Falcon LogScale Repository
The Falcon LogScale Repository action sends events from a trigger to a LogScale repository. This can be used to summarize all such events, or to aggregate information from multiple triggers.
Parameter | Description |
---|---|
Ingest token | An ingest token for the repository receiving the events. |
The events from the trigger are parsed and ingested using the ingest token. If the ingest token has an associated parser, that parser is used; otherwise, the built-in parser json-for-action is used.
The events sent to the parser contain the following fields:
Field | Value |
---|---|
@trigger.id | The id of the trigger. |
@trigger.name | The user-made name of the trigger. |
@trigger.description | The user-made description of the trigger. |
@trigger.type | The type of the trigger. Either alert or scheduled-search. |
@trigger.query.start | The query start time (e.g. 10m). |
@trigger.query.end | The query end time (e.g. now). |
@trigger.invocation.triggeredAt | The time at which the trigger was triggered, formatted as ISO 8601. |
@trigger.invocation.uuid | A unique id for an invocation of the trigger. Can be used to identify events from the same invocation of the trigger. |
@trigger.invocation.start | The actual query start time as Unix time in milliseconds. |
@trigger.invocation.end | The actual query end time as Unix time in milliseconds. |
@trigger.repository.name | The name of the repository in which the trigger is defined. |
@rawstring | The original event from the trigger, encoded as JSON. A prefix # character in a field name is replaced by @tag., so that e.g. #source becomes @tag.source. |
The default json-for-action parser extracts the original event from the @rawstring field, so that the parsed event contains all the original fields together with all the @trigger.XXX fields. It does not parse any timestamps, so if the original event does not contain a @timestamp field, the event gets "now" as its timestamp.
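As an added illustration (not LogScale's own code), the following Python models the event shape the action sends and the json-for-action behaviour described above: the # to @tag. renaming inside @rawstring, the merge of the original fields with the @trigger.* fields, and the fallback to the ingest time when the original event carries no @timestamp. The trigger values and the sample event are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample of an event a trigger might hand to the action.
# '#source' is a tag field; the action renames it to '@tag.source'.
ORIGINAL_EVENT = {"#source": "auth.log", "user": "alice", "status": "failed"}

# Constructed trigger metadata (placeholder values, not a real trigger).
TRIGGER_META = {
    "@trigger.id": "TRIGGER-ID-PLACEHOLDER",
    "@trigger.name": "Failed logins",
    "@trigger.type": "alert",
    "@trigger.query.start": "10m",
    "@trigger.query.end": "now",
    "@trigger.invocation.uuid": "00000000-0000-0000-0000-000000000001",
    "@trigger.repository.name": "example-repo",
}


def build_action_event(original: dict, meta: dict) -> dict:
    """Model of the event the action sends: the @trigger.* fields plus
    @rawstring holding the original event as JSON, with a leading '#'
    in any field name replaced by '@tag.' (as the page describes)."""
    renamed = {("@tag." + k[1:] if k.startswith("#") else k): v
               for k, v in original.items()}
    event = dict(meta)
    event["@rawstring"] = json.dumps(renamed, sort_keys=True)
    return event


def json_for_action(event: dict, ingest_time: str) -> dict:
    """Model of the built-in json-for-action parser: the JSON in @rawstring
    is expanded so its fields sit beside the @trigger.* fields (and
    @rawstring itself is kept). No timestamp parsing happens, so @timestamp
    falls back to the supplied ingest time ("now") when absent."""
    parsed = dict(event)
    parsed.update(json.loads(event["@rawstring"]))
    parsed.setdefault("@timestamp", ingest_time)
    return parsed


if __name__ == "__main__":
    sent = build_action_event(ORIGINAL_EVENT, TRIGGER_META)
    now = datetime.now(timezone.utc).isoformat()
    print(json.dumps(json_for_action(sent, now), indent=2))
```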
The events you send through this action count towards the daily ingest limit.