Log to a Humio Repository

The Humio Repository Action sends events from a trigger to a Humio repository. This can be used to summarize all such events, or to aggregate information from multiple triggers.

| Parameter | Description |
|---|---|
| Ingest token | An ingest token for the repository receiving the events. |

The events from the trigger are parsed and ingested using the ingest token. If the ingest token has an associated parser, that parser is used; otherwise, the built-in parser json-for-action is used.

The events sent to the parser contain the following fields:

| Field | Value |
|---|---|
| @trigger.id | The id of the trigger. |
| @trigger.name | The user-made name of the trigger. |
| @trigger.description | The user-made description of the trigger. |
| @trigger.type | The type of the trigger. Either alert or scheduled-search. |
| @trigger.query.start | The query start time (e.g. 10m). |
| @trigger.query.end | The query end time (e.g. now). |
| @trigger.invocation.triggeredAt | The time at which the trigger was triggered, formatted as ISO 8601. |
| @trigger.invocation.uuid | A unique id for an invocation of the trigger. Can be used to identify events from the same invocation of the trigger. |
| @trigger.invocation.start | The actual query start time as Unix Time in milliseconds. |
| @trigger.invocation.end | The actual query end time as Unix Time in milliseconds. |
| @trigger.repository.name | The name of the repository in which the trigger is defined. |
| @rawstring | The original event from the trigger, encoded as JSON. A prefix # character in a field name is replaced by @tag., so that e.g. #source becomes @tag.source. |

The default parser json-for-action will extract the original event from the @rawstring field, so that the parsed event contains all the original fields together with all the @trigger.XXX fields. It will not parse any timestamps, so if the original event does not contain a @timestamp field, the event will get “now” as timestamp.
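To make the merged event shape and the timestamp fallback concrete, the following Python sketch is an added example, not Humio's parser code: it models the merge described above on constructed sample events and counts, per @trigger.invocation.uuid, how many events would be stamped with ingest time. The helper names, the sample values, and the choice to let @trigger.* fields win on a name clash are assumptions of this sketch.

```python
import json
from collections import defaultdict


def expand_action_event(event, now_ms):
    """Model the merge described for json-for-action (sketch, not Humio code)."""
    original = json.loads(event["@rawstring"])
    if not isinstance(original, dict):
        raise ValueError("@rawstring does not hold a JSON object")
    parsed = dict(original)
    # Assumption: on a name clash this sketch keeps the @trigger.* value;
    # the page does not say what the real parser does.
    parsed.update({k: v for k, v in event.items() if k.startswith("@trigger.")})
    has_own_ts = "@timestamp" in original
    if not has_own_ts:
        # No timestamp parsing: the event is stamped with ingest time ("now"),
        # which is not the time the original event occurred.
        parsed["@timestamp"] = now_ms
    return parsed, has_own_ts


def summarize_invocations(events, now_ms):
    """Group expanded events by invocation uuid and count ingest-time stamps."""
    groups = defaultdict(lambda: {"trigger": None, "events": 0,
                                  "ingest_time_stamped": 0, "window_ms": None})
    for ev in events:
        parsed, has_own_ts = expand_action_event(ev, now_ms)
        g = groups[parsed["@trigger.invocation.uuid"]]
        g["trigger"] = parsed["@trigger.name"]
        # The invocation window stays reliable even when @timestamp is "now".
        g["window_ms"] = (parsed["@trigger.invocation.start"],
                          parsed["@trigger.invocation.end"])
        g["events"] += 1
        g["ingest_time_stamped"] += 0 if has_own_ts else 1
    return dict(groups)


def sample_event(uuid, raw):
    """Build a constructed event in the shape the field table describes."""
    return {"@trigger.id": "constructed-id", "@trigger.name": "failed-logins",
            "@trigger.type": "alert", "@trigger.invocation.uuid": uuid,
            "@trigger.invocation.start": 1700000000000,
            "@trigger.invocation.end": 1700000600000,
            "@rawstring": json.dumps(raw)}


# Constructed sample data; #source has already become @tag.source in @rawstring.
SAMPLE_EVENTS = [
    sample_event("inv-1", {"@timestamp": 1700000123000, "@tag.source": "auth", "user": "alice"}),
    sample_event("inv-1", {"@tag.source": "auth", "user": "bob"}),
    sample_event("inv-2", {"user": "carol"}),
]
```

When building timelines from the receiving repository, events counted under ingest_time_stamped should be placed using the @trigger.invocation.start and @trigger.invocation.end window rather than their @timestamp.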

The events you send through this Action count towards the daily ingest limit.