elastic · klacabane · Sep 7, 2022 · Sep 6, 2022
@@ -17,3 +17,5 @@
   external: ecs
 - name: service.name
   external: ecs
+- name: error.message
+  external: ecs
@@ -17,3 +17,5 @@
   external: ecs
 - name: service.name
   external: ecs
+- name: error.message
+  external: ecs
@@ -17,3 +17,5 @@
   external: ecs
 - name: service.name
   external: ecs
+- name: error.message
+  external: ecs
@@ -17,3 +17,5 @@
   external: ecs
 - name: service.name
   external: ecs
+- name: error.message
+  external: ecs
@@ -17,3 +17,5 @@
   external: ecs
 - name: service.name
   external: ecs
+- name: error.message
+  external: ecs
@@ -17,3 +17,5 @@
   external: ecs
 - name: service.name
   external: ecs
+- name: error.message
+  external: ecs
@@ -17,3 +17,5 @@
   external: ecs
 - name: service.name
   external: ecs
+- name: error.message
+  external: ecs
@@ -17,3 +17,5 @@
   external: ecs
 - name: service.name
   external: ecs
+- name: error.message
+  external: ecs
@@ -17,3 +17,5 @@
   external: ecs
 - name: service.name
   external: ecs
+- name: error.message
+  external: ecs
@@ -17,3 +17,5 @@
   external: ecs
 - name: service.name
   external: ecs
+- name: error.message
+  external: ecs
@@ -17,3 +17,5 @@
   external: ecs
 - name: service.name
   external: ecs
+- name: error.message
+  external: ecs
@@ -20,3 +20,5 @@
   external: ecs
 - name: host.name
   external: ecs
+- name: error.message
+  external: ecs
@@ -20,3 +20,5 @@
   external: ecs
 - name: host.name
   external: ecs
+- name: error.message
+  external: ecs
@@ -20,3 +20,5 @@
   external: ecs
 - name: host.name
   external: ecs
+- name: error.message
+  external: ecs
@@ -20,3 +20,5 @@
   external: ecs
 - name: host.name
   external: ecs
+- name: error.message
+  external: ecs
@@ -20,3 +20,5 @@
   external: ecs
 - name: host.name
   external: ecs
+- name: error.message
+  external: ecs
@@ -11,3 +11,5 @@
 - name: service.address
   type: keyword
   description: Address where data about this service was collected from.
+- name: error.message
+  external: ecs
@@ -353,6 +353,7 @@ Cluster actions metrics documentation
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
 | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
 | event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
 | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |
@@ -465,6 +466,7 @@ Cluster rules metrics
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
 | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
 | event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
 | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |
@@ -577,6 +579,7 @@ Node actions metrics
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
 | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
 | event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
 | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |
@@ -685,6 +688,7 @@ Node rules metrics
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
 | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
 | event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
 | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |

@@ -23,3 +23,5 @@
   external: ecs
 - name: host.name
   external: ecs
+- name: error.message
+  external: ecs
@@ -23,3 +23,5 @@
   external: ecs
 - name: host.name
   external: ecs
+- name: error.message
+  external: ecs