humio-audit Query Structure
The query structure defines information about the query used at the time of the audit event. A scheduled search or alert uses a query executed by a specific user with specific criteria. The basic format of the structure has the following fields:
query.allowEventSkipping — whether event skipping was enabled
query.end — the end time of the selected interval
query.includeDeletedEvents — whether the query included events that have been marked as deleted
query.ingestEnd — end of the ingest-time window: the latest ingest timestamp of the returned events
query.ingestStart — start of the ingest-time window: the earliest ingest timestamp of the returned events
query.isAlertQuery — was the query triggered as part of an alert
query.isInteractive — was the query interactive (i.e. run through the UI rather than by an alert or a scheduled search)
query.isLive — was the query executed in live mode
query.isRepeatingSubquery — was it a repeating subquery of another query
query.languageVersion — what language version was used to parse the query string
query.noResultUntilDone — was the result delayed until the full data set was ready (used in some alerts)
query.queryString — the query string
query.showQueryEventDistribution — whether query event distribution was enabled
query.start — the start time of the selected interval
query.timeZoneOffsetMinutes — the time zone offset, in minutes, used when interpreting the query's time interval
query.useIngestTime — whether the query's time interval (query.start / query.end) was applied to ingest time rather than to the events' own timestamps
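The fields above are most useful when you consume the audit log programmatically, for example to distinguish queries a person ran in the UI from those issued by alerts and scheduled searches, and to surface queries with settings worth a second look (deleted events included, event skipping allowed, the interval applied to ingest time, or a very wide time window). The script below is an added example written for this page, not code from Humio or from the product documentation. The sample audit events are constructed; it assumes events arrive as JSON objects carrying the query fields either nested under a `query` object or flattened as dotted keys such as `query.queryString`, that `query.start` and `query.end` are epoch milliseconds, and that an `actor` field identifies the user (the `actor` name and the 30-day "wide window" threshold are assumptions of the example, not part of the documented structure).

```python
import json
from datetime import timedelta

# Threshold for the "wide-window" finding (an assumption chosen for this example).
WIDE_WINDOW = timedelta(days=30)

# Constructed sample humio-audit events for this example (not real log data).
# Assumed layout: the query fields are either nested under a "query" object or
# flattened as dotted keys; query.start / query.end are epoch milliseconds.
SAMPLE_AUDIT_EVENTS = [
    json.dumps({
        "type": "humio-audit", "actor": "alice",
        "query": {
            "queryString": "#repo=prod | groupBy(status)",
            "start": 1700000000000, "end": 1700086400000,
            "isInteractive": True, "isAlertQuery": False, "isLive": False,
            "includeDeletedEvents": False, "allowEventSkipping": False,
            "useIngestTime": False, "languageVersion": "legacy",
        },
    }),
    json.dumps({
        "type": "humio-audit", "actor": "alerting",
        "query": {
            "queryString": "#repo=prod error=true | count()",
            "start": 1700000000000, "end": 1700003600000,
            "isInteractive": False, "isAlertQuery": True, "isLive": True,
            "includeDeletedEvents": True, "allowEventSkipping": True,
            "noResultUntilDone": True, "useIngestTime": True,
        },
    }),
    json.dumps({
        "type": "humio-audit", "actor": "bob",
        "query.queryString": "#repo=prod user=* | tail(10000)",
        "query.start": 1690000000000, "query.end": 1700000000000,
        "query.isInteractive": True, "query.isAlertQuery": False,
        "query.isLive": False, "query.includeDeletedEvents": False,
        "query.allowEventSkipping": False, "query.useIngestTime": False,
    }),
]


def query_fields(event):
    """Return the query.* fields as one flat dict, whichever layout the event uses."""
    fields = dict(event.get("query") or {})
    for key, value in event.items():
        if key.startswith("query."):
            fields[key[len("query."):]] = value
    return fields


def classify_origin(q):
    """Where the query came from: a UI session, an alert, or a scheduled search / API call."""
    if q.get("isInteractive"):
        return "interactive"
    if q.get("isAlertQuery"):
        return "alert"
    return "scheduled-or-api"


def query_window(q):
    """Length of the selected interval, or None when start and end are not both present."""
    start, end = q.get("start"), q.get("end")
    if start is None or end is None:
        return None
    return timedelta(milliseconds=end - start)


def review_event(line):
    """Summarise one audit event: who ran it, how, over what window, and what stands out."""
    event = json.loads(line)
    q = query_fields(event)
    window = query_window(q)
    findings = []
    if q.get("includeDeletedEvents"):
        findings.append("includes-deleted-events")
    if q.get("allowEventSkipping"):
        findings.append("event-skipping-allowed")
    if q.get("useIngestTime"):
        findings.append("window-on-ingest-time")
    if window is not None and window > WIDE_WINDOW:
        findings.append("wide-window")
    return {
        "actor": event.get("actor"),
        "origin": classify_origin(q),
        "window_seconds": None if window is None else int(window.total_seconds()),
        "findings": findings,
    }


def review_events(lines):
    return [review_event(line) for line in lines]


if __name__ == "__main__":
    for summary in review_events(SAMPLE_AUDIT_EVENTS):
        print(summary)
```

Feeding a real export through `review_events` lets you answer questions like "which interactive users ran queries over deleted events last week" without writing a new query per field; the `findings` list is deliberately additive so that further checks (for example on `isLive` from interactive sessions, or on `languageVersion`) can be appended in the same place.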