humio-audit Query Structure

The query structure defines information about the query used at the time of the audit event.For, a scheduled search or alert will use a query that will be executed by a specific user with specific criteria. The basic format of the structure has the following fields:

query.allowEventSkipping — whether event skipping was enabled
query.end — timestamp for when the query execution stopped
query.includeDeletedEvents — did the query included deleted events
query.ingestEnd — timestamp end of when the returned events were ingested.
query.ingestStart — timestamp start of when the returned events were ingested.
query.isAlertQuery — was the query triggered as part of an alert
query.isInteractive — was the query interactive (i.e. through the UI rather than alert, or scheduled search)
query.isLive — was the query executed in live mode
query.isRepeatingSubquery — was it a repeating subquery of another query
query.languageVersion — what language version was used to parse the query string
query.noResultUntilDone — was the result delayed until the full data set was ready (uused in some alerts)
query.queryString — the query string
query.showQueryEventDistribution — whether query event distibution was enabled
query.start — when the query started
query.timeZoneOffsetMinutes — timezone offset
query.useIngestTime — the timestamp when the data was ingested

LogScale System Repository Schema Guide

LogScale System Repository Schema Guide

The humio Repository

The humio-audit Repository

The humio-fleet Repository

The humio-measurements Repository

The humio-metrics Repository

The humio-usage

humio-audit Query Structure

Enter search term