Activity Log Event Query
Event for a query
| Field Type | Type | Availability | Description |
|---|---|---|---|
| @id | |||
| @ingesttimestamp | |||
| @rawstring | |||
| @timestamp | |||
| @timestamp.nanos | |||
| @timezone | |||
| cancelled | Indicates whether the query was cancelled | ||
| category | Category of the event, such as Alert, Request, IngestFeed, Fdr, Query, Action, and ScheduledSearch | ||
| data_scanned | Amount of data scanned in bytes during the event | ||
| error | Error message | ||
| #category | |||
| #repo | |||
| #severity | |||
| isLive | Was the query executed as a live query | ||
| live_cost | Total live cost of the event | ||
| live_cost_minute | Cost per minute of the event | ||
| message | Message of the alert or event | ||
| name | |||
| orgId | Organization ID | ||
| proxy | Was the request made through a proxy | ||
| queryEnd | End of the time interval for the query | ||
| queryInput | The query that was run | ||
| queryStart | Start of the time interval for the query | ||
| queued | |||
| resultPipelineExecutionCount | |||
| severity | Severity of the event | ||
| static_cost_total | Cost of the static (non-live) pat fot he query | ||
| time | Time for the request | ||
| timestamp | Timestamp in milliseconds of the event | ||
| user | User who runs the query | ||
| username | User name | ||
| viewId | View ID | ||
| warnings |