Built-in Reserved Fields
During log collection, LTS adds information such as the collection time, log type, and host IP address to logs in the form of Key-Value pairs. These fields are built-in reserved fields of LTS.
- When using APIs to write log data or add ICAgent configurations, do not set field names to built-in reserved fields. Otherwise, problems such as duplicate field names and inaccurate query may occur.
- The name of a custom log field cannot contain double underscores (_). Otherwise, the index cannot be configured.
Log Example
The following is a CCE log. The value of the content field is the original log text, and other fields are common built-in reserved fields.
{ "hostName":"epstest-xx518", "hostIP":"192.168.0.31", "clusterId":"c7f3f4a5-xxxx-11ed-a4ec-0255ac100b07", "pathFile":"stdout.log", "content":"level=error ts=2023-04-19T09:21:21.333895559Z", "podIp":"10.0.0.145", "containerName":"config-reloader", "clusterName":"epstest", "nameSpace":"monitoring", "hostIPv6":"", "collectTime":"1681896081334", "appName":"alertmanager-alertmanager", "hostId":"318c02fe-xxxx-4c91-b5bb-6923513b6c34", "lineNum":"1681896081333991900", "podName":"alertmanager-alertmanager-54d7xxxx-wnfsh", "__time__":"1681896081334", "serviceID":"cf5b453xxxad61d4c483b50da3fad5ad", "category":"LTS" }
Built-in Reserved Field Description
Field |
Data Format |
Index and Statistics Settings |
Description |
---|---|---|---|
collectTime |
Integer, Unix timestamp (ms) |
Index setting: After this function is enabled, a field index is created for collectTime by default. The index data type is long. Enter collectTime: xxx during the query. |
Indicates the time when logs are collected by ICAgent. In the example, "collectTime":"1681896081334" is 2023-04-19 17:21:21 when converted into standard time. |
__time__ |
Integer, Unix timestamp (ms) |
Index setting: After this function is enabled, a field index is created for time by default. The index data type is long. This field cannot be queried. |
Log time refers to the time when a log is displayed on the console. In the example, "__time__":"1681896081334" is 2023-04-19 17:21:21 when converted into standard time. By default, the collection time is used as the log time. You can also customize the log time. |
lineNum |
Integer |
Index setting: After this function is enabled, a field index is created for lineNum by default. The index data type is long. |
Line number (offset), which is used to sort logs. Non-high-precision logs are generated based on the value of collectTime. The default value is collectTime * 1000000 + 1. For high-precision logs, the value is the nanosecond value reported by users. Such as "lineNum":"1681896081333991900" in the example. |
category |
String |
Index setting: After this function is enabled, a field index is created for category by default. The index data type is string, and the delimiters are empty. Enter category: xxx during the query. |
Log type, indicating the source of the log. For example, the field value of logs collected by ICAgent is LTS, and that of logs reported by a cloud service such as DCS is DCS. |
clusterName |
String |
Index setting: After this function is enabled, a field index is created for clusterName by default. The index data type is string, and the delimiters are empty. Enter clusterName: xxx during the query. |
Cluster name, used in the Kubernetes scenario. Such as "clusterName":"epstest" in the example. |
clusterId |
String |
Index setting: After this function is enabled, a field index is created for clusterId by default. The index data type is string, and the delimiters are empty. Enter clusterId: xxx during the query. |
Cluster ID, used in the Kubernetes scenario. Such as "clusterId":"c7f3f4a5-xxxx-11ed-a4ec-0255ac100b07" in the example. |
nameSpace |
String |
Index setting: After this function is enabled, a field index is created for nameSpace by default. The index data type is string, and the delimiters are empty. Enter nameSpace: xxx during the query. |
Namespace used in the Kubernetes scenario. Such as "nameSpace":"monitoring" in the example. |
appName |
String |
Index setting: After this function is enabled, a field index is created for appName by default. The index data type is string, and the delimiters are empty. Enter appName: xxx during the query. |
Component name, used as the name of the workload in the Kubernetes scenario. Such as "appName":"alertmanager-alertmanager" in the example. |
serviceID |
String |
Index setting: After this function is enabled, a field index is created for serviceID by default. The index data type is string, and the delimiters are empty. Enter serviceID: xxx during the query. |
Workload ID in the Kubernetes scenario. Such as "serviceID":"cf5b453xxxad61d4c483b50da3fad5ad" in the example. |
podName |
