ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.0.0,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
8.0.0,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
8.0.0,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer.
8.0.0,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
8.0.0,true,acme,acme.account.id,keyword,custom,,,Customer account for this activity.
8.0.0,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
8.0.0,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
8.0.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
8.0.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
8.0.0,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
8.0.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
8.0.0,true,client,client.address,keyword,extended,,,Client network address.
8.0.0,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
8.0.0,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name.
8.0.0,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
8.0.0,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
8.0.0,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client.
8.0.0,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
8.0.0,true,client,client.geo.continent_code,keyword,core,,NA,Continent code.
8.0.0,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
8.0.0,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
8.0.0,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
8.0.0,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
8.0.0,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
8.0.0,true,client,client.geo.postal_code,keyword,core,,94040,Postal code.
8.0.0,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
8.0.0,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
8.0.0,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
8.0.0,true,client,client.ip,ip,core,,,IP address of the client.
8.0.0,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client.
8.0.0,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
8.0.0,true,client,client.nat.port,long,extended,,,Client NAT port
8.0.0,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
8.0.0,true,client,client.port,long,core,,,Port of the client.
8.0.0,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
8.0.0,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
8.0.0,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
8.0.0,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
8.0.0,true,client,client.user.email,keyword,extended,,,User email address.
8.0.0,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
8.0.0,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
8.0.0,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
8.0.0,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
8.0.0,true,client,client.user.group.name,keyword,extended,,,Name of the group.
8.0.0,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
8.0.0,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
8.0.0,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user.
8.0.0,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
8.0.0,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
8.0.0,true,destination,destination.address,keyword,extended,,,Destination network address.
8.0.0,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
8.0.0,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name.
8.0.0,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
8.0.0,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
8.0.0,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination.
8.0.0,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
8.0.0,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code.
8.0.0,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
8.0.0,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
8.0.0,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
8.0.0,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
8.0.0,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
8.0.0,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code.
8.0.0,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
8.0.0,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
8.0.0,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
8.0.0,true,destination,destination.ip,ip,core,,,IP address of the destination.
8.0.0,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination.
8.0.0,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
8.0.0,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
8.0.0,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
8.0.0,true,destination,destination.port,long,core,,,Port of the destination.
8.0.0,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
8.0.0,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
8.0.0,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
8.0.0,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
8.0.0,true,destination,destination.user.email,keyword,extended,,,User email address.
8.0.0,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
8.0.0,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
8.0.0,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
8.0.0,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
8.0.0,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
8.0.0,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
8.0.0,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
8.0.0,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user.
8.0.0,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
8.0.0,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
8.0.0,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
8.0.0,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
8.0.0,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field.
8.0.0,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
8.0.0,true,event,event.code,keyword,extended,,4648,Identification code for this event.
8.0.0,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline.
8.0.0,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset.
8.0.0,true,event,event.duration,long,core,,,Duration of the event in nanoseconds.
8.0.0,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed.
8.0.0,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
8.0.0,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event.
8.0.0,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
8.0.0,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
8.0.0,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
8.0.0,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
8.0.0,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
8.0.0,true,event,event.provider,keyword,extended,,kernel,Source of the event.
8.0.0,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
8.0.0,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL
8.0.0,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
8.0.0,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100).
8.0.0,true,event,event.sequence,long,extended,,,Sequence number of the event.
8.0.0,true,event,event.severity,long,core,,7,Numeric severity of the event.
8.0.0,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed.
8.0.0,true,event,event.timezone,keyword,extended,,,Event time zone.
8.0.0,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
8.0.0,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL
8.0.0,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
8.0.0,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body.
8.0.0,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body.
8.0.0,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
8.0.0,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID.
8.0.0,true,http,http.request.method,keyword,extended,,POST,HTTP request method.
8.0.0,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
8.0.0,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request.
8.0.0,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
8.0.0,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body.
8.0.0,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body.
8.0.0,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
8.0.0,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
8.0.0,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
8.0.0,true,http,http.version,keyword,extended,,1.1,HTTP version.
