| Field | Description |
| --- | --- |
| actionId | ID of the triggered action; only set for the invocation of a specific action |
| actionInvocationId | Unique ID for the invocation of an action; can be used to correlate logs. Only set for the invocation of a specific action |
| actionName | Name of the triggered action; only set for the invocation of a specific action |
| @id | A unique identifier for the event. Can be used to refer to and re-find specific events |
| @ingesttimestamp | The timestamp of when the event was ingested. The value is milliseconds since epoch |
| @rawstring | The original text of the event. Because it keeps the original data as ingested, this field allows free-text searching across all logs and extraction of virtual fields in queries |
| @timestamp | Timestamp in milliseconds since the epoch (1st Jan 1970, 00:00) of the ingested event, e.g. 2022-11-22 09:50:20.100, if the event has an identifiable timestamp |
| @timestamp.nanos | Extended precision of the timestamp below the millisecond, e.g. 295000 |
| @timezone | The timezone the event originated in, if known. This is often set when the event's timestamp is parsed |
| category | Category of the event, such as Alert, Request, IngestFeed, Fdr, Query, Action, and ScheduledSearch |
| dataspace | Repository or view name |
| exception | The exception class that caused an error |
| exceptionMessage | Detailed error message that will include cluster-level errors that may have contributed; for example permission, API, or network issues |
| #category | Category of the event |
| #repo | Name of the repo where the event is stored |
| #severity | Severity of the event from the original log source |
| invoker | |
| message | Message of the alert or event |
| orgId | Organization ID |
| recipients | |
| severity | Severity of the event |
| subCategory | Subcategory of the event |
| suggestion | Suggestion text for how to resolve the error or warning from the event |
| timestamp | Timestamp in milliseconds of the event |
| viewId | View ID |