Activity Log Event Request
Event for an ingest request
| Field | Type | Value | Availability | Description |
|---|---|---|---|---|
| @id | | | | A unique identifier for the event. Can be used to refer to and re-find specific events. |
| @ingesttimestamp | | | | The timestamp of when the event was ingested. The value is milliseconds-since-epoch. |
| @rawstring | | | | The original text of the event. As it keeps the original data on ingestion, this field allows you to do free-text searching across all logs and to extract virtual fields in queries. |
| @timestamp | | | | Timestamp in milliseconds since the epoch (1st Jan 1970, 00:00) of the ingested event, e.g. 2022-11-22 09:50:20.100 if the event has an identifiable timestamp. |
| @timestamp.nanos | | | | Extended precision of the timestamp below the millisecond, e.g. 295000 |
| @timezone | | | | The timezone the event originated in, if known. This is often set when the event's timestamp is parsed. |
| category | | | | Category of the event, such as Alert, Request, IngestFeed, Fdr, Query, Action, and ScheduledSearch |
| contentLength | | | | Amount of data in bytes. If compressed, the size may differ; see decodedContentLength. |
| decodedContentLength | | | | Amount of data in bytes after any compressed data is uncompressed |
| #category | | | | Category of the event |
| #repo | | | | Name of the repo where the event is stored |
| #severity | | | | Severity of the event from the original log source |
| internal | | | | Whether the event was internal or not. If internal, the URI is also shown. |
| logcollectorId | | | | Log collector ID |
| message | | | | Message of the alert or event |
| method | | | | HTTP method used during the event |
| organisationId | | | | Organization ID |
| organisationName | | | | Organization name |
| orgId | | | | Organization ID |
| parser | | | | Name of the parser used to ingest data |
| remote | | | | IP address of the resource that created the event |
| repo | | | | Repository name |
| repoID | | | | Unique repository ID |
| responseLength | | | | If there is a response with the event, the response length |
| route | | | | Source of the request |
| severity | | | | Severity of the event |
| status | | | | Whether the alert, scheduled search, or scheduled report was successful (value Success) or failed (value Failure). An individual failure may be triggered for multiple reasons, but repeated failures over a period of time may indicate a problem that needs investigation. |
| time | | | | Time for the request |
| timedOut | | | | Whether the request timed out |
| timestamp | | | | Timestamp in milliseconds of the event |
| token | | | | ID of the token used during the event |
| uri | | | | URI of the original sqsMessage |
| user | | | | User who runs the query |
| userAgent | | | | Web browser identifying information for the event; only for the Request category |
| userID | | | | User ID |
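The status field description above notes that repeated failures over a period of time are worth investigating, and the contentLength / decodedContentLength pair lets you see how much an ingest payload expanded on decode. The following is an added example, not code from the original page or from the product's own tooling: it parses a handful of constructed activity-log events (JSON objects using the field names from the table; the JSON-lines form, the five-minute window and the threshold of three failures are our assumptions) and flags categories whose failures cluster in a sliding window.

```python
"""Added example: sifting activity-log request events for repeated failures.

The events below are constructed to match the field names in the table
(category, status, timestamp, repo, contentLength, decodedContentLength,
timedOut); they are not real log data. The sliding-window threshold and the
assumption that events arrive one JSON object per line are ours.
"""
import json
from collections import defaultdict

# Constructed sample: one ScheduledSearch that fails three times in two
# minutes, one Alert with a single isolated failure, and an ingest Request
# whose compressed payload expands 20x on decode.
SAMPLE_EVENTS = [
    '{"category": "ScheduledSearch", "status": "Failure", "timestamp": 1669110620100, "repo": "prod"}',
    '{"category": "ScheduledSearch", "status": "Failure", "timestamp": 1669110680100, "repo": "prod"}',
    '{"category": "ScheduledSearch", "status": "Success", "timestamp": 1669110700100, "repo": "prod"}',
    '{"category": "ScheduledSearch", "status": "Failure", "timestamp": 1669110740100, "repo": "prod"}',
    '{"category": "Alert", "status": "Failure", "timestamp": 1669110650100, "repo": "prod"}',
    '{"category": "Request", "method": "POST", "timestamp": 1669110660100, "repo": "prod", '
    '"contentLength": 2048, "decodedContentLength": 40960, "timedOut": false}',
]


def parse_events(lines):
    """Parse one JSON object per line; skip lines that are not a JSON object."""
    events = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            events.append(obj)
    return events


def repeated_failures(events, window_ms, threshold):
    """Return {(category, repo): count} for every key that has at least
    `threshold` events with status == "Failure" inside some window_ms-wide
    sliding window. Timestamps are sorted first, so input order is irrelevant."""
    by_key = defaultdict(list)
    for ev in events:
        if ev.get("status") == "Failure" and "timestamp" in ev:
            by_key[(ev.get("category"), ev.get("repo"))].append(int(ev["timestamp"]))
    flagged = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start = 0
        best = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it spans at most window_ms.
            while stamps[end] - stamps[start] > window_ms:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


def decode_expansion(event):
    """Ratio of decoded bytes to on-the-wire bytes, or None if either field is absent or zero."""
    raw = event.get("contentLength")
    decoded = event.get("decodedContentLength")
    if not raw or decoded is None:
        return None
    return decoded / raw


def summarize(lines, window_ms=5 * 60 * 1000, threshold=3):
    """Single pass over a batch of lines: clustered failures, largest decode
    expansion seen, and how many requests timed out."""
    events = parse_events(lines)
    ratios = [r for r in map(decode_expansion, events) if r is not None]
    return {
        "repeated_failures": repeated_failures(events, window_ms, threshold),
        "max_expansion": max(ratios, default=None),
        "timed_out": sum(1 for ev in events if ev.get("timedOut") is True),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```

With the sample above, only the ScheduledSearch category in repo prod is flagged (three failures within two minutes); the single Alert failure is left alone, which matches the table's point that one failure on its own is not necessarily a problem. Shrinking the window to one minute drops the ScheduledSearch count to two and clears the flag, so the window size is the knob to tune against how often the scheduled job actually runs.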