Activity Log Event Request
Event for an ingest request
| Field Name | Type | Value | Availability | Description |
|---|---|---|---|---|
| @id |  |  |  | A unique identifier for the event. Can be used to refer to and re-find specific events. |
| @ingesttimestamp |  |  |  | The timestamp of when the event was ingested. The value is milliseconds since the epoch. |
| @rawstring |  |  |  | The original text of the event. Because it keeps the original data on ingestion, this field allows you to do free-text searching across all logs and to extract virtual fields in queries. |
| @timestamp |  |  |  | Timestamp in milliseconds since the epoch (1st Jan 1970, 00:00) of the ingested event, e.g. 2022-11-22 09:50:20.100, if the event has an identifiable timestamp. |
| @timestamp.nanos |  |  |  | Extended precision of the timestamp below the millisecond, e.g. 295000. |
| @timezone |  |  |  | The timezone the event originated in, if known. This is often set when the event's timestamp is parsed. |
| category |  |  |  | Category of the event, such as Alert, Request, IngestFeed, Fdr, Query, Action, and ScheduledSearch. |
| contentLength |  |  |  | Amount of data in bytes. If compressed, the size may differ; see decodedContentLength. |
| decodedContentLength |  |  |  | Amount of data in bytes after any compressed data is uncompressed. |
| #category |  |  |  | Category of the event. |
| #repo |  |  |  | Name of the repo where the event is stored. |
| #severity |  |  |  | Severity of the event from the original log source. |
| internal |  |  |  | Whether the event was internal. If internal, the URI is also shown. |
| logcollectorId |  |  |  | ID of the Log Collector. |
| message |  |  |  | Message of the alert or event. |
| method |  |  |  | HTTP method used during the event. |
| organisationId |  |  |  | Organization ID. |
| organisationName |  |  |  | Organization name. |
| orgId |  |  |  | Organization ID. |
| parser |  |  |  | Name of the parser used to ingest the data. |
| remote |  |  |  | IP address of the resource that created the event. |
| repo |  |  |  | Repository name. |
| repoID |  |  |  | Unique repository ID. |
| responseLength |  |  |  | If there is a response with the event, the length of the response. |
| route |  |  |  | Source of the request. |
| severity |  |  |  | Severity of the event. |
| status |  |  |  | Whether the alert, scheduled search, or scheduled report was successful (value Success) or failed (value Failure). An individual failure may be triggered for multiple reasons, but repeated failures over a period of time may indicate a problem that needs investigation. |
| time |  |  |  | Time for the request. |
| timedOut |  |  |  | Whether the request timed out. |
| timestamp |  |  |  | Timestamp of the event in milliseconds. |
| token |  |  |  | ID of the token used during the event. |
| uri |  |  |  | URI of the original sqsMessage. |
| user |  |  |  | User who runs the query. |
| userAgent |  |  |  | Web browser identifying information for the event; only for the Request category. |
| userID |  |  |  | User ID. |