Container Fields
Overview
The container fields describe isolated execution environments that run applications or processes within a virtualized or constrained context. Containers abstract the underlying system resources, enabling consistent behavior across different hosts and deployment environments.
Design and Usage
Container-related fields capture identifying and contextual information about the container instance, such as unique identifiers, names, and namespaces. These fields support correlation across containerized workloads, orchestration systems, and host telemetry. The schema design assumes containers operate as discrete yet transient entities within broader system or cluster environments.
Common Use Cases
- Tracking container activity within security or performance monitoring data.
- Correlating events across multiple containers or orchestration namespaces.
- Identifying workloads involved in alerts, deployments, or process lineage analysis.
Implementation Notes
The container entity represents a top-level schema component and should not be modeled as a sub-entity. Field naming conventions follow the standard prefix pattern (container_<suffix>). Implementations rely on stable identifiers to enable event correlation even when containers are ephemeral.
| field | field_type | description | example_values |
|---|---|---|---|
| container_id | keyword | Unique container ID | |
| container_name | keyword | Container name | |
| container_namespace | keyword | Namespace the container is running in | |
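
The following is an added example, not part of the schema's own tooling, showing how the three fields above can be checked and used to correlate events on the stable `container_id`. It assumes flat dictionary events, that `keyword` maps to a non-empty string, and that the table lists every `container_` field; the function names, the `action` field and the sample events are constructed for illustration.

```python
from collections import defaultdict

# Field names taken from the table on this page. Treating the table as the
# complete set of container_ fields is an assumption of this example.
CONTAINER_FIELDS = {"container_id", "container_name", "container_namespace"}


def check_container_fields(event):
    """Return a list of problems with the container_* fields of one event."""
    problems = []
    for key, value in event.items():
        if not key.startswith("container_"):
            continue  # not a container field, out of scope here
        if key not in CONTAINER_FIELDS:
            problems.append(f"unknown field: {key}")
        elif not isinstance(value, str) or not value:
            # "keyword" is interpreted as a non-empty string (assumption)
            problems.append(f"{key} must be a non-empty string")
    return problems


def correlate_by_container(events):
    """Group valid events by container_id, the stable identifier.

    Events with invalid container fields or no container_id are skipped,
    so a malformed record cannot be merged into another container's timeline.
    """
    groups = defaultdict(list)
    for event in events:
        if check_container_fields(event):
            continue
        container_id = event.get("container_id")
        if container_id:
            groups[container_id].append(event)
    return dict(groups)


# Constructed sample events; "action" is a hypothetical non-container field.
SAMPLE_EVENTS = [
    {"container_id": "c0ffee01", "container_name": "web", "container_namespace": "prod", "action": "process_start"},
    {"container_id": "c0ffee01", "container_name": "web", "container_namespace": "prod", "action": "network_connect"},
    # Same name and namespace but a new ID: a replacement container instance.
    {"container_id": "c0ffee02", "container_name": "web", "container_namespace": "prod", "action": "process_start"},
    {"container_id": 12345, "container_name": "db", "container_namespace": "prod", "action": "process_start"},
    {"container_image": "nginx", "container_id": "c0ffee03", "action": "process_start"},
]
```

Grouping on `container_id` rather than `container_name` keeps the two `web` instances in separate timelines, which matters when a container is replaced under the same name.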
