Event for an action from an alert
| Field Type | Type | Value | Availability | Description |
|---|---|---|---|---|
| actionInvocationIds | List of action invocation IDs for when an alert or scheduled search has been triggered | |||
| alertId | alert ID | |||
| alertName | Alert name | |||
| @id | ||||
| @ingesttimestamp | ||||
| @rawstring | ||||
| @timestamp | ||||
| @timestamp.nanos | ||||
| @timezone | ||||
| category | Category of the event, such as Alert, Request, IngestFeed, Fdr, Query, Action, and ScheduledSearch | |||
| dataspace | Repository or view name | |||
| events | Number of the events returned by the query | |||
| externalQueryId | External ID of the running query | |||
| #category | ||||
| #repo | ||||
| #severity | ||||
| message | Message of the alert or event | |||
| orgId | Organization ID | |||
| queryProcessedEvents | Number of events processed to return the final result set | |||
| queryTimeMillis | Time elapsed in milliseconds to execute the query. This value can be used to help indicate the load of the query (and therefore any optimization or refinement), or to find outliers during execution. | |||
| severity | Severity of the event | |||
| subCategory | Subcategory of the event | |||
| timestamp | Timestamp in milliseconds of the event | |||
| viewId | View ID |