Activity Log Event Alert/Action

Event for an action from an alert

This activity type records operations for the following features:

| Field | Type | Availability | Description |
|---|---|---|---|
| actionIds |  |  | List of action IDs for when an alert or scheduled search trigger has been triggered for an event |
| actionInvocationIds |  |  | List of action invocation IDs for when an alert or scheduled search has been triggered |
| alertId |  |  | Alert ID |
| alertName |  |  | Alert name |
| #category |  |  | Category of the event, such as Alert, Request, IngestFeed, Fdr, Query, Action, and ScheduledSearch |
| dataspace |  |  | Repository or view name |
| events |  |  | Number of events returned by the query |
| externalQueryId |  |  | External ID of the running query |
| @id |  |  | Unique identifier for the event. Can be used to refer to and re-find specific events. |
| @ingesttimestamp |  |  | Timestamp when the event was ingested into the repository |
| message |  |  | Message of the alert or event |
| orgId |  |  | Organization ID |
| queryProcessedEvents |  |  | Number of events processed to return the final result set |
| queryTimeMillis |  |  | Time elapsed in milliseconds to execute the query. This value can be used to help indicate the load of the query (and therefore whether it needs optimization or refinement), or to find outliers during execution. |
| @rawstring |  |  | Original string of the event |
| #repo |  |  | Repository tag of the event indicating where the event is stored |
| #severity |  |  | Severity of the event |
| status |  |  | Whether the alert, scheduled search or scheduled report was successful (value Success) or failed (value Failure). An individual failure may be triggered for multiple reasons, but repeated failures over a period of time may indicate a problem that needs investigation. |
| subCategory |  |  | Subcategory of the event |
| @timestamp.nanos |  |  | Extended precision of the timestamp below the millisecond |
| @timezone |  |  | Timezone the event originated in, if known. This is often set when the event's timestamp is parsed. |
| user |  |  | User who runs the query |
| viewId |  |  | View ID |
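The two descriptions above that point at monitoring value, repeated Failure values in status and outliers in queryTimeMillis, can be turned into a small offline check over exported activity-log events. The following Python is an added example written for this page, not code from the product or its documentation; the events are constructed JSON lines using only the field names from the table, and the thresholds (three failures per alert, ten times the median query time) are assumptions chosen for illustration.

```python
import json
import statistics
from collections import defaultdict


def _make(event_id, alert_id, status, query_time_ms):
    """Build one constructed Alert/Action activity-log event as a JSON line.

    Field names follow the table above; values are made up for the example.
    """
    return json.dumps({
        "@id": event_id,
        "#category": "Alert",
        "subCategory": "Action",
        "alertId": alert_id,
        "alertName": f"{alert_id} rule",
        "status": status,
        "queryTimeMillis": query_time_ms,
        "events": 1,
        "dataspace": "auth",
        "user": "svc-alerts",
        "@ingesttimestamp": 1700000000000,
    })


# Constructed sample input: eight well-formed events plus one malformed line,
# so the parser's error handling is exercised as well.
SAMPLE_LINES = [
    _make("e1", "alert-1", "Success", 100),
    _make("e2", "alert-1", "Failure", 120),
    _make("e3", "alert-1", "Failure", 110),
    _make("e4", "alert-2", "Failure", 130),
    _make("e5", "alert-1", "Failure", 115),
    _make("e6", "alert-2", "Success", 105),
    _make("e7", "alert-3", "Success", 125),
    _make("e8", "alert-3", "Success", 5000),
    "this line is not JSON",
]


def parse_events(lines):
    """Parse JSON lines into dicts, skipping malformed lines instead of aborting."""
    parsed = []
    for line in lines:
        try:
            parsed.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return parsed


def repeated_failures(events, threshold=3):
    """Return {alertId: failure_count} for alerts whose status was Failure
    at least `threshold` times. A single Failure can have many causes (see the
    status description); repeats are what merit investigation."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("#category") == "Alert" and ev.get("status") == "Failure":
            counts[ev.get("alertId", "<unknown>")] += 1
    return {alert_id: n for alert_id, n in counts.items() if n >= threshold}


def query_time_outliers(events, factor=10):
    """Return the @id of events whose queryTimeMillis exceeds `factor` times the
    median over the batch. The median is used rather than the mean so that one
    huge value does not drag the baseline up and hide itself."""
    timed = [ev for ev in events
             if isinstance(ev.get("queryTimeMillis"), (int, float))]
    if len(timed) < 2:
        return []
    median = statistics.median(ev["queryTimeMillis"] for ev in timed)
    return [ev.get("@id") for ev in timed
            if ev["queryTimeMillis"] > factor * median]


def scan(lines):
    """Run both checks over raw JSON lines and return the findings together."""
    events = parse_events(lines)
    return {
        "parsed": len(events),
        "repeated_failures": repeated_failures(events),
        "slow_queries": query_time_outliers(events),
    }


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_LINES), indent=2))
```

On the constructed input, scan reports eight parsed events, alert-1 as the only alert with three or more failures, and e8 as the only query-time outlier; the malformed ninth line is dropped by parse_events rather than stopping the scan.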