Activity Log Event ScheduledSearch/Action
Event for actions from a scheduled search
| Field Type | Type | Value | Availability | Description |
|---|---|---|---|---|
| actionId | ID of triggered action; only set for the invocation of a specific action | |||
| actionIds | List of action IDs for when an alert or scheduled search trigger has been triggered for an event | |||
| actionInvocationId | Unique ID for the invocation of an action, can be used to correlate logs; only set for the invocation of a specific action | |||
| actionInvocationIds | List of action invocation IDs for when an alert or scheduled search has been triggered | |||
| actionName | Name of the triggered action; only set for the invocation of a specific action | |||
| @id | A unique identifier for the event. Can be used to refer to and re-find specific events. | |||
| @ingesttimestamp | The timestamp of when the event was ingested. The value is milliseconds-since-epoch. | |||
| @rawstring | The original text of the event. As it keeps the original data on ingestion, this field allows you to do free-text searching across all logs and to extract virtual fields in queries. | |||
| @timestamp | Timestamp in milliseconds since the epoch (1st Jan 1970, 00:00) of the ingested event, e.g. 2022-11-22 09:50:20.100 if the event has an identifiable timestamp. | |||
| @timestamp.nanos | Extended precision of timestamp below millisecond. E.g. 295000 | |||
| @timezone | The timezone the event originated in, if known. This is often set when the event's timestamp is parsed. | |||
| category | Category of the event, such as Alert, Request, IngestFeed, Fdr, Query, Action, and ScheduledSearch | |||
| dataspace | Repository or view name | |||
| events | Number of the events returned by the query | |||
| exception | The exception class that caused an error | |||
| exceptionMessage | Detailed error message that will include errors at the cluster-level that may have contributed; for example permission, API, or network issues | |||
| externalQueryId | External ID of the running query | |||
| failureOrigin | Indicates a best guess as to whether this failure is due to a system error or due to a user error, such as errors in the query. | |||
| #category | Category of the event | |||
| #repo | Name of the repo where the event is stored | |||
| #severity | Severity of the event from original log source | |||
| message | Message of the alert or event | |||
| orgId | Organization ID | |||
| plannedExecutionTime | Planned execution timestamp | |||
| query | Query executed during the event | |||
| queryFinishedTime | Time in milliseconds when query in scheduled search finished | |||
| queryIntervalEndTime | End of time range for scheduled search query | |||
| queryIntervalStartTime | Start of time range for scheduled search | |||
| queryProcessedEvents | Number of events processed to return the final result set | |||
| queryTimeMillis | Time elapsed in milliseconds to execute the query. This value can be used to help indicate the load of the query (and therefore any optimization or refinement), or to find outliers during execution. | |||
| scheduledSearchId | Scheduled search ID | |||
| scheduledSearchName | Scheduled search name | |||
| severity | Severity of the event | |||
| status | Whether the alert, scheduled search, or scheduled report was successful (value Success) or failed (value Failure). An individual failure may be triggered for multiple reasons, but repeated failures over a period of time may indicate a problem that needs investigation. | |||
| subCategory | Subcategory of the event | |||
| suggestion | Suggestion text for how to resolve the error or warning from the event | |||
| timestamp | Timestamp in milliseconds of the event | |||
| viewId | View ID |