Updated on 2023-11-29 GMT+08:00

Built-in Reserved Fields

During log collection, LTS adds information such as the collection time, log type, and host IP address to logs in the form of Key-Value pairs. These fields are built-in reserved fields of LTS.

  • When using APIs to write log data or add ICAgent configurations, do not use the names of built-in reserved fields as field names. Otherwise, problems such as duplicate field names and inaccurate query results may occur.
  • The name of a custom log field cannot contain double underscores (__). Otherwise, the index cannot be configured.

Log Example

The following is a CCE log. The value of the content field is the original log text, and other fields are common built-in reserved fields.

{
"hostName":"epstest-xx518",
"hostIP":"192.168.0.31",
"clusterId":"c7f3f4a5-xxxx-11ed-a4ec-0255ac100b07",
"pathFile":"stdout.log",
"content":"level=error ts=2023-04-19T09:21:21.333895559Z",
"podIp":"10.0.0.145",
"containerName":"config-reloader",
"clusterName":"epstest",
"nameSpace":"monitoring",
"hostIPv6":"",
"collectTime":"1681896081334",
"appName":"alertmanager-alertmanager",
"hostId":"318c02fe-xxxx-4c91-b5bb-6923513b6c34",
"lineNum":"1681896081333991900",
"podName":"alertmanager-alertmanager-54d7xxxx-wnfsh",
"__time__":"1681896081334",
"serviceID":"cf5b453xxxad61d4c483b50da3fad5ad",
"category":"LTS"
}

Built-in Reserved Field Description

Table 1 Built-in reserved field description

Field

Data Format

Index and Statistics Settings

Description

collectTime

Integer, Unix timestamp (ms)

Index setting: After this function is enabled, a field index is created for collectTime by default. The index data type is long.

Enter collectTime: xxx during the query.

Indicates the time when logs are collected by ICAgent.

In the example, "collectTime":"1681896081334" is 2023-04-19 17:21:21 when converted into standard time.

__time__

Integer, Unix timestamp (ms)

Index setting: After this function is enabled, a field index is created for __time__ by default. The index data type is long. This field cannot be queried.

Log time refers to the time when a log is displayed on the console.

In the example, "__time__":"1681896081334" is 2023-04-19 17:21:21 when converted into standard time.

By default, the collection time is used as the log time. You can also customize the log time.

lineNum

Integer

Index setting: After this function is enabled, a field index is created for lineNum by default. The index data type is long.

Line number (offset), which is used to sort logs.

For non-high-precision logs, the value is generated from collectTime. The default value is collectTime * 1000000 + 1. For high-precision logs, the value is the nanosecond value reported by users.

Such as "lineNum":"1681896081333991900" in the example.

category

String

Index setting: After this function is enabled, a field index is created for category by default. The index data type is string, and the delimiters are empty. Enter category: xxx during the query.

Log type, indicating the source of the log.

For example, the field value of logs collected by ICAgent is LTS, and that of logs reported by a cloud service such as DCS is DCS.

clusterName

String

Index setting: After this function is enabled, a field index is created for clusterName by default. The index data type is string, and the delimiters are empty. Enter clusterName: xxx during the query.

Cluster name, used in the Kubernetes scenario.

Such as "clusterName":"epstest" in the example.

clusterId

String

Index setting: After this function is enabled, a field index is created for clusterId by default. The index data type is string, and the delimiters are empty. Enter clusterId: xxx during the query.

Cluster ID, used in the Kubernetes scenario.

Such as "clusterId":"c7f3f4a5-xxxx-11ed-a4ec-0255ac100b07" in the example.

nameSpace

String

Index setting: After this function is enabled, a field index is created for nameSpace by default. The index data type is string, and the delimiters are empty. Enter nameSpace: xxx during the query.

Namespace used in the Kubernetes scenario.

Such as "nameSpace":"monitoring" in the example.

appName

String

Index setting: After this function is enabled, a field index is created for appName by default. The index data type is string, and the delimiters are empty. Enter appName: xxx during the query.

Component name, used as the name of the workload in the Kubernetes scenario.

Such as "appName":"alertmanager-alertmanager" in the example.

serviceID

String

Index setting: After this function is enabled, a field index is created for serviceID by default. The index data type is string, and the delimiters are empty. Enter serviceID: xxx during the query.

Workload ID in the Kubernetes scenario.

Such as "serviceID":"cf5b453xxxad61d4c483b50da3fad5ad" in the example.

podName

String

Index setting: After this function is enabled, a field index is created for podName by default. The index data type is string, and the delimiters are empty. Enter podName: xxx during the query.

Pod name in the Kubernetes scenario.

Such as "podName":"alertmanager-alertmanager-54d7xxxx-wnfsh" in the example.

podIp

String

Index setting: After this function is enabled, a field index is created for podIp by default. The index data type is string, and the delimiters are empty. Enter podIp: xxx during the query.

Pod IP in the Kubernetes scenario.

Such as "podIp":"10.0.0.145" in the example.

containerName

String

Index setting: After this function is enabled, a field index is created for containerName by default. The index data type is string, and the delimiters are empty. Enter containerName: xxx during the query.

Container name used in the Kubernetes scenario.

Such as "containerName":"config-reloader" in the example.

hostName

String

Index setting: After this function is enabled, a field index is created for hostName by default. The index data type is string, and the delimiters are empty. Enter hostName: xxx during the query.

Indicates the host name where ICAgent resides.

Such as "hostName":"epstest-xx518" in the example.

hostId

String

Index setting: After this function is enabled, a field index is created for hostId by default. The index data type is string, and the delimiters are empty. Enter hostId: xxx during the query.

Indicates the host ID where ICAgent resides. The ID is generated by ICAgent.

Such as "hostId":"318c02fe-xxxx-4c91-b5bb-6923513b6c34" in the example.

hostIP

String

Index setting: After this function is enabled, a field index is created for hostIP by default. The index data type is string, and the delimiters are empty. Enter hostIP: xxx during the query.

Host IP address where the log collector resides (applicable to the IPv4 scenario).

Such as "hostIP":"192.168.0.31" in the example.

hostIPv6

String

Index setting: After this function is enabled, a field index is created for hostIPv6 by default. The index data type is string, and the delimiters are empty. Enter hostIPv6: xxx during the query.

Host IP address where the log collector resides (applicable to the IPv6 scenario).

Such as "hostIPv6":"" in the example.

pathFile

String

Index setting: After this function is enabled, a field index is created for pathFile by default. The index data type is string, and the delimiters are empty. Enter pathFile: xxx during the query.

Path of the collected log file.

Such as "pathFile":"stdout.log" in the example.

content

String

Index setting: After Index Whole Text is enabled, the delimiter defined by the full-text index is used to segment the value of the content field. The content field cannot be configured in the field index.

Original log content

Such as "content":"level=error ts=2023-04-19T09:21:21.333895559Z" in the example.

logContent

String

The logContent field cannot be configured in the field index.

N/A

logContentSize

Integer

The logContentSize field cannot be configured in the field index.

N/A

logIndexSize

Integer

The logIndexSize field cannot be configured in the field index.

N/A

groupName

String

The groupName field cannot be configured in the field index.

N/A

logStream

String

The logStream field cannot be configured in the field index.

N/A

__receive_time__

Integer, Unix timestamp (ms)

Index setting: After this function is enabled, a field index is created for __receive_time__ by default. The index data type is long.

Time when a log is reported to the server, which is the same as the time when the LTS collector receives the log.

__client_time__

Integer, Unix timestamp (ms)

Index setting: After this function is enabled, a field index is created for __client_time__ by default. The index data type is long.

Time when the client reports a device log.

_content_parse_fail_

String

Index setting: After this function is enabled, a field index is created for _content_parse_fail_ by default. The index data type is string, and the default delimiter is used. Enter _content_parse_fail_: xxx during the query.

Content of the log that fails to be parsed.

__save_time__

Integer, Unix timestamp (ms)

Index setting: After this function is enabled, a field index is created for __save_time__ by default. The index data type is long.

Time field of the log stream engine. Log data in the period specified by this field is obtained.

__time

Integer, Unix timestamp (ms)

Index setting: After this function is enabled, a field index is created for __time by default. The index data type is date.

Collection time, which is used for visualized query.
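
The naming rules at the top of this page and the collectTime and lineNum rows of Table 1 can be checked before data is written and when exported records are put on a timeline. The following Python sketch is an added example, not LTS or ICAgent code; the function names, the custom field names, and the second sample record are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Reserved names copied from Table 1 of this page.
RESERVED = frozenset("""collectTime __time__ lineNum category clusterName
clusterId nameSpace appName serviceID podName podIp containerName hostName
hostId hostIP hostIPv6 pathFile content logContent logContentSize
logIndexSize groupName logStream __receive_time__ __client_time__
_content_parse_fail_ __save_time__ __time""".split())

def bad_custom_names(names):
    """Map each offending custom field name to the rule it breaks."""
    return {n: "reserved field" if n in RESERVED else "double underscore"
            for n in names if n in RESERVED or "__" in n}

def decode_times(record):
    """Decode collectTime (ms) and lineNum from one record; values arrive as strings."""
    collect_ms, line_num = int(record["collectTime"]), int(record["lineNum"])
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return {
        "collect_utc": epoch + timedelta(milliseconds=collect_ms),
        # True when lineNum follows the non-high-precision default rule.
        "default_line_num": line_num == collect_ms * 1_000_000 + 1,
        # Whole-millisecond gap between collectTime and the lineNum offset.
        "gap_ms": collect_ms - line_num // 1_000_000,
    }

def in_log_order(records):
    """Sort numerically by lineNum; comparing the raw strings can misorder."""
    return sorted(records, key=lambda r: int(r["lineNum"]))

# First record: values from the page's CCE example. Second: constructed,
# one millisecond earlier, with the default lineNum.
RECORDS = json.loads("""[
 {"collectTime": "1681896081334", "lineNum": "1681896081333991900"},
 {"collectTime": "1681896081333", "lineNum": "1681896081333000001"}
]""")
# Constructed custom field names for a hypothetical API write.
CUSTOM = ["user_id", "hostIP", "trace__id", "src_ip"]

if __name__ == "__main__":
    print(bad_custom_names(CUSTOM))
    for rec in in_log_order(RECORDS):
        print(decode_times(rec))
```

The page's collectTime decodes to 09:21:21 UTC, which matches the ts value in the content field and is 17:21:21 at GMT+08:00.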