Storage schema

The following list shows the schema used when storing data in AxoStore. You can use these fields when searching on the Storage page.

log_attributes

Type: object
Related schema element: log.attributes

Additional attributes that describe the specific event occurrence. Every attribute key must be unique.

body

Type: string
Related schema element: log.body

The body of the log record, which can contain strings and structured data composed of arrays and maps of other values.

observed_time

Time when the event was observed by the data pipeline, in UNIX Epoch time (nanoseconds elapsed since 00:00:00 UTC on 1 January 1970). A value of 0 indicates unknown or missing timestamp.

  • For events that originate in OpenTelemetry, this timestamp is typically set at the generation time and is equal to time_unix_nano.
  • For events originating externally and collected by an Axoflow agent or an AxoRouter, this is the time when the Axoflow pipeline observed the event. type: datetime

severity_number

Type: number
Related schema element: log.severity_number

Numerical value of the severity, normalized to values described in Log Data Model.

severity_text

Type: string
Related schema element: log.severity_text

The severity as a string (log level). The original string representation as described at the source. For the numerical to string mapping, see log.severity_number.

timestamp

Type: datetime
Related schema element: log.time_unix_nano

The time when the event occurred in UNIX Epoch time (nanoseconds elapsed since 00:00:00 UTC on 1 January 1970). A value of 0 indicates unknown or missing timestamp.

meta_raw

Type: object
Related schema element: meta

Metadata about a specific message record, for example, a log message.

connection

Type: object
Related schema element: meta.connection

Information about the network connection that transmitted the message.

host_labels

Type: object
Related schema element: meta.host.labels

The labels set in the inventory for the host the message originates from. Note that if the host is sending data to an AxoRouter connector that doesn’t perform automatic classification, then changing the product and vendor labels can affect the final metadata in the destination, for example, the sourcetype assigned to the data in Splunk.

host_name

Type: string
Related schema element: meta.host.name

The name of the host the message originates from (based on the inventory).

host_candidate

Type: object
Related schema element: meta.host_candidate

product

Type: string
Related schema element: meta.product

The product name of the appliance, application, or service that generated the message.

axo_host_labels

Type: object
Related schema element: meta.router.labels

Labels of the AxoRouter instance that processed the message.

axo_host_name

Type: string
Related schema element: meta.router.name

The hostname of the AxoRouter instance that processed the message.

service

Type: string
Related schema element: meta.service.name

Name of the service that generated the message. For syslog messages, that’s usually the value of the PROGRAM field.

vendor

Type: string
Related schema element: meta.vendor

The vendor of the appliance, application, or service that generated the message.

resource_attributes

Type: object
Related schema element: resource.attributes

Attributes that describe the resource. Every attribute key must be unique.

scope_attributes

Type: object
Related schema element: scope.attributes

Attributes that describe the log scope. Every attribute key must be unique.

scope_name

Type: string
Related schema element: scope.name

Name of the log scope

scope_version

Type: string
Related schema element: scope.version

Version of the log scope