Operating system version as a raw string. | keyword | |
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium . If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
kubernetes.annotations.* | Kubernetes annotations map | object | |
kubernetes.deployment.name | Kubernetes deployment name | keyword | |
kubernetes.deployment.paused | Kubernetes deployment paused status | boolean | |
kubernetes.deployment.replicas.available | Deployment available replicas | integer | gauge |
kubernetes.deployment.replicas.desired | Deployment number of desired replicas (spec) | integer | gauge |
kubernetes.deployment.replicas.unavailable | Deployment unavailable replicas | integer | gauge |
kubernetes.deployment.replicas.updated | Deployment updated replicas | integer | gauge |
kubernetes.deployment.status.available | Deployment Available Condition status (true, false or unknown) | keyword | |
kubernetes.deployment.status.progressing | Deployment Progresing Condition status (true, false or unknown) | keyword | |
kubernetes.labels.* | Kubernetes labels map | object | |
kubernetes.namespace | Kubernetes namespace | keyword | |
kubernetes.namespace_labels.* | Kubernetes namespace labels map | object | |
kubernetes.namespace_uid | Kubernetes namespace UID | keyword | |
orchestrator.cluster.name | Name of the cluster. | keyword | |
orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | |
service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | |
service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, service.type would be elasticsearch . | keyword |
state_job
This is the state_job
dataset of the Kubernetes package. It collects job related
metrics from kube_state_metrics
.
An example event for state_job
looks as following:
{
"orchestrator": {
"cluster": {
"name": "kind",
"url": "kind-control-plane:6443"
}
},
"kubernetes": {
"namespace": "default",
"job": {
"owner": {
"kind": "CronJob",
"is_controller": "true",
"name": "hello"
},
"parallelism": {
"desired": 1
},
"name": "hello-27900898",
"completions": {
"desired": 1
},
"pods": {
"active": 0,
"failed": 0,
"succeeded": 1
},
"time": {
"created": "2023-01-18T14:58:00.000Z",
"completed": "2023-01-18T14:58:04.000Z"
},
"status": {
"complete": "true"
}
},
"namespace_uid": "5f4a8989-32b3-4fc9-ba5b-9dece58436b8",
"namespace_labels": {
"kubernetes_io/metadata_name": "default"
},
"cronjob": {
"name": "hello"
},
"labels": {
"job-name": "hello-27900898",
"controller-uid": "ae0e0759-f219-49c5-8845-43553448a045"
}
},
"agent": {
"name": "kind-control-plane",
"id": "c446ee97-62f8-47db-ac88-ada92aa550a0",
"ephemeral_id": "b61db5f9-8e5a-4ec2-b73f-dd4ee1537110",
"type": "metricbeat",
"version": "8.6.0"
},
"@timestamp": "2023-01-18T14:58:46.786Z",
"ecs": {
"version": "8.0.0"
},
"service": {
"address": "http://kube-state-metrics:8080/metrics",
"type": "kubernetes"
},
"data_stream": {
"namespace": "default",
"type": "metrics",
"dataset": "kubernetes.state_job"
},
"host": {
"hostname": "kind-control-plane",
"os": {
"kernel": "5.10.104-linuxkit",
"codename": "focal",
"name": "Ubuntu",
"family": "debian",
"type": "linux",
"version": "20.04.5 LTS (Focal Fossa)",
"platform": "ubuntu"
},
"containerized": false,
"ip": [
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"172.18.0.2",
"fc00:f853:ccd:e793::2",
"fe80::42:acff:fe12:2",
"10.244.0.1",
"172.21.0.2",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1"
],
"name": "kind-control-plane",
"id": "ee94d9f5b385448b805141d2b007ef9e",
"mac": [
"02-42-AC-12-00-02",
"02-42-AC-15-00-02",
"26-44-88-00-0A-01",
"36-29-00-36-7F-53",
"52-A2-77-CF-D4-EC",
"62-BC-CF-94-14-6C",
"8E-B9-C8-09-2D-B8",
"92-BA-04-F3-2A-CC",
"A2-55-7D-53-57-91",
"A6-4F-D1-E2-1E-12",
"B6-ED-00-D6-1B-B8",
"BA-D7-49-95-5A-F5",
"CA-B9-E6-A7-52-0D",
"D6-F9-71-43-6C-24",
"DE-05-63-F9-0B-36",
"EE-C8-E8-11-00-F5",
"F6-52-0A-F0-63-83"
],
"architecture": "x86_64"
},
"elastic_agent": {
"id": "c446ee97-62f8-47db-ac88-ada92aa550a0",
"version": "8.6.0",
"snapshot": false
},
"metricset": {
"period": 10000,
"name": "state_job"
},
"event": {
"duration": 212263,
"agent_id_status": "verified",
"ingested": "2023-01-18T14:58:46Z",
"module": "kubernetes",
"dataset": "kubernetes.state_job"
}
}
Exported fields
Field | Description | Type | Metric Type |
---|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | |
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | |
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | |
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | |
cloud.image.id | Image ID for the cloud instance. | keyword | |
cloud.instance.id | Instance ID of the host machine. | keyword | |
cloud.instance.name | Instance name of the host machine. | keyword | |
cloud.machine.type | Machine type of the host machine. | keyword | |
cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | |
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | |
cloud.region | Region in which this host, resource, or service is located. | keyword | |
container.id | Unique container id. | keyword | |
container.image.name | Name of the image the container was built on. | keyword | |
container.labels | Image labels. | object | |
container.name | Container name. | keyword | |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | |
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
host.architecture | Operating system architecture. | keyword | |
host.containerized | If the host is a container. | boolean | |
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword | |
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name . | keyword | |
host.ip | Host ip addresses. | ip | |
host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | |
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
host.os.build | OS build information. | keyword | |
host.os.codename | OS codename, if any. | keyword | |
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
host.os.kernel | Operating system kernel version as a raw string. | keyword | |
host.os.name | Operating system name, without the version. | keyword | |
host.os.name.text | Multi-field of host.os.name . | match_only_text | |
host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
host.os.version | Operating system version as a raw string. | keyword | |
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium . If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
kubernetes.annotations.* | Kubernetes annotations map | object | |
