Centralizing logs from various technologies and applications tends to generate tens or hundreds of different attributes in a Log Management environment—especially when many teams’ users, each one with their own personal usage patterns, are working within the same environment.
For instance, a client IP might be transcribed with various attributes within your logs: clientIP, client_ip_address, remote_address, client.ip, etc. The execution time of a request may be referred to as exec_time, request_latency, request.time_elapsed, etc.
In this context, the number of created or provided attributes can lead to confusion and difficulty to configure or understand the environment. It is also cumbersome to know which attributes correspond to the the logs of interest and—for instance—correlating web proxy with web application logs would be difficult.
Even if technologies and teams natively define their respective logs attributes differently, a URL, client IP, or duration have universally consistent meanings. A naming convention defines standard names to use when referring to structuring technical or business concepts, resulting in a common language that everyone agrees to use by convention.
Standard Attributes are the backbone of the naming convention for your organization.
With Aliasing, search and aggregate logs flowing from heterogenous sources. Onboard users across multiple teams with your naming convention, without asking them for changes in their technical stack.
Aliasing is particularly useful when it comes to filtering or aggregating logs from different sources altogether—that is to say, when turned into facets. Gathering content from multiple and heterogenous sources into a unique Standard Facet makes it much more straightforward to build insights or pivot information across your organization.
For example, follow the clients most impacted by latencies on a hybrid Apache and Amazon Cloud Front infrastructure, using the standard Network Client IP facet alongside the standard duration.
Log integrations natively rely on a default set of standard attributes.
Admin users in your organization can curate the list:
Aliasing a source attribute towards a destination attribute allow logs carrying the source attribute to carry the source and destination attribute, both with the same value.
Users can interact with either the aliased (source) or standard (destination) faceted attribute. As far as facets are concerned, however, users are nudged to use the standard facet rather than the aliased one. This provides guidance towards the naming convention, and discourages users from building assets (such as saved views or dashboards) based on non-standard content.
Additional details regarding aliasing:
user and user.name cannot both be standard attributes).The standard attribute table is available in Log Configuration pages, along with pipelines and other logs intake capabilities such as metrics generation, archives, exclusion filters, etc.
The standard attribute table comes with a set of predefined standard attributes. You can append that list with your own attributes, and edit or delete existing standard attributes:
A standard attribute is defined by its:
Path: The path of the attribute promoted as a standard attribute, as you would find it in your JSON (for example: network.client.ip).Type (string, integer, double, boolean): The type of the attribute, which is used to cast elements of the remapping list.Aliasing list: Comma separated list of attributes that should be aliased to it.Description: Human readable description of the attribute.The standard attribute panel appears when you add a new standard attribute or edit an existing one:
Alias attributes directly from the log explorer. See the associated documentation for reference.
The default standard attribute list is split into 7 functional domains:
The following attributes are related to the data used in network communication. All fields and metrics are prefixed by network.
| Fullname | Type | Description |
|---|---|---|
network.client.ip | string | The IP address of the client that initiated the TCP connection. |
network.destination.ip | string | The IP address the client connected to. |
network.client.port | number | The port of the client that initiated the connection. |
network.destination.port | number | The TCP port the client connected to. |
network.bytes_read | number | Total number of bytes transmitted from the client to the server when the log is emitted. |
network.bytes_written | number | Total number of bytes transmitted from the server to the client when the log is emitted. |
Typical integrations relying on these attributes include Apache, Varnish, AWS ELB, Nginx, HAProxy, etc.
The following attributes are related to the geolocation of IP addresses used in network communication. All fields are prefixed by network.client.geoip or network.destination.geoip.
| Fullname | Type | Description |
|---|---|---|
network.client.geoip.country.name | string | Name of the country |
network.client.geoip.country.iso_code | string | ISO Code of the country (example: US for the United States, FR for France) |
network.client.geoip.continent.code | string | ISO code of the continent (EU, AS, NA, AF, AN, SA, OC) |
network.client.geoip.continent.name | string | Name of the continent (Europe, Australia, North America, Africa, Antartica, South America, Oceania) |
network.client.geoip.subdivision.name | string | Name of the first subdivision level of the country (example: California in the United States or the Sarthe department in France) |
network.client.geoip.subdivision.iso_code | string | ISO Code of the first subdivision level of the country (example: CA in the United States or the SA department in France) |
network.client.geoip.city.name | String | The name of the city (example Paris, New York) |
These attributes are related to the data commonly used in HTTP requests and accesses. All attributes are prefixed by http.
