Global field reference
The following reference contains a list of global fields that have a well defined semantic meaning in Dynatrace and can be used across different monitoring types. The fields are organized in namespaces that are separated with dots.
Top level fields
The top level fields contain generally relevant information for all monitoring data.
timestamp
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123
timeframe
The timeframe represented by a timeseries record.
start_time
Start time of a data point. Value is a UNIX Epoch time in nanoseconds and less than or equal to the end_time.
1649822520123123123
end_time
End time of a data point. Value is a UNIX Epoch time in nanoseconds and greater than or equal to the start_time.
1649822520123123165
duration
The difference of start_time and end_time in nanoseconds.
42
interval
Denotes the timeframe represented by individual timeseries measurements returned by a timeseries record.
1 min
Adobe
Fields
adobe.em.env_type
Adobe Experience Manager (AEM) environment type.
dev; stage; prod
adobe.em.program
Adobe Experience Manager (AEM) service. Contains the customer defined name of the AEM environment.
adobe.em.service
Adobe Experience Manager (AEM) service. Contains the program and environment IDs the customer is exposed to.
adobe.em.tier
Adobe Experience Manager (AEM) tier.
author; publish; preview
Aggregation
OneAgent might aggregate spans having the same parent span into a single one. The aggregated span contains attributes to indicate that aggregation happened and to allow details to be reconstructed.
For aggregated spans the start_time holds the earliest start_time, end_time holds the latest end_time of all aggregated spans.
Fields
aggregation.count
The number of spans aggregated into this span. This span therefore represents multiple spans, so the value is >1.
3
aggregation.exception_count
The number of aggregated spans which included an exception.
0; 6
aggregation.duration_sum
The duration sum in nanoseconds for all aggregated spans.
123
aggregation.duration_min
The duration in nanoseconds for the shortest aggregated span.
42
aggregation.duration_max
The duration in nanoseconds for the longest aggregated span.
482
aggregation.parallel_execution
true indicates that aggregated spans may have been executed in parallel. Therefore start_time + duration_sum may exceed end_time.
aggregation.duration_samples
Array of reservoir sampled span durations of the aggregated spans. The duration samples can be used to estimate a more accurate duration distribution of aggregated spans rather than using the average value.
[42, 482, 301]
Apache HTTP Server
Fields
apache.httpd.config.path
Apache Spark
Fields
apache.spark.master.ip
Apache Tomcat
Fields
apache.tomcat.base
The server's base directory. This is what usually is referred to as CATALINA_BASE.
/usr/share/tomcat6
apache.tomcat.home
The server's home directory. This is what usually is referred to as CATALINA_HOME.
/usr/share/tomcat6
App
The app namespace contains information on the application sending the event.
Fields
app.bundle
Name of the bundle or package.
com.example.easytravel
app.version
Full version of the application. This can include more verbose information, such as the build number.
5.23.15789; 143542
app.short_version
Human readable version of the application, usually major & minor version.
5.23
app.id
The unique application identifier. Dynatrace apps are prefixed with 'dynatrace.', custom apps are prefixed with 'my.'
dynatrace.notebooks; my.awesome.app
ASP.NET Core
Fields
aspnetcore.appl.path
Authentication
Authentication type and method used to login to a Dynatrace system.
Fields
authentication.type
The method of authentication.
OAUTH2
authentication.grant.type
The grant type used during OAuth2 authentication.
AUTHORIZATION_CODE; CLIENT_CREDENTIALS
authentication.client.id
The OAuth2 client id if of type 'CLIENT_CREDENTIALS'.
dt0s02.UZCK6ENL.2YQ2A3DZUEISRJSUU5544J3SC3TMPXSEEMNA5HK7RW54SJ6XKLYGMWJNKL7B2DNH
authentication.token
The public token identifier of authentication.type 'TOKEN'.
dt0c01.AM4SEYKIBROBEJ2N3HAXZ4IX
authentication.type MUST be one of the following:
DEVOPSTOKEN
NONE
TOKEN
authentication.grant.type MUST be one of the following:
AUTHORIZATION_CODE
CLIENT_CREDENTIALS
authentication.client.id and authentication.token MUST follow the Dynatrace token format definition.
Specifically, authentication.client.id MUST be prefixed with dt0s02.
Availability
Information about entity availability. Sample usage is reporting hosts and PGI-s availability by OS Agent. Value of availability.state can be used for calculating aggregate availability (dividing count of "successful" requests by count of all requests). With constant frequency of requests it can be treated as a time-base availability, showing percentage of time that the monitored entity was available.
Fields
availability.state
State of entity (host or PGI) availability.
up
availability.state has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
available
no_data
no_data_agent_inactive
shutdown_host
unavailable
unimportant
unmonitored_agent_stopped
unmonitored_agent_uninstalled
unmonitored_agent_upgrade
up
Amazon Web Services (AWS)
Fields that can come from applications running on AWS.
Fields
Resource attributes
aws.ecr.account.id
aws.ecr.region
aws.ecs.cluster
aws.ecs.container.name
aws.ecs.family
aws.ecs.revision
aws.ecs.task.arn
The full Amazon Resource Name (ARN) of the task to which the container belongs.
arn:aws:ecs:us-west-2:111122223333:task/default/cd189a933e5849daa93386466019ab50
aws.ecs.docker.name
The name of the container supplied to Docker.
curl-image
aws.ecs.container.arn
The full Amazon Resource Name (ARN) of the container.
arn:aws:ecs:us-west-2:111122223333:container/05966557-f16c-49cb-9352-24b3a0dcd0e1
aws.ecs.docker.id
The Docker ID for the container.
cd189a933e5849daa93386466019ab50-2495160603
aws.lambda.function.name
aws.lambda.initialization_type
The AWS Lambda initialization type. Same string value as available in AWS_LAMBDA_INITIALIZATION_TYPE.
snap_start
aws.region
A specific geographical AWS Cloud location.
us-east-1
aws.account.id
A 12-digit number, such as 123456789012, that uniquely identifies an AWS account.
Tags:
permission
123456789012
aws.availability_zone
A specific availability zone in given AWS region.
us-east-1a; us-east-1b
aws.log_group
Amazon CloudWatch group of log streams that share the same retention, monitoring, and access control settings.
/aws/lambda/a-SomeFumction-1AWHD6W1QC5DH
aws.log_stream
A sequence of log events that share the same source.
2021/01/04/[$LATEST]b2e34f11da04232cb9f9d3d5799a5c12
aws.service
The service that identifies the AWS product.
s3
aws.resource.type
The name of a resource type
group; cluster; instance
aws.resource.id
The unique identifier of the resource
i-0922cda4579db3a45
aws.resource.name
The name of the resource - value of Name tag in AWS
my-ec2-instance
aws.arn
Amazon Resource Name (ARN)
arn:aws:lambda:us-east-1:478983378254:function:acceptanceWeatherBackend
aws.alb.name
Application load balancer name that instance is behind
my-alb
aws.lambda.initialization_type has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
on-demand
provisioned-concurrency
snap-start
Span attributes
aws.x_amzn_trace_id
Root=1-63441c4a-abcdef012345678912345678
; Self=1-63441c4a-12456789abcdef012345678;Root=1-67891233-abcdef012345678912345678
aws.x_amzn_request_id
Contains the value of the AWS 'X-Amzn-RequestId' HTTP header.
123344566
aws.lambda.invoked_arn
The full invoked ARN as provided on the Context passed to the function (Lambda-Runtime-Invoked-Function-Arn response header from the request to /runtime/invocation/next).
arn:aws:lambda:us-east-1:123456789012:function:acceptanceWeatherBackend:production
Azure
Fields that can come from applications running on Azure.
Fields
Resource attributes
azure.subscription
An Azure subscription is a logical container used to provision resources in Azure.
Tags:
permission
27e9b03f-04d2-2b69-b327-32f433f7ed21
azure.resource.group
A resource group is a container that holds related resources for an Azure solution.
Tags:
permission
demo-backend-rg
azure.resource.type
The name of a resource type in the format: {resource-provider}/{resource-type}.
Microsoft.ContainerService/managedClusters
azure.resource.id
A unique, immutable, identifier assigned to each Azure cloud resource.
/subscriptions/27e9b03f-04d2-2b69-b327-32f433f7ed21/resourceGroups/demo-backend-rg/providers/Microsoft.ContainerService/managedClusters/demo-aks
azure.resource.name
User provided name of Azure cloud resource.
demo-aks
azure.location
A specific geographical location of Azure Cloud resource.
East US
azure.management_group
A group of Azure subscriptions used for governance use cases.
Tenant Root Group; My Custom Group
azure.event_hub_namespace.name
Azure Event Hub Namespace name.
my-event-hub
azure.service_bus_namespace.name
Azure Service Bus name.
my-service-bus
azure.sql_server.name
Azure SQL Server name.
contoso-sql-server
azure.sql_elastic_pool.name
Azure SQL Server Elastic Pool name.
contoso-elastic-pool
azure.vm.name
Azure Virtual Machine name.
my-virtual-machine
azure.vm_scale_set.name
Azure Virtual Machine Scale Set name.
my-vmss
azure.vmid
Azure Virtual Machine unique 128-bit identifier.
090556DA-D4FA-764F-A9F1-63614EDA019A
azure.site_name
Globally unique deployment information about an Azure function.
dt-function-scripted
azure.class_name
The full qualified name of the class executing an Azure function.
Host.Functions
BOSH
Fields that are integral to applications managed by BOSH.
Fields
Resource attributes
bosh.name
A unique identifier to a deployment or instance.
isolated_diego_cell_devima
bosh.instance_id
A unique identifier assigned to each deployed instance.
af318409-9e9d-4a18-aca4-0fb52bbdc526
bosh.availability_zone
A specific geographical BOSH location.
us-east-1a
Browser
The browser namespace contains information on the browser running an application.
Fields
browser.user_agent
Full user agent string as provided by the browser.
Mozilla/5.0 (Windows NT 10.0; Win64; x64)
browser.name
Browser name
Mozilla
browser.version
Browser version
5.0
browser.type
Type of browser
desktop; mobile; tablet; robot; other
Captured Attributes
Span scoped attributes (e.g. method parameters, return values, class names, …) captured by the OneAgent based on a request attribute rule. The actual name of the attribute is the prefix "captured_attribute" plus the "request attribute name" defined in the request attributes configuration. In contrast to request attributes, captured attributes contain the raw values reported by the OneAgent at the location (i.e. on the active span) where they appeared. No aggregation (first/last value, distinct values, ...), type conversion or normalization is performed on them. They are the basis for request attributes.
Fields
captured_attribute.__attribute_name__
Contains the span scoped raw values that were captured under the name __attribute_name__ defined by the request attribute configuration. The values are always mapped as array according to the type of the captured attributes, so either boolean, double, long or string. If the captured attributes have mixed types (e.g. long and string, or double and long, etc.), all attributes are converted to string and stored as string array.
[42]; ['Platinum']; [32, 16, 8]; ['Special Offer', '1702']; ['18.35', '16']
Cassandra
Fields
cassandra.cluster.name
Client
The client namespace contains information on the initiator of a network connection.
Fields
client.ip
IP address of the client (IPv4 or IPv6) making the request.
Tags:
sensitive-spans
194.232.104.141; 2a01:468:1000:9::140
client.port
Client port number.
65123; 80
client.isp
The name of the Internet Service Provider (ISP) associated with the IP address of the client.
Internet Service Provider Name
client.ip.is_public
Indicates whether IP is a public IP.
True
Cloud
Fields related to cloud deployments that can be used across different providers.
Fields
cloud.availability_zone
Identifier referring to the availability zone within a cloud vendor's region.
us-east-1a
cloud.region
Identifier referring to a geographic region of a cloud vendor's datacenter.
us-east-1
cloud.resource_id
Cloud provider-specific native identifier of the monitored cloud resource (e.g. an ARN on AWS, a fully qualified resource ID on Azure, a full resource name on GCP).
arn:aws:lambda:REGION:ACCOUNT_ID:function:my-function
; //run.googleapis.com/projects/PROJECT_ID/locations/LOCATION_ID/services/SERVICE_ID
; /subscriptions/<SUBSCIPTION_GUID>/resourceGroups/<RG>/providers/Microsoft.Web/sites/<FUNCAPP>/functions/<FUNC>
cloud.provider
Name of the cloud provider.
alibaba_cloud
cloud.account.id
The cloud account ID the resource is assigned to.
111111111111; opentelemetry
The prefix of the service matches the one specified in cloud.provider.
cloud.provider has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
alibaba_cloud
aws
azure
gcp
heroku
ibm_cloud
tencent_cloud
cloud.platform MUST be one of the following:
alibaba_cloud_ecs
alibaba_cloud_fc
alibaba_cloud_openshift
aws_app_runner
aws_ec2
aws_ecs
aws_eks
aws_elastic_beanstalk
aws_lambda
aws_openshift
azure_aks
azure_app_service
azure_container_instances
azure_functions
azure_openshift
azure_vm
gcp_app_engine
gcp_cloud_functions
gcp_cloud_run
gcp_compute_engine
gcp_kubernetes_engine
gcp_openshift
ibm_cloud_openshift
tencent_cloud_cvm
tencent_cloud_eks
tencent_cloud_scf
Cloudfoundry
Fields
cloudfoundry.application.id
cloudfoundry.application.name
cloudfoundry.instance.index
cloudfoundry.space.id
cloudfoundry.space.name
Code
Fields
code.function
The method or function name, or equivalent (usually rightmost part of the code unit's name). Represents the name of the function, that is represented by this span.
serveRequest
code.namespace
The "namespace" within which code.function is defined. Usually the qualified class or module name, such that code.namespace + some separator + code.function form a unique identifier for the code unit.
com.example.MyHttpService
code.filepath
The source code file name that identifies the code unit as uniquely as possible.
/usr/local/MyApplication/content_root/app/index.php
code.invoked.function
Like code.function, only it represents the function that was active when a span has been started. Typically it is the function that has been instrumented. The span's duration does not reflect the duration of this function execution. Should only be set if it differs from code.function.
invoke
code.invoked.namespace
Like code.namespace, only it represents the namespace of the function that was active when a span has been started. Typically it is the function that has been instrumented. Should only be set if it differs from code.namespace.
com.sun.xml.ws.server.InvokerTube$2
code.invoked.filepath
Like code.filepath, only it represents the file path of the function that was active when a span has been started. Typically it is the function that has been instrumented. Should only be set if it differs from code.filepath.
/usr/local/MyApplication/content_root/app/index.php
code.call_stack
The call stack of the code.function. The call stack starts with the code.function and the stack frames are separated by a line feed.
com.example.SampleClass.doProcessing(SampleClass.java) com.example.SampleClass.doSomeWork(SampleClass.java) com.example.SampleClass.main(SampleClass.java)
Coldfusion
Fields
coldfusion.jvm.config.file
coldfusion.service.name
Compilation Timings
For some technologies compilation of code might be a significant contributor to request execution time. Compilation timings provide insight into this, where available.
Fields
compilation_timings.duration_sum
The total duration in nanoseconds spent compiling.
6723
compilation_timings.compilation_count
The number of compilations contributing to compilation_timings.duration_sum.
7
compilation_timings.top_compilations
The top N compilations contributing to compilation_timings.duration_sum, represented as map from compilation unit name to duration in nanoseconds spent.
{'/home/user/test/php/build/tmp/php-htdocs/memcached/memcachedCli.php': 1952, '/home/user/test/php/build/tmp/php-htdocs/curl_cli_uri_filtering.php': 1306}
Container
Fields
container.id
Container ID. Usually a UUID, as for example used to identify Docker containers. The UUID might be abbreviated.
a3bf90e006b2
container.image.name
Name of the image the container was built on.
gcr.io/opentelemetry/operator
container.image.version
0.1
container.name
Container name used by container runtime.
opentelemetry-autoconf
CICS Transaction Gateway
CTG (shorthand for "CICS Transaction Gateway") is a connector for enterprise modernization of CICS assets. It empowers various application platforms, such as Java servlets, to incorporate CICS programs.
CICS (shorthand for "Customer Information Control System") is a middleware to support rapid, high-volume online transaction processing on IBM mainframe systems on z/OS. CTG features a client and a server, which communicate via so-called GatewayRequests.
Fields
ctg.request.gateway_url
URL of the gateway. Only set on client-side spans.
tcp://1.2.3.4:5678/
ctg.request.type
Type of the CTG GatewayRequest.
BASE
ctg.request.call_type
Integer representing the call type of the CTG GatewayRequest. The set of possible values varies per request type. 1
2
ctg.request.flow_type
5
ctg.request.server_id
ID of the server. Not set for all request types.
IPICTEST
ctg.request.commarea_length
Length of the COMMAREA. Only set when request type is ECI.
0
ctg.request.term_id
Name of the terminal resource. Only set when request type is EPI.
CN02
ctg.request.object_name
Name of the request object. Only set when request type is ADMIN.
ctg.request.extend_mode
Integer representing the extend mode of the CTG GatewayRequest. Only set when request type is ECI. 3
11
ctg.response.code
-23
The values are defined in the IBM CTG API source code.
ctg.request.type MUST be one of the following:
ADMIN
AUTH
BASE
ECI
EPI
ESI
XA
Custom Services
Fields
custom_service.name
The name of a custom service. This field is only present if a custom service was directly created via Dynatrace OneAgent SDK.
MyCustomService; AuthenticationComponent
custom_service.method
The service method of a custom service. This field is only present if a custom service was directly created via Dynatrace OneAgent SDK.
startTask; run; authenticate
Database
Fields
db.system
An identifier for the database management system (DBMS) product being used. See below for a list of well-known identifiers.
mongodb; mysql
db.namespace
The name of the database, fully qualified within the server address and port.
customers; test.users
db.query.text
SELECT * FROM wuser_table
; SET mykey "WuValue"
db.query.parameters
The query parameters used in db.query.text represented as a key and value map. For database systems which do not have named keys the map key is the string representation of the index starting with 0. Several database requests may get aggregated into a single span. Each entry in the array holds the bind parameters for one database request.
Tags:
sensitive-spans
[{'name': 'paul', 'age': '23'}, {'name': 'mary', 'age': '32'}]
; [{'0': 'paul', '1': '23'}, {'0': 'mary', '1': '32'}]
db.affected_item_count
The number of items (rows, documents,…) affected.
32
db.collection.name
The name of a collection (table, container) within the database.
customers; public.users
db.operation.name
The name of the operation or command executed, e.g. the MongoDB command name, SQL keyword, Redis command name,… 2
drop; findAndModify; SELECT; PREPARE; GetItem; set; LPUSH; mutateIn; ReadItems
db.result.execution_count
The number of operations executed on the result (e.g. fetches from SQL result set, MongoDB cursor operations).
12
db.result.exception_count
The number of exceptions encountered while fetching the result.
2
db.result.duration_sum
The total duration in nanoseconds used for fetching the result.
234
db.result.duration_min
The minimum duration in nanoseconds used for fetching the result.
123
db.result.duration_max
The maximum duration in nanoseconds used for fetching the result.
345
db.result.roundtrip_count
The number of round-trips triggered by fetching the result.
2
db.dynamodb.region
The region of the dynamodb (see also cloud.region).
us-east-1
db.dynamodb.table_names
The list of tables the request targets.
[Cats, Dogs]
db.connection_string
The connection string for a database connection.
Tags:
sensitive-spans
jdbc:dynamodb:Access Key=XXX;Secret Key=XXX;Domain=amazonaws.com;Region
db.cosmosdb.request_charge
4.95; 2.0
The value may be sanitized to exclude sensitive information.
Depending on the data provided on ingest, this attribute may be derived by e.g. parsing db.statement. Parsing might fail or the result might be inaccurate.
db.system has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
adabas
cache
cassandra
clickhouse
cloudscape
cockroachdb
coldfusion
cosmosdb
couchbase
couchdb
db2
derby
dl/i
dynamodb
edb
elasticsearch
filemaker
firebird
firstsql
geode
h2
hanadb
hbase
hive
hsqldb
informix
ingres
instantdb
interbase
mariadb
maxdb
memcached
mongodb
mssql
mssqlcompact
mysql
neo4j
netezza
opensearch
oracle
other_sql
pervasive
pointbase
postgresql
progress
redis
redshift
spanner
sqlite
sybase
teradata
vertica
Deployment Attributes
Fields
deployment.release_product
The name of the deployed product.
WoGo Main
deployment.release_stage
The stage the product is deployed to.
production
deployment.release_version
The version of the deployed product.
0.4.1
deployment.release_build_version
The build version of the deployed product.
2021-03-24
Device
The device namespace contains information on the device running an application. This should only be used for end-user devices or devices outside of a private infrastructure. In line with the naming conventions and guidelines, we are in this case adhering to the emerging Open Telemetry convention around this, with some additions.
Fields
device.manufacturer
The manufacturer of the device.
Apple
device.model.identifier
The model identifier of the device.
iPhone3,4
device.is_rooted
Indicates if a rooted device was detected.
device.screen.width
Screen size width.
2048
device.screen.height
Screen size height.
1152
device.battery.level
The battery level of the device.
100
device.orientation
The orientation of the device.
landscape
Disk
Fields describing a disk.
Fields
Resource attributes
disk.device_name
Disk device name (Linux, AIX)
sda
disk.mountpoint
Primary mountpoint
/mnt/storage
disk.all_mountpoints
List of all mountpoints
[/mnt/storage, /home, /var/log]
DL/I Database Attachment
Fields
db.dli.pcb
The name of the program communication block associated with this DL/I method.
3; MYPCBNAM
db.dli.segment_name
The name of the last segment that was matched or returned.
PARTROOT
db.dli.segment_level
The hierarchical level of the segment that was matched or returned.
3; 24
db.dli.processing_options
The PCB processing options.
GR
db.dli.terminal_name
The DL/I database or logical terminal name associated with this DL/I method.
HWSAM5ZD; 10505
db.dli.status_code
The DL/I status code.
QC
db.dli.pcb_type
The PCB type.
DC; DL/I; F/P
db.dli.pcb_type MUST be one of the following:
DC
DL/I
F/P
Dotnet
Fields
dotnet.dll.file
Filename of main dotnet assembly.
dotnet.dll.path
Filepath of main dotnet assembly.
Dynatrace ActiveGate
Metadata with ActiveGate related information.
Fields
dt.active_gate.id
Hexadecimal identifier of the ActiveGate prefixed with 0x.
0xef3d21c3
dt.active_gate.group.name
The name of the group the ActiveGate instance belongs to.
GdanskLab
dt.active_gate.working_mode
Working mode of the ActiveGate
cluster
dt.active_gate.working_mode MUST be one of the following:
cluster
embedded
environment
multitenant
API connector fields
dt.active_gate.api_connector.config_id
Config long id of the endpoint configuration as a string.
123; 9276
dt.active_gate.api_connector.pipeline_identifier
String identifier of an api connector pipeline
Kubernetes/Topology
dt.active_gate.api_connector.pipeline_status
Status of an api connector pipeline run
failed
dt.active_gate.api_connector.technology_id
String identifier of an api connector technology
Kubernetes; CloudFoundry; AWS; Dynatrace Extension; Azure
dt.active_gate.api_connector.pipeline_status MUST be one of the following:
failed
skipped
succeeded
Dynatrace OneAgent Metadata
Metadata of the OneAgent module that reported a signal. These attributes are what one would also see in OneAgent Health.
Fields
dt.agent.module.type
OneAgent module type
apache
dt.agent.module.version
OneAgent full module version
1.269.17.20221117-132428
dt.agent.module.version_short
OneAgent short module version, to be expected only on record types where dt.agent.module.version's cardinality would be a problem.
1.269
dt.agent.module.id
OneAgent module ID.
031f613871fab0b4; fc3cd1bb276f0bed
dt.agent.module.parent_id
OneAgent parent module ID, in case this is a so-called sub-agent
ea89eef5db8b85a9
dt.agent.module.type has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
apache
dotnet
dumpproc
extensions
go
iis
java
log_analytics
net
nettracer
nginx
nodejs
opentracingnative
os
php
plugin
process
python
remote_plugin
ruby
sdk
support
updater
varnish
wsmb
z
Davis metadata
Some attributes are used in the context of the Davis engine.
Fields
Configuration fields
These fields can be set in events to influence the Davis engine behavior.
dt.davis.timeout
The event timeout period (in minutes). Various event sources use this event property to keep an event active by regularly refreshing an initial event. The timeout defines how fast the event source must refresh an event to keep it active. To keep the event active, the event source must send the refresh within the timeout period. If no refresh is sent, the event is automatically closed by Dynatrace after the timeout period. Note that metric sources use their own configurable de-alerting windows to close events. Setting the timeout shorter than the de-alerting window will force events to close and increase the risk of false-positive alerts.
dt.davis.is_frequent_issue_detection_allowed
The flag controls whether the Davis® engine should consider suppressing frequent events (true) or bypassing frequent issues check (false).
dt.davis.analysis_time_budget
The time budget (in seconds) that the Davis® engine is granted before it must raise a problem. The analysis time budget can be set per event and controls the balance of sending out alerts early and granting the AI analysis enough time to finish its analysis. The trade-off of a short analysis budget is that the root cause and event merge analysis is limited or even skipped. For example, the time budget of 0 seconds means that the event raises a problem and sends the alert immediately, without any analysis.
dt.davis.analysis_trigger_delay
The time delay (in seconds) before the trigger of Davis® analysis. For example, the delay of 0 seconds triggers a Davis® problem and the root cause analysis immediately. The trigger delay can be used to hold the analysis until all the relevant root cause data has arrived at Dynatrace. For example, it might be beneficial for cloud integrations or log integrations that report data on different schedules: you can delay the analysis until data from all sources is available. Note that while longer delays mean more data is available for root cause analysis, they also delay alert delivery.
dt.davis.is_merging_allowed
This flag controls whether the Davis® engine is allowed to merge this event into a larger problem (true) or if a new problem must be created (false).
dt.davis.is_rootcause_relevant
This flag controls whether the Davis® engine should include this event within the root cause analysis (true) or if it is not (false) relevant.
dt.davis.is_problem_suppressed
This flag controls whether the Davis® engine suppresses the problem from showing up in the UI and sending notifications.
dt.davis.is_entity_remapping_allowed
This flag defines whether the remapping of the target entity is enabled (true) or disabled (false). If the remapping is enabled, Dynatrace can map the event to an entity extracted from the event metadata. If the remapping is disabled or the extraction is not possible, Dynatrace maps the event to the entity specified in the event configuration (for example, a specific host) or to the global environment entity.
dt.davis.preferred_entity_type
The preferred entity type for remapping. You can find possible values in Dynatrace UI under Settings > Topology model > Generic types. If the remapping (dt.event.allow_entity_remapping) is enabled, this property defines the entity type to which the event should be mapped. If no entity of the preferred type is extracted, no remapping is applied.
my.custom.entity.type
System fields
These fields can be set by Davis routines.
dt.davis.forecast.upper
The upper bound of the prediction interval of a given metric forecast.
dt.davis.forecast.point
The point value of a metric forecast.
dt.davis.forecast.lower
The lower bound of the prediction interval of a given metric forecast.
dt.davis.anomaly_detection.upper
The upper value range limit where any value above this point is considered abnormal.
dt.davis.anomaly_detection.lower
The lower value range limit where any value below this point is considered abnormal.
dt.davis.anomaly_detection.anomaly
Boolean timeseries of 0 and 1 showing whether a single timespan is outside the normal value range and therefore considered as abnormal.
dt.davis.anomaly_detection.alert
Boolean time series of 0 and 1 showing whether a single timespan was alerted due to continuous violations.
Dynatrace Entity IDs
The Dynatrace OneAgent associates monitoring data with a so called Monitored Entity ID (ME ID). On OneAgent monitored environments, whenever ME IDs are accessible within the monitored system they should be used to enrich monitoring data to facilitate correlations with data primarily addressed through ME IDs coming from other channels.
The structure for keys that signify entity IDs is dt.entity.{type of entity}
.
The value associated with such a key must be valid Dynatrace entity identifier
(see Topology and Smartscape API).
To allow linking Entity IDs across various different monitoring artifacts (logs, metrics, etc.), all string representations of Entity IDs are required to follow a canonical form, which for all current entities is defined as PREFIX-0123456789ABCDEF
.
Consumers should treat the token as an opaque value and must not infer any semantics on the ID itself. Producers need to match the Entity ID that is being returned by Dynatrace Entity API verbatim.
Producers of string representation must treat the string as if it was parsed case-sensitively, even though some parts of the product may be more lenient.
The structure of the entity ID is currently as follows: <ID-NAMESPACE>-<16-digit-hex-string>. The <ID-NAMESPACE> is type specific but cannot be used to determine the actual entity type reliably, especially in cases of CUSTOM_DEVICE. The <16-digit-hex-string> needs to be zero-padded (prefix) to a length of 16 digits and must use upper case letters A-F.
Current entity IDs in canonical form can be represented structurally with the following regular expression: [A-Z][A-Z_]*-[0-9A-F]{16}.
Additional characters or changes in the format may happen in the future but will not invalidate existing IDs or ID generation rules.
When adding a name to an entity ID via the Grail function entityName, by default, the name of the respective entity will be represented as dt.entity.{type of entity}.name. Similarly, further entity attributes can be added via the Grail function entityAttr, resulting in additional field(s) following the naming convention dt.entity.{type of entity}.{name of attribute}.
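A producer-side check of the canonical form described above, as an added example that is not part of the Dynatrace documentation or product. It assumes digits may appear in the ID namespace, because the regular expression as written on this page does not admit the page's own EC2_INSTANCE sample; the function names and the sample records are constructed for illustration.

```python
import re

# The page's structural regex is [A-Z][A-Z_]*-[0-9A-F]{16}. Assumption of this
# example: digits are also allowed after the first namespace letter, because
# the page's own dt.entity.ec2_instance sample (EC2_INSTANCE-...) contains one.
CANONICAL = re.compile(r"[A-Z][A-Z0-9_]*-[0-9A-F]{16}")
# Looser shape, used only to explain why a value was rejected.
LOOSE = re.compile(r"([A-Za-z][A-Za-z0-9_]*)-([0-9A-Fa-f]*)")
# Keys of the form dt.entity.{type of entity}. Keys with a further dot, such as
# dt.entity.host.name added by entityName, hold names or attributes, not IDs.
ENTITY_ID_KEY = re.compile(r"dt\.entity\.[a-z0-9_]+")


def diagnose_entity_id(value):
    """Return None if value is in canonical form, else a short reason."""
    if not isinstance(value, str):
        return "not a string"
    if CANONICAL.fullmatch(value):
        return None
    if value != value.strip():
        return "surrounding whitespace"
    match = LOOSE.fullmatch(value)
    if not match:
        return "not of the form <ID-NAMESPACE>-<16-digit-hex-string>"
    namespace, hex_part = match.groups()
    if namespace != namespace.upper():
        return "namespace must be upper case"
    if len(hex_part) < 16:
        return "hex part not zero-padded to 16 digits"
    if len(hex_part) > 16:
        return "hex part longer than 16 digits"
    return "hex digits must use upper case A-F"


def check_record(record):
    """Validate every dt.entity.{type} value of one record.

    The ID is treated as opaque: the namespace is never compared with the key,
    since the page states it does not reliably identify the entity type.
    Returns a dict mapping each offending key to the reason it was rejected.
    """
    problems = {}
    for key, value in record.items():
        if not ENTITY_ID_KEY.fullmatch(key):
            continue
        reason = diagnose_entity_id(value)
        if reason is not None:
            problems[key] = reason
    return problems


# Constructed sample records (IDs taken from or derived from the page's samples).
RECORDS = [
    {"dt.entity.host": "HOST-E0D8F94D9065F24F", "dt.entity.host.name": "web-01"},
    {"dt.entity.host": "host-E0D8F94D9065F24F",
     "dt.entity.service": "SERVICE-57ec3cfc1fe72449"},
    {"dt.entity.disk": "DISK-1ED0981D6",
     "dt.entity.ec2_instance": "EC2_INSTANCE-0004DD30F142D18C"},
    {"dt.entity.process_group": " PROCESS_GROUP-E0D8F94D9065F24F"},
]

if __name__ == "__main__":
    for number, record in enumerate(RECORDS):
        print(number, check_record(record) or "ok")
```

Records that fail this check should be corrected at the producer by copying the ID verbatim from the Dynatrace Entity API, not by rewriting the string in place.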
Fields
dt.entity.host
An entity ID of an entity of type HOST.
Tags:
entity-id
HOST-E0D8F94D9065F24F
dt.entity.host_group
An entity ID of an entity of type HOST_GROUP.
Tags:
entity-id
HOST_GROUP-E7FBBCF7B1467174
dt.entity.process_group
An entity ID of an entity of type PROCESS_GROUP.
Tags:
entity-id
PROCESS_GROUP-E0D8F94D9065F24F
dt.entity.process_group_instance
An entity ID of an entity of type PROCESS_GROUP_INSTANCE.
Tags:
entity-id
PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F
dt.entity.custom_device
An entity ID of an entity of type CUSTOM_DEVICE.
Tags:
entity-id
CUSTOM_DEVICE-E0D8F94D9065F24F
dt.entity.cloud_application_instance
An entity ID of an entity of type CLOUD_APPLICATION_INSTANCE.
Tags:
entity-id
CLOUD_APPLICATION_INSTANCE-E0D8F94D9065F24F
dt.entity.cloud_application
An entity ID of an entity of type CLOUD_APPLICATION.
Tags:
entity-id
CLOUD_APPLICATION-3AB5BBF3E09A7942
dt.entity.cloud_application_namespace
An entity ID of an entity of type CLOUD_APPLICATION_NAMESPACE.
Tags:
entity-id
CLOUD_APPLICATION_NAMESPACE-C61324AA70F57BCB
dt.entity.kubernetes_node
An entity ID of an entity of type KUBERNETES_NODE.
Tags:
entity-id
KUBERNETES_NODE-874C66B68CE15070
dt.entity.kubernetes_cluster
An entity ID of an entity of type KUBERNETES_CLUSTER.
Tags:
entity-id
KUBERNETES_CLUSTER-E0D8F94D9065F24F
dt.entity.kubernetes_service
An entity ID of an entity of type KUBERNETES_SERVICE.
Tags:
entity-id
KUBERNETES_SERVICE-FE6E75BB9DF02347
dt.entity.container_group
An entity ID of an entity of type CONTAINER_GROUP.
Tags:
entity-id
CONTAINER_GROUP-7C2B1C24FFB288CB
dt.entity.container_group_instance
An entity ID of an entity of type CONTAINER_GROUP_INSTANCE.
Tags:
entity-id
CONTAINER_GROUP_INSTANCE-F4A1347110826781
dt.entity.synthetic_location
An entity ID of an entity of type SYNTHETIC_LOCATION.
Tags:
entity-id
SYNTHETIC_LOCATION-D140F3B85BCCBD1A
dt.entity.service
An entity ID of an entity of type SERVICE.
Tags:
entity-id
SERVICE-57EC3CFC1FE72449
dt.entity.service_method
An entity ID of an entity of type SERVICE_METHOD.
Tags:
entity-id
SERVICE_METHOD-659B35CA9AAC96C1
dt.entity.service_method_group
An entity ID of an entity of type SERVICE_METHOD_GROUP.
Tags:
entity-id
SERVICE_METHOD_GROUP-02000E1DB1CDAF9F
dt.entity.application
The ME ID of a web application.
Tags:
entity-id
APPLICATION-DC92E74A7A844E6E
dt.entity.mobile_application
The ME ID of a mobile application.
Tags:
entity-id
MOBILE_APPLICATION-E8A8751A60D5BCE8
dt.entity.custom_application
The ME ID of a custom application.
Tags:
entity-id
CUSTOM_APPLICATION-343A92501A51F286
dt.entity.disk
An entity ID of an entity of type DISK
Tags:
entity-id
DISK-5472CBC1ED0981D6
dt.entity.network_interface
An entity ID of an entity of type NETWORK_INTERFACE
Tags:
entity-id
NETWORK_INTERFACE-FC7B4A5937FC125C
dt.entity.ec2_instance
An entity ID of an entity of type EC2_INSTANCE
Tags:
entity-id
EC2_INSTANCE-0004DD30F142D18C
dt.entity.aws_availability_zone
An entity ID of an entity of type AWS_AVAILABILITY_ZONE
Tags:
entity-id
AWS_AVAILABILITY_ZONE-6000A4E2BD2AB971
dt.entity.gcp_zone
An entity ID of an entity of type GCP_ZONE
Tags:
entity-id
GCP_ZONE-3699CB75E19C8505
dt.entity.azure_vm
An entity ID of an entity of type AZURE_VM
Tags:
entity-id
AZURE_VM-326478B733D6CFB0
dt.entity.azure_region
An entity ID of an entity of type AZURE_REGION
Tags:
entity-id
AZURE_REGION-0DD5C79E4034F0AA
Dynatrace Extensions
Additional extension information sent via self-monitoring.
Fields
dt.extension.ds
Name of the data source.
SNMPTrap
dt.extension.name
Name of the extension.
com.snmptrap.generic
dt.extension.config.id
Extension's monitoring configuration identifier.
vu9U3hXa3q0AAAABAAtleHQ6ZXh0LTA0MAAIYWdfZ3JvdXAAA0FHMQAkMjY2YTIyM2YtZDgxYi0zNTNjLThlYzctYzk2YzliZjg4OGQ3vu9U3hXa3q0
dt.extension.status
The status of the component reporting SFM event
AUTHENTICATION_ERROR
dt.extension.endpoint.hints
Hints to provide for the cluster in order to find proper endpoint in task registry.
[nat-test.lab.dynatrace.org, 1521, orc]
dt.extension.status has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
AUTHENTICATION_ERROR
DEVICE_CONNECTION_ERROR
EEC_CONNECTION_ERROR
GENERIC_ERROR
INVALID_ARGS_ERROR
INVALID_CONFIG_ERROR
OK
UNKNOWN_ERROR
Process Grouping Fields
Attributes used for Process Group enrichment in extensions.
Dynatrace ingest fields
Attributes defined in this namespace are used by Dynatrace to describe different aspects of the ingested data.
Fields
dt.ingest.format
The format of the data ingested in Dynatrace via the various ingest channels. E.g., Generic log ingest, OTLP logs ingest
dtapi/json
; otlp/protobuf
dt.ingest.warnings
An array of strings that mark unexpected situations that might affect the correctness or completeness of the incoming data point, for instance limits being applied or a processing rule failing. It should not be a detailed log of what happened, just the high-level class of issue that occurred.
[attr_count_trimmed, content_trimmed]
dt.ingest.debug_messages
An array of strings that represent debug messages providing detailed debugging information. These can include variable parts, such as which attribute was modified or which processing rules were applied.
[MyATTribute mapped to myAttribute]
dt.ingest.format MUST be one of the following:
dtapi/json
dtapi/plaintext
otlp/json
otlp/protobuf
dt.ingest.warnings MUST contain only values from the following list:
content_trimmed
content_trimmed_pipe
attr_count_trimmed
attr_count_trimmed_pipe
attr_key_case_mismatch
attr_val_count_trimmed
attr_val_count_trimmed_pipe
attr_val_size_trimmed
attr_val_size_trimmed_pipe
timestamp_corrected
common_attr_corrected
processing_batch_timeout
processing_transformer_timeout
processing_transformer_error
processing_transformer_throttled
processing_output_record_conversion_error
processing_prepare_input_error
Dynatrace
Fields
dt.host_group.id
See Organize your environment using host groups. Note that host groups are identified by their name. This is not the entity ID of the Host Group entity, for which see dt.entity.host_group.
Tags:
permission
myHostGroup
dt.pg_detection.cluster.id
dt.pg_detection.declarative.id
dt.pg_detection.environment.id
DT_ENVIRONMENT_ID
environment variable
dt.pg_detection.node.id
dt.process_group.detected_name
The name of the process group as it was detected by the agent.
Apache Web Server httpd
; Redis unguard-redis-* redis
dt.security_context
The security context is used in access permissions to limit visibility. Learn more about the Dynatrace permission model here.
Tags:
permission
dt.source_entity
The ID of the entity considered the source of the measurement. The string needs to be in the format of any MONITORED_ENTITY type. 1
Tags:
entity-id
HOST-E0D8F94D9065F24F
; PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F
dt.source_entity.type
The entity type of the entity whose identifier is held in dt.source_entity. The value must be a valid entity type and consistent with dt.source_entity. Note, though, that the type identifiers are expected to be lower cased in alignment with suffixes of dt.entity.* keys.
host
; process_group_instance
; cloud:azure:resource_group
dt.cost.costcenter
Can be used to assign usage to a Cost Center.
Team A
dt.cost.product
Can be used to assign usage to a Product or Application ID.
Product A
dt.metrics.source
telegraf
; com.dynatrace.extension.sql-oracle
dt.query
timeseries avg(dt.host.cpu.idle)
; fetch logs
The value of this attribute will be based on the value of one of the dt.entity.<type> attributes. That means that both dt.source_entity and the corresponding dt.entity.<type> attribute will be set to the same ID.
This is the framework used for capturing, processing and forwarding metrics, not the emitting monitored entity. Exemplary custom value: name of an extension sending metrics.
dt.metrics.source has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
dynatrace_codemodule
dynatrace_ingest
dynatrace_osagent
micrometer
oneagent_metric_api
opentelemetry
statsd
telegraf
Dynatrace OpenPipeline fields
Fields defined in this namespace are used by Dynatrace to describe various aspects of the data ingested through OpenPipeline, providing detailed insights into the ingestion process.
Fields
dt.openpipeline.pipelines
Collects the identifiers of all pipelines through which a record has passed during the ingestion process in OpenPipeline, providing a complete trace of its journey.
[[logs:default], [logs:pipeline_haproxy_2656, bizevents:default]]
dt.openpipeline.source
Identifies the source (such as API endpoints or OneAgent) used for ingesting the record into OpenPipeline.
/platform/ingest/v1/events
; oneagent
Dynatrace RUM
The dt.rum namespace contains Dynatrace RUM specific fields.
Fields
dt.rum.schema_version
The Dynatrace RUM enrichment version.
0.1
dt.rum.application.id
The Dynatrace RUM application ID (UUID for Mobile, MEid for Web)
ea7c4b59f27d43eb
dt.rum.session.id
The user session id.
HOPCPWKILUKHFHWRRQGBHHPAFLUJUOSH-0
; 23626166142035610_1-0
dt.rum.instance.id
The RUM application instance id. (Formerly known as visitor id, the internal user id, the rxVisitor cookie value.)
3735928559
Settings
Fields for referencing Settings 2.0 objects, schemas and scopes.
Considerations on which fields to use
Although the dt.settings.object_id is enough to identify a specific settings value within a Dynatrace environment, adding explicit information about the schema, scope and/or scope type can be useful nonetheless. If your use-case will only ever involve a single schema, scope type and/or scope, documenting this is good enough; if multiple schemas, scope types and/or scopes can be involved, filling the corresponding fields is strongly recommended.
dt.settings.references can be used if multiple settings objects need to be referenced. In that case, each entry in the array can hold a reference to a single settings object.
Top level fields
The top level fields contain generally relevant information for all monitoring data.
dt.settings.object_id
The object ID of a settings value. This corresponds to the 'objectId' field/parameter in the Settings API.
vu9U3hXa3q0AAAABACFidWlsdGluOnJ1bS51c2VyLWV4cGVyaWVuY2Utc2NvcmUABnRlbmFudAAGdGVuYW50ACRhMzZmYmYwMy00NDY1LTNlNTYtOTZiOS1kOWMzOGQ3MzU1NmO-71TeFdrerQ
dt.settings.object_summary
The human-readable summary or name of a single value of a multi-value settings schema. This corresponds to the 'summary' field in the Settings API.
Journey Service all errors
; Really, this can be anything
; My alerting rule
dt.settings.schema_id
The schema ID of a settings schema, as used in the Settings APIs.
builtin:problem.notifications
; app:dynatrace.jenkins:connection
dt.settings.schema_version
The version of the schema referenced by dt.settings.schema_id, as declared by the schema itself. Typically a semantic version number.
1.0.0
; 1.2.3
dt.settings.scope_type
The type of the scope that a settings object is persisted on.
environment
; host_group
; host
dt.settings.scope_id
The ID of the scope that a settings object is persisted on. This corresponds to the 'scope' field/parameter in the Settings API.
environment
; HOST-EFAB6D2FE7274823
dt.settings.scope_name
The human-readable name of the scope that a settings object is persisted on.
deb-10-k3s-oi-01.lab.dynatrace.org
dt.settings.relationship
The type of relationship to the referenced settings object. You can use arbitrary values (in snake_case) here that describe the relationship for your use-case.
matched_rule
; triggered_alert
dt.settings.references
A collection of references to settings objects. Each entry in the array holds a reference to a single settings object.
[{'dt.settings.object_id': 'vu9U3hXa3q0AAAABACFidWlsdGluOnJ1bS51c2VyLWV4cGVyaWVuY2Utc2NvcmUABnRlbmFudAAGdGVuYW50ACRhMzZmYmYwMy00NDY1LTNlNTYtOTZiOS1kOWMzOGQ3MzU1NmO-71TeFdrerQ', 'dt.settings.relationship': 'matched_rule'}, {'dt.settings.object_id': 'vu9U3hXa3q0AAAABAB9idWlsdGluOmRhdmlzLmFub21hbHktZGV0ZWN0b3JzAAZ0ZW5hbnQABnRlbmFudAAkMzM2NTc3MTgtYWNjYi0zOGY1LTlmOGUtMTg5NTBiYmNjNmRhvu9U3hXa3q0', 'dt.settings.relationship': 'triggered_alert'}]
Dynatrace Synthetic
The dt.synthetic namespace contains Dynatrace synthetic specific fields.
Fields
dt.synthetic.step.id
The identifier of the step.
HTTP_CHECK_STEP-6349B98E1CD87352
dt.synthetic.batch.id
The identifier of the batch (defined for on-demand executions only).
dt.synthetic.monitor.id
The identifier of the monitor.
HTTP_CHECK-6349B98E1CD87352
dt.synthetic.location.id
The identifier of the location from where the monitor was executed.
SYNTHETIC_LOCATION-9BB04DAEBA71B8CA
dt.synthetic.execution.id
The identifier of the execution.
100681465183
dt.synthetic.execution.end_timestamp
The timestamp when execution was finished, in UTC milliseconds.
1629891695487
dt.synthetic.execution.type
The type of the execution.
on-demand
dt.synthetic.failed_execution.execution.id
The identifier of the execution.
dt.synthetic.failed_execution.execution.stage
The stage of the execution.
Data retrieved
dt.synthetic.failed_execution.execution.timestamp
The timestamp when execution was finished, in UTC milliseconds.
1629891693487
dt.synthetic.failed_execution.status.code
Numeric representation of the status.
599
dt.synthetic.failed_execution.status.message
The message returned by an execution or a status message.
TIMEOUT
dt.synthetic.failed_execution.status.details
Status details.
connection timed out after 5000 ms: google.com
dt.synthetic.failed_execution.status.on_demand.message
The on-demand status message.
Success
dt.synthetic.failed_execution.status.on_demand.details
The details of the status.
PERFORMANCE_THRESHOLD_VIOLATION
dt.synthetic.failed_execution.monitor.id
The identifier of the monitor.
HTTP_CHECK-6349B98E1CD87352
dt.synthetic.failed_execution.location.id
The identifier of the location from where the monitor was executed.
SYNTHETIC_LOCATION-9BB04DAEBA71B8CA
dt.synthetic.triggering_problem.execution.id
The identifier of the execution.
dt.synthetic.triggering_problem.entity.id
The identifier of the entity.
HTTP_CHECK-6349B98E1CD87352
dt.synthetic.triggering_problem.location.id
The identifier of the location from where the monitor was executed.
SYNTHETIC_LOCATION-9BB04DAEBA71B8CA
dt.synthetic.triggering_problem.details
The details of triggering problem.
Throttling on the location. Minimum duration between successive executions for a single user is 60 sec
dt.synthetic.triggering_problem.cause
The cause of not triggering entity.
Location not found
dt.synthetic.custom_log.timestamp
The custom log timestamp.
1629891695487
dt.synthetic.custom_log.loglevel
The log event severity level.
info
dt.synthetic.custom_log.message
The custom log message.
log message
dt.synthetic.result.statistics.duration
The duration of the step/sum of all steps.
456
dt.synthetic.result.statistics.start_timestamp
The start timestamp of the execution.
dt.synthetic.failed_execution.execution.stage
MUST be one of the following:
Data retrieved
Executed
Not triggered
Timed out
Triggered
Waiting
Dynatrace system fields
The namespace dt.system is reserved for Grail. These fields cannot be ingested but instead will be set by Grail directly. Every record that is fetched from Grail provides these fields, but by default they are hidden. You can display them by using the fieldsAdd command.
Example query:
// display the bucket for each log record
fetch logs
| fieldsAdd dt.system.bucket
Fields
dt.system.bucket
The Grail bucket that the record is stored in.
default_logs
; default_spans
; default_bizevents
dt.system.monitoring_source
Identifies the license under which the source is running.
fullstack_host
; infrastructure
dt.system.storage_interval
Identifies the timeframe represented by individual data structures stored under a metric key.
1 min
dt.system.table
The table that the record belongs to.
logs
; bizevents
dt.system.environment
The Dynatrace environment that the record belongs to.
wkf10640
dt.system.segment_id
The segment that the record belongs to.
5d97c09e-7337-443e-bab5-2f0474804687
dt.system.sampling_ratio
The selected sampling ratio.
1
dt.system.monitoring_source
MUST be one of the following:
discovery
fullstack_container
fullstack_host
infrastructure
mainframe
dt.system.storage_interval
MUST be one of the following:
1 min
Dynatrace specific tracing fields
Fields defined in this namespace are used by Dynatrace to describe different aspects of the context propagation between spans.
Fields
dt.tracing.custom_link.id
The custom link id to identify spans calling each other. The id is derived from the custom link bytes.
736bd2684696c4a8
dt.tracing.custom_link.type
The type of the custom link defines if a mapping of the dt.tracing.custom_link.original_bytes to the dt.tracing.custom_link.transformed_bytes was applied.
generic
dt.tracing.custom_link.original_bytes
The original binary data of the custom link.
ycXlxUBAQEDee9lm8pBcA8nF5cVAQEBA3nvZZvKQXAPee9lm8s4SAQ==
dt.tracing.custom_link.transformed_bytes
The transformed binary data of the custom link, only available if a mapping was applied.
ycXlxUBAQEDee9lm8pBcA8nF5cVAQEBA3nvZZvKQXAPee9lm8s4SAQ==
dt.tracing.link.id
Unique identifier for a Dynatrace link.
dt.tracing.link.is_sync
true indicates that the caller waits on the response. Only available on span links with dt.tracing.link.direction set to outgoing.
dt.tracing.foreign_link.text
An incoming foreign link (could be cross-environment, or cross-product).
FW4;129;12;-2023406815;4539717;0;17;66;c511;2h02;3h12345678;4h676767
; FW1;129;4711;59959450;-1859959450;3;17;0
dt.tracing.foreign_link.bytes
An incoming foreign link (could be cross-environment, or cross-product).
00000004000000010000000200000003000000040000002300000001
dt.tracing.response.headers
A collection of key-value pairs containing received response headers related to tracing from an outgoing call. There may be multiple values for each header. Used for cross-environment linking.
{'traceresponse': ['00-7b9e3e4068167838398f50017bfad358-d4ffc7e33530967a-01'], 'x-dt-tracestate': ['9651e1a8-19506b7c@dt']}
dt.tracing.link.direction
The direction of the span link to define the correct order between spans.
outgoing
dt.tracing.custom_link.type MUST be one of the following:
generic
dt.tracing.custom_link.original_bytes have no special meaning.
ibm_mq
dt.tracing.custom_link.original_bytes are an IBM MQ custom link.
ibm_mq_ignore_qname
dt.tracing.custom_link.original_bytes are an IBM MQ custom link, but the qname part should be ignored in mapping.
dt.tracing.link.direction MUST be one of the following:
incoming
outgoing
Elasticsearch
Fields
elasticsearch.cluster.name
elasticsearch.node.name
Endpoint
Endpoints define the public interface of services.
Fields
endpoint.name
The endpoint name is derived from endpoint detection rules and uniquely identifies one endpoint of a particular service. Endpoint names are usually technology specific and should be defined by attributes with low cardinality like http.route or rpc.method. Endpoints are exclusively detected on request root spans.
/
; /get-cart
; /productpage
; Reviews.GetReviews
Entity fields
Fields that describe entities.
entity.conditional_name
The entity name as defined by conditional naming rules. This name is calculated based on rules on the cluster side.
Cl-Prod1 Ser-1
entity.customized_name
The entity name as defined in the entity settings screen. This name is statically defined by the user for a particular entity.
Host 1234
entity.detected_name
The entity name as detected by Dynatrace or defined by the data source of the entity. Depending on the entity type this can involve different heuristics.
ip-10-100-200-5.eu-west-1.compute.internal
entity.name
All entities have an entity.name field. The following fields will be considered in order to determine the value: entity.customized_name, entity.conditional_name, entity.detected_name.
easyTravel
entity.type
The entity type
host
; service
Equinox
Fields
equinox.config.path
ESB
Fields
esb.workflow.name
The name of the workflow, aka. the message flow for the IBM ESB.
myMessageFlow
; YourBusinessWorkflow
; any_flow
esb.application.name
The name of the application that holds the workflows of the business logic.
myBusinessApp
; YourServiceApp
; any_work
esb.library.name
The name of the library that hosts commonly used workflows to be re-used in applications.
myWebServicesLib
; YourMessagingLibrary
; any_tools
esb.vendor
The vendor of the ESB technology used.
ibm
; tibco
Event
The event namespace contains common identification, categorization and context on events in Dynatrace.
Fields
event.id
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
event.parent_id
Unique identifier string of a parent event to link parent and child events.
5547782627070661074_1647601319999
event.kind
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
permission
INFRASTRUCTURE_EVENT
; DAVIS_EVENT
; BIZ_EVENT
; RUM_EVENT
; AUDIT_EVENT
; BILLING_USAGE_EVENT
event.category
Standard categorization based on the significance of an event (similar to the severity level in the previous Dynatrace).
Availability
event.type
The unique type identifier of a given event.
Tags:
permission
ESXI_HOST_MEMORY_SATURATION
; PROCESS_RESTART
; CPU_SATURATION
; MEMORY_SATURATION
; Automation Workflow
; AppEngine Functions - Small
event.provider
Source of the event, for example the name of the component or system that generated the event.
Tags:
permission
OneAgent
; K8S
; Davis
; VMWare
; GCP
; AWS
; LIMA_USAGE_STREAM
event.name
The human readable display name of an event type.
Process crashed
; CPU Saturation
event.description
Human-readable description of an event.
The current response time (11 s) exceeds the auto-detected baseline (767 ms) by 1,336 %
event.start
The event start timestamp in UTC (given in Grail preferred Linux timestamp nano precision format).
16481073970000
event.end
The event end timestamp in UTC (given in Grail preferred Linux timestamp nano precision format).
16481073970000
event.status
Status of an event as being either Active or Closed.
Active
event.status_transition
An enum that shows the transition of the above event state.
Recovered
event.group_label
Group label of an event.
Availability
event.outcome
Denotes whether the event represents a success or a failure from the perspective of the entity that produced the event (e.g. an HTTP response code).
200
; success
; failure
event.version
Describes the version of the event.
1.0.0
Values
Values are either in title-case or screaming snake case.
event.category
SHOULD be one of the following:
Availability
Error
Slowdown
Resource contention
Warning
Info
Vulnerability management
event.status
SHOULD be one of the following:
Active
Closed
event.status_transition
SHOULD be one of the following:
Created
Updated
Refreshed
Resolved
Recovered
Closed
Timed out
Reopened
Exception
Fields
exception.type
The type of the exception (its fully-qualified class name, if applicable).
java.net.ConnectException
; OSError
exception.message
The exception message.
Division by zero
exception.file.full
The full file location available when the exception happened. Can be an absolute URL or just the name of the file.
https://www.foo.bar/path/main.js
; main.js
exception.file.domain
The URI domain component extracted out of exception.file.full.
www.foo.bar
exception.file.path
The URI path component extracted out of exception.file.full.
/path/main.js
exception.line_number
The line number where the exception happened.
1401
exception.column_number
The column number where the exception happened.
12304
exception.stack_trace
The stack trace of the exception. The format depends on the technology and source. While OneAgent formats stack traces to unify them across technologies, stack traces from an OpenTelemetry source are in the format they were sent to Dynatrace.
@https://www.foo.bar/path/main.js:59:26 e@https://www.foo.bar/path/lib/1.1/lib.js:2:30315
exception.escaped
true indicates that the exception was recorded at a point where it is known that the exception escaped the scope of the span.
exception.id
The identifier of an exception, it should be unique within a list of exceptions. The identifier is used to reference the exception.
exception.caused_by_id
The exception.id of the exception the current exception was caused by.
exception.is_caused_by_root
Is set to true if the exception is the first exception of a caused by chain.
Function as a Service (FaaS)
Fields that can be expected from serverless functions or Function as a Service (FaaS) on various cloud platforms.
Fields
Resource attributes
faas.name
my-function
; myazurefunctionapp/some-function-name
; test_function
faas.max_memory
The amount of memory available to the serverless function in Bytes.
This is the name of the function as configured/deployed on the FaaS platform and is usually different from the name of the callback function (which may be stored in the code.namespace/code.function span attributes).
Value of the field depends on a cloud provider. This field is not set for Azure.
Span attributes
faas.invoked_provider
The cloud provider of the invoked function. Will be equal to the cloud.provider resource attribute of the invoked function.
alibaba_cloud
faas.invoked_name
The name of the invoked function.
my-function
faas.coldstart
A boolean that is true if the serverless function is executed for the first time (aka cold-start).
faas.trigger
Type of the trigger which caused this function invocation.
datasource
Will be equal to the cloud.region resource attribute of the invoked function.
faas.invoked_provider has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
alibaba_cloud
aws
azure
gcp
tencent_cloud
faas.trigger MUST be one of the following:
datasource
http
other
pubsub
timer
Feature Flag
feature_flag.key
The unique identifier of the feature flag.
logo-color
feature_flag.provider_name
The name of the service provider that performs the flag evaluation.
Flag Manager
feature_flag.variant
SHOULD be a semantic identifier for a value. If one is unavailable, a stringified version of the value can be used. 1
red
; true
; on
A semantic identifier, commonly referred to as a variant, provides a means for referring to a value without including the value itself. This can provide additional context for understanding the meaning behind a value. For example, the variant red may be used for the value #c05543.
A stringified version of the value can be used in situations where a semantic identifier is unavailable. String representation of the value should be determined by the implementer.
Google Cloud Platform
Fields
gcp.app_engine.instance
gcp.app_engine.service
gcp.cloud_run.service
gcp.instance.id
A permanent identifier that is unique within your Google Cloud project.
6639848141313102286
gcp.region
A region is a specific geographical location where you can host your resources.
europe-west3
gcp.zone
A zone is a subset of a region. Each region has three or more zones.
europe-west3-c
gcp.location
Region or zone the instance of the GCP resource is running on.
europe-west3-c
gcp.project.id
The identifier of the GCP project associated with this resource.
Tags:
permission
dynatrace-gcp-extension
gcp.instance.name
The name to display for the instance in the Cloud Console.
single-vm-test
gcp.resource.type
The name of a resource type.
cloudsql_database
gcp.resource.name
The globally unique resource name in Google Cloud Platform convention
//cloudfunctions.googleapis.com/projects/gcp-example-project/locations/us-central1/functions/examplefunction
Geolocation
The geo namespace contains geo location information. This section only holds the fields currently agreed upon in the Dynatrace Semantic Dictionary. It is aligned closely to the ECS, with some adaptations around field groupings.
Fields
geo.continent.name
English name of the continent.
North America
geo.country.name
English name of the country.
Canada
geo.region.name
English name of the region.
Quebec
geo.city.name
English name of the city.
Montreal
Glassfish
Fields
glassfish.domain.name
The name of the domain this instance belongs to.
glassfish.instance.name
The instance's name.
Go
Fields
go.linkage
Host
Fields describing a host.
Host naming
Dynatrace aims to use the best fitting name for the field host.name. The following describes how Dynatrace determines the host name, in order of precedence:
1. Customized host name
Dynatrace supports customizing the host.name property. A custom host name takes precedence over the auto detection mechanisms described further down.
- Place a configuration file containing the desired name in a specific directory as described in this Documentation.
- Alternatively, the oneagentctl tool can be used to set a custom host name. See Documentation for details.
2. Cloud vendor metadata
If no customized name is set locally, the OneAgent attempts to determine the host.name value by accessing cloud metadata where applicable.
- AWS EC2:
  - If access to EC2 tags was granted (see AWS Documentation) and a tag with a key name (case insensitive) is found, the tag's value is used as the host.name.
  - If tags can not be accessed, the EC2 instance's instance-id property is used.
- Azure VM:
  - The VM's name (case insensitive) instance metadata property is used. See Microsoft Azure documentation.
- Google Compute Engine:
  - The VM's hostname instance metadata property is used. See Google Cloud documentation.
3a. Linux & AIX
- The result of the system call to the standard C library's gethostname() if it can be interpreted as a fully qualified domain name (FQDN) and doesn't contain "localhost".
- Otherwise, a system call to getaddrinfo() for port 80 is issued, again sanity checking whether the returned name is an FQDN and doesn't contain "localhost".
3b. Windows
- On Windows, the system call GetComputerNameExA is used to determine a host's name. In particular, the resulting name is composed of <hostname>.<domainname> with the following details:
  - hostname = ComputerNameDnsHostname retrieved by GetComputerNameEx
  - domainname = ComputerNameDnsDomain retrieved by GetComputerNameEx
- Defaults to the string EmptyHostName if neither property can be resolved.
Fields
host.name
The host name as determined on the data source (e.g. OneAgent, extensions, OpenTelemetry, …).
Important: This is not the name of the host entity, which can be modified based on naming rules.
Tags:
permission
ip-10-178-54-32.ec2.internal
host.ip
A list of IP addresses (IPv4 or IPv6) of this host.
[194.232.104.141, 2a01:468:1000:9::140]
HTTP
http.request.method
HTTP request method.
GET
; POST
; HEAD
http.response.reason_phrase
The HTTP reason phrase (HTTP1 only).
Not found
http.request.body.size
The size of the request payload body in bytes. This is the number of bytes transferred excluding headers and is often, but not always, present as the Content-Length header. For requests using transport encoding, this should be the compressed size.
3495
http.response.body.size
The size of the response payload body in bytes. This is the number of bytes transferred excluding headers and is often, but not always, present as the Content-Length header. For requests using transport encoding, this should be the compressed size.
3495
http.request.header.__key__
HTTP request headers, __key__ being the lowercase HTTP header name, e.g. "http.request.header.accept-encoding". The value is a string. If there are multiple headers with the same name or multiple header values, the values will be comma separated into a single string.
Tags:
sensitive-spans
https://www.foo.bar/
; gzip, deflate, br
; 1.2.3.4, 1.2.3.5
http.response.header.__key__
HTTP response headers, __key__ being the lowercase HTTP header name, e.g. "http.response.header.content-type". The value is a string. If there are multiple headers with the same name or multiple header values, the values will be comma separated into a single string.
909
; text/html; charset=utf-8
; abc, def
http.route
The matched route (path template in the format used by the respective server framework).
/users/:userID?
; Home/Index/{id?}
http.server_name
The server name as configured by the webserver if available. If no such name exists the local hostname and bound port. In Kubernetes the base pod name is used.
MyServer
; localhost:8000
Hybris
Fields
hybris.bin.dir
/opt/hybris-60/hybris/bin
hybris.config.dir
/opt/hybris-60/hybris/config
hybris.data.dir
/opt/hybris-60/hybris/data
Reference
IBM
Fields
ibm.ace.integration_node.name
The name of the integration node (aka. broker) that manages one or more integration servers.
myIntegrationNode
; YourBroker
; the_management_instance
ibm.ace.integration_server.name
The name of either the broker-managed or standalone integration server (formerly known as execution group or dataflow engine).
myIntegrationServer
; YourExecutionGroup
; dataflow_engine
ibm.cics.aor
ibm.cics.region
ibm.cics.program
The name of the CICS program.
EDUCHAN
ibm.cics.tor
ibm.ctg.name
ibm.ims.connect
ibm.ims.control
ibm.ims.mpr
ibm.ims.soap_gw.name
Iis
Fields
iis.app_pool.name
iis.role.name
Java
Fields
java.jar.file
java.jar.path
java.main.class
java.main.module
JBoss
Fields
jboss.home
The instance's home directory.
jboss.mode
The instance's operating mode.
org.jboss.as.standalone
; org.jboss.as.server
jboss.server.name
The instance's server name.
JDBC
Fields
jdbc.connection.pool.name
The name of the JDBC connection pool.
jdbc/db2
Kubernetes
Fields
k8s.cluster.name
(Optional) The name of the cluster in Dynatrace. Doesn't need to be unique, nor immutable.
Tags:
permission
unguard-dev
; k3s-oneagent
k8s.cluster.uid
A pseudo-ID for the cluster, set to the UID of the kube-system namespace.
1c7a24c7-ff51-46e0-bcc9-c52637ceec57
k8s.node.name
The name of the Node.
cluster-pool-1-c3c7423d-azth
k8s.container.name
The name of the Container from Pod specification, must be unique within a Pod. Container runtime usually uses different globally unique name (container.name).
redis
k8s.namespace.name
The name of the namespace that the pod is running in.
Tags:
permission
default
k8s.pod.name
The name of the Pod.
opentelemetry-pod-autoconf
k8s.pod.uid
The UID of the Pod.
275ecb36-5aa8-4c2a-9c47-d8bb681b9aff
k8s.workload.name
The name of the Workload.
checkoutservice
k8s.workload.kind
The type of the Workload.
deployment
; statefulset
; cronjob
; job
; daemonset
; replicaset
k8s.service.name
The name of the Kubernetes Service.
my-service
Standard fields used for log events
Fields relevant for log events
Fields
loglevel
The log event severity level.
ERROR
; INFO
; TRACE
log.source
/var/log/messages
; Windows Event Log
; Docker Container Output
; stdout
log.source.origin
The log source origin indicates where the log derives from.
CUSTOM
; IIS_LOG_DETECTOR
log.iostream
The I/O stream to which the log was emitted.
stdout
; stderr
log.file.path
The full path to the file.
/var/log/messages
; /var/log/dynatrace/agent.log
log.file.name
The basename of the file.
messages
; agent.log
Can contain e.g. a file path, standard output, a URI etc., depending on log stream type. The value should be stable for one logical source, so e.g. not affected by log file rotation digits.
loglevel
MUST be one of the following:
ALERT
CRITICAL
DEBUG
EMERGENCY
ERROR
FATAL
INFO
NONE
NOTICE
SEVERE
TRACE
WARN
log.source.origin
MUST be one of the following:
CONTAINER_LOG_DETECTOR
CUSTOM_LOG
IIS_LOG_DETECTOR
OPEN_LOG_DETECTOR
SYSTEM_LOG_DETECTOR
log.iostream
MUST be one of the following:
stderr
stdout
Messaging
Fields
messaging.system
An identifier for the messaging system. See below for a list of well-known identifiers.
kafka
; rabbitmq
messaging.operation.type
peek
messaging.message.id
A value used by the messaging system as an identifier for the message, represented as a string.
452a7c7c7c7048c2f887f61572b18fc2
messaging.message.conversation_id
The conversation ID identifying the conversation to which the message belongs, represented as a string. Sometimes called "Correlation ID".
MyConversationId
messaging.message.body.size
The (uncompressed) size of the message payload in bytes.
2738
messaging.destination.kind
The kind of message destination
queue
; topic
messaging.destination.temporary
A boolean that is true if the message destination is temporary and might not exist anymore after messages are processed.
messaging.source.kind
The kind of message source
queue
; topic
messaging.source.temporary
A boolean that is true if the message source is temporary and might not exist anymore after messages are processed.
If a custom value is used for messaging.operation.type, it MUST be of low cardinality.
Destination name SHOULD uniquely identify a specific queue, topic or other entity within the broker.
Manager name SHOULD uniquely identify the broker.
Source name SHOULD uniquely identify a specific queue, topic, or other entity within the broker.
Manager name SHOULD uniquely identify the broker.
messaging.system
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
activemq
artemis
aws_sns
aws_sqs
azure_eventgrid
azure_eventhubs
azure_servicebus
gcp_pubsub
hornetq
jms
kafka
mqseries
msmq
rabbitmq
rocketmq
sag_webmethods_is
tibco_ems
weblogic
websphere
messaging.operation.type
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
peek
process
publish
receive
messaging.destination.kind
MUST be one of the following:
queue
topic
messaging.source.kind
MUST be one of the following:
queue
topic
Akka Messaging
messaging.akka.actor.system
Name of the actor system.
RequesterSystem
; ResponseSystem
messaging.akka.actor.path
Path to actor inside actor system.
/system/log1-Logging$DefaultLogger
; /remote/akka.tcp/RequesterSystem@localhost:52133/user/requestActor/$a
messaging.akka.actor.kind
system
; user
messaging.akka.actor.type
Fully qualified type name of actor.
com.acme.RespondingActor
messaging.akka.message.type
Fully qualified type name of the message.
java.lang.String
; akka.event.Logging$Info2
; com.acme.twosuds.ResponseActor$RequestMessage
Module Insights
In webserver technologies a multitude of modules might be contributing to handling a single web request. Module insights provides timings for these, where available.
Fields
module_insights.modules
Modules executed as part of this web request, represented as map from module name to duration in nanoseconds spent.
{'HttpRedirectionModule': 10299, 'BasicAuthenticationModule': 4665}
Network
These attributes may be used for any network related operation.
Fields
network.transport
tcp
; udp
network.protocol.name
amqp
; http
; mqtt
network.protocol.version
Version of the application layer protocol used.
1.1
; 3.1.1
network.carrier.name
Name of the mobile carrier.
Magenta
; AT&T
network.connection.type
Internet connection type.
cellular
; wifi
network.connection.subtype
Details connection.type, like cellular or wifi technology.
lte
; 802.11x
network.transport
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
inproc
other
pipe
tcp
udp
unix
Signals that there is only in-process communication not using a "real" network protocol in cases where network attributes would normally be expected. Usually all other network attributes can be left out in that case.
network.type
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
ipv4
ipv6
Network device
Fields that are used in extensions to describe network devices.
Fields
device
Used in Extension Framework 2.0
Address (IP address with port) used by a monitored device to communicate with an extension.
10.102.0.45:161
device.address
Used in Extension Framework 2.0
IP address used by a monitored device to communicate with an extension.
10.102.0.45
device.port
Used in Extension Framework 2.0
Port used by a monitored device to communicate with an extension.
161
device.name
Used in Extension Framework 2.0
Name of a device monitored by an extension.
AT1i-WLC-TestingLab.dynatrace.org
Nodejs
Fields
nodejs.app.base.dir
nodejs.app.name
nodejs.script.name
Openstack
Fields that can come from applications running on Openstack.
Fields
Resource attributes
openstack.availability_zone
A specific availability zone in given openstack region.
us-east-1a
openstack.instance_uuid
UUID of specific openstack instance.
6790cb48-f8e9-4773-bcea-001469de0599
Origin
The origin of a request associated with this event.
origin.type
Origin type of the request associated with this event.
REST
; LOCAL
origin.address
Source IP address of the request associated with this event if not of 'LOCAL' type.
10.11.12.13
origin.x_forwarded_for
The verbatim value of the X-Forwarded-For HTTP request header (if present) of the request associated with the event.
1.2.3.4
origin.session
The id of the browser session (if present) associated with the event.
node0hfznc
origin.type
MUST be one of the following:
LOCAL
REST
OS
The os namespace contains information on the operating system running an application.
Fields
os.name
Human readable operating system name.
iOS
os.version
Version of the operating system.
15.3.1
OpenTelemetry scope
Fields
otel.scope.name
The name of the instrumentation scope (InstrumentationScope.Name in OTLP).
io.opentelemetry.contrib.mongodb
otel.scope.version
The version of the instrumentation scope (InstrumentationScope.Version in OTLP).
1.0.0
Php
Fields
php.cli.script.path
php.cli.working.dir
php.drupal.application.name
php.fpm.pool.name
php.symfony.application.name
php.wordpress.blog.name
Process
Fields
process.executable.name
The name of the process executable. On Linux based systems, can be set to the Name in proc/[pid]/status. On Windows, can be set to the base name of GetProcessImageFileNameW.
otelcol
process.executable.path
The full path to the process executable. On Linux based systems, can be set to the target of proc/[pid]/exe. On Windows, can be set to the result of GetProcessImageFileNameW.
/usr/bin/cmd/otelcol
process.pid
Process Identifier (PID) as observed by the monitored process.
1234
Request
Fields
request.id
Present on every span of a request. All spans within one request share the same identifier. The ID is a hex-encoded numerical value and not globally unique, but guaranteed to be unique within one particular trace.
95efd70fcdb5b7b3
; 96835e1d65490b48
request.is_root_span
Marks the root of a request. This means the first span that is the start of the request within a service.
request.is_failed
Indicates that the request is considered failed according to the failure detection rules. Only present on the request root span.
Request Attributes
Request scoped attributes (e.g. method parameters, return values, class names, …) captured by the OneAgent based on a request attribute definition. The actual name of the attribute is the prefix "request_attribute" plus the "request attribute name" defined in the request attributes configuration. Request attributes are built based on captured attributes and other attributes like HTTP header values or "normal" span attributes, on which the aggregations (first/last value, distinct values, ...), type conversion and normalizations defined in the request attribute configuration are performed. They are evaluated for an entire request (possibly consisting of multiple spans) and are stored only on the request root node.
Fields
request_attribute.__attribute_name__
Contains the request scoped reconciled values of the attribute named __attribute_name__ defined by the request attribute configuration. The data type of the value depends on the request attribute definition.
Tags:
sensitive-spans
42
; Platinum
; ['Product A', 'Product B']
; ['Special Offer', '1702']
Remote Procedure Calls
Fields
rpc.system
A string identifying the remoting system or framework. See below for a list of well-known identifiers.
apache_cxf
; dotnet_wcf
; grpc
; jax_ws
rpc.service
The full (logical) name of the service being called, including its package name, if applicable. 1
myservice.EchoService
rpc.namespace
The namespace of the method being called. In SOAP, it would be the XML namespace.
tempuri.org
This is the logical name of the service from the RPC interface perspective, which can be different from the name of any implementing class. The code.namespace attribute may be used to store the latter (despite the attribute name, it may include a class name; e.g., class with method actually executing the call on the server side, RPC client stub class on the client side).
This is the logical name of the method from the RPC interface perspective, which can be different from the name of any implementing method/function. The code.function attribute may be used to store the latter (e.g., method actually executing the call on the server side, RPC client stub method on the client side).
rpc.system
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
apache_axis
apache_cxf
apache_wink
dotnet_remoting
dotnet_wcf
grpc
java_rmi
jax_ws
jboss
jersey
openedge
resteasy
restlet
spring_ws
tibco_ws
weblogic_ws
webmethods
Server
The server namespace contains information on the responder of a network connection.
Fields
server.address
Logical server hostname, matches server FQDN if available, and IP or socket address if FQDN is not known.
example.com
server.resolved_ips
A list of IP addresses that are the result of DNS resolution of server.address.
[194.232.104.141, 2a01:468:1000:9::140]
server.port
Logical server port number.
65123
; 80
Service
Fields
service.name
The logical name of the service.
shoppingcart
Servlet
Fields
servlet.context.name
also see https://docs.oracle.com/javaee/6/api/javax/servlet/ServletContext.html#getServletContextName
servlet.context.path
also see https://docs.oracle.com/javaee/6/api/javax/servlet/ServletContext.html#getContextPath
SNMP
Fields that are used in SNMP extensions.
Fields
version
Used in Extension Framework 2.0
The SNMP version.
SNMPv3
trap_oid
Used in Extension Framework 2.0
The trap OID of a given event.
SNMPv2-MIB::coldStart
Softwareag
Fields
softwareag.install.root
softwareag.product.prop.name
Span
Fields
span.id
A unique identifier for a span within a trace. The span.id is an 8-byte id and hex-encoded if shown as a string.
f76281848bd8288c
span.parent_id
The span.id of this span's parent span. The span.parent_id is an 8-byte id and hex-encoded if shown as a string.
f76281848bd8288c
span.alternate_parent_id
The alternative span.id of this span's parent span. In case a trace is monitored by more tracing systems (e.g. OneAgent + OpenTelemetry) there might be two potential parent spans. If these two spans differ, span.parent_id holds the span.id of the parent which is known to originate from same tenant and this attribute shows the other. The span.alternate_parent_id is an 8-byte id and hex-encoded if shown as a string.
f76281848bd8288c
span.is_subroutine
true indicates that this span is a subroutine of its parent span. The spans represent functions running on the same thread on the same call stack.
span.kind
Distinguishes between spans generated in a particular context.
server
span.events
A collection of events. An event is an optional time-stamped annotation of the span, consisting of a name and key-value pairs.
span.links
A collection of links. A link is a reference from this span to a whole trace or a span in the same or different trace.
span.is_exit_by_exception
Set to true if the span was exited by an exception. If set to false the span has exception events but the span was not exited by one of them.
span.exit_by_exception_id
The exception.id of the exception in the span.events with which the current span exited. The referenced exception has the attribute exception.escaped set to true.
span.timing.cpu
The overall CPU time spent executing the span including the CPU times of child spans which are running on the same thread on the same call stack.
span.timing.cpu_self
The CPU time spent exclusively on executing this span not including the CPU times of any children.
span.status_code
Defines the status of a span, predominantly used to indicate a processing error. This field is not present if the reported span status is unset.
error
span.status_message
An optional text that can provide a descriptive error message in case the span.status_code is error.
Connection closed before message completed
; Error sending request for url
span.name
The span name identifies the work represented by the span, for example, the route in an HTTP controller, an RPC method name, a function name, or the name of a subtask or stage within a larger computation.
prepareOrderItemsAndShippingQuoteFromCart
; org.example.CheckoutService/PlaceOrder
; orders process
; GET /products/{product_id}
; HTTP POST
span.kind
MUST be one of the following:
client
consumer
producer
request.internal
link
producer
server
span.status_code
MUST be one of the following:
error
ok
Span Event
Fields
span_event.name
Some span events have a defined semantics based on the name of the span event.
exception
span_event.name
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
bizevent
exception
feature_flag
Reference
Language Independent Interface Types For OpenTelemetry
Spring
Fields
spring.application.name
also see https://docs.spring.io/spring-boot/docs/current/reference/html/application-properties.html#application-properties.core.spring.application.name
spring.profile.name
the active profile (last value of spring.profiles.active)
spring.startup.class
Supportability
Additional information about the attributes of a data point.
Fields
supportability.non_persisted_attribute_keys
A string array of attribute keys which were not stored as they were not allow-listed or were removed during the pipeline steps.
["my_span_attribute", "db.name"]
supportability.dropped_attributes_count
The number of attributes that were discarded on the source. Attributes can be discarded because their keys are too long or because there are too many attributes.
1
supportability.dropped_events_count
The number of span events that were discarded on the source.
1
supportability.dropped_links_count
The number of span links that were discarded on the source.
1
supportability.endpoint_name_rule
Name of the pipeline rule that generated the unified service endpoint.name.
http.route
; rpc.method
supportability.flaws
A string array of one or multiple error codes indicating issues in the assembly of a trace in Dynatrace. Typically, issues come from erroneous (3rd party) instrumentations (e.g. not sending a required field), data loss due to network connectivity (e.g. missing parent span) or conditions implied by the nature of the trace (e.g. trace exceeding the depth limit). The attribute is only present in case an assembly issue was detected (the list will not be empty). For more information and details about specific error codes, please reach out to Dynatrace support.
[C4, S3, A2]
supportability.custom_service.rule_id
The id of a custom service configuration rule. This field is only present if a custom service was configured as automatic instrumentation rule in Dynatrace.
4d76194c11a9426197a9062548f9e66e
supportability.atm_sampling_ratio
The denominator of the sampling ratio of an adaptive traffic management (ATM) aware sampler. The attribute is always present if an ATM aware sampler is active (this applies for example to the Dynatrace OneAgent). A numerator is not specified as it is always 1. If for example the Dynatrace OneAgent samples with a probability of 1/16 (6,25%) the value of supportability.atm_sampling_ratio would be 16 and the numerator is 1.
16
supportability.alr_sampling_ratio
The denominator of the sampling ratio of the Dynatrace cluster. The attribute is only set if adaptive load reduction (ALR) is active on the Dynatrace cluster. A numerator is not specified as it is always 1. If for example the Dynatrace cluster samples with a probability of 1/8 (12,5%) the value of supportability.alr_sampling_ratio would be 8 and the numerator is 1.
8
supportability.original_start_time
The original start time of the span. Only available if the value of the start_time attribute was truncated. Truncating the start time is technically required for long running spans that have a start time older than three days in the past.
1649822520123123123
supportability.serverid.processing
The id of the Dynatrace cluster node that received and processed this span.
5
supportability.serverid.addressee
The id of the Dynatrace cluster node this span was addressed to. This is only available if it differs from the value of supportability.serverid.processing.
5
Telemetry
The telemetry.sdk.* fields are used to describe the telemetry SDK in OpenTelemetry or ODIN ingest. It can be considered the closest equivalent of ODIN/OTel data to dt.agent.module.*.
The telemetry.exporter.* fields are used to define the exporter that exports telemetry data and is expected to be different for each exporter when multiple exporters co-exist.
Fields
telemetry.exporter.name
The exporter name.
odin
telemetry.exporter.version
The full agent/exporter version.
1.285.1.20240101-256988
telemetry.exporter.package_version
The version as exposed to the package manager (e.g. npm).
1.285.1
telemetry.sdk.name
The name of the telemetry SDK.
odin
; opentelemetry
telemetry.sdk.version
The version string of the telemetry SDK.
1.20.0
telemetry.sdk.language
The programming language/tech of the telemetry SDK.
nodejs
; python
; java
Thread
Fields
thread.id
Current "managed" thread id (as opposed to OS thread id).
42
thread.name
Current thread name.
main
thread.pool.name
The name of the thread pool.
WorkerThreadPool
TIBCO Business Works
Fields
tibco.businessworks_ce.app.name
tibco.businessworks_ce.version
tibco.businessworks.app.node.name
tibco.businessworks.app.space.name
tibco.businessworks.domain.name
tibco.businessworks.home
tibco.businessworks.property.file.path
tibco.businessworks.property.file.name
Time correction
The time_correction namespace contains information on time corrections applied to the timestamps of an event like "timestamp", "event.start" or "event.end". Time corrections may be necessary if events are reported with timestamps that are completely off compared to cluster time, for example data reported by RUM agents can be off depending on client time.
Fields
time_correction.offset
The offset of the original timestamps to the corrected timestamps in nanoseconds (<corrected timestamp> = <original timestamp> + <offset>). May be a negative number. Example: original timestamp: 1670399998423233001, offset: 127927969312, corrected timestamp: 1670400126351202313
127927969312
time_correction.is_applied
Gives hint if the time correction has already been applied to the timestamps of this event.
Trace
Fields
trace.id
A unique identifier for a trace. The trace.id is a 16-byte id and hex-encoded if shown as a string.
357bf70f3c617cb34584b31bd4616af8
trace.state
The trace state in the w3c-trace-context format.
f4fe05b2-bd92206c@dt=fw4;3;abf102d9;c4592;0;0;0;2ee;5607;2h01;3habf102d9;4h0c4592;5h01;6h5f9a543f1184a52b1b744e383038911c;7h6564df6f55bd6eae,apmvendor=boo,foo=bar
trace.alternate_id
The preserved trace id when OneAgent and other tracing systems monitor the same process and the trace id from the other tracing system was replaced by the OneAgent trace id. The trace.alternate_id is a 16-byte id and hex-encoded if shown as a string.
357bf70f3c617cb34584b31bd4616af8
URL
The url namespace contains semantic conventions for URL and its components.
Fields
url.scheme
The URI scheme component identifying the used protocol.
https
; ftp
; telnet
url.full
Absolute URL describing a network resource according to RFC3986.
Tags:
sensitive-spans
https://www.foo.bar/docs/search?q=OpenTelemetry#SemConv
url.path
The URI path component.
/docs/search
url.truncated_path
Truncated URI path component for endpoint detection of certain technologies that do not provide a http.route. The truncation logic depends on the technology and is a best effort to provide a stable value. Example Adobe Experience Manager (AEM): First two parts of url.path. Truncated value of /content/wknd/us/en/ is /content/wknd.
/docs
url.query
The URI query component.
Tags:
sensitive-spans
q=OpenTelemetry
url.fragment
The URI fragment component.
SemConv
url.domain
The URI domain component.
www.foo.bar
; google.com
; wikipedia.org
url.port
The URI port component.
443
; 80
User
Representation of a physical or logical user.
user.id
Unique identifier of a user.
35ba9499-f87c-4047-962c-14dc32e255e5
user.organization
Organization the user belongs to.
DYNATRACE
; CUSTOMER
; PARTNER
user.name
Full name of the user.
Wolfgang Amadeus Mozart
user.email
E-mail of the user.
user@mail.com
user.organization
MUST be one of the following:
CUSTOMER
DYNATRACE
PARTNER
VMware
Fields that can come from applications running on VMware.
Fields
Resource attributes
vmware.hypervisor.name
ESXi Host.
my-hypervisor.lab.dynatrace.org
vmware.vcenter.name
The name of the vCenter server with multi-hypervisor environment.
my-vcenter.lab.dynatrace.org
vmware.nic.name
ESXi Host Network Interface.
vmnic0
; vmnic1
; vmnic2
vmware.datacenter.name
The name of the data center the hypervisor is running in.
srvwasapp1Cell01
vmware.vm.name
The name of the virtual machine.
easytravel-demo
vmware.disk.name
ESXi Host Disk.
srvwasapp1Cell01
Vulnerability
Fields
vulnerability.id
Dynatrace unique identifier for the vulnerability.
2039861408676243188
vulnerability.display_id
Dynatrace user-readable identifier for the vulnerability.
S-1234
vulnerability.external_id
External provider's unique identifier for the vulnerability.
SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646
vulnerability.type
Classification of the vulnerability based on commonly accepted enums, such as CWE.
Improper Input Validation
vulnerability.stack
Level of the vulnerable component in the technological stack.
CODE
; CODE_LIBRARY
; SOFTWARE
; CONTAINER_ORCHESTRATION
vulnerability.technology
Technology of the vulnerable component.
JAVA
; DOTNET
; GO
; PHP
; NODE_JS
vulnerability.title
Title of the vulnerability.
Improper Input Validation
vulnerability.description
Description of the vulnerability.
More detailed description about improper input validation vulnerability.
vulnerability.url
Dynatrace URL to the details page of the vulnerability.
https://example.com
vulnerability.external_url
External provider's URL to the details page of the vulnerability.
https://example.com
vulnerability.references.cve
List of the vulnerability's CVE IDs.
[CVE-2021-41079]
vulnerability.references.cwe
List of the vulnerability's CWE IDs.
[CWE-20]
vulnerability.references.owasp
List of the vulnerability's OWASP IDs.
[2021:A3]
vulnerability.resolution.status
Vulnerability's resolution status.
OPEN
; RESOLVED
vulnerability.resolution.change_date
Timestamp of the vulnerability's last resolution status change.
2023-03-22T13:19:37.466Z
vulnerability.cvss.base_score
Vulnerability's CVSS base score provided by NVD.
8.1
vulnerability.cvss.version
Vulnerability's CVSS score version.
3.1
vulnerability.risk.score
Vulnerability's risk score defined by the provider. For Dynatrace, Davis Security Score.
8.1
vulnerability.risk.level
Vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level.
LOW
; MEDIUM
; HIGH
; CRITICAL
; NONE
vulnerability.risk.scale
Scale by which the vulnerability's risk score and risk score level defined by the provider are measured.
Davis Security Score
vulnerability.davis_assessment.score
Vulnerability's Davis Security Score (1-10) calculated by Dynatrace.
8.1
vulnerability.davis_assessment.level
Vulnerability's risk level based on Davis Security Score.
LOW
; MEDIUM
; HIGH
; CRITICAL
; NONE
vulnerability.davis_assessment.exposure_status
Vulnerability's internet exposure status.
NOT_AVAILABLE
; NOT_DETECTED
; PUBLIC_NETWORK
; ADJACENT_NETWORK
vulnerability.davis_assessment.data_assets_status
Vulnerability's reachability of related data assets by affected entities.
NOT_AVAILABLE
; NOT_DETECTED
; REACHABLE
vulnerability.davis_assessment.assessment_mode
Availability of the information based on which the vulnerability assessment has been done.
FULL
; NOT_AVAILABLE
; REDUCED
vulnerability.davis_assessment.assessment_mode_reasons
Reasons for the assessment mode.
[LIMITED_BY_CONFIGURATION, LIMITED_AGENT_SUPPORT]
vulnerability.davis_assessment.exploit_status
Vulnerability's public exploits status.
AVAILABLE
; NOT_AVAILABLE
vulnerability.davis_assessment.vulnerable_function_status
Usage status of the vulnerable functions causing the vulnerability.
IN_USE
; NOT_AVAILABLE
; NOT_IN_USE
vulnerability.first_seen
Timestamp of when the vulnerability was first detected.
2023-03-22T13:19:36.945Z
vulnerability.parent.resolution.status
Current status of the vulnerability.
OPEN
; RESOLVED
vulnerability.parent.resolution.change_date
Timestamp of the vulnerability's last resolution status change.
2023-03-22T13:19:37.466Z
vulnerability.parent.risk.score
Vulnerability's risk score defined by the provider. For Dynatrace, Davis Security Score.
8.1
vulnerability.parent.risk.level
Vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level.
LOW
; MEDIUM
; HIGH
; CRITICAL
; NONE
vulnerability.parent.davis_assessment.score
Vulnerability's Davis Security Score (1-10) calculated by Dynatrace.
8.1
vulnerability.parent.davis_assessment.level
Vulnerability's Davis Security Score level.
LOW
; MEDIUM
; HIGH
; CRITICAL
; NONE
vulnerability.parent.davis_assessment.exposure_status
Vulnerability's internet exposure status.
NOT_AVAILABLE
; NOT_DETECTED
; PUBLIC_NETWORK
; ADJACENT_NETWORK
vulnerability.parent.davis_assessment.data_assets_status
Vulnerability's reachability of related data assets by affected entities.
NOT_AVAILABLE
; NOT_DETECTED
; REACHABLE
vulnerability.parent.davis_assessment.assessment_mode
Availability of the information based on which the vulnerability assessment has been done.
FULL
; NOT_AVAILABLE
; REDUCED
vulnerability.parent.davis_assessment.vulnerable_function_status
Usage status of vulnerable functions causing the vulnerability. Status is IN_USE when there's at least one vulnerable function in use by an application.
IN_USE
; NOT_AVAILABLE
; NOT_IN_USE
vulnerability.parent.first_seen
Timestamp of when the vulnerability was first detected.
2023-03-22T13:19:36.945Z
vulnerability.parent.mute.status
Vulnerability's mute status.
MUTED
; NOT_MUTED
vulnerability.mute.status
Vulnerability's mute status.
MUTED
; NOT_MUTED
vulnerability.mute.user
User who last changed the vulnerability's mute status.
user@example.com
vulnerability.parent.mute.user
User who last changed the vulnerability's mute status.
user@example.com
vulnerability.mute.reason
Reason for muting or unmuting the vulnerability.
FALSE_POSITIVE
; IGNORE
; AFFECTED
; CONFIGURATION_NOT_AFFECTED
; OTHER
vulnerability.parent.mute.reason
Reason for muting or unmuting the vulnerability.
FALSE_POSITIVE
; IGNORE
; AFFECTED
; CONFIGURATION_NOT_AFFECTED
; OTHER
vulnerability.mute.change_date
Timestamp of the vulnerability's last muted or unmuted action.
2023-03-22T13:19:36.945Z
vulnerability.parent.mute.change_date
Timestamp of the last mute or unmute action of the vulnerability.
2023-03-22T13:19:36.945Z
vulnerability.previous.risk.score
Vulnerability's previous risk score (in case the risk score has changed).
8.1
vulnerability.previous.risk.level
Vulnerability's previous risk score level (in case the risk score level has changed).
LOW
; MEDIUM
; HIGH
; CRITICAL
vulnerability.previous.cvss.base_score
Vulnerability's previous CVSS base score (in case the CVSS base score has changed).
8.1
vulnerability.previous.davis_assessment.score
Vulnerability's previous Davis Security Score (in case Davis Security Score has changed).
8.1
vulnerability.previous.davis_assessment.level
Vulnerability's previous risk level (in case the risk level has changed).
LOW
; MEDIUM
; HIGH
; CRITICAL
; NONE
vulnerability.previous.davis_assessment.exploit_status
Vulnerability's previous public exploit status (in case the public exploit status has changed).
AVAILABLE
; NOT_AVAILABLE
vulnerability.previous.davis_assessment.exposure_status
Vulnerability's previous internet exposure status (in case the internet exposure status has changed).
NOT_AVAILABLE
; NOT_DETECTED
; PUBLIC_NETWORK
; ADJACENT_NETWORK
vulnerability.previous.davis_assessment.data_assets_status
Vulnerability's previous reachability of related data assets by affected entities (in case the reachability has changed).
NOT_AVAILABLE
; NOT_DETECTED
; REACHABLE
vulnerability.previous.davis_assessment.vulnerable_function_status
Vulnerability's previous vulnerable function status (in case the vulnerable function status has changed).
IN_USE
; NOT_AVAILABLE
; NOT_IN_USE
vulnerability.previous.mute.status
Vulnerability's previous mute status (in case the mute status has changed).
MUTED
; NOT_MUTED
vulnerability.previous.mute.user
User who last changed the vulnerability's mute status (in case the mute status was last changed by a different user).
user@example.com
vulnerability.previous.mute.reason
Reason for last muting or unmuting the vulnerability (in case the reason for muting or unmuting the vulnerability has changed).
Muted: False positive
vulnerability.previous.mute.change_date
Timestamp of the vulnerability's previous mute status (in case the mute status has changed).
2023-03-22T13:19:36.945Z
vulnerability.previous.resolution.status
Vulnerability's previous resolution status (in case the resolution status has changed).
OPEN
; RESOLVED
vulnerability.code_location.name
Name of the code location where the code-level vulnerability was detected.
org.dynatrace.profileservice.BioController.markdownToHtml(String):80
vulnerability.remediation.description
Description of the vulnerability's remediation advice.
Upgrade component to version 1.2.3 or higher
vulnerability.is_fix_available
Indicates if a vulnerability fix is available.
vulnerability.stack
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
CODE
CODE_LIBRARY
CONTAINER_ORCHESTRATION
SOFTWARE
vulnerability.technology
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
DOTNET
GO
JAVA
NODE_JS
PHP
vulnerability.resolution.status
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
OPEN
RESOLVED
vulnerability.risk.level
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
CRITICAL
HIGH
LOW
MEDIUM
NONE
vulnerability.davis_assessment.level
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
CRITICAL
HIGH
LOW
MEDIUM
NONE
vulnerability.davis_assessment.exposure_status
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
ADJACENT_NETWORK
NOT_AVAILABLE
NOT_DETECTED
PUBLIC_NETWORK
vulnerability.davis_assessment.data_assets_status
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
NOT_AVAILABLE
NOT_DETECTED
REACHABLE
vulnerability.davis_assessment.assessment_mode
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
FULL
NOT_AVAILABLE
REDUCED
vulnerability.davis_assessment.exploit_status
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
AVAILABLE
NOT_AVAILABLE
vulnerability.davis_assessment.vulnerable_function_status
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
IN_USE
NOT_AVAILABLE
NOT_IN_USE
vulnerability.parent.resolution.status
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
OPEN
RESOLVED
vulnerability.parent.risk.level
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
CRITICAL
HIGH
LOW
MEDIUM
NONE
vulnerability.parent.davis_assessment.level
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
CRITICAL
HIGH
LOW
MEDIUM
NONE
vulnerability.parent.davis_assessment.exposure_status
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
ADJACENT_NETWORK
NOT_AVAILABLE
NOT_DETECTED
PUBLIC_NETWORK
vulnerability.parent.davis_assessment.data_assets_status
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
NOT_AVAILABLE
NOT_DETECTED
REACHABLE
vulnerability.parent.davis_assessment.assessment_mode
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
FULL
NOT_AVAILABLE
REDUCED
vulnerability.parent.davis_assessment.vulnerable_function_status
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
IN_USE
NOT_AVAILABLE
NOT_IN_USE
vulnerability.parent.mute.status
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
MUTED
NOT_MUTED
vulnerability.mute.status
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
MUTED
NOT_MUTED
vulnerability.mute.reason
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
AFFECTED
CONFIGURATION_NOT_AFFECTED
FALSE_POSITIVE
IGNORE
OTHER
vulnerability.parent.mute.reason
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
AFFECTED
CONFIGURATION_NOT_AFFECTED
FALSE_POSITIVE
IGNORE
OTHER
vulnerability.previous.risk.level
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
CRITICAL
HIGH
LOW
MEDIUM
NONE
vulnerability.previous.davis_assessment.level
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
CRITICAL
HIGH
LOW
MEDIUM
NONE
vulnerability.previous.davis_assessment.exploit_status
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
AVAILABLE
NOT_AVAILABLE
vulnerability.previous.davis_assessment.exposure_status
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
ADJACENT_NETWORK
NOT_AVAILABLE
NOT_DETECTED
PUBLIC_NETWORK
vulnerability.previous.davis_assessment.data_assets_status
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
NOT_AVAILABLE
NOT_DETECTED
REACHABLE
vulnerability.previous.davis_assessment.vulnerable_function_status
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
IN_USE
NOT_AVAILABLE
NOT_IN_USE
vulnerability.previous.mute.status
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
MUTED
NOT_MUTED
vulnerability.previous.resolution.status
has the following list of well-known values. If one of them applies, then the respective value MUST be used, otherwise a custom value MAY be used.
OPEN
RESOLVED
WebLogic
Fields
weblogic.cluster.name
The name of the cluster this instance belongs to.
OrderManagement2
weblogic.domain.name
The name of the domain this instance belongs to.
CustomerManagementFulfillmentSvc
weblogic.home
The instance's home directory.
/apps/infra/wls/bin/10.3.6_64/wlserver_10.3/server
weblogic.server.name
The instance's server name.
OrderManagement2Srv1
WebSphere
Fields
websphere.cell.name
The name of the cell this instance belongs to.
srvwasapp1Cell01
websphere.cluster.name
The name of the cluster this instance belongs to.
CluApp1
websphere.node.name
The name of the node this instance belongs to.
nodeSrvApp2
websphere.server.name
The instance's server name.
SrvApp2
WebSphere Liberty
Fields
websphere_liberty.server.name
The instance's server name.
defaultServer
z/OS
Fields zos resource attributes
zos.address_space_id
The address space identifier (ASID) of the z/OS address space.
1
; 296
zos.job_name
The jobname of the z/OS address space.
CICSAOR0
; CTGATM00
; IMSCR15
zos.job_id
The job id of the z/OS address space.
JOB12345
zos.job_step_id
The step id within the job within the z/OS address space.
00000001
; 00000002
zos.lpar_name
The name of the LPAR that the z/OS address space executes within.
S0W1
; ABCD
zos.sys_id
The system ID of the CICS/IMS address space.
C259
; CICS
; IMSF
Fields zos transactions general
zos.transaction.id
The ID of this transaction.
CEMT
; DTAX
; IVTNO
zos.transaction.call_type
The type of transaction call that was invoked.
CTG
zos.transaction.job_name
The jobname of the z/OS address space that the transaction executed in.
CICSAOR0
; CTGATM00
; IMSCR15
zos.transaction.lpar_name
The name of the LPAR that the transaction executed on.
S0W1
; ABCD
zos.transaction.program_type
The type of transaction that was executed.
DLI_DB
; DLI_DC
; MQ
; DB2
zos.transaction.call_type
MUST be one of the following:
CTG
DPL
HTTP
IMS_CONNECT
IMS_CONNECT_API
ITRA
MQ
MSC
PGM_SWITCH
SDK
SHARED_QUEUE
SOAP
START
TTX
TX
ZOS_CONNECT
zos.transaction.program_type
MUST be one of the following:
DB2
DLI_DB
DLI_DC
MQ
Fields cics transactions
cics.transaction.system_id
The system ID of the CICS region that this transaction executed on.
C259
; CICS
cics.transaction.task_id
The CICS task ID of this transaction.
1234
cics.transaction.unit_of_work_id
The unit of work ID for this transaction, which is normally represented as a hex value.
15977055984148641282
; 15977055491352760323
cics.transaction.path.name
The path name, only applicable for web requests.
/dtrouter
; ``
cics.transaction.user_id
The user ID of the user who triggered this transaction.
USER1
; anon
cics.transaction.client.ip
IP address of the client (IPv4 or IPv6) that made the request that triggered the transaction.
194.232.104.141
; 2a01:468:1000:9::140
cics.transaction.client.port
Port number of the client that made the request that triggered the transaction.
65123
; 80
cics.transaction.class_name
The name of the transaction class of this transaction.
null
; DFHTCL00
cics.transaction.wlm.service_class_name
The name of the z/OS Workload Manager (WLM) service class of this transaction.
null
; SYSSTC
; VEL15I5
cics.transaction.wlm.reporting_service_class_name
The name of the z/OS Workload Manager (WLM) reporting service class of this transaction.
null
; BAT_ATM
; RC_CICS
Fields cics files
cics.file_name
The logical name of the file, as defined in CEDA.
EXMPCAT
; CICSFILE
cics.file.is_local
A boolean that is true if the file is defined within the CICS region that it executed in.
True
cics.file.defining_region_name
The system ID of the CICS region that is defined on the request.
C259
; CICS
Fields ims transactions
ims.message.transaction.terminal_name
The terminal name that this IMS transaction executed on.
HWSAM5ZD
; 10505
ims.message.transaction.unit_of_work_id
The unit of work ID for this transaction, which is normally represented as a hex value.
5981228500318430862871015129591113287966852300630664295044916520394057871645605888
; 5981112713529734741010744557477214433959078921583025076794253743298954785382793216
ims.message.transaction.user_id
The user ID of the user who triggered this transaction.
USER1
; anon
ims.message.transaction.message.size
The size of the message.
10
; 421
ims.message.transaction.message.segment_count
The number of segments in the message.
1
; 5
Fields ims execution transactions
ims.execution.transaction.psb_name
The PSB name that this IMS transaction executed on.
HWSAM5ZD
; 10505
ims.execution.transaction.unit_of_work_id
The unit of work ID for this transaction, which is normally represented as a hex value.
5981228500318430862871015129591113287966852300630664295044916520394057871645605888
; 5981112713529734741010744557477214433959078921583025076794253743298954785382793216
ims.execution.transaction.schedule_count
The schedule count for this transaction.
346613
; 421
ims.execution.transaction.commit_count
The commit count for this transaction.
4
; 5
ims.execution.transaction.execution_class
The execution class of this transaction.
45
; 66
ims.execution.transaction.current_priority
The current priority of this transaction.
1
; 5
Fields ims connect transactions
ims.connect.transaction.user_id
The user ID of the user who triggered this transaction.
USER1
; anon
ims.connect.transaction.client.ip
IP address of the client (IPv4 or IPv6) that made the request that triggered the transaction.
194.232.104.141
; 2a01:468:1000:9::140
ims.connect.transaction.server.port
Port number on the IMS Connect server that received the request for this transaction.
65123
; 80
Fields ims tm resource adapter (ITRA) transactions
ims.tm.resource.adapter.semantic_detection_version
The detection version for this transaction.
1
ims.tm.resource.adapter.transaction.datastore_name
The datastore name used by this transaction.
IMS1500
ims.tm.resource.adapter.transaction.lpar_name
The name of the LPAR that the transaction executed on.
S0W1
; ABCD
ims.tm.resource.adapter.transaction.client.ip
IP address of the client (IPv4 or IPv6) that made the request that triggered the transaction.
194.232.104.141
; 2a01:468:1000:9::140
ims.tm.resource.adapter.transaction.client.port
Port number of the client that made the request that triggered the transaction.
65123
; 80
ims.tm.resource.adapter.transaction.interaction_verb
The interaction verb that triggered the transaction.
0
ims.tm.resource.adapter.transaction.commit_mode
The commit mode of the transaction.
0
ims.tm.resource.adapter.transaction.sync_level
Indicates the synchronization level of the transaction. This only applies when the interaction verb is set to "SYNC_SEND_RECEIVE", "SYNC_SEND", or "SYNC_RECEIVE_CALLOUT". This attribute applies to both conversational and non-conversational applications. It is used in conjunction with the ims.transaction.request.transaction.commit_mode attribute.
0
ims.tm.resource.adapter.transaction.interaction_verb
MUST be one of the following:
0
1
3
4
5
6
7
ims.tm.resource.adapter.transaction.commit_mode
MUST be one of the following:
0
1
ims.tm.resource.adapter.transaction.sync_level
MUST be one of the following:
0
1
z/OS Connect
Fields
zosconnect.request.id
The z/OS Connect request ID.
2215
zosconnect.service.provider.name
The service provider name.
CICS-1.0
zosconnect.sor.reference
The system of record reference.
cicsConn
zosconnect.sor.identifier
localhost:8080
zosconnect.sor.resource
Identifier for the resource invoked on the system of record. The format differs depending on the SOR type. 2
01,DFH0XCMN
zosconnect.sor.type
The system of record type.
CICS
zosconnect.request.body.size
The size of the request payload in bytes.
234
zosconnect.response.body.size
The size of the response payload in bytes.
125
zosconnect.api.name
The z/OS Connect API name.
catalog
zosconnect.service.name
The z/OS Connect service name.
placeOrder
zosconnect.api.description
The z/OS Connect API description.
API for the CICS catalog manager sample application
zosconnect.service.description
The z/OS Connect service description.
EDUCHAN service using the CICS Service Provider
zosconnect.api.version
The z/OS Connect API version.
1.0.0
zosconnect.service.version
The z/OS Connect service version.
2.0
zosconnect.sor.type
MUST be one of the following:
CICS
IMS
MQ
REST
WOLA
zosconnect.request.type
MUST be one of the following:
ADMIN
API
SERVICE
UNKNOWN