kubernetes.cronjob.name | Name of the CronJob to which the Pod belongs | keyword | |
kubernetes.job.completions.desired | The configured completion count for the job (Spec) | long | gauge |
kubernetes.job.name | Name of the Job to which the Pod belongs | keyword | |
kubernetes.job.owner.is_controller | Owner is controller ("true", "false", or "\<none\>" ) | keyword | |
kubernetes.job.owner.kind | The kind of resource that owns this job (eg. "CronJob") | keyword | |
kubernetes.job.owner.name | The name of the resource that owns this job | keyword | |
kubernetes.job.parallelism.desired | The configured parallelism of the job (Spec) | long | gauge |
kubernetes.job.pods.active | Number of active pods | long | gauge |
kubernetes.job.pods.failed | Number of failed pods | long | gauge |
kubernetes.job.pods.succeeded | Number of successful pods | long | gauge |
kubernetes.job.status.complete | Whether the job completed ("true", "false", or "unknown") | keyword | |
kubernetes.job.status.failed | Whether the job failed ("true", "false", or "unknown") | keyword | |
kubernetes.job.time.completed | The time at which the job completed | date | |
kubernetes.job.time.created | The time at which the job was created | date | |
kubernetes.labels.* | Kubernetes labels map | object | |
kubernetes.namespace | Kubernetes namespace | keyword | |
kubernetes.namespace_labels.* | Kubernetes namespace labels map | object | |
kubernetes.namespace_uid | Kubernetes namespace UID | keyword | |
orchestrator.cluster.name | Name of the cluster. | keyword | |
orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | |
service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | |
service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, service.type would be elasticsearch . | keyword |
state_namespace
This is the state_namespace
dataset of the Kubernetes package. It collects node related
metrics from kube_state_metrics
.
An example event for state_namespace
looks as following:
{
"kubernetes": {
"namespace": "local-path-storage",
"state_namespace": {
"created": {
"sec": 1698661397
},
"status": {
"active": true,
"terminating": false
}
}
},
"agent": {
"name": "kind-control-plane",
"id": "9bbe4c49-2375-4d5d-b7ed-87eaec794094",
"ephemeral_id": "fae4af00-5533-44c9-b2f1-bb5225bc2b36",
"type": "metricbeat",
"version": "8.11.0"
},
"@timestamp": "2023-10-30T10:31:06.062Z",
"ecs": {
"version": "8.0.0"
},
"data_stream": {
"namespace": "default",
"type": "metrics",
"dataset": "kubernetes.state_namespace"
},
"service": {
"address": "http://kube-state-metrics:8080/metrics",
"type": "kubernetes"
},
"elastic_agent": {
"id": "9bbe4c49-2375-4d5d-b7ed-87eaec794094",
"version": "8.11.0",
"snapshot": true
},
"host": {
"hostname": "kind-control-plane",
"os": {
"kernel": "6.3.13-linuxkit",
"codename": "focal",
"name": "Ubuntu",
"type": "linux",
"family": "debian",
"version": "20.04.6 LTS (Focal Fossa)",
"platform": "ubuntu"
},
"containerized": false,
"name": "kind-control-plane",
"id": "138690b2aa0f48758176419fc2733566",
"architecture": "x86_64"
},
"metricset": {
"period": 10000,
"name": "state_namespace"
},
"event": {
"duration": 546253,
"agent_id_status": "verified",
"ingested": "2023-10-30T10:31:07Z",
"module": "kubernetes",
"dataset": "kubernetes.state_namespace"
}
}
Exported fields
Field | Description | Type | Unit | Metric Type |
---|---|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | ||
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | ||
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | ||
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | ||
cloud.image.id | Image ID for the cloud instance. | keyword | ||
cloud.instance.id | Instance ID of the host machine. | keyword | ||
cloud.instance.name | Instance name of the host machine. | keyword | ||
cloud.machine.type | Machine type of the host machine. | keyword | ||
cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | ||
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | ||
cloud.region | Region in which this host, resource, or service is located. | keyword | ||
container.id | Unique container id. | keyword | ||
container.image.name | Name of the image the container was built on. | keyword | ||
container.labels | Image labels. | object | ||
container.name | Container name. | keyword | ||
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | ||
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | ||
host.architecture | Operating system architecture. | keyword | ||
host.containerized | If the host is a container. | boolean | ||
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | ||
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword | ||
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name . | keyword | ||
host.ip | Host ip addresses. | ip | ||
host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | ||
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | ||
host.os.build | OS build information. | keyword | ||
host.os.codename | OS codename, if any. | keyword | ||
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | ||
host.os.kernel | Operating system kernel version as a raw string. | keyword | ||
host.os.name | Operating system name, without the version. | keyword | ||
host.os.name.text | Multi-field of host.os.name . | match_only_text | ||
host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | ||
host.os.version | Operating system version as a raw string. | keyword | ||
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium . If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | ||
kubernetes.namespace | Kubernetes namespace | keyword | ||
kubernetes.state_namespace.created.sec | Epoch seconds since the namespace was created. | double | s | gauge |
kubernetes.state_namespace.status.active | Whether the namespace is active (true or false). | boolean | ||
kubernetes.state_namespace.status.terminating | Whether the namespace is terminating (true or false). | boolean | ||
orchestrator.cluster.name | Name of the cluster. | keyword | ||
orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | ||
service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | ||
service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, service.type would be elasticsearch . | keyword |
state_node
This is the state_node
dataset of the Kubernetes package. It collects node related
metrics from kube_state_metrics
.
