humio-audit Event types | LogScale System Repository Schema Guide | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Training API GraphQL API Contacting Support

humio-audit Event types

The type field in each humio-audit event defins the type of operation recorded in the audit log. The list of possible types is provided below.

Table: humio-audittype Values

Field Value	Availability	Description	Functionality
`action.delete`		Action has been deleted	Deleting an Action
`alert.clear-error`		Alert error has been cleared	Editing an Alert
`alert.create`		Alert has been created	Creating Alerts
`alert.delete`		Alert has been deleted	Deleting Automated Alerts
`alert.disable`		Alert has been disabled	Disabling an Alert
`alert.enable`		Alert has been enabled	Disabling an Alert
`alert.update`		Alert has been updated	Editing Alerts
`baseaudit`		Generic auditing entry
`bucket-storage.update`		Bucket storage configuration has been updated
`bucket.storage.target.delete`		Bucket storage target has been deleted
`cachepolicy.delete`		Data caching policy has been deleted	removeRepoCachePolicy()
`cachepolicy.update`		Cache policy has been updated	setRepoCachePolicy()
`config.settings`		Configuration settings have been changed	Configuration Settings
`dashboard.create`		A dashboard has been created	Creating Dashboards and Widgets
`dashboard.delete`		A dashboard has been deleted	Main Operations
`dashboard.link.create`		A shared dashboard link has been created	Sharing Dashboards
`dashboard.link.delete`		A shared dashboard link has been deleted	Disabling Access to Shared Dashboards
`dashboard.link.update`		A shared dashboard link has been updated	Disabling Access to Shared Dashboards
`dashboard.update`		A dashboard has been edited	Editing Dashboards
`datasource.autoshard`		Datasource autosharding has started	Configure Auto-Sharding for High-Volume Data Sources
`datasource.autoshard`		Datasource autosharding has started	Configure Auto-Sharding for High-Volume Data Sources
`datasource.delete`		A datasource has been deleted
`datasource.max-autoshard-count`		DATASOURCE_MAX_AUTOSHARD_COUNT	Configure Auto-Sharding for High-Volume Data Sources
`datasource.stop-autoshard`		Autosharding for a datasource has stopped	Configure Auto-Sharding for High-Volume Data Sources
`dataspace.block`		Ingest has been paused	Disabling Ingestion
`dataspace.datatype`		Repository datatype has been updated
`dataspace.delete`		A repository has been deleted	Delete a Repository or View
`dataspace.kind`		Dataspace kind has been updated
`dataspace.limit-id`		Repository limit has been updated	Repository and View Settings
`dataspace.max-ingest-request-size`		Repository max ingest request size has been changed
`dataspace.query`		Query has been executed
`dataspace.retention`		Retention settings have been changed	Data Retention
`dataspace.settings`		Repository settings have been updated	Repository and View Settings
`dataspace.taggroupingrules`		Repository tag grouping rules have been updated	Tag Grouping
`dataspace.unblock`		The ingest pause has been cleared	Disabling Ingestion
`delete.events`		Events have been deleted
`dynamicconfig.set`		A dynamic configuration value has been updated	Dynamic Configuration
`email-action.create`		An email action has been created	Action Type: Email
`email-action.update`		An email action has been updated	Action Type: Email
`eventforwarder.delete`		An event forwarder has been deleted	Event Forwarders
`eventforwarder.disable`		An event forwarder has been disabled	Event Forwarders
`eventforwarder.enable`		An event forwarder has been enabled	Event Forwarders
`eventforwarder.kafka.create`		An event forwarder has been created	Event Forwarders
`eventforwarder.kafka.update`		An event forwarder has been updated	Event Forwarders
`eventforwardingrule.add`		An event forwarding rule has been added	Event Forwarding Rules
`eventforwardingrule.delete`		An event forwarding rule has been deleted	Event Forwarding Rules
`eventforwardingrule.update`		An event forwarding rule has been updated	Event Forwarding Rules
`fdrfeed-controls.update`		Falcon Data Replicator feed controls have been created	Ingesting FDR Data into a Repository
`fdrfeed.create`		Falcon Data Replicator feed configurations have been created	Ingesting FDR Data into a Repository
`fdrfeed.delete`		Falcon Data Replicator feed configurations have been deleted	Ingesting FDR Data into a Repository
`fdrfeed.update`		Falcon Data Replicator feed configurations have been updated	Ingesting FDR Data into a Repository
`featureflag.global.update`		A feature flag has been updated at the cluster level	Enabling & Disabling Feature Flags, Syntax
`featureflag.org.update`		A feature flag has been updated at the organization level	Enabling & Disabling Feature Flags, Syntax
`featureflag.user.update`		A feature flag has been updated at the user level	Enabling & Disabling Feature Flags, Syntax
`fieldaliasing.schema.create`		A field aliasing schemas has been created	Configuring Field Aliasing
`fieldaliasing.schema.delete`		A field aliasing schema has been deleted	Configuring Field Aliasing
`fieldaliasing.schema.disable-org`		A field aliasing schema in an organization has been disabled	Configuring Field Aliasing
