Activity Log Event Request
Event for an ingest request
This activity type records operations for the following features:
| Field Type | Type | Availability | Description |
|---|---|---|---|
| #category | Category of the event, such as Alert, Request, IngestFeed, Fdr, Query, Action, and ScheduledSearch | ||
| contentLength | Amount of data in bytes. If compressed, the size may differ; see decodedContentLength. | ||
| decodedContentLength | Amount of data in bytes after any compressed data is uncompressed | ||
| @id | Unique identifier for the event. Can be used to refer to and re-find specific events. | ||
| @ingesttimestamp | Timestamp when the event was ingested to the repository | ||
| internal | If the event was internal or not. If internal, URI is also shown. | ||
| logcollectorId | Log collector ID | ||
| message | Message of the alert or event | ||
| method | HTTP method type used during event | ||
| organisationId | Organization ID | ||
| organisationName | Organization name | ||
| orgId | Organization ID | ||
| parser | Name of the parser used to ingest data | ||
| @rawstring | Original string of the event | ||
| rejections | If a request was rejected, rejections shown | ||
| remote | IP address of resource that created the event | ||
| repo | Repository name | ||
| repoID | Unique Repository ID | ||
| responseLength | If there is a response with the event, the response length | ||
| route | Source of the request | ||
| sessionId | Session ID | ||
| #severity | Severity of the event | ||
| status | Whether the alert, scheduled search, or scheduled report was successful (value Success) or failed (value Failure). An individual failure may be triggered for multiple reasons, but repeated failures over a period of time may indicate a problem that needs investigation. | ||
| time | Time for the request | ||
| @timestamp.nanos | Extended precision of timestamp below millisecond | ||
| @timezone | Timezone the event originated in, if known. This is often set when the event's timestamp is parsed. | ||
| token | ID of the token used during event | ||
| uri | URI of the original sqsMessage | ||
| user | User who runs the query | ||
| userAgent | Web browser identifying information for the event; only for request category | ||
| userID | User ID |