An example event for state_node
looks as following:
{
"kubernetes": {
"labels": {
"beta_kubernetes_io/arch": "amd64",
"beta_kubernetes_io/os": "linux",
"kubernetes_io/arch": "amd64",
"kubernetes_io/hostname": "kind-control-plane",
"kubernetes_io/os": "linux",
"node-role_kubernetes_io/control-plane": "",
"node_kubernetes_io/exclude-from-external-load-balancers": ""
},
"node": {
"cpu": {
"allocatable": {
"cores": 16
},
"capacity": {
"cores": 16
}
},
"kubelet": {
"version": "v1.27.3"
},
"memory": {
"allocatable": {
"bytes": 8069844992
},
"capacity": {
"bytes": 8069844992
}
},
"name": "kind-control-plane",
"pod": {
"allocatable": {
"total": 110
},
"capacity": {
"total": 110
}
},
"status": {
"disk_pressure": "false",
"memory_pressure": "false",
"pid_pressure": "false",
"ready": "true",
"unschedulable": false
}
}
}
}
Exported fields
Field | Description | Type | Unit | Metric Type |
---|---|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | ||
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | ||
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | ||
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | ||
cloud.image.id | Image ID for the cloud instance. | keyword | ||
cloud.instance.id | Instance ID of the host machine. | keyword | ||
cloud.instance.name | Instance name of the host machine. | keyword | ||
cloud.machine.type | Machine type of the host machine. | keyword | ||
cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | ||
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | ||
cloud.region | Region in which this host, resource, or service is located. | keyword | ||
container.id | Unique container id. | keyword | ||
container.image.name | Name of the image the container was built on. | keyword | ||
container.labels | Image labels. | object | ||
container.name | Container name. | keyword | ||
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | ||
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | ||
host.architecture | Operating system architecture. | keyword | ||
host.containerized | If the host is a container. | boolean | ||
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | ||
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword | ||
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name . | keyword | ||
host.ip | Host ip addresses. | ip | ||
host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | ||
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | ||
host.os.build | OS build information. | keyword | ||
host.os.codename | OS codename, if any. | keyword | ||
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | ||
host.os.kernel | Operating system kernel version as a raw string. | keyword | ||
host.os.name | Operating system name, without the version. | keyword | ||
host.os.name.text | Multi-field of host.os.name . | match_only_text | ||
host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | ||
host.os.version | Operating system version as a raw string. | keyword | ||
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium . If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | ||
kubernetes.annotations.* | Kubernetes annotations map | object | ||
kubernetes.labels.* | Kubernetes labels map | object | ||
kubernetes.node.cpu.allocatable.cores | Node CPU allocatable cores | float | gauge | |
kubernetes.node.cpu.capacity.cores | Node CPU capacity cores | long | gauge | |
kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | ||
kubernetes.node.kubelet.version | Kubelet version. | keyword | ||
kubernetes.node.memory.allocatable.bytes | Node allocatable memory in bytes | long | byte | gauge |
kubernetes.node.memory.capacity.bytes | Node memory capacity in bytes | long | byte | gauge |
kubernetes.node.name | Kubernetes node name | keyword | ||
kubernetes.node.pod.allocatable.total | Node allocatable pods | long | gauge | |
kubernetes.node.pod.capacity.total | Node pod capacity | long | gauge | |
kubernetes.node.status.disk_pressure | Node DiskPressure status (true, false or unknown) | keyword | ||
kubernetes.node.status.memory_pressure | Node MemoryPressure status (true, false or unknown) | keyword | ||
kubernetes.node.status.network_unavailable | Node NetworkUnavailable status (true, false or unknown) | keyword | ||
kubernetes.node.status.out_of_disk | Node OutOfDisk status (true, false or unknown) | keyword | ||
kubernetes.node.status.pid_pressure | Node PIDPressure status (true, false or unknown) | keyword | ||
kubernetes.node.status.ready | Node ready status (true, false or unknown) | keyword | ||
kubernetes.node.status.unschedulable | Node unschedulable status | boolean | ||
orchestrator.cluster.name | Name of the cluster. | keyword | ||
orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | ||
service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | ||
service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, service.type would be elasticsearch . | keyword |
state_persistentvolume
This is the state_persistentvolume
dataset of the Kubernetes package. It collects
PersistentVolume related metrics from kube_state_metrics
.
