Log to a Humio Repository

The Humio Repository Action sends events from a trigger to a Humio repository. This can be used to summarize all such events, or to aggregate information from multiple triggers.



Ingest token

An ingest token for the repository receiving the events.

The events from the trigger are parsed and ingested using the ingest token. If the ingest token has an associated parser, it is used, otherwise, the built-in parser json-for-action is used.

The events sent to the parser contain the following fields:



Ingest token


The id of the trigger.


The user-made name of the trigger.


The user-made description of the trigger.


The type of the trigger. Either alert or scheduled-search.


The query start time (e.g. 10m).


The query end time (e.g. now).


The time at which the trigger was triggered, formatted as ISO 8601.


A unique id for an invocation of the trigger. Can be used to identify events from the same invocation of the trigger.


The actual query start time as Unix Time in milliseconds.


The actual query end time as Unix Time in milliseconds.


The name of the repository in which the trigger is defined.


The original event from the trigger, encoded as JSON. A prefix # character in a field name is replaced by @tag., so that e.g. #source becomes @tag.source.

The default parser json-for-action will extract the original event from the @rawstring field, so that the parsed event contains all the original fields together with all the @trigger.XXX fields. It will not parse any timestamps, so if the original event does not contain a @timestamp field, the event will get “now” as timestamp.

The events you send through this Action count towards the daily ingest limit.