8.0.0,true,network,network.application,keyword,extended,,aim,Application level protocol name.
8.0.0,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
8.0.0,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
8.0.0,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
8.0.0,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
8.0.0,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
8.0.0,true,network,network.inner,object,extended,,,Inner VLAN tag information
8.0.0,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
8.0.0,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
8.0.0,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
8.0.0,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
8.0.0,true,network,network.protocol,keyword,core,,http,Application protocol name.
8.0.0,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
8.0.0,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
8.0.0,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
8.0.0,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
8.0.0,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
8.0.0,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event.
8.0.0,true,server,server.address,keyword,extended,,,Server network address.
8.0.0,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
8.0.0,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name.
8.0.0,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
8.0.0,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
8.0.0,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server.
8.0.0,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
8.0.0,true,server,server.geo.continent_code,keyword,core,,NA,Continent code.
8.0.0,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
8.0.0,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
8.0.0,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
8.0.0,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
8.0.0,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
8.0.0,true,server,server.geo.postal_code,keyword,core,,94040,Postal code.
8.0.0,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
8.0.0,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
8.0.0,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
8.0.0,true,server,server.ip,ip,core,,,IP address of the server.
8.0.0,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server.
8.0.0,true,server,server.nat.ip,ip,extended,,,Server NAT ip
8.0.0,true,server,server.nat.port,long,extended,,,Server NAT port
8.0.0,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
8.0.0,true,server,server.port,long,core,,,Port of the server.
8.0.0,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
8.0.0,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
8.0.0,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
8.0.0,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
8.0.0,true,server,server.user.email,keyword,extended,,,User email address.
8.0.0,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
8.0.0,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
8.0.0,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
8.0.0,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
8.0.0,true,server,server.user.group.name,keyword,extended,,,Name of the group.
8.0.0,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
8.0.0,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
8.0.0,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user.
8.0.0,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
8.0.0,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
8.0.0,true,source,source.address,keyword,extended,,,Source network address.
8.0.0,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
8.0.0,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name.
8.0.0,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
8.0.0,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
8.0.0,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source.
8.0.0,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
8.0.0,true,source,source.geo.continent_code,keyword,core,,NA,Continent code.
8.0.0,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
8.0.0,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
8.0.0,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
8.0.0,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
8.0.0,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
8.0.0,true,source,source.geo.postal_code,keyword,core,,94040,Postal code.
8.0.0,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
8.0.0,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
8.0.0,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
8.0.0,true,source,source.ip,ip,core,,,IP address of the source.
8.0.0,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source.
8.0.0,true,source,source.nat.ip,ip,extended,,,Source NAT ip
8.0.0,true,source,source.nat.port,long,extended,,,Source NAT port
8.0.0,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
8.0.0,true,source,source.port,long,core,,,Port of the source.
8.0.0,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
8.0.0,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
8.0.0,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
8.0.0,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
8.0.0,true,source,source.user.email,keyword,extended,,,User email address.
8.0.0,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
8.0.0,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
8.0.0,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
8.0.0,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
8.0.0,true,source,source.user.group.name,keyword,extended,,,Name of the group.
8.0.0,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
8.0.0,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
8.0.0,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user.
8.0.0,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
8.0.0,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
8.0.0,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url.
8.0.0,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
8.0.0,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
8.0.0,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
8.0.0,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
8.0.0,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
8.0.0,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
8.0.0,true,url,url.password,keyword,extended,,,Password of the request.
8.0.0,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
8.0.0,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
8.0.0,true,url,url.query,keyword,extended,,,Query string of the request.
8.0.0,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
8.0.0,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
8.0.0,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
8.0.0,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
8.0.0,true,url,url.username,keyword,extended,,,Username of the request.
8.0.0,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user.
8.0.0,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
8.0.0,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
8.0.0,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
8.0.0,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
8.0.0,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
8.0.0,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
8.0.0,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
8.0.0,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
8.0.0,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
8.0.0,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
8.0.0,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version."
8.0.0,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such as centos, ubuntu, windows)."
8.0.0,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
8.0.0,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
8.0.0,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.