An example event for state_persistentvolume
looks as following:
{
"@timestamp": "2020-06-25T12:43:54.412Z",
"ecs": {
"version": "1.5.0"
},
"event": {
"module": "kubernetes",
"duration": 12149615,
"dataset": "kubernetes.state_persistentvolume"
},
"agent": {
"version": "8.0.0",
"ephemeral_id": "644323b5-5d6a-4dfb-92dd-35ca602db487",
"id": "a6147a6e-6626-4a84-9907-f372f6c61eee",
"name": "agent-ingest-management-clusterscope-674dbb75df-rp8cc",
"type": "metricbeat"
},
"kubernetes": {
"persistentvolume": {
"capacity": {
"bytes": 10737418240
},
"phase": "Bound",
"storage_class": "manual",
"name": "task-pv-volume"
},
"labels": {
"type": "local"
}
},
"host": {
"ip": [
"172.17.0.11"
],
"mac": [
"02:42:ac:11:00:0b"
],
"hostname": "agent-ingest-management-clusterscope-674dbb75df-rp8cc",
"architecture": "x86_64",
"os": {
"codename": "Core",
"platform": "centos",
"version": "7 (Core)",
"family": "redhat",
"name": "CentOS Linux",
"kernel": "4.19.81"
},
"id": "b0e83d397c054b8a99a431072fe4617b",
"name": "agent-ingest-management-clusterscope-674dbb75df-rp8cc",
"containerized": false
},
"metricset": {
"period": 10000,
"name": "state_persistentvolume"
},
"service": {
"address": "kube-state-metrics:8080",
"type": "kubernetes"
}
}
Exported fields
Field | Description | Type | Unit | Metric Type |
---|---|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | ||
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | ||
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | ||
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | ||
cloud.image.id | Image ID for the cloud instance. | keyword | ||
cloud.instance.id | Instance ID of the host machine. | keyword | ||
cloud.instance.name | Instance name of the host machine. | keyword | ||
cloud.machine.type | Machine type of the host machine. | keyword | ||
cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | ||
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | ||
cloud.region | Region in which this host, resource, or service is located. | keyword | ||
container.id | Unique container id. | keyword | ||
container.image.name | Name of the image the container was built on. | keyword | ||
container.labels | Image labels. | object | ||
container.name | Container name. | keyword | ||
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | ||
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | ||
host.architecture | Operating system architecture. | keyword | ||
host.containerized | If the host is a container. | boolean | ||
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | ||
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword | ||
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name . | keyword | ||
host.ip | Host ip addresses. | ip | ||
host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | ||
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | ||
host.os.build | OS build information. | keyword | ||
host.os.codename | OS codename, if any. | keyword | ||
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | ||
host.os.kernel | Operating system kernel version as a raw string. | keyword | ||
host.os.name | Operating system name, without the version. | keyword | ||
host.os.name.text | Multi-field of host.os.name . | match_only_text | ||
host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | ||
host.os.version | Operating system version as a raw string. | keyword | ||
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium . If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | ||
kubernetes.annotations.* | Kubernetes annotations map | object | ||
kubernetes.labels.* | Kubernetes labels map | object | ||
kubernetes.persistentvolume.capacity.bytes | Volume capacity | long | byte | gauge |
kubernetes.persistentvolume.name | Volume name. | keyword | ||
kubernetes.persistentvolume.phase | Volume phase according to kubernetes | keyword | ||
kubernetes.persistentvolume.storage_class | Storage class for the volume | keyword | ||
orchestrator.cluster.name | Name of the cluster. | keyword | ||
orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | ||
service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | ||
service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, service.type would be elasticsearch . | keyword |
state_persistentvolumeclaim
This is the state_persistentvolumeclaim
dataset of the Kubernetes package. It collects
PersistentVolumeClaim related metrics from kube_state_metrics
.
An example event for state_persistentvolumeclaim
looks as following:
{
"kubernetes": {
"namespace": "default",
"namespace_labels": {
"kubernetes_io/metadata_name": "default"
},
"namespace_uid": "b6c80381-f829-45a4-acef-e4e1c8e58f3e",
"persistentvolumeclaim": {
"access_mode": "ReadWriteOnce",
"created": "2024-01-08T14:07:51.000Z",
"name": "task-pv-claim",
"phase": "Bound",
"request_storage": {
"bytes": 1024
},
"storage_class": "generic",
"volume_name": "task-pv-volume"
}
}
}
Exported fields
Field | Description | Type | Unit | Metric Type |
---|---|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | ||
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | ||
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | ||
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | ||
cloud.image.id | Image ID for the cloud instance. | keyword | ||
cloud.instance.id | Instance ID of the host machine. | keyword | ||
cloud.instance.name | Instance name of the host machine. | keyword | ||
cloud.machine.type | Machine type of the host machine. | keyword | ||
cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | ||
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | ||
cloud.region | Region in which this host, resource, or service is located. | keyword | ||
container.id | Unique container id. | keyword | ||
container.image.name | Name of the image the container was built on. | keyword | ||
container.labels | Image labels. | object | ||
container.name | Container name. | keyword | ||
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | ||
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | ||
host.architecture | Operating system architecture. | keyword | ||
host.containerized | If the host is a container. | boolean | ||
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | ||
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword | ||
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name . | keyword | ||
host.ip | Host ip addresses. | ip | ||
host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | ||
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | ||
host.os.build | OS build information. | keyword | ||
host.os.codename | OS codename, if any. | keyword | ||
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | ||
host.os.kernel | Operating system kernel version as a raw string. | keyword | ||
host.os.name | Operating system name, without the version. | keyword | ||
host.os.name.text | Multi-field of host.os.name . | match_only_text | ||
host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | ||
host.os.version | Operating system version as a raw string. | keyword | ||
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium . If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | ||
kubernetes.annotations.* | Kubernetes annotations map | object | ||
kubernetes.labels.* | Kubernetes labels map | object | ||
kubernetes.namespace | Kubernetes namespace | keyword | ||
kubernetes.namespace_labels.* | Kubernetes namespace labels map | object | ||
kubernetes.namespace_uid | Kubernetes namespace UID | keyword | ||
kubernetes.persistentvolumeclaim.access_mode | Access mode. | keyword | ||
kubernetes.persistentvolumeclaim.created | PersistentVolumeClaim creation date | date | ||
kubernetes.persistentvolumeclaim.name | PVC name. | keyword | ||
kubernetes.persistentvolumeclaim.phase | PVC phase. | keyword | ||
kubernetes.persistentvolumeclaim.request_storage.bytes | Requested capacity. | long | byte | gauge |
kubernetes.persistentvolumeclaim.storage_class | Storage class for the PVC. | keyword | ||
kubernetes.persistentvolumeclaim.volume_name | Binded volume name. | keyword | ||
orchestrator.cluster.name | Name of the cluster. | keyword | ||
orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | ||
service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | ||
service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, service.type would be elasticsearch . | keyword |
state_pod
This is the state_pod
dataset of the Kubernetes package. It collects
Pod related metrics from kube_state_metrics
.