String |
Index setting: After this function is enabled, a field index is created for podName by default. The index data type is string, and the delimiters are empty. Enter podName: xxx during the query. |
Pod name in the Kubernetes scenario. Such as "podName":"alertmanager-alertmanager-0" in the example. |
podIp |
String |
Index setting: After this function is enabled, a field index is created for podIp by default. The index data type is string, and the delimiters are empty. Enter podIp: xxx during the query. |
Pod IP in the Kubernetes scenario. Such as "podIp":"10.0.0.145" in the example. |
containerName |
String |
Index setting: After this function is enabled, a field index is created for containerName by default. The index data type is string, and the delimiters are empty. Enter containerName: xxx during the query. |
Container name used in the Kubernetes scenario. Such as "containerName":"config-reloader" in the example. |
hostName |
String |
Index setting: After this function is enabled, a field index is created for hostName by default. The index data type is string, and the delimiters are empty. Enter hostName: xxx during the query. |
Indicates the host name where ICAgent resides. Such as "hostName":"epstest-xx518" in the example. |
hostId |
String |
Index setting: After this function is enabled, a field index is created for hostId by default. The index data type is string, and the delimiters are empty. Enter hostId: xxx during the query. |
Indicates the host ID where ICAgent resides. The ID is generated by ICAgent. Such as "hostId":"318c02fe-xxxx-4c91-b5bb-6923513b6c34" in the example. |
hostIP |
String |
Index setting: After this function is enabled, a field index is created for hostIP by default. The index data type is string, and the delimiters are empty. Enter hostIP: xxx during the query. |
Host IP address where the log collector resides (applicable to IPv4 scenario) Such as "hostIP":"192.168.0.31" in the example. |
hostIPv6 |
String |
Index setting: After this function is enabled, a field index is created for hostIPv6 by default. The index data type is string, and the delimiters are empty. Enter hostIPv6: xxx during the query. |
Host IP address where the log collector resides (applicable to IPv6 scenario) Such as "hostIPv6":"" in the example. |
pathFile |
String |
Index setting: After this function is enabled, a field index is created for pathFile by default. The index data type is string, and the delimiters are empty. Enter pathFile: xxx during the query. |
File path is the path of the collected log file. Such as "pathFile":"stdout.log" in the example. |
content |
String |
Index setting: After Index Whole Text is enabled, the delimiter defined by the full-text index is used to segment the value of the content field. The content field cannot be configured in the field index. |
Original log content Such as "content":"level=error ts=2023-04-19T09:21:21.333895559Z" in the example. |
logContent |
String |
The logContent field cannot be configured in the field index. |
N/A |
logContentSize |
Integer |
The logContentSize field cannot be configured in the field index. |
N/A |
logIndexSize |
Integer |
The logIndexSize field cannot be configured in the field index. |
N/A |
groupName |
String |
The groupName field cannot be configured in the field index. |
N/A |
logStream |
String |
The logStream field cannot be configured in the field index. |
N/A |
__receive_time__ |
Integer, Unix timestamp (ms) |
Index setting: After this function is enabled, a field index is created for __receive_time__ by default. The index data type is long. |
Time when a log is reported to the server, which is same as the time when the LTS collector receives the log. |
__client_time__ |
Integer, Unix timestamp (ms) |
Index setting: After this function is enabled, a field index is created for __client_time__ by default. The index data type is long. |
Time when the client reports a device log. |
_content_parse_fail_ |
String |
Index setting: After this function is enabled, a field index is created for _content_parse_fail_ by default. The index data type is string, and the default delimiter is used. Enter _content_parse_fail_: xxx during the query. |
Content of the log that fails to be parsed. |
__save_time__ |
Integer, Unix timestamp (ms) |
Index setting: After this function is enabled, a field index is created for __save_time__ by default. The index data type is long. |
Time field of the log stream engine. Log data in the period specified by this field is obtained. |
__time |
Integer, Unix timestamp (ms) |
Index setting: After this function is enabled, a field index is created for __time by default. The index data type is date. |
Collection time, which is used for visualized query. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot