Activity Log Event Alert/Alert

Event for an alert

This activity type records operations for the following features:

Field TypeTypeAvailabilityDescription
actionIds   List of action IDs for when an alert or scheduled search trigger has been triggered for an event
actionInvocationIds   List of action invocation IDs for when an alert or scheduled search has been triggered
alertId   alert ID
alertName   Alert name
alertTime   Timestamp when the alert was triggered
#category   Category of the event, such as Alert, Request, IngestFeed, Fdr, Query, Action, and ScheduledSearch
dataspace   Repository or view name
events   Number of the events returned by the query
externalQueryId   External ID of the running query
@id   Unique identifier for the event. Can be used to refer to and re-find specific events.
@ingesttimestamp   Timestamp when the event was ingested to the repository
lastAlertTime   Timestamp of last time the alert triggered
message   Message of the alert or event
orgId   Organization ID
queryProcessedEvents   Number of events processed to return the final result set
queryTimeMillis   Time elapsed in milliseconds to execute the query. This value can be used to help indicate the load of the query (and therefore any optimization or refinement), or to find outliers during execution.
@rawstring   Original string of the event
#repo   Repository tag of the event indicating where event is stored
status   Whether the alert, scheduled search, or scheduled report was successful (value Success) or failed (value Failure). An individual failure may be triggered for multiple reasons, but repeated failures over a period of time may indicate a problem that needs investigation.
subCategory   Subcategory of the event
@timestamp.nanos   Extended precision of timestamp below millisecond
@timezone   Timezone the event originated in, if known. This is often set when the event's timestamp is parsed.
viewId   View ID
warnings   Any warnings generated by the query during execution