An example event for state_pod
looks as following:
{
"kubernetes": {
"node": {
"uid": "57ccd748-c877-4be9-9b0e-568e9f205025",
"hostname": "kind-control-plane",
"name": "kind-control-plane",
"labels": {
"node_kubernetes_io/exclude-from-external-load-balancers": "",
"node-role_kubernetes_io/master": "",
"kubernetes_io/hostname": "kind-control-plane",
"node-role_kubernetes_io/control-plane": "",
"beta_kubernetes_io/os": "linux",
"kubernetes_io/arch": "amd64",
"kubernetes_io/os": "linux",
"beta_kubernetes_io/arch": "amd64"
}
},
"pod": {
"uid": "d06d59c2-929f-4b13-bc7d-c2492200ce07",
"host_ip": "172.20.0.2",
"ip": "172.20.0.2",
"name": "elastic-agent-h2mgj",
"status": {
"phase": "running",
"ready": "true",
"scheduled": "true"
}
},
"namespace": "kube-system",
"daemonset": {
"name": "elastic-agent"
},
"namespace_uid": "a4453575-518e-4a21-9909-34874f674177",
"namespace_labels": {
"kubernetes_io/metadata_name": "kube-system"
},
"labels": {
"app": "elastic-agent",
"controller-revision-hash": "57c5d7c56f",
"pod-template-generation": "3"
}
},
"agent": {
"name": "kind-control-plane",
"id": "de42127b-4db8-4471-824e-a7b14f478663",
"type": "metricbeat",
"ephemeral_id": "22ed892c-43bd-408a-9121-65e2f5b6a56e",
"version": "8.1.0"
},
"elastic_agent": {
"id": "de42127b-4db8-4471-824e-a7b14f478663",
"version": "8.1.0",
"snapshot": true
},
"orchestrator": {
"cluster": {
"name": "kind",
"url": "kind-control-plane:6443"
}
},
"@timestamp": "2021-12-20T10:03:24.643Z",
"ecs": {
"version": "8.0.0"
},
"data_stream": {
"namespace": "default",
"type": "metrics",
"dataset": "kubernetes.state_pod"
},
"service": {
"address": "http://kube-state-metrics:8080/metrics",
"type": "kubernetes"
},
"host": {
"hostname": "kind-control-plane",
"os": {
"kernel": "5.10.47-linuxkit",
"codename": "Core",
"name": "CentOS Linux",
"family": "redhat",
"type": "linux",
"version": "7 (Core)",
"platform": "centos"
},
"containerized": true,
"ip": [
"10.244.0.1"
],
"name": "kind-control-plane",
"id": "85e35c2b5e1b39ba72393a6baf6ee7cd",
"mac": [
"fe:ec:82:9f:29:19"
],
"architecture": "x86_64"
},
"metricset": {
"period": 10000,
"name": "state_pod"
},
"event": {
"duration": 736951,
"agent_id_status": "verified",
"ingested": "2021-12-20T10:03:25Z",
"module": "kubernetes",
"dataset": "kubernetes.state_pod"
}
}
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword |
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
cloud.image.id | Image ID for the cloud instance. | keyword |
cloud.instance.id | Instance ID of the host machine. | keyword |
cloud.instance.name | Instance name of the host machine. | keyword |
cloud.machine.type | Machine type of the host machine. | keyword |
cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
cloud.region | Region in which this host, resource, or service is located. | keyword |
container.id | Unique container id. | keyword |
container.image.name | Name of the image the container was built on. | keyword |
container.labels | Image labels. | object |
container.name | Container name. | keyword |
container.runtime | Runtime managing this container. | keyword |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
host.architecture | Operating system architecture. | keyword |
host.containerized | If the host is a container. | boolean |
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword |
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name . | keyword |
host.ip | Host ip addresses. | ip |
host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
host.os.kernel | Operating system kernel version as a raw string. | keyword |
host.os.name | Operating system name, without the version. | keyword |
host.os.name.text | Multi-field of host.os.name . | match_only_text |
host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
host.os.version | Operating system version as a raw string. | keyword |
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium . If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
kubernetes.annotations.* | Kubernetes annotations map | object |
kubernetes.cronjob.name | Name of the CronJob to which the Pod belongs | keyword |
kubernetes.daemonset.name | Kubernetes daemonset name | keyword |
kubernetes.deployment.name | Kubernetes deployment name | keyword |
kubernetes.job.name | Name of the Job to which the Pod belongs | keyword |
kubernetes.labels.* | Kubernetes labels map | object |
kubernetes.namespace | Kubernetes namespace | keyword |
kubernetes.namespace_annotations.* | Kubernetes namespace annotations map | object |
kubernetes.namespace_labels.* | Kubernetes namespace labels map | object |
kubernetes.namespace_uid | Kubernetes namespace UID | keyword |
kubernetes.node.annotations.* | Kubernetes node annotations map | object |
kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword |
kubernetes.node.labels.* | Kubernetes node labels map | object |
kubernetes.node.name | Kubernetes node name | keyword |
kubernetes.node.uid | Kubernetes node UID | keyword |
kubernetes.pod.host_ip | Kubernetes pod host IP | ip |
kubernetes.pod.ip | Kubernetes pod IP | ip |
kubernetes.pod.name | Kubernetes pod name | keyword |
kubernetes.pod.status.phase | Kubernetes pod phase (Running, Pending...) | keyword |
kubernetes.pod.status.ready | Kubernetes pod ready status (true, false or unknown) | keyword |
kubernetes.pod.status.scheduled | Kubernetes pod scheduled status (true, false, unknown) | keyword |
kubernetes.pod.uid | Kubernetes pod UID | keyword |
kubernetes.replicaset.name | Kubernetes replicaset name | keyword |
