Activity Log Event Query
Event for a query
| Field Name | Type | Value | Availability | Description |
|---|---|---|---|---|
| @id |  |  |  | A unique identifier for the event. Can be used to refer to and re-find specific events. |
| @ingesttimestamp |  |  |  | The timestamp of when the event was ingested. The value is milliseconds since the epoch. |
| @rawstring |  |  |  | The original text of the event. Because it keeps the original data from ingestion, this field allows free-text searching across all logs and extraction of virtual fields in queries. |
| @timestamp |  |  |  | Timestamp in milliseconds since the epoch (1st Jan 1970, 00:00) of the ingested event, e.g. 2022-11-22 09:50:20.100 if the event has an identifiable timestamp. |
| @timestamp.nanos |  |  |  | Extended precision of the timestamp below the millisecond, e.g. 295000. |
| @timezone |  |  |  | The timezone the event originated in, if known. This is often set when the event's timestamp is parsed. |
| cancelled |  |  |  | Indicates whether the query was cancelled. |
| category |  |  |  | Category of the event, such as Alert, Request, IngestFeed, Fdr, Query, Action, or ScheduledSearch. |
| customKey.alertId |  |  |  | Custom alert ID extracted from the query. |
| customKey.alertName |  |  |  | Custom alert name extracted from the query. |
| data_scanned |  |  |  | Amount of data scanned, in bytes, during the event. |
| error |  |  |  | Error message. |
| externalQueryId |  |  |  | External ID of the running query. |
| #category |  |  |  | Category of the event. |
| #repo |  |  |  | Name of the repository where the event is stored. |
| #severity |  |  |  | Severity of the event from the original log source. |
| isLive |  |  |  | Whether the query was executed as a live query. |
| live_cost |  |  |  | Total live cost of the event. |
| live_cost_minute |  |  |  | Cost per minute of the event. |
| message |  |  |  | Message of the alert or event. |
| proxy |  |  |  | Whether the request was made through a proxy. |
| queryEnd |  |  |  | End of the time interval for the query. |
| queryInput |  |  |  | The query that was run. |
| queryStart |  |  |  | Start of the time interval for the query. |
| queued |  |  |  | Whether the query was queued before running. |
| resultPipelineExecutionCount |  |  |  | Number of times the result calculation pipeline ran for the query. |
| severity |  |  |  | Severity of the event. |
| static_cost_total |  |  |  | Cost of the static (non-live) query. |
| time |  |  |  | Time of the request. |
| timestamp |  |  |  | Timestamp of the event in milliseconds. |
| user |  |  |  | User who ran the query. |
| username |  |  |  | User name. |
| viewId |  |  |  | View ID. |
| warnings |  |  |  | Warnings emitted when the query ran. |