Centralizing logs from various technologies and applications tends to generate tens or hundreds of different attributes in a Log Management environment—especially when many teams’ users, each one with their own personal usage patterns, are working within the same environment.
This can generate confusion. For instance, a client IP might have the following attributes within your logs:
In this context, the number of created or provided attributes can lead to confusion and difficulty to configure or understand the environment. It is also cumbersome to know which attributes correspond to the the logs of interest and—for instance—correlating web proxy with web application logs would be difficult. Even if technologies define their respective logs attributes differently, a URL, client IP, or duration have universally consistent meanings.
Standard Attributes have been designed to help your organization to define its own naming convention and to enforce it as much as possible across users and functional teams. The goal is to define a subset of attributes that would be the recipient of shared semantics that everyone agrees to use by convention.
Log Integrations are natively relying on the default provided set, but your organization can decide to extend or modify this list. The standard attribute table is available in Log Configuration pages, along with pipelines and other logs intake capabilities (metrics generation, archives, exclusion filters, etc.).
To enforce standard attributes, administrators have the right to re-copy an existing set of non-standard attributes into a set of standard ones. This enables noncompliant logs sources to become compliant without losing any previous information.
Typically, during a transitional period, standard attributes may coexist in your organization along with their non-standard versions. To help your users cherry-pick the standard attributes in this context, they are identified as such in the explorer (e.g. in the facet list, or in measure or group selectors in Analytics).
If you are an administrator or prescriptor of the naming convention in your organization, you can take this opportunity to educate other users with standard attributes, and nudge them to align.
The standard attribute table comes with a set of predefined standard attributes. You can append that list with your own attributes, and edit or delete existing standard attributes:
A standard attribute is defined by its:
Path: The path of the standard attributes as you would find it in your JSON (e.g
boolean): The type of the attribute which is used to cast element of the remapping list
Description: Human readable description of the attribute
Remapping list: Comma separated list of non-compliant attributes that should be remapped to standard ones
The standard attribute panel pops when you add a new standard attribute or edit an existing one:
Any element of the standard attributes can then be filled or updated.
Note: Any updates or additions to standard attributes are only applied to newly ingested logs.
After being processed in the pipelines, each log goes through the full list of standard attributes. For each entry of the standard attribute table, if the current log has an attribute matching the remapping list, the following is done:
Important Note: By default, the type of an existing standard attribute is unchanged if the remapping list is empty. Add the standard attribute to its own remapping list to enforce its type.
To add or update a standard attribute, follow these rules:
user.namecannot both be standard attributes).
The default standard attribute list is split into 7 functional domains:
The following attributes are related to the data used in network communication. All fields and metrics are prefixed by
|The IP address of the client that initiated the TCP connection.|
|The IP address the client connected to.|
|The port of the client that initiated the connection.|
|The TCP port the client connected to.|
|Total number of bytes transmitted from the client to the server when the log is emitted.|
|Total number of bytes transmitted from the server to the client when the log is emitted.|
The following attributes are related to the geolocation of IP addresses used in network communication. All fields are prefixed by
|Name of the country|
|ISO Code of the country (example: |
|ISO code of the continent (|
|Name of the continent (|
|Name of the first subdivision level of the country (example: |
|ISO Code of the first subdivision level of the country (example: |
|The name of the city (example |
These attributes are related to the data commonly used in HTTP requests and accesses. All attributes are prefixed by
|The URL of the HTTP request.|
|The HTTP response status code.|
|Indicates the desired action to be performed for a given resource.|
|HTTP header field that identifies the address of the webpage that linked to the resource being requested.|
|The ID of the HTTP request.|
|The User-Agent as it is sent (raw format). See below for more details.|
|The version of HTTP used for the request.|
These attributes provide details about the parsed parts of the HTTP URL. They are generally generated thanks to the URL parser. All attributes are prefixed by
|The HTTP host part of the URL.|
|The HTTP port part of the URL.|
|The HTTP path part of the URL.|
|The HTTP query string parts of the URL decomposed as query params key/value attributes.|
|The protocol name of the URL (HTTP or HTTPS)|
These attributes provide details about the meanings of user-agents’ attributes. They are generally generated thanks to the User-Agent parser. All attributes are prefixed by
|The OS family reported by the User-Agent.|
|The Browser Family reported by the User-Agent.|
|The Device family reported by the User-Agent.|
These attributes are related to the data used when a log or an error is generated via a logger in a custom application. All attributes are prefixed either by
|The name of the logger.|
|The name of the current thread when the log is fired.|
|The class method name.|
|The error type or kind (or code is some cases).|
|A concise, human-readable, one-line message explaining the event|
|The stack trace or the complementary information about the error|
Typical integrations relying on these attributes are: Java, NodeJs, .NET, Golang, Python, etc.
Database related attributes are prefixed by
|Database instance name. E.g., in Java, if |
|A database statement for the given database type. E.g., for mySQL: |
|The operation that was performed (“query”, “update”, “delete”,…).|
|User that performs the operation.|
Performance metrics attributes.
|A duration of any kind in nanoseconds: HTTP response time, database query time, latency, etc.|
All attributes and measures are prefixed by
|The user identifier.|
|The user friendly name.|
|The user email.|
These attributes are related to the data added by a syslog or a log-shipper agent. All fields and metrics are prefixed by
|The application name. Generally remapped to the |
|The log severity. Generally remapped to the |
|The log timestamp. Generally remapped to the |
|The environment name where the source of logs come from.|
All attributes and measures are prefixed by
|The DNS query identifier.|
|The IP address URL that the DNS question wishes to find.|
|A two octet code which specifies the DNS question type.|
|The class looked up by the DNS question (i.e IN when using the internet).|
|The DNS question size in bytes.|
|The queried domain name.|
|A two octet code which specifies the DNS answer type.|
|The class answered by the DNS.|
|The DNS answer size in bytes.|
|The DNS reply code.|
Additional helpful documentation, links, and articles: