ELASTICSEARCH
Elasticsearch is a search and analytics engine often used for log and event data analysis, full-text search, and real-time data visualization. It can ingest and index large log and event datasets from many sources, including network devices, servers, applications, and security tools, and you can search, filter, and analyze that data for indicators of compromise (IOCs), security incidents, and anomalous behavior.
The fields below describe what was observed from an Elasticsearch service: the HTTP response to a request for the root endpoint (/) under http_info, the version banner that endpoint returns under system_info, and the cluster and node metadata the service reported under node_info. Because this metadata is collected by a remote scan, a populated system_info or node_info is itself a finding: it means the service answered those requests without requiring credentials.
| Field | Type | Description |
|---|---|---|
| services.elasticsearch | object | Fields observed from an Elasticsearch service. |
| services.elasticsearch.http_info | object | Information about the underlying HTTP connection. |
| services.elasticsearch.http_info.headers | nested | The key-value header pairs included in the response to the request for the root endpoint (/). |
| services.elasticsearch.http_info.headers.key | text | The name of the header. |
| services.elasticsearch.http_info.headers.value | object | Container for the values of the header. |
| services.elasticsearch.http_info.headers.value.headers | text | The values provided in the corresponding header. |
| services.elasticsearch.http_info.status | text | A human-readable phrase describing the status code. |
| services.elasticsearch.http_info.status_code | integer | The 3-digit HTTP status code returned in response to the request for the root endpoint (/). |
| services.elasticsearch.node_info | object | Cluster and node metadata returned by the service. |
| services.elasticsearch.node_info.cluster_combined_info | object | Cluster-wide statistics. |
| services.elasticsearch.node_info.cluster_combined_info.filesystem | object | Disk usage statistics. |
| services.elasticsearch.node_info.cluster_combined_info.filesystem.available | text | The amount of free disk space that the node can use, in an easy-to-read format. |
| services.elasticsearch.node_info.cluster_combined_info.filesystem.available_in_bytes | unsigned_long | The amount of free disk space that the node can use, in bytes. |
| services.elasticsearch.node_info.cluster_combined_info.filesystem.free | text | The total amount of unallocated disk space on the node, in an easy-to-read format. |
| services.elasticsearch.node_info.cluster_combined_info.filesystem.free_in_bytes | unsigned_long | The total amount of unallocated disk space on the node, in bytes. |
| services.elasticsearch.node_info.cluster_combined_info.filesystem.total | text | The total amount of disk space on the node, in an easy-to-read format. |
| services.elasticsearch.node_info.cluster_combined_info.filesystem.total_in_bytes | unsigned_long | The total amount of disk space on the node, in bytes. |
| services.elasticsearch.node_info.cluster_combined_info.indices | object | Index statistics. |
| services.elasticsearch.node_info.cluster_combined_info.indices.count | unsigned_long | The number of indices on the node. |
| services.elasticsearch.node_info.cluster_combined_info.indices.docs | object | Document counts. |
| services.elasticsearch.node_info.cluster_combined_info.indices.docs.count | unsigned_long | The total number of documents across all indices on this node. |
| services.elasticsearch.node_info.cluster_combined_info.indices.docs.deleted | unsigned_long | The total number of deleted documents across all indices on this node. |
| services.elasticsearch.node_info.cluster_combined_info.indices.store | object | Shard store statistics. |
| services.elasticsearch.node_info.cluster_combined_info.indices.store.reserved_in_bytes | unsigned_long | A prediction, in bytes, of how much larger the shard stores can eventually grow due to ongoing peer recoveries, restoring snapshots, and similar activities. |
| services.elasticsearch.node_info.cluster_combined_info.indices.store.size_in_bytes | unsigned_long | The total size of all shard stores on the node, in bytes. |
| services.elasticsearch.node_info.cluster_combined_info.name | text | The name of the cluster. |
| services.elasticsearch.node_info.cluster_combined_info.status | text | An enumerated value representing the health status of the cluster. Green means no issues, yellow means that at least 1 replica shard is unassigned, and red means that at least 1 primary shard is unassigned. |
| services.elasticsearch.node_info.cluster_combined_info.timestamp | unsigned_long | The last time the cluster statistics were refreshed, in unix milliseconds. |
| services.elasticsearch.node_info.cluster_combined_info.uuid | text | The unique identifier for the cluster. |
| services.elasticsearch.node_info.nodes | object | Per-node information. |
| services.elasticsearch.node_info.nodes.node_data | object | Information the node reports about itself. |
| services.elasticsearch.node_info.nodes.node_data.build_flavor | text | An enumerated value describing the Elasticsearch distribution in use: "default" (the standard distribution, which bundles the Elastic-licensed X-Pack features), "oss" (the Apache 2.0 licensed build without X-Pack), or "unknown". |
| services.elasticsearch.node_info.nodes.node_data.build_hash | text | The short hash of the git commit used to compile this version of the software. |
| services.elasticsearch.node_info.nodes.node_data.build_type | text | An enumerated value indicating how the Elasticsearch distribution was packaged (for example tar, zip, deb, rpm, or docker). |
| services.elasticsearch.node_info.nodes.node_data.host | text | The self-reported host name of the node. |
| services.elasticsearch.node_info.nodes.node_data.ingest_processors | text | A list of the types of ingest processors the node has available. |
| services.elasticsearch.node_info.nodes.node_data.ip | ip | The IP address of the node. |
| services.elasticsearch.node_info.nodes.node_data.jvm | object | Information about the node's Java Virtual Machine configuration. |
| services.elasticsearch.node_info.nodes.node_data.jvm.gc | text | A list of the garbage-collection algorithms in use. |
| services.elasticsearch.node_info.nodes.node_data.jvm.input_args | text | The command-line arguments provided to the Java Virtual Machine. |
| services.elasticsearch.node_info.nodes.node_data.jvm.memory_pools | text | A list of the names of the Java Virtual Machine's memory pools. |
| services.elasticsearch.node_info.nodes.node_data.jvm.start_time | text | The time the Java Virtual Machine was started, as a human-readable timestamp. |
| services.elasticsearch.node_info.nodes.node_data.jvm.start_time_ms | unsigned_long | The time the Java Virtual Machine was started, in unix milliseconds. |
| services.elasticsearch.node_info.nodes.node_data.jvm.version | text | The version of Java the Java Virtual Machine is using. |
| services.elasticsearch.node_info.nodes.node_data.jvm.vm_name | text | The name of the Java Virtual Machine the node is using (for example, OpenJDK). |
| services.elasticsearch.node_info.nodes.node_data.jvm.vm_vendor | text | The vendor of the Java Virtual Machine, that is, the organization that builds and maintains it. |
| services.elasticsearch.node_info.nodes.node_data.jvm.vm_version | text | The version of the Java Virtual Machine the node is using. |
| services.elasticsearch.node_info.nodes.node_data.modules | object | The modules (bundled plugins) loaded by the node. |
| services.elasticsearch.node_info.nodes.node_data.modules.class_name | text | The Java class that implements the module. |
| services.elasticsearch.node_info.nodes.node_data.modules.desc | text | A short description of the module. |
| services.elasticsearch.node_info.nodes.node_data.modules.elastic_version | text | The Elasticsearch version the module was built for. |
| services.elasticsearch.node_info.nodes.node_data.modules.ext_plugins | text | A list of other plugins the module extends. |
| services.elasticsearch.node_info.nodes.node_data.modules.has_native_ctrl | boolean | Whether the module ships a native controller process. |
| services.elasticsearch.node_info.nodes.node_data.modules.java_version | text | The Java version the module was built for. |
| services.elasticsearch.node_info.nodes.node_data.modules.name | text | The name of the module. |
| services.elasticsearch.node_info.nodes.node_data.modules.version | text | The version of the module. |
| services.elasticsearch.node_info.nodes.node_data.name | text | The name of the node. |
| services.elasticsearch.node_info.nodes.node_data.os | object | Information about the node's operating system. |
| services.elasticsearch.node_info.nodes.node_data.os.allocated_proc | integer | The number of processors used by the node to calculate its thread pool size. |
| services.elasticsearch.node_info.nodes.node_data.os.arch | text | The name of the Java Virtual Machine architecture used by the node. |
| services.elasticsearch.node_info.nodes.node_data.os.available_proc | integer | The number of processors available to the Java Virtual Machine. |
| services.elasticsearch.node_info.nodes.node_data.os.name | text | The simplified name of the operating system used by the node. |
| services.elasticsearch.node_info.nodes.node_data.os.pretty_name | text | The full name of the operating system used by the node, which may include the distribution and version number. |
| services.elasticsearch.node_info.nodes.node_data.os.refresh_interval_ms | unsigned_long | How often the node's processor statistics are refreshed, in milliseconds. |
| services.elasticsearch.node_info.nodes.node_data.os.version | text | The version of the operating system used by the node. |
| services.elasticsearch.node_info.nodes.node_data.roles | text | A list of the roles the node holds (for example master, data, or ingest). |
| services.elasticsearch.node_info.nodes.node_data.settings | object | The node's settings. |
| services.elasticsearch.node_info.nodes.node_data.settings.cluster_name | text | The name of the cluster the node belongs to. |
| services.elasticsearch.node_info.nodes.node_data.settings.node | object | Node-specific settings. |
| services.elasticsearch.node_info.nodes.node_data.settings.node.attr | object | Custom node attributes. |
| services.elasticsearch.node_info.nodes.node_data.settings.node.attr.ml | object | Machine-learning node attributes. |
| services.elasticsearch.node_info.nodes.node_data.settings.node.attr.ml.enabled | text | Whether the Elasticsearch machine-learning APIs are enabled on the node. |
| services.elasticsearch.node_info.nodes.node_data.settings.node.attr.ml.machine_memory | text | The amount of memory on the node's host, in bytes, as reported for machine-learning job allocation. |
| services.elasticsearch.node_info.nodes.node_data.settings.node.attr.ml.max_open_jobs | text | The maximum number of machine-learning jobs that can run simultaneously on the node. |
| services.elasticsearch.node_info.nodes.node_data.settings.node.attr.xpack_installed | text | Whether X-Pack, the set of Elastic-licensed extensions bundled with the default distribution, is installed. |
| services.elasticsearch.node_info.nodes.node_data.settings.node.name | text | The name of the node. |
| services.elasticsearch.node_info.nodes.node_data.thread_pool_list | object | The node's thread pools. |
| services.elasticsearch.node_info.nodes.node_data.thread_pool_list.keep_alive | text | How long an idle thread should remain in the thread pool. |
| services.elasticsearch.node_info.nodes.node_data.thread_pool_list.max | integer | The maximum number of threads in the thread pool. |
| services.elasticsearch.node_info.nodes.node_data.thread_pool_list.min | integer | The minimum number of threads in the thread pool. |
| services.elasticsearch.node_info.nodes.node_data.thread_pool_list.queue_size | integer | When applicable, the number of incoming requests to queue if there is not a thread available to execute them. |
| services.elasticsearch.node_info.nodes.node_data.thread_pool_list.type | text | The strategy used to assign incoming requests to an execution thread. |
| services.elasticsearch.node_info.nodes.node_data.total_indexing_buffer | unsigned_long | The amount of memory used to hold recently indexed documents before writing them to disk, in bytes. |
| services.elasticsearch.node_info.nodes.node_data.version | text | The Elasticsearch version running on this node. |
| services.elasticsearch.node_info.nodes.node_name | text | The name of the node. |
| services.elasticsearch.system_info | object | The banner returned by the root endpoint (/). |
| services.elasticsearch.system_info.cluster_uuid | text | The unique identifier for the cluster. |
| services.elasticsearch.system_info.name | text | The name of the cluster. |
| services.elasticsearch.system_info.tagline | text | A snippet describing the server. By default, it is "You Know, for Search". |
| services.elasticsearch.system_info.version | object | Version information and accompanying metadata, such as the build date and compatibility information. |
| services.elasticsearch.system_info.version.build_date | text | The date this version of the software was compiled. |
| services.elasticsearch.system_info.version.build_flavor | text | An enumerated value describing the Elasticsearch distribution in use: "default" (the standard distribution, which bundles the Elastic-licensed X-Pack features), "oss" (the Apache 2.0 licensed build without X-Pack), or "unknown". |
| services.elasticsearch.system_info.version.build_hash | text | The short hash of the git commit used to compile this version of the software. |
| services.elasticsearch.system_info.version.build_snapshot | boolean | Whether the server is running a snapshot (non-release) build. |
| services.elasticsearch.system_info.version.build_type | text | An enumerated value indicating how the Elasticsearch distribution was packaged (for example tar, zip, deb, rpm, or docker). |
| services.elasticsearch.system_info.version.lucene_version | text | The version of Lucene used by the server. |
| services.elasticsearch.system_info.version.min_idx_compat_ver | text | The minimum version of indices that the server can read. |
| services.elasticsearch.system_info.version.min_wire_compat_ver | text | The minimum version of the Elasticsearch wire protocol (node-to-node and transport-client traffic) compatible with the server. |
| services.elasticsearch.system_info.version.number | text | The version number. |
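As an added example, not part of this page and not Censys' or Elastic's code, the following Python walks one record laid out with the fields above and turns it into triage findings: whether the root endpoint answered without an authentication challenge, whether cluster statistics were readable, whether the cluster is degraded, and whether the build can enforce access control natively. The two records, the helper names and the finding codes are all constructed for illustration.

```python
"""Triage a services.elasticsearch record laid out with the documented fields.

Added example (not Censys or Elastic code). Both records below are constructed
to follow the field names on this page; they are not real scan data.
"""
from typing import Any, Iterator

# Constructed sample: a 7.x OSS cluster whose root endpoint and cluster stats
# came back with no authentication challenge.
OPEN_RECORD: dict[str, Any] = {
    "http_info": {
        "status_code": 200, "status": "OK",
        "headers": [
            {"key": "content-type", "value": {"headers": ["application/json; charset=UTF-8"]}},
            {"key": "content-length", "value": {"headers": ["531"]}},
        ],
    },
    "system_info": {
        "name": "es-node-1", "cluster_uuid": "00000000-0000-0000-0000-000000000000",
        "tagline": "You Know, for Search",
        "version": {"number": "7.10.2", "build_flavor": "oss", "build_type": "docker",
                    "build_snapshot": False, "lucene_version": "8.7.0",
                    "min_idx_compat_ver": "6.0.0-beta1", "min_wire_compat_ver": "6.8.0"},
    },
    "node_info": {
        "cluster_combined_info": {
            "name": "logs", "status": "yellow",
            "indices": {"count": 42, "docs": {"count": 1_250_000, "deleted": 300},
                        "store": {"size_in_bytes": 8_000_000_000}},
        },
        "nodes": {"node_name": "es-node-1", "node_data": {
            "version": "7.10.2", "roles": ["master", "data", "ingest"],
            "settings": {"node": {"attr": {"xpack_installed": "false"}}}}},
    },
}

# Constructed sample: a service that answers 401 with a challenge. Only the
# HTTP layer is visible, so no banner or cluster stats are present.
PROTECTED_RECORD: dict[str, Any] = {
    "http_info": {
        "status_code": 401, "status": "Unauthorized",
        "headers": [
            {"key": "WWW-Authenticate", "value": {"headers": ['Basic realm="security" charset="UTF-8"']}},
            {"key": "content-type", "value": {"headers": ["application/json; charset=UTF-8"]}},
        ],
    },
}


def headers_to_dict(http_info: dict[str, Any]) -> dict[str, list[str]]:
    """Flatten the nested headers list into {lowercased name: [values]}."""
    out: dict[str, list[str]] = {}
    for h in http_info.get("headers", []):
        vals = h.get("value", {}).get("headers", [])
        out.setdefault(h["key"].lower(), []).extend([vals] if isinstance(vals, str) else vals)
    return out


def parse_version(number: str) -> tuple[int, ...]:
    """'7.10.2' -> (7, 10, 2); a pre-release suffix such as '-beta1' is dropped."""
    return tuple(int(p) for p in number.split("-", 1)[0].split("."))


def iter_node_data(node_info: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """nodes may be one object or a list of them; yield each node_data."""
    nodes = node_info.get("nodes", [])
    for n in nodes if isinstance(nodes, list) else [nodes]:
        yield n.get("node_data", {})


def triage(record: dict[str, Any]) -> dict[str, str]:
    """Return {finding_code: explanation} for one record."""
    findings: dict[str, str] = {}
    http = record.get("http_info", {})
    hdrs = headers_to_dict(http)
    status = http.get("status_code")
    version = record.get("system_info", {}).get("version", {})

    # A 200 with a version banner and no challenge is an open service; a 401/403 is gated.
    if status == 200 and "www-authenticate" not in hdrs and version.get("number"):
        findings["anon-root"] = f"root endpoint answered 200 without a challenge; version {version['number']} banner is public"
    elif status in (401, 403):
        findings["auth-required"] = f"root endpoint returned {status}; service is gated"

    cluster = record.get("node_info", {}).get("cluster_combined_info")
    if cluster:  # cluster stats were returned to the scanner at all
        idx = cluster.get("indices", {})
        gb = idx.get("store", {}).get("size_in_bytes", 0) / 1e9
        findings["cluster-stats-exposed"] = (f"cluster '{cluster.get('name')}' stats readable: {idx.get('count', 0)} indices, "
                                             f"{idx.get('docs', {}).get('count', 0)} docs, {gb:.1f} GB of shard stores")
        if cluster.get("status") in ("yellow", "red"):
            findings["cluster-degraded"] = f"cluster health is {cluster['status']}"

    # OSS builds and nodes without X-Pack have no native authentication or TLS.
    xpack = {str(d.get("settings", {}).get("node", {}).get("attr", {}).get("xpack_installed", "")).lower()
             for d in iter_node_data(record.get("node_info", {}))}
    if version.get("build_flavor") == "oss" or "false" in xpack:
        findings["no-xpack-security"] = "OSS build / X-Pack absent: access control must come from a proxy or firewall"
    if version.get("number") and parse_version(version["number"]) < (8,):
        findings["pre-8"] = "versions before 8.0 do not enable security by default"
    if version.get("build_snapshot"):
        findings["snapshot-build"] = "node runs a snapshot (non-release) build"
    return findings


if __name__ == "__main__":
    for label, rec in (("open", OPEN_RECORD), ("protected", PROTECTED_RECORD)):
        print(label, triage(rec))
```

The WWW-Authenticate check is what separates a service that is merely reachable from one that is open: a 401 carrying a challenge is gated, while a 200 that returns the version banner and cluster statistics is one anyone who can reach the port may query. The header flattening handles the nested key/value/headers layout of http_info.headers, and the node iterator accepts nodes as either a single object or a list, since the schema types it as object.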