Activity Log Event AggregateAlert/Query

Event for a query as part of an aggregate alert

| Field | Type | Value | Availability | Description |
|---|---|---|---|---|
| alertId | | | | Alert ID |
| alertName | | | | Alert name |
| @id | | | | A unique identifier for the event. Can be used to refer to and re-find specific events. |
| @ingesttimestamp | | | | The timestamp of when the event was ingested. The value is milliseconds since the epoch. |
| @rawstring | | | | The original text of the event. Because it keeps the original data from ingestion, this field allows free-text searching across all logs and extraction of virtual fields in queries. |
| @timestamp | | | | Timestamp in milliseconds since the epoch (1 Jan 1970, 00:00) of the ingested event, e.g. 2022-11-22 09:50:20.100, if the event has an identifiable timestamp. |
| @timestamp.nanos | | | | Extended precision of the timestamp below the millisecond, e.g. 295000. |
| @timezone | | | | The timezone the event originated in, if known. This is often set when the event's timestamp is parsed. |
| bucketSpan | | | | Bucket span of the aggregate alert query |
| category | | | | Category of the event, such as Alert, Request, IngestFeed, Fdr, Query, Action, and ScheduledSearch |
| dataspace | | | | Repository or view name |
| externalQueryId | | | | External ID of the running query |
| #category | | | | Category of the event |
| #repo | | | | Name of the repository where the event is stored |
| #severity | | | | Severity of the event from the original log source |
| ingestTimeKnownGood | | | | Latest known ingest time for digested data |
| isLiveQuery | | | | Whether or not the alert executed in the event contained a live query |
| lastSuccessfulQueryPollTime | | | | Timestamp of when the query was last successfully polled |
| message | | | | Message of the alert or event |
| orgId | | | | Organization ID |
| query | | | | Query executed during the event |
| queryProcessedEvents | | | | Number of events processed to return the final result set |
| queryTimestampType | | | | Timestamp type used for the aggregate alert query |
| severity | | | | Severity of the event |
| subCategory | | | | Subcategory of the event |
| timestamp | | | | Timestamp of the event in milliseconds |
| triggerMode | | | | Trigger mode of the event; can be complete or immediate. |
| viewId | | | | View ID |