Operating system fields

Elastic Stack Serverless

The OS fields contain information about the operating system.

Field: os.family
Description: OS family (such as redhat, debian, freebsd, windows).
type: keyword
example: debian
Level: extended

Field: os.full
Description: Operating system name, including the version or code name.
type: keyword
Multi-fields:
- os.full.text (type: match_only_text)
example: Mac OS Mojave
OTel relation: os.description
Level: extended

Field: os.kernel
Description: Operating system kernel version as a raw string.
type: keyword
example: 4.4.0-112-generic
Level: extended

Field: os.name
Description: Operating system name, without the version.
type: keyword
Multi-fields:
- os.name.text (type: match_only_text)
example: Mac OS X
OTel relation: os.name
Level: extended

Field: os.platform
Description: Operating system platform (such as centos, ubuntu, windows).
type: keyword
example: darwin
Level: extended

Field: os.type
Description: Use the os.type field to categorize the operating system into one of the broad commercial families.
If the OS you’re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
Expected values for this field:
- linux
- macos
- unix
- windows
- ios
- android
type: keyword
example: macos
OTel relation: os.type
Note: The expected values in ECS for os.type do not correspond with the values defined in OpenTelemetry semantic conventions. Map between them explicitly rather than copying the OTel value into the ECS field.
Level: extended

Field: os.version
Description: Operating system version as a raw string.
type: keyword
example: 10.14.1
OTel relation: os.version
Level: extended

The os fields are expected to be nested at:

  • host.os
  • observer.os
  • user_agent.os

Note also that the os fields are not expected to be used directly at the root of an event.
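The rules above (os.type must be absent or one of the expected values, os fields live only under host.os, observer.os and user_agent.os, never at the root) are easy to state and easy to get wrong in an ingest pipeline. The following validator is an added example written for this page; it is not ECS project code. It accepts events as Python dicts parsed from JSON, either fully nested or using dotted keys such as "host.os.type", and reports every violation it finds. The OTel-to-ECS os.type mapping at the end is an assumption: the OTel values listed there come from the OpenTelemetry semantic conventions as the author of this example knows them and are not part of the page above.

```python
"""Validate ECS os.* fields on an event and map OTel os.type onto ECS os.type.

Added example, not ECS project code. Rules implemented are those stated on the page:
  * os.type is either unset or one of ECS_OS_TYPES;
  * os.* objects appear only under host, observer and user_agent;
  * os.* never appears at the root of the event.
Assumption: events are dicts parsed from JSON, nested or with dotted keys.
"""
from typing import Optional

ECS_OS_TYPES = {"linux", "macos", "unix", "windows", "ios", "android"}
ECS_OS_FIELDS = {"family", "full", "kernel", "name", "platform", "type", "version"}
OS_PARENTS = ("host", "observer", "user_agent")

# Assumption: OTel semconv os.type values are not on this page; this mapping is the
# example author's, not an ECS-defined table. Values with no ECS counterpart (e.g. z_os)
# are deliberately absent so the ECS field stays unset for them.
OTEL_TO_ECS_OS_TYPE = {
    "windows": "windows", "linux": "linux", "darwin": "macos",
    "freebsd": "unix", "netbsd": "unix", "openbsd": "unix", "dragonflybsd": "unix",
    "hpux": "unix", "aix": "unix", "solaris": "unix",
}


def _deep_merge(dst: dict, src: dict) -> None:
    """Merge src into dst in place, recursing into nested dicts."""
    for key, value in src.items():
        if isinstance(value, dict) and isinstance(dst.get(key), dict):
            _deep_merge(dst[key], value)
        else:
            dst[key] = value


def expand_dotted(event: dict) -> dict:
    """Turn {"host.os.type": "linux"} into {"host": {"os": {"type": "linux"}}}."""
    out: dict = {}
    for key, value in event.items():
        if isinstance(value, dict):
            value = expand_dotted(value)
        node = value
        for part in reversed(key.split(".")):
            node = {part: node}
        _deep_merge(out, node)
    return out


def validate_os_fields(event: dict) -> list:
    """Return a list of rule violations; an empty list means the os fields are valid."""
    ev = expand_dotted(event)
    problems = []
    if "os" in ev:
        problems.append("os: os fields must not be used at the root of the event")
    for parent in OS_PARENTS:
        parent_obj = ev.get(parent)
        if not isinstance(parent_obj, dict) or "os" not in parent_obj:
            continue
        prefix = f"{parent}.os"
        os_obj = parent_obj["os"]
        if not isinstance(os_obj, dict):
            problems.append(f"{prefix}: expected an object, got {type(os_obj).__name__}")
            continue
        for key, value in os_obj.items():
            if key not in ECS_OS_FIELDS:
                problems.append(f"{prefix}.{key}: not an ECS os field")
            elif not isinstance(value, str):
                problems.append(f"{prefix}.{key}: keyword fields must be strings")
        os_type = os_obj.get("type")
        if os_type is not None and os_type not in ECS_OS_TYPES:
            problems.append(f"{prefix}.type: {os_type!r} is not an expected value; leave the field unset instead")
    return problems


def ecs_os_type_from_otel(otel_os_type: Optional[str]) -> Optional[str]:
    """Map an OTel os.type value to ECS os.type; None means 'do not populate os.type'."""
    if otel_os_type is None:
        return None
    return OTEL_TO_ECS_OS_TYPE.get(otel_os_type.lower())


# Constructed sample events for demonstration (not real telemetry).
GOOD_EVENT = {
    "host": {"os": {"family": "debian", "name": "Ubuntu", "platform": "ubuntu",
                    "kernel": "4.4.0-112-generic", "version": "18.04", "type": "linux"}},
    "user_agent.os": {"name": "Mac OS X", "version": "10.14.1",
                      "full": "Mac OS Mojave", "type": "macos"},
}
BAD_EVENT = {
    "os": {"name": "Windows"},                            # os.* at the root
    "host.os.type": "freebsd",                            # OTel-style value, not an ECS one
    "observer": {"os": {"kernel": 4, "arch": "x86_64"}},  # non-string keyword, unknown field
}

if __name__ == "__main__":
    for label, ev in (("good", GOOD_EVENT), ("bad", BAD_EVENT)):
        print(label, validate_os_fields(ev) or "ok")
    print("otel darwin ->", ecs_os_type_from_otel("darwin"))
```

Run as a script it prints the violations for the constructed bad event and the mapping result for one OTel value; in a pipeline you would call validate_os_fields on each document before indexing and either drop the offending fields or route the event to a dead-letter index. The mapping function returns None for anything it does not know, which matches the page's guidance to leave os.type unset rather than guess.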