Service fields
Elastic Stack Serverless
The service fields describe the service for or from which the data was collected.
These fields help you find and correlate logs for a specific service and version.
| Field | Description | Level |
|---|---|---|
| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). type: keyword example: 172.26.0.2:5432 |
extended |
| service.ephemeral_id | Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but service.id does not.type: keyword example: 8a4f500f |
extended |
| service.id | Unique identifier of the running service. If the service is comprised of many nodes, the service.id should be the same for all nodes.This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that host.name or host.id instead.type: keyword example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 |
core |
| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the service.type field if no name is specified.type: keyword example: elasticsearch-metrics  service.name |
core |
| service.node.name | Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, service.node.name should typically be unique across nodes of a given service.In the case of Elasticsearch, the service.node.name could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.type: keyword example: instance-0000000016  service.instance.id |
extended |
| service.node.role | Deprecated for removal in next major version release. This field will be superseded by node.roles.Role of a service node. This allows for distinction between different running roles of the same service. In the case of Kibana, the service.node.role could be ui or background_tasks.In the case of Elasticsearch, the service.node.role could be master or data.Other services could use this to distinguish between a web and worker role running as part of the service.type: keyword example: background_tasks |
extended |
| service.node.roles | Roles of a service node. This allows for distinction between different running roles of the same service. In the case of Kibana, the service.node.role could be ui or background_tasks or both.In the case of Elasticsearch, the service.node.role could be master or data or both.Other services could use this to distinguish between a web and worker role running as part of the service.type: keyword Note: this field should contain an array of values. example: ["ui", "background_tasks"] |
extended |
| service.state | Current state of the service. type: keyword |
core |
| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, service.type would be elasticsearch.type: keyword example: elasticsearch |
core |
| service.version | Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service. type: keyword example: 3.2.4 service.version |
core |
| Field | Description | Level |
|---|---|---|
| service.environment | Identifies the environment where the service is running. If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment. type: keyword example: production deployment.environment.name |
extended |
The service fields are expected to be nested at:
service.originservice.target
Note also that the service fields may be used directly at the root of the events.
Warning
These fields are in beta and are subject to change.
| Location | Field Set | Description |
|---|---|---|
service.origin.* |
service |
Describes the origin service in case of an incoming request or event. |
service.target.* |
service |
Describes the target service in case of an outgoing request or event. |
For usage and examples of the service fields, please see the Service Fields Usage and Examples section.