`fieldaliasing.schema.disable-view`		Field aliasing on a view has been disabled	Configuring Field Aliasing
`fieldaliasing.schema.enable-org`		A field aliasing schemas has been enabled on an organization	Configuring Field Aliasing
`fieldaliasing.schema.enable-views`		A field aliasing schema has been enabled on a view	Configuring Field Aliasing
`fieldaliasing.schema.update`		A field aliasing schema has been updated	Configuring Field Aliasing
`filterAlert.clear-error`		A filter alert error condition has been cleared	Monitoring Alerts
`filterAlert.create`		A filter alerter has been created	Creating Alerts
`filterAlert.delete`		A filter alert has been deleted	Deleting an Alert
`filterAlert.disable`		A filter alert has been disabled	Disabling an Alert
`filterAlert.enable`		A filter alert has been enabled	Disabling an Alert
`filterAlert.update`		A filter alert has been updated	Editing Alerts
`fleet.collectors.unenroll`		Fleet collectors have been unenrolled	Unenroll LogScale Collector
`flushingstate.org.clear`
`flushingstate.org.update`
`group.membership.change`		A user has been added or removed in a group	Group Memberships
`group.organizationrole.assigned`		An organization role has been assigned to a group	Assigning Roles to Groups
`group.organizationrole.unassigned`			Assigning Roles to Groups
`group.role.assigned`		A role has been assigned to a group	Assigning Roles to Groups
`group.role.unassigned`		A role has been removed from a group	Assigning Roles to Groups
`group.systemrole.assigned`		The system role has been added to a group	Managing Groups
`group.systemrole.unassigned`		The system role has been removed from a group	Managing Groups
`hashedtokens.change`		An API token has been changed	API Tokens
`hashedtokens.rotate`		An API token has been rotated	API Tokens
`humio-repo-action.create`		A LogScale repo action has been created	Action Type: Falcon LogScale Repository
`humio-repo-action.update`		A LogScale repo action has been updated	Action Type: Falcon LogScale Repository
`identityProvider`		Identity providers have been changed	Authentication & Identity Providers
`ingest.block`
`ingestconsumer.force-release`
`ingestfeed.create`		An ingest feed has been created	Setting up a New Ingest Feed
`ingestfeed.delete`		An ingest feed has been deleted	Deleting an Ingest Feed
`ingestfeed.reset-quota`
`ingestfeed.update`		An ingest feed has been updated	Editing an Ingest Feed Configuration
`ingestlistener.create`		An ingest listener has been created	Ingest Listeners
`ingestlistener.delete`		Ingest listeners have been deleted	Ingest Listeners
`ingestlistener.update`		Ingest listeners have been updated	Ingest Listeners
`iocaccess.update`
`ipfilters.change`		An IP filter has been updated	Editing an IP Filter
`login.bridge.allowed.users`		Third party authentication allowed users has been updated
`login.bridge.change`		Third party authentication method has been changed
`login.bridge.delete`		Third party authentication method has been deleted
`login.bridge.generate.login`		Third party authentication user login request has been generated
`login.bridge.terms.change`		Third-party authentication has been updated
`no-op-action.create`
`no-op-action.update`
`notifications.create`		A notification has been created
`notifications.delete`		A notification has been deleted
`notifications.user.change`		Notification user has been updated
`notifications.user.create`		Notification user has been created
`notifications.user.delete`		Notification user has been deleted
`ops-genie-action.create`		OpsGenie action has been created	Action Type: OpsGenie
`ops-genie-action.update`		OpsGenie action has been updated	Action Type: OpsGenie
`org.datasources.import`
`org.metadata.import`
`org.metadata.import.rollback`
`org.segments.import`
`organizations`		Organization settings have been changed
`organizations.batch`
`organizations.buckets.readonly`
`organizations.cid.set`
`organizations.cross.change`
`organizations.link.create`
`organizations.link.unlink`
`organizations.link.unlink.child`
`organizations.queryhandles.ownership-batch.update`		Query ownership handles have been batch updated	Updating Organization Ownership for Existing Queries
`organizations.securitypolicies.actions.update`		The security policy for Actions has been updated	Changing Actions Security Policies
`organizations.securitypolicies.shared-dashboards.update`		Shared dashboard security policies have been updated	Dashboard Security Policies
`organizations.securitypolicies.tokens.update`		Security policy for API tokens has been updated	API Token Security Policies
`organizations.selected.batch`
`organizations.subscription.change`
`organizations.transfer.user`		A user has been moved between organizations
`organizations.update.foreignkey`
`organizations.users`		Organization users have been updated
`organizations.users.batch`		Users within an organization have been batch updated
`orgtransfer-job-status.create`
`orgtransfer-job-status.delete`
`package.entity.create`		An item (query, dashboard, widget) within a package has been changed
`package.entity.delete`		An item (query, dashboard, widget) within a package has been deleted
