NOTE:
This document describes the data export schema prior to the May 2020 data model update. While data is no longer exported in the format this document describes, it remains relevant to historical data.

____________

The JSON files that Cmd writes to cloud storage contain data about either session events or command events. 

Outline:

  • Understanding time: Cloud object timestamps vs. event timestamps

  • 'Session event' data structure

  • 'Command event' data structure


Understanding time: Cloud object timestamps vs. event timestamps

The timestamps on the objects Cmd writes to cloud storage represent the time of export from Cmd’s systems. The timestamps on the server events described in those objects are usually close to the time of export; however, connectivity issues may lead to inconsistencies between object and event timestamps.


Session event data structure

Cmd writes newline-delimited JSON objects to storage, which contain either session event or command event data. Files describing session events conform to the following naming convention:

sess-v1*.json.gz


(For a full example of the naming convention for these objects, see Introduction to Cmd data export.)

Within the JSON files, each line holds an object with the following structure (expanded over multiple lines here for clarity).
Note: Cmd may add fields to this structure without changing the version number. Please ensure your data processing tools are configured to ignore unknown fields.

{
  "id": "2d59283f-e900-4951-9f41-1b584e3afbf9",
  "created": "2018-08-13T22:00:24.252554Z",
  "login_user": "smokey",
  "command": "bash",
  "how_connected": "sshd",
  "interactive": true,
  "pid": 1364,
  "ip": "10.128.125.37",
  "tz_std": "UTC",
  "tz_dst": "UTC",
  "utc_offset": 0,
  "has_dst": false,
  "server_name": "staging-webapp-17",
  "server_id": "SVR-WG6d123456-9ddc-21f9-af12-0476ac980002X",
  "project_id": "PRJ-3NX",
  "company_id": "CMP-3X",
  "cmd_agent_version": "1.1.12-111"
}

 

Command event data structure

Cmd writes newline-delimited JSON objects to storage, which contain either session event or command event data. Files describing command events conform to the following naming convention:

cmd-v1*.json.gz 


(For a full example of the naming convention for these objects, see Introduction to Cmd data export.)

Within the JSON files, each line holds an object with the following structure (expanded over multiple lines here for clarity).
Note: Cmd may add fields to this structure without changing the version number. Please ensure your data processing tools are configured to ignore unknown fields.

{
  "id": "80adee82-db4e-4dc0-8bb6-fd6d34c17474",
  "created": "2018-08-13T21:01:18.283820Z",
  "exec_user": "ubuntu",
  "command": "date",
  "command_line": "date",
  "command_type": "EXEC",
  "exec_path": "/bin/date",
  "cwd": "/home/ubuntu",
  "pwd": 1894,
  "parent_pid": 1829,
  "origin": "shell_uec",
  "parent_command_base": "bash",
  "top_command_base": "",
  "shell_type": "bash",
  "command_number": 2,
  "interactive_shell": true,
  "executing": true,
  "line_number": 1,
  "shell_login": 1,
  "startup_state": 1,
  "shell_version": "4.3.48(1)-release",
  "parent_id": "",
  "session_id": "2bbb30eb-4b4e-4940-99d6-42e3fd0d79d2",
  "server_id": "6d123456-9ddc-21f9-af12-0476ac980002",
  "project_id": "PRJ-3XX",
  "company_id": "CMP-3X"
}
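
The following is an added example, not code from Cmd: a Python reader for a gzipped, newline-delimited command-event file that ignores unknown fields, as the note above asks, and compares each event's "created" time with the cloud object's time of export. The sample events, the object timestamp, the 15-minute threshold and the function names are assumptions constructed for illustration.

```python
import gzip
import io
import json
from datetime import datetime, timedelta, timezone

# Subset of the command-event fields documented above; any other field is ignored.
COMMAND_FIELDS = ("id", "created", "exec_user", "command_line", "cwd", "session_id", "server_id")


def parse_created(value):
    """Parse an event 'created' timestamp (UTC, trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def read_events(gz_bytes, fields=COMMAND_FIELDS):
    """Yield one dict per line of a gzipped NDJSON export, keeping only known fields."""
    with gzip.open(io.BytesIO(gz_bytes), "rt", encoding="utf-8") as fh:
        for line in fh:
            if not line.strip():
                continue  # tolerate blank lines
            obj = json.loads(line)
            event = {k: obj.get(k) for k in fields}  # unknown fields are dropped
            event["created"] = parse_created(obj["created"])
            yield event


def delayed_events(gz_bytes, object_time, threshold=timedelta(minutes=15)):
    """Return (id, lag) for events exported more than `threshold` (assumed value) late."""
    return [(e["id"], object_time - e["created"])
            for e in read_events(gz_bytes)
            if object_time - e["created"] > threshold]


# Constructed sample: two command events; the second carries a field not in the schema.
SAMPLE_LINES = [
    {"id": "evt-1", "created": "2018-08-13T21:01:18.283820Z", "exec_user": "ubuntu",
     "command_line": "date", "cwd": "/home/ubuntu", "session_id": "sess-a", "server_id": "srv-1"},
    {"id": "evt-2", "created": "2018-08-13T18:30:00.000000Z", "exec_user": "ubuntu",
     "command_line": "ls", "cwd": "/tmp", "session_id": "sess-a", "server_id": "srv-1",
     "future_field": {"added": "later"}},
]
SAMPLE_GZ = gzip.compress("\n".join(json.dumps(o) for o in SAMPLE_LINES).encode() + b"\n")
# Constructed stand-in for the cloud object's timestamp (time of export).
SAMPLE_OBJECT_TIME = datetime(2018, 8, 13, 21, 2, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for event_id, lag in delayed_events(SAMPLE_GZ, SAMPLE_OBJECT_TIME):
        print(f"{event_id}: exported {lag} after the event")
```

When building timelines from historical exports, order events by "created" rather than by object timestamp, since a delayed export places old events in a newer object.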

 