kubernetes.statefulset.name | Kubernetes statefulset name | keyword |
orchestrator.cluster.name | Name of the cluster. | keyword |
orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword |
service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, service.type would be elasticsearch . | keyword |
state_replicaset
This is the state_replicaset
dataset of the Kubernetes package. It collects
Replicaset related metrics from kube_state_metrics
.
An example event for state_replicaset
looks as following:
{
"orchestrator": {
"cluster": {
"name": "kind",
"url": "kind-control-plane:6443"
}
},
"kubernetes": {
"namespace": "kube-system",
"replicaset": {
"replicas": {
"desired": 1,
"ready": 1,
"labeled": 1,
"available": 1,
"observed": 1
},
"name": "kube-state-metrics-599d598bdf"
},
"namespace_uid": "250a647d-3acc-4f7e-85b5-a51b6069959d",
"namespace_labels": {
"kubernetes_io/metadata_name": "kube-system"
},
"deployment": {
"name": "kube-state-metrics"
},
"labels": {
"pod-template-hash": "599d598bdf",
"app_kubernetes_io/version": "2.5.0",
"app_kubernetes_io/name": "kube-state-metrics",
"app_kubernetes_io/component": "exporter"
}
},
"agent": {
"name": "kind-control-plane",
"id": "c446ee97-62f8-47db-ac88-ada92aa550a0",
"type": "metricbeat",
"ephemeral_id": "b61db5f9-8e5a-4ec2-b73f-dd4ee1537110",
"version": "8.6.0"
},
"@timestamp": "2023-01-18T14:40:26.856Z",
"ecs": {
"version": "8.0.0"
},
"service": {
"address": "http://kube-state-metrics:8080/metrics",
"type": "kubernetes"
},
"data_stream": {
"namespace": "default",
"type": "metrics",
"dataset": "kubernetes.state_replicaset"
},
"host": {
"hostname": "kind-control-plane",
"os": {
"kernel": "5.10.104-linuxkit",
"codename": "focal",
"name": "Ubuntu",
"type": "linux",
"family": "debian",
"version": "20.04.5 LTS (Focal Fossa)",
"platform": "ubuntu"
},
"containerized": false,
"ip": [
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"172.18.0.2",
"fc00:f853:ccd:e793::2",
"fe80::42:acff:fe12:2",
"10.244.0.1",
"172.21.0.2",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1",
"10.244.0.1"
],
"name": "kind-control-plane",
"id": "ee94d9f5b385448b805141d2b007ef9e",
"mac": [
"02-42-AC-12-00-02",
"02-42-AC-15-00-02",
"26-44-88-00-0A-01",
"36-29-00-36-7F-53",
"8E-B9-C8-09-2D-B8",
"92-BA-04-F3-2A-CC",
"A2-55-7D-53-57-91",
"A6-4F-D1-E2-1E-12",
"B6-ED-00-D6-1B-B8",
"BA-D7-49-95-5A-F5",
"CA-B9-E6-A7-52-0D",
"D6-F9-71-43-6C-24",
"DE-05-63-F9-0B-36",
"F6-52-0A-F0-63-83"
],
"architecture": "x86_64"
},
"elastic_agent": {
"id": "c446ee97-62f8-47db-ac88-ada92aa550a0",
"version": "8.6.0",
"snapshot": false
},
"metricset": {
"period": 10000,
"name": "state_replicaset"
},
"event": {
"duration": 394846,
"agent_id_status": "verified",
"ingested": "2023-01-18T14:40:27Z",
"module": "kubernetes",
"dataset": "kubernetes.state_replicaset"
}
}
Exported fields
Field | Description | Type | Metric Type |
---|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | |
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | |
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | |
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | |
cloud.image.id | Image ID for the cloud instance. | keyword | |
cloud.instance.id | Instance ID of the host machine. | keyword | |
cloud.instance.name | Instance name of the host machine. | keyword | |
cloud.machine.type | Machine type of the host machine. | keyword | |
cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | |
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | |
cloud.region | Region in which this host, resource, or service is located. | keyword | |
container.id | Unique container id. | keyword | |
container.image.name | Name of the image the container was built on. | keyword | |
container.labels | Image labels. | object | |
container.name | Container name. | keyword | |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | |
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
host.architecture | Operating system architecture. | keyword | |
host.containerized | If the host is a container. | boolean | |
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword | |
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name . | keyword | |
host.ip | Host ip addresses. | ip | |
host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | |
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
host.os.build | OS build information. | keyword | |
host.os.codename | OS codename, if any. | keyword | |
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
host.os.kernel | Operating system kernel version as a raw string. | keyword | |
host.os.name | Operating system name, without the version. | keyword | |
host.os.name.text | Multi-field of host.os.name . | match_only_text | |
host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
host.os.version | Operating system version as a raw string. | keyword | |
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium . If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
kubernetes.annotations.* | Kubernetes annotations map | object | |
kubernetes.deployment.name | Kubernetes deployment name | keyword | |
kubernetes.labels.* | Kubernetes labels map | object | |
kubernetes.namespace | Kubernetes namespace | keyword | |
kubernetes.namespace_labels.* | Kubernetes namespace labels map | object | |
kubernetes.namespace_uid | Kubernetes namespace UID | keyword | |
kubernetes.replicaset.name | Kubernetes replicaset name | keyword | |