Typical integrations relying on these attributes include Apache, Rails, AWS CloudFront, web applications servers, etc.
| Fullname | Type | Description |
|---|---|---|
http.url | string | The URL of the HTTP request. |
http.status_code | number | The HTTP response status code. |
http.method | string | Indicates the desired action to be performed for a given resource. |
http.referer | string | HTTP header field that identifies the address of the webpage that linked to the resource being requested. |
http.request_id | string | The ID of the HTTP request. |
http.useragent | string | The User-Agent as it is sent (raw format). See below for more details. |
http.version | string | The version of HTTP used for the request. |
These attributes provide details about the parsed parts of the HTTP URL. They are generally generated thanks to the URL parser. All attributes are prefixed by http.url_details.
| Fullname | Type | Description |
|---|---|---|
http.url_details.host | string | The HTTP host part of the URL. |
http.url_details.port | number | The HTTP port part of the URL. |
http.url_details.path | string | The HTTP path part of the URL. |
http.url_details.queryString | object | The HTTP query string parts of the URL decomposed as query params key/value attributes. |
http.url_details.scheme | string | The protocol name of the URL (HTTP or HTTPS) |
These attributes provide details about the meanings of user-agents’ attributes. They are generally generated thanks to the User-Agent parser. All attributes are prefixed by http.useragent_details.
| Fullname | Type | Description |
|---|---|---|
http.useragent_details.os.family | string | The OS family reported by the User-Agent. |
http.useragent_details.browser.family | string | The Browser Family reported by the User-Agent. |
http.useragent_details.device.family | string | The Device family reported by the User-Agent. |
These attributes are related to the data used when a log or an error is generated via a logger in a custom application. All attributes are prefixed either by logger or error.
| Fullname | Type | Description |
|---|---|---|
logger.name | string | The name of the logger. |
logger.thread_name | string | The name of the current thread when the log is fired. |
logger.method_name | string | The class method name. |
logger.version | string | The version of the logger. |
error.kind | string | The error type or kind (or code is some cases). |
error.message | string | A concise, human-readable, one-line message explaining the event |
error.stack | string | The stack trace or the complementary information about the error |
Typical integrations relying on these attributes are: Java, NodeJs, .NET, Golang, Python, etc.
Database related attributes are prefixed by db.
| Fullname | Type | Description |
|---|---|---|
db.instance | string | Database instance name. E.g., in Java, if jdbc.url="jdbc:mysql://127.0.0.1:3306/customers", the instance name is customers. |
db.statement | string | A database statement for the given database type. E.g., for mySQL: "SELECT * FROM wuser_table"; for Redis: "SET mykey 'WuValue'". |
db.operation | string | The operation that was performed (“query”, “update”, “delete”,…). |
db.user | string | User that performs the operation. |
Typical integrations relying on these attributes are: Cassandra, MySQL, RDS, Elasticsearch, etc.
Performance metrics attributes.
| Fullname | Type | Description |
|---|---|---|
duration | number | A duration of any kind in nanoseconds: HTTP response time, database query time, latency, etc. |
Datadog advises you to remap any durations within your logs on this attribute since Datadog displays and uses it as a default measure for trace search.
All attributes and measures are prefixed by usr.
| Fullname | Type | Description |
|---|---|---|
usr.id | string | The user identifier. |
usr.name | string | The user friendly name. |
usr.email | string | The user email. |
These attributes are related to the data added by a syslog or a log-shipper agent. All fields and metrics are prefixed by syslog.
| Fullname | Type | Description |
|---|---|---|
syslog.hostname | string | The hostname |
syslog.appname | string | The application name. Generally remapped to the service reserved attribute. |
syslog.severity | number | The log severity. Generally remapped to the status reserved attribute. |
syslog.timestamp | string | The log timestamp. Generally remapped to the date reserved attribute. |
syslog.env | string | The environment name where the source of logs come from. |
Some integrations that rely on these are: Rsyslog, NxLog, Syslog-ng, Fluentd, Logstash, etc.
All attributes and measures are prefixed by dns.
| Fullname | Type | Description |
|---|---|---|
dns.id | string | The DNS query identifier. |
dns.question.name | string | The queried domain name. |
dns.question.type | string | A two octet code which specifies the DNS question type. |
dns.question.class | string | The class looked up by the DNS question (i.e IN when using the internet). |
dns.question.size | number | The DNS question size in bytes. |
dns.answer.name | string | The IP address that the DNS answers with. |
dns.answer.type | string | A two octet code which specifies the DNS answer type. |
dns.answer.class | string | The class answered by the DNS. |
dns.answer.size | number | The DNS answer size in bytes. |
dns.flags.rcode | string | The DNS reply code. |
All attributes are prefixed by evt.
| Fullname | Type | Description |
|---|---|---|
evt.name | string | The shared name across events generated by the same activity (e.g.: authentication). |
evt.outcome | string | The result of the event (e.g. success, failure). |
Additional helpful documentation, links, and articles:
On this Page
