Action Type: Falcon LogScale Repository

The Falcon LogScale Repository action sends events from a trigger to a LogScale repository. This can be used to summarize all such events, or to aggregate information from multiple triggers.

Parameter Description
Ingest token An Ingest Tokens for the repository receiving the events.

The events from the trigger are parsed and ingested using the ingest token. If the ingest token has an associated parser, it is used, otherwise, the built-in-parser json-for-action is used.

The events sent to the parser contain the following fields in addition the fields in the event:

Field Value
@trigger.id The id of the trigger.
@trigger.name The user-made name of the trigger.
@trigger.description The user-made description of the trigger.
@trigger.type The type of the trigger. Either alert or scheduled-search.
@trigger.query.start The query start time (e.g. 10m).
@trigger.query.end The query end time (e.g. now).
@trigger.invocation.triggeredAt The time at which the trigger was triggered, formatted as ISO 8601.
@trigger.invocation.uuid A unique id for an invocation of the trigger. Can be used to identify events from the same invocation of the trigger.
@trigger.invocation.start The actual query start time as Unix Time in milliseconds.
@trigger.invocation.end The actual query end time as Unix Time in milliseconds.
@trigger.repository.name The name of the repository in which the trigger is defined.
@rawstring The original event from the trigger, encoded as JSON. A prefix # character in a field name is replaced by @tag., so that e.g. #source becomes @tag.source.

The default json-for-action parser will extract the original event from the @rawstring field, so that the parsed event contains all the original fields together with all the @trigger.XXX fields. It will not parse any timestamps, so if the original event does not contain a @timestamp field, the event will get "now" as timestamp.

The events you send through this action count towards the daily ingest limit.