kubernetes.replicaset.replicas.available | The number of replicas per ReplicaSet | long | gauge |
kubernetes.replicaset.replicas.desired | The number of replicas per ReplicaSet | long | gauge |
kubernetes.replicaset.replicas.labeled | The number of fully labeled replicas per ReplicaSet | long | gauge |
kubernetes.replicaset.replicas.observed | The generation observed by the ReplicaSet controller | long | gauge |
kubernetes.replicaset.replicas.ready | The number of ready replicas per ReplicaSet | long | gauge |
orchestrator.cluster.name | Name of the cluster. | keyword | |
orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | |
service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | |
service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, service.type would be elasticsearch . | keyword |
state_resourcequota
This is the state_resourcequota
dataset of the Kubernetes package. It collects ResourceQuota related metrics
from kube_state_metrics
.
An example event for state_resourcequota
looks as following:
{
"@timestamp": "2020-06-25T12:45:04.416Z",
"metricset": {
"name": "state_resourcequota",
"period": 10000
},
"host": {
"hostname": "agent-ingest-management-clusterscope-674dbb75df-rp8cc",
"name": "agent-ingest-management-clusterscope-674dbb75df-rp8cc",
"architecture": "x86_64",
"os": {
"codename": "Core",
"platform": "centos",
"version": "7 (Core)",
"family": "redhat",
"name": "CentOS Linux",
"kernel": "4.19.81"
},
"id": "b0e83d397c054b8a99a431072fe4617b",
"containerized": false,
"ip": [
"172.17.0.11"
],
"mac": [
"02:42:ac:11:00:0b"
]
},
"service": {
"address": "kube-state-metrics:8080",
"type": "kubernetes"
},
"event": {
"dataset": "kubernetes.state_resourcequota",
"module": "kubernetes",
"duration": 6324269
},
"agent": {
"id": "a6147a6e-6626-4a84-9907-f372f6c61eee",
"name": "agent-ingest-management-clusterscope-674dbb75df-rp8cc",
"type": "metricbeat",
"version": "8.0.0",
"ephemeral_id": "644323b5-5d6a-4dfb-92dd-35ca602db487"
},
"ecs": {
"version": "1.5.0"
},
"kubernetes": {
"namespace": "quota-object-example",
"resourcequota": {
"name": "object-quota-demo",
"resource": "persistentvolumeclaims",
"type": "hard",
"quota": 1
}
}
}
Exported fields
Field | Description | Type | Unit | Metric Type |
---|---|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | ||
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | ||
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | ||
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | ||
cloud.image.id | Image ID for the cloud instance. | keyword | ||
cloud.instance.id | Instance ID of the host machine. | keyword | ||
cloud.instance.name | Instance name of the host machine. | keyword | ||
cloud.machine.type | Machine type of the host machine. | keyword | ||
cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | ||
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | ||
cloud.region | Region in which this host, resource, or service is located. | keyword | ||
container.id | Unique container id. | keyword | ||
container.image.name | Name of the image the container was built on. | keyword | ||
container.labels | Image labels. | object | ||
container.name | Container name. | keyword | ||
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | ||
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | ||
host.architecture | Operating system architecture. | keyword | ||
host.containerized | If the host is a container. | boolean | ||
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | ||
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword | ||
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name . | keyword | ||
host.ip | Host ip addresses. | ip | ||
host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | ||
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | ||
host.os.build | OS build information. | keyword | ||
host.os.codename | OS codename, if any. | keyword | ||
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | ||
host.os.kernel | Operating system kernel version as a raw string. | keyword | ||
host.os.name | Operating system name, without the version. | keyword | ||
host.os.name.text | Multi-field of host.os.name . | match_only_text | ||
host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | ||
host.os.version | Operating system version as a raw string. | keyword | ||
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium . If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | ||
kubernetes.annotations.* | Kubernetes annotations map | object | ||
kubernetes.labels.* | Kubernetes labels map | object | ||
kubernetes.namespace | Kubernetes namespace | keyword | ||
kubernetes.resourcequota.created.sec | Epoch seconds since the ResourceQuota was created | double | s | gauge |
kubernetes.resourcequota.name | ResourceQuota name | keyword | ||
kubernetes.resourcequota.quota | Quota informed (hard or used) for the resource | double | gauge | |
kubernetes.resourcequota.resource | Resource name the quota applies to | keyword | ||
kubernetes.resourcequota.type | Quota information type, hard or used | keyword | ||
orchestrator.cluster.name | Name of the cluster. | keyword | ||
orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | ||
service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | ||
service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, service.type would be elasticsearch . | keyword |
state_service
This is the state_service
dataset of the Kubernetes package. It collects
Service related metrics from kube_state_metrics
.
