Process
May 18, 2026 · View on GitHub
Process
Status:
type: process
Description: An operating system process.
Attributes:
| Role | Key | Stability | Requirement Level | Value Type | Description | Example Values |
|---|---|---|---|---|---|---|
| Identity | process.creation.time |  | Required | string | The date and time the process was created, in ISO 8601 format. | 2023-11-21T09:25:34.853Z |
| Identity | process.pid | | Required | int | Process identifier (PID). | 1234 |
| Description | process.command | | Recommended | string | The command used to launch the process (i.e. the command name). On Linux based systems, can be set to the zeroth string in proc/[pid]/cmdline. On Windows, can be set to the first parameter extracted from GetCommandLineW. | cmd/otelcol |
| Description | process.owner | | Recommended | string | The username of the user that owns the process. | root |
| Description | process.args_count | | Opt-In | int | Length of the process.command_args array [1] | 4 |
| Description | process.command_args | | Opt-In | string[] | All the command arguments (including the command/executable itself) as received by the process. On Linux-based systems (and some other Unixoid systems supporting procfs), can be set according to the list of null-delimited strings extracted from proc/[pid]/cmdline. For libc-based executables, this would be the full argv vector passed to main. SHOULD NOT be collected by default unless there is sanitization that excludes sensitive data. | ["cmd/otecol", "--config=config.yaml"] |
| Description | process.command_line | | Opt-In | string | The full command used to launch the process as a single string representing the full command. On Windows, can be set to the result of GetCommandLineW. Do not set this if you have to assemble it just for monitoring; use process.command_args instead. SHOULD NOT be collected by default unless there is sanitization that excludes sensitive data. | C:\cmd\otecol --config="my directory\config.yaml" |
| Description | process.interactive | | Opt-In | boolean | Whether the process is connected to an interactive shell. | |
| Description | process.linux.cgroup | | Opt-In | string | The control group associated with the process. [2] | 1:name=systemd:/user.slice/user-1000.slice/session-3.scope; 0::/user.slice/user-1000.slice/user@1000.service/tmux-spawn-0267755b-4639-4a27-90ed-f19f88e53748.scope |
| Description | process.parent_pid | | Opt-In | int | Parent Process identifier (PPID). | 111 |
| Description | process.title | | Opt-In | string | Process title (proctitle) [3] | cat /etc/hostname; xfce4-session; bash |
| Description | process.working_directory | | Opt-In | string | The working directory of the process. | /root |
[1] process.args_count: This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
[2] process.linux.cgroup: Control groups (cgroups) are a kernel feature used to organize and manage process resources. This attribute provides the path(s) to the cgroup(s) associated with the process, which should match the contents of the /proc/[PID]/cgroup file.
[3] process.title: In many Unix-like systems, process title (proctitle), is the string that represents the name or command line of a running process, displayed by system monitoring tools like ps, top, and htop.
Process Executable
Status:
type: process.executable
Description: The executable of a process.
Attributes:
| Role | Key | Stability | Requirement Level | Value Type | Description | Example Values |
|---|---|---|---|---|---|---|
| Identity | process.executable.build_id.htlhash | | Required | string | Deterministic build ID for executables. [4] | 600DCAFE4A110000F2BF38C493F5FB92 |
| Description | process.executable.name | | Recommended | string | The name of the process executable. On Linux based systems, this SHOULD be set to the base name of the target of /proc/[pid]/exe. On Windows, this SHOULD be set to the base name of GetProcessImageFileNameW. | otelcol |
| Description | process.executable.build_id.gnu | | Opt-In | string | The GNU build ID as found in the .note.gnu.build-id ELF section (hex string). | c89b11207f6479603b0d49bf291c092c2b719293 |
| Description | process.executable.build_id.go | | Opt-In | string | The Go build ID as retrieved by go tool buildid <go executable>. | foh3mEXu7BLZjsN9pOwG/kATcXlYVCDEFouRMQed_/WwRFB1hPo9LBkekthSPG/x8hMC8emW2cCjXD0_1aY |
| Description | process.executable.path | | Opt-In | string | The full path to the process executable. On Linux based systems, can be set to the target of proc/[pid]/exe. On Windows, can be set to the result of GetProcessImageFileNameW. | /usr/bin/cmd/otelcol |
[4] process.executable.build_id.htlhash: GNU and Go build IDs may be stripped or unavailable in some environments
(e.g., Alpine Linux, Docker images). This attribute provides a deterministic
build ID computed by hashing the first and last 4096 bytes of the file
along with its length:
Input ← Concat(File[:4096], File[-4096:], BigEndianUInt64(Len(File)))
Digest ← SHA256(Input)
BuildID ← Digest[:16]
The result is the first 16 bytes (128 bits) of the SHA256 digest, represented as a hex string.
Process Runtime
Status:
type: process.runtime
Description: The single (language) runtime instance which is monitored.
Attributes:
| Role | Key | Stability | Requirement Level | Value Type | Description | Example Values |
|---|---|---|---|---|---|---|
| Identity | process.runtime.name | | Recommended | string | The name of the runtime of this process. | OpenJDK Runtime Environment |
| Identity | process.runtime.version | | Recommended | string | The version of the runtime of this process, as returned by the runtime without modification. | 14.0.2 |
| Description | process.runtime.description | | Recommended | string | An additional description about the runtime of the process, for example a specific vendor customization of the runtime environment. | Eclipse OpenJ9 Eclipse OpenJ9 VM openj9-0.21.0 |