Built-in Reserved Fields
During log collection, LTS adds information such as the collection time, log type, and host IP address to logs in the form of Key-Value pairs. These fields are built-in reserved fields of LTS.
- When using APIs to write log data or add ICAgent configurations, do not set field names to built-in reserved fields. Otherwise, problems such as duplicate field names and inaccurate queries may occur.
- The name of a custom log field cannot contain double underscores (__). Otherwise, the index cannot be configured.
This function is available only in regions AF-Johannesburg, AP-Singapore, CN-Hong Kong, CN East-Shanghai1, LA-Mexico City1, LA-Mexico City2, LA-Santiago, and LA-Sao Paulo1.
Log Example
The following is a CCE log. The value of the content field is the original log text, and other fields are common built-in reserved fields.
```json
{
  "hostName":"epstest-xx518",
  "hostIP":"192.168.0.31",
  "clusterId":"c7f3f4a5-xxxx-11ed-a4ec-0255ac100b07",
  "pathFile":"stdout.log",
  "content":"level=error ts=2023-04-19T09:21:21.333895559Z",
  "podIp":"10.0.0.145",
  "containerName":"config-reloader",
  "clusterName":"epstest",
  "nameSpace":"monitoring",
  "hostIPv6":"",
  "collectTime":"1681896081334",
  "appName":"alertmanager-alertmanager",
  "hostId":"318c02fe-xxxx-4c91-b5bb-6923513b6c34",
  "lineNum":"1681896081333991900",
  "podName":"alertmanager-alertmanager-54d7xxxx-wnfsh",
  "__time__":"1681896081334",
  "serviceID":"cf5b453xxxad61d4c483b50da3fad5ad",
  "category":"LTS"
}
```
Built-in Reserved Field Description
Field | Data Format | Index and Statistics Settings | Description |
---|---|---|---|
collectTime | Integer, Unix timestamp (ms) | Index setting: After this function is enabled, a field index is created for collectTime by default. The index data type is long. Enter collectTime: xxx during the query. | Time when logs are collected by ICAgent. In the example, "collectTime":"1681896081334" is 2023-04-19 17:21:21 when converted into standard time. |
\_\_time\_\_ | Integer, Unix timestamp (ms) | Index setting: After this function is enabled, a field index is created for \_\_time\_\_ by default. The index data type is long. This field cannot be queried. | Log time refers to the time when a log is displayed on the console. In the example, "\_\_time\_\_":"1681896081334" is 2023-04-19 17:21:21 when converted into standard time. By default, the collection time is used as the log time. You can also customize the log time. |
lineNum | Integer | Index setting: After this function is enabled, a field index is created for lineNum by default. The index data type is long. | Line number (offset), which is used to sort logs. For non-high-precision logs, the value is generated based on the value of collectTime. The default value is collectTime * 1000000 + 1. For high-precision logs, the value is the nanosecond value reported by users, such as "lineNum":"1681896081333991900" in the example. |
category | String | Index setting: After this function is enabled, a field index is created for category by default. The index data type is string, and the delimiters are empty. Enter category: xxx during the query. | Log type, indicating the source of the log. For example, the field value of logs collected by ICAgent is LTS, and that of logs reported by a cloud service such as DCS is DCS. |
clusterName | String | Index setting: After this function is enabled, a field index is created for clusterName by default. The index data type is string, and the delimiters are empty. Enter clusterName: xxx during the query. | Cluster name, used in the Kubernetes scenario. Example: "clusterName":"epstest". |
clusterId | String | Index setting: After this function is enabled, a field index is created for clusterId by default. The index data type is string, and the delimiters are empty. Enter clusterId: xxx during the query. | Cluster ID, used in the Kubernetes scenario. Example: "clusterId":"c7f3f4a5-xxxx-11ed-a4ec-0255ac100b07". |
nameSpace | String | Index setting: After this function is enabled, a field index is created for nameSpace by default. The index data type is string, and the delimiters are empty. Enter nameSpace: xxx during the query. | Namespace, used in the Kubernetes scenario. Example: "nameSpace":"monitoring". |
appName | String | Index setting: After this function is enabled, a field index is created for appName by default. The index data type is string, and the delimiters are empty. Enter appName: xxx during the query. | Component name, used as the name of the workload in the Kubernetes scenario. Example: "appName":"alertmanager-alertmanager". |
serviceID | String | Index setting: After this function is enabled, a field index is created for serviceID by default. The index data type is string, and the delimiters are empty. Enter serviceID: xxx during the query. | Workload ID in the Kubernetes scenario. Example: "serviceID":"cf5b453xxxad61d4c483b50da3fad5ad". |
podName | String | Index setting: After this function is enabled, a field index is created for podName by default. The index data type is string, and the delimiters are empty. Enter podName: xxx during the query. | Pod name in the Kubernetes scenario. Example: "podName":"alertmanager-alertmanager-0". |
podIp | String | Index setting: After this function is enabled, a field index is created for podIp by default. The index data type is string, and the delimiters are empty. Enter podIp: xxx during the query. | Pod IP in the Kubernetes scenario. Example: "podIp":"10.0.0.145". |
containerName | String | Index setting: After this function is enabled, a field index is created for containerName by default. The index data type is string, and the delimiters are empty. Enter containerName: xxx during the query. | Container name, used in the Kubernetes scenario. Example: "containerName":"config-reloader". |
hostName | String | Index setting: After this function is enabled, a field index is created for hostName by default. The index data type is string, and the delimiters are empty. Enter hostName: xxx during the query. | Name of the host where ICAgent resides. Example: "hostName":"epstest-xx518". |
hostId | String | Index setting: After this function is enabled, a field index is created for hostId by default. The index data type is string, and the delimiters are empty. Enter hostId: xxx during the query. | ID of the host where ICAgent resides. The ID is generated by ICAgent. Example: "hostId":"318c02fe-xxxx-4c91-b5bb-6923513b6c34". |
hostIP | String | Index setting: After this function is enabled, a field index is created for hostIP by default. The index data type is string, and the delimiters are empty. Enter hostIP: xxx during the query. | IP address of the host where the log collector resides (applicable to the IPv4 scenario). Example: "hostIP":"192.168.0.31". |
hostIPv6 | String | Index setting: After this function is enabled, a field index is created for hostIPv6 by default. The index data type is string, and the delimiters are empty. Enter hostIPv6: xxx during the query. | IP address of the host where the log collector resides (applicable to the IPv6 scenario). Example: "hostIPv6":"". |
pathFile | String | Index setting: After this function is enabled, a field index is created for pathFile by default. The index data type is string, and the delimiters are empty. Enter pathFile: xxx during the query. | Path of the collected log file. Example: "pathFile":"stdout.log". |
content | String | Index setting: After Index Whole Text is enabled, the delimiter defined by the full-text index is used to segment the value of the content field. The content field cannot be configured in the field index. | Original log content. Example: "content":"level=error ts=2023-04-19T09:21:21.333895559Z". |
\_\_receive_time\_\_ | Integer, Unix timestamp (ms) | Index setting: After this function is enabled, a field index is created for \_\_receive_time\_\_ by default. The index data type is long. | Time when a log is reported to the server, which is the same as the time when the LTS collector receives the log. |
\_\_client_time\_\_ | Integer, Unix timestamp (ms) | Index setting: After this function is enabled, a field index is created for \_\_client_time\_\_ by default. The index data type is long. | Time when the client reports a device log. |
\_content_parse_fail\_ | String | Index setting: After this function is enabled, a field index is created for \_content_parse_fail\_ by default. The index data type is string, and the default delimiter is used. Enter \_content_parse_fail\_: xxx during the query. | Content of the log that fails to be parsed. |
\_\_save_time\_\_ | Integer, Unix timestamp (ms) | The \_\_save_time\_\_ field cannot be configured in the field index. | Time field of the log stream engine. Log data in the period specified by this field is obtained. |
\_\_time | Integer, Unix timestamp (ms) | The \_\_time field cannot be configured in the field index. | N/A |
logContent | String | The logContent field cannot be configured in the field index. | N/A |
logContentSize | Integer | The logContentSize field cannot be configured in the field index. | N/A |
logIndexSize | Integer | The logIndexSize field cannot be configured in the field index. | N/A |
groupName | String | The groupName field cannot be configured in the field index. | N/A |
logStream | String | The logStream field cannot be configured in the field index. | N/A |
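
An added example (not part of the LTS documentation or any LTS SDK): a pre-ingestion check that applies the two naming rules above to custom fields, plus a decoder for the collectTime and lineNum values of the sample record. The function names, the constructed CUSTOM input and the UTC+8 offset are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Field names copied from the table above.
RESERVED = frozenset(
    "collectTime __time__ lineNum category clusterName clusterId nameSpace "
    "appName serviceID podName podIp containerName hostName hostId hostIP "
    "hostIPv6 pathFile content __receive_time__ __client_time__ "
    "_content_parse_fail_ __save_time__ __time logContent logContentSize "
    "logIndexSize groupName logStream".split()
)

def lint_custom_fields(fields):
    """Map each offending custom field name to the rule it breaks."""
    problems = {}
    for name in fields:
        if name in RESERVED:
            problems[name] = "reserved"           # would duplicate a built-in field
        elif "__" in name:
            problems[name] = "double-underscore"  # index cannot be configured
    return problems

def interpret_times(record, utc_offset_hours=8):
    """Decode collectTime and classify lineNum for one collected record.

    utc_offset_hours=8 is an assumption: it reproduces the page's
    2023-04-19 17:21:21 rendering of the sample collectTime.
    """
    collect_ms = int(record["collectTime"])
    line_num = int(record["lineNum"])
    tz = timezone(timedelta(hours=utc_offset_hours))
    collected = datetime.fromtimestamp(collect_ms / 1000, tz)
    default_line_num = collect_ms * 1000000 + 1   # non-high-precision formula
    return {
        "collected": collected.strftime("%Y-%m-%d %H:%M:%S"),
        "high_precision": line_num != default_line_num,
        # Only meaningful for high-precision logs, where lineNum is in ns.
        "collect_minus_line_ms": collect_ms - line_num // 1000000,
    }

# Constructed input: custom fields a producer is about to send.
CUSTOM = {"hostIP": "10.1.1.1", "req__id": "42", "tenant": "a", "trace_id": "b"}
# Values taken from the CCE sample record on this page.
SAMPLE = {"collectTime": "1681896081334", "lineNum": "1681896081333991900"}

if __name__ == "__main__":
    print(lint_custom_fields(CUSTOM))
    print(interpret_times(SAMPLE))
```

Rejecting a producer-supplied hostIP or collectTime before ingestion keeps the collector-assigned values the only ones present, so queries on those fields reflect what ICAgent recorded.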