Activity Log Event Query
Event for a query
This activity type records operations for the following features:
| Field Type | Type | Availability | Description |
|---|---|---|---|
| cancelled | Indicates whether the query was cancelled | ||
| #category | Category of the event, such as Alert, Request, IngestFeed, Fdr, Query, Action, and ScheduledSearch | ||
| data_scanned | Amount of data scanned in bytes during the event | ||
| error | Error message | ||
| @id | Unique identifier for the event. Can be used to refer to and re-find specific events. | ||
| @ingesttimestamp | Timestamp when the event was ingested to the repository | ||
| isLive | Was the query executed as a live query | ||
| live_cost | Total live cost of the event | ||
| live_cost_minute | Cost per minute of the event | ||
| message | Message of the alert or event | ||
| orgId | Organization ID | ||
| proxy | Was the request made through a proxy | ||
| queryEnd | End of the time interval for the query | ||
| queryInput | The query that was run | ||
| queryStart | Start of the time interval for the query | ||
| @rawstring | Original string of the event | ||
| #repo | Repository tag of the event indicating where event is stored | ||
| #severity | Severity of the event | ||
| static_cost_total | Cost of the static (non-live) pat fot he query | ||
| @timestamp.nanos | Extended precision of timestamp below millisecond | ||
| @timezone | Timezone the event originated in, if known. This is often set when the event's timestamp is parsed. | ||
| user | User who runs the query | ||
| username | User name | ||
| viewId | View ID |