An example event for state_service
looks as following:
{
"kubernetes": {
"service": {
"created": "2021-12-15T16:57:18.000Z",
"name": "kube-dns",
"type": "ClusterIP",
"cluster_ip": "10.96.0.10"
},
"namespace": "kube-system",
"namespace_uid": "a4453575-518e-4a21-9909-34874f674177",
"selectors": {
"k8s-app": "kube-dns"
},
"namespace_labels": {
"kubernetes_io/metadata_name": "kube-system"
},
"labels": {
"kubernetes_io_cluster_service": "true",
"kubernetes_io_name": "CoreDNS",
"k8s_app": "kube-dns",
"k8s-app": "kube-dns",
"kubernetes_io/cluster-service": "true",
"kubernetes_io/name": "CoreDNS"
}
},
"agent": {
"name": "kind-control-plane",
"id": "de42127b-4db8-4471-824e-a7b14f478663",
"type": "metricbeat",
"ephemeral_id": "22ed892c-43bd-408a-9121-65e2f5b6a56e",
"version": "8.1.0"
},
"elastic_agent": {
"id": "de42127b-4db8-4471-824e-a7b14f478663",
"version": "8.1.0",
"snapshot": true
},
"orchestrator": {
"cluster": {
"name": "kind",
"url": "kind-control-plane:6443"
}
},
"@timestamp": "2021-12-20T10:04:34.632Z",
"ecs": {
"version": "8.0.0"
},
"service": {
"address": "http://kube-state-metrics:8080/metrics",
"type": "kubernetes"
},
"data_stream": {
"namespace": "default",
"type": "metrics",
"dataset": "kubernetes.state_service"
},
"host": {
"hostname": "kind-control-plane",
"os": {
"kernel": "5.10.47-linuxkit",
"codename": "Core",
"name": "CentOS Linux",
"type": "linux",
"family": "redhat",
"version": "7 (Core)",
"platform": "centos"
},
"containerized": true,
"ip": [
"10.244.0.1"
],
"name": "kind-control-plane",
"id": "85e35c2b5e1b39ba72393a6baf6ee7cd",
"mac": [
"fe:ec:82:9f:29:19"
],
"architecture": "x86_64"
},
"metricset": {
"period": 10000,
"name": "state_service"
},
"event": {
"duration": 187211,
"agent_id_status": "verified",
"ingested": "2021-12-20T10:04:35Z",
"module": "kubernetes",
"dataset": "kubernetes.state_service"
}
}
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword |
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
cloud.image.id | Image ID for the cloud instance. | keyword |
cloud.instance.id | Instance ID of the host machine. | keyword |
cloud.instance.name | Instance name of the host machine. | keyword |
cloud.machine.type | Machine type of the host machine. | keyword |
cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
cloud.region | Region in which this host, resource, or service is located. | keyword |
container.id | Unique container id. | keyword |
container.image.name | Name of the image the container was built on. | keyword |
container.labels | Image labels. | object |
container.name | Container name. | keyword |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
host.architecture | Operating system architecture. | keyword |
host.containerized | If the host is a container. | boolean |
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword |
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name . | keyword |
host.ip | Host ip addresses. | ip |
host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
host.os.kernel | Operating system kernel version as a raw string. | keyword |
host.os.name | Operating system name, without the version. | keyword |
host.os.name.text | Multi-field of host.os.name . | match_only_text |
host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
host.os.version | Operating system version as a raw string. | keyword |
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium . If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
kubernetes.annotations.* | Kubernetes annotations map | object |
kubernetes.labels.* | Kubernetes labels map | object |
kubernetes.namespace | Kubernetes namespace | keyword |
kubernetes.namespace_annotations.* | Kubernetes namespace annotations map | object |
kubernetes.namespace_labels.* | Kubernetes namespace labels map | object |
kubernetes.namespace_uid | Kubernetes namespace UID | keyword |
kubernetes.selectors.* | Kubernetes Service selectors map | object |
kubernetes.service.cluster_ip | Internal IP for the service. | keyword |
kubernetes.service.created | Service creation date | date |
kubernetes.service.external_ip | Service external IP | keyword |
kubernetes.service.external_name | Service external DNS name | keyword |
kubernetes.service.ingress_hostname | Ingress Hostname | keyword |
kubernetes.service.ingress_ip | Ingress IP | keyword |
kubernetes.service.load_balancer_ip | Load Balancer service IP | keyword |
kubernetes.service.name | Service name. | keyword |
kubernetes.service.type | Service type | keyword |
orchestrator.cluster.name | Name of the cluster. | keyword |
orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword |
service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, service.type would be elasticsearch . | keyword |
state_statefulset
This is the state_statefulset
dataset of the Kubernetes package.
An example event for state_statefulset
looks as following:
{
"orchestrator": {
"cluster": {
&