`package.error`		A package error has been triggered
`package.install`		A package has been installed	Installing & Updating Packages
`package.uninstall`		A package has been uninstalled	Installing & Updating Packages
`package.update`		A package has been updated	Installing & Updating Packages
`pager-duty-action.create`		A PagerDuty action has been created	Action Type: PagerDuty
`pager-duty-action.update`		A PagerDuty action has been updated	Action Type: PagerDuty
`parser.create`		A parser has been created	Creating a Parser
`parser.delete`		A parser has been deleted	Creating a Parser
`parser.update`		A parser has been updated
`query-blocklist.add`		Query blocklist has been created	Blocking Queries
`query-blocklist.remove`		Query blocklist has been removed	Blocking Queries
`query-quota.set`		Query quota setting has been updated	Query Quotas
`query.stop-all-queries`		All queries have been stopped	stopAllQueries()
`query.stop-exporting-queries`		All Streaming (live) queries have been stopped	stopStreamingQueries()
`query.stop-static-queries`		All historical queries have been stopped	stopHistoricalQueries()
`readonly.dashboard.accessed`		A read-only dashboard has been accessed	Sharing Dashboards
`readonly.dashboard.update`		A read-only dashboard has been updated
`redirectingest.org.clear`
`redirectingest.org.update`
`repo.users`		User access to a repo or view has been changed
`repository.create`		A repository has been created	Creating a Repository or View
`role.objectaction.change`		Role has been changed
`role.organizationpermissions.change`		Role organization permissions have been changed	Organization Administration Permissions, Managing Roles
`role.systempermissions.change`		Role system permissions have been change	Cluster Management Permissions, Managing Roles
`role.viewpermissions.change`		Role view or repository permissions have been change	Repository & View Permissions, Managing Roles
`s3-archiving.configure`
`s3-archiving.disable`
`s3-archiving.enable`
`s3-archiving.restart`
`saved-query.create`		A saved query has been created	User Functions (Saved Searches)
`saved-query.delete`		A saved query has been deleted	User Functions (Saved Searches)
`saved-query.update`		A saved query has been updated	User Functions (Saved Searches)
`scheduled-search.clear-error`		A scheduled search error condition has been cleared	Scheduled Searches
`scheduled-search.create`		A scheduled search has been created	Creating a Scheduled Search
`scheduled-search.delete`		A scheduled search has been deleted	Scheduled Searches
`scheduled-search.update`		A scheduled search has been updated	Scheduled Searches
`segment.delete`		A segment has been deleted
`sessions.revoke`		A user session has been revoked	revokeSession(), Managing Sessions within an Organization
`slack-action.update`		Slack action has been updated	Action Type: Slack
`slack-post-message-action.create`		Slack message action has been created	Action Type: Slack
`slack-post-message-action.update`		Slack message action has been updated	Action Type: Slack
`subdomain.remove`		Subdomains settings have been removed
`subdomain.set`		Subdomains settings have been updated
`system-repository.create`		LogScale system repository has been created
`tokens`		API or security tokens have been updated	API Tokens
`transfer.ingest-redirection`
`transfer.metadata`
`transfer.segment`
`transfer.snapshot`		TRANSFER_SNAPSHOT
`transfercheckmark.org.update`
`transfercheckmarks.org.update`
`transferjob.added`
`transferjob.cancelled`
`transferstate.org.update`
`upload-file-action.create`		Update file action has been created	Action Type: Upload File
`upload-file-action.update`		Update file action has been updated	Action Type: Upload File
`uploaded-file.create`		A lookup file has been created	Creating a File, `UploadFileAction`
`uploaded-file.delete`		An uploaded file has been deleted	Exporting or Deleting a File
`uploaded-file.update`		An uploaded file has been updated	`UploadFileAction`, Lookup Files
`user.accept-standard-mandatory-dod-notice-and-consent`		User has accepted the usage notice
`user.accept-terms`		User has accepted the terms
`user.invite-accepted`		User has accepted an invite	Managing Users
`user.invited`		A user has been invited to access the cluster	Managing Users
`user.profile`		User settings have been changed	Managing Users
`user.roles.change`		The roles assigned to a user have been changed	Managing Users
`user.signin`		User has signed in
`user.signout`		User has signed out (manually or automatically)
`victor-ops-action.create`		A VictorOps action has been created	Action Type: VictorOps (Splunk On-Call)
`victor-ops-action.update`		A VictorOps action has been updated	Action Type: VictorOps (Splunk On-Call)
`view.delete`		A repository or view has been deleted
`view.rename`		A repository or view has been renamed
`view.restore`		VIEW_RESTORE
`viewinteraction.create`
`viewinteraction.delete`
`viewinteraction.update`
`webhook-action.create`		A webhook action has been created	Action Type: Webhooks
`webhook-action.update`		A webhook action has been updated	Action Type: Webhooks

Enter search term