Activity Log Event Alert/Action

Event for an action from an alert

Field TypeTypeValueAvailabilityDescription
actionInvocationIds    List of action invocation IDs for when an alert or scheduled search has been triggered
alertId    alert ID
alertName    Alert name
@id    A unique identifier for the event. Can be used to refer to and re-find specific events.
@ingesttimestamp    The timestamp of when the event was ingested. The value is milliseconds-since-epoch.
@rawstring    The original text of the event. As it keeps the original data on ingestion, this field allows you to do free-text searching across all logs and to extract virtual fields in queries.
@timestamp    Timestamp in milliseconds since the epoch (1st Jan 1970, 00:00) of the ingested event, e.g. 2022-11-22 09:50:20.100 if the event has an identifiable timestamp.
@timestamp.nanos    Extended precision of timestamp below millisecond. E.g. 295000
@timezone    The timezone the event originated in, if known. This is often set when the event's timestamp is parsed.
category    Category of the event, such as Alert, Request, IngestFeed, Fdr, Query, Action, and ScheduledSearch
dataspace    Repository or view name
events    Number of the events returned by the query
externalQueryId    External ID of the running query
#category    Category of the event
#repo    Name of the repo where the event is stored
#severity    Severity of the event from original log source
message    Message of the alert or event
orgId    Organization ID
queryProcessedEvents    Number of events processed to return the final result set
queryTimeMillis    Time elapsed in milliseconds to execute the query. This value can be used to help indicate the load of the query (and therefore any optimization or refinement), or to find outliers during execution.
severity    Severity of the event
subCategory    Subcategory of the event
timestamp    Timestamp in milliseconds of the event
viewId    View ID