Activity Log Event FilterAlert/Alert
Alert event for a filter alert
This activity type records operations for the following features:
| Field Type | Type | Availability | Description |
|---|---|---|---|
| actionIds | List of action IDs for when an alert or scheduled search trigger has been triggered for an event | ||
| actionInvocationIds | List of action invocation IDs for when an alert or scheduled search has been triggered | ||
| alertId | Alert ID; only for filter alerts | ||
| alertName | Alert name | ||
| alertTime | Timestamp when the alert was triggered | ||
| dataspace | Repository or view name | ||
| eventId | Event ID when an alert triggered on event; only for filter alerts | ||
| eventsAlreadyTriggered | For filter alerts, the number of events already triggered | ||
| eventsBeingTriggered | For filter alerts, the number of events being triggered | ||
| externalQueryId | External ID of the running query | ||
| @id | Unique identifier for the event. Can be used to refer to and re-find specific events. | ||
| ingestTimeForWhichAllEventsAreTriggered | Latest time when all events with smaller @ingesttimestmp have triggered actions | ||
| @ingesttimestamp | Timestamp when the event was ingested to the repository | ||
| isLiveQuery | Whether or not the alert executed in the event contained a live query | ||
| message | Message of the alert or event | ||
| orgId | Organization ID | ||
| query | Query executed during the event | ||
| queryEnd | End of the time interval for the query | ||
| queryStart | Start of the time interval for the query | ||
| @rawstring | Original string of the event | ||
| #repo | Repository tag of the event indicating where event is stored | ||
| status | Whether the alert, scheduled search, or scheduled report was successful (value Success) or failed (value Failure). An individual failure may be triggered for multiple reasons, but repeated failures over a period of time may indicate a problem that needs investigation. | ||
| subCategory | Subcategory of the event | ||
| @timestamp | Timestamp in milliseconds of the event | ||
| @timestamp.nanos | Extended precision of timestamp below millisecond | ||
| @timezone | Timezone the event originated in, if known. This is often set when the event's timestamp is parsed. | ||
| viewId | View ID |