Activity Log Event FilterAlert/Query

Event for a query as part of a filter alert

This activity type records operations for the following features:

Field TypeTypeAvailabilityDescription
alertId   alert ID
alertName   Alert name
#category   Category of the event, such as Alert, Request, IngestFeed, Fdr, Query, Action, and ScheduledSearch
dataspace   Repository or view name
eventsAlreadyTriggered   For filter alerts, the number of events already triggered
eventsBeingTriggered   For filter alerts, the number of events being triggered
eventsToTriggerOn   When polling a filter alert query
externalQueryId   External ID of the running query
@id   Unique identifier for the event. Can be used to refer to and re-find specific events.
ingestTimeForWhichAllEventsAreTriggered   Latest time when all events with smaller @ingesttimestmp have triggered actions
@ingesttimestamp   Timestamp when the event was ingested to the repository
isLiveQuery   Whether or not the alert executed in the event contained a live query
message   Message of the alert or event
orgId   Organization ID
query   Query executed during the event
queryEnd   End of the time interval for the query
queryStart   Start of the time interval for the query
@rawstring   Original string of the event
#repo   Repository tag of the event indicating where event is stored
#severity   Severity of the event
status   Whether the alert, scheduled search, or scheduled report was successful (value Success) or failed (value Failure). An individual failure may be triggered for multiple reasons, but repeated failures over a period of time may indicate a problem that needs investigation.
subCategory   Subcategory of the event
@timestamp.nanos   Extended precision of timestamp below millisecond
@timezone   Timezone the event originated in, if known. This is often set when the event's timestamp is parsed.
viewId   View ID