System events are used to store details about executed queries, auditing events, billing events and more. In order to query system events, you need the storage:system:read permission.
Query
Query system events.
Anomaly Detector Status Event
The anomaly detector status events are used for Davis anomaly detection.
They track errors and warnings during the execution of an anomaly detector. Examples:
- Query runs into a timeout
- Query fails as unauthorized
- Query result is truncated as the scanned bytes limit was reached
- …
Query
Analyze anomaly detectors status events.
fetch dt.system.events
| filter event.kind == "ANOMALY_DETECTOR_STATUS_EVENT"
client.application_context
stable
A Dynatrace app ID.
local-dev-mode; dynatrace.notebooks; my.biz.carbon
client.internal_service_context
experimental
A string that identifies the Dynatrace service that triggered the query.
davis.anomaly_detector.message
experimental
Additional details about the anomaly detector status
Maximum number of concurrent queries per tenant reached.
davis.anomaly_detector.status
experimental
Severity of an anomaly detector status
experimental
The object ID of a settings value. This corresponds to the 'objectId' field/parameter in the Settings API.
vu9U3hXa3q0AAAABACFidWlsdGluOnJ1bS51c2VyLWV4cGVyaWVuY2Utc2NvcmUABnRlbmFudAAGdGVuYW50ACRhMzZmYmYwMy00NDY1LTNlNTYtOTZiOS1kOWMzOGQ3MzU1NmO-71TeFdrerQ
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
ANOMALY_DETECTOR_STATUS_EVENT
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
AppEngine Functions - Small billing usage
Model describing a billing usage event of function invocations. Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage events.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "AppEngine Functions - Small"
stable
Number of billed invocations. Unit is 1/4 GiB * min
stable
The entity/app invoking the function or not set when not invoked by an app.
stable
The service invoking the function or not set when not invoked by a service.
resource stable
The unique application identifier. Dynatrace apps are prefixed with 'dynatrace.', custom apps are prefixed with 'my.'
dynatrace.notebooks; my.awesome.app
resource stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model.
Tags: permission
stable
Unique identifier string of an event; is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
AppEngine Functions - Small
stable
Describes the version of the event.
stable
Duration of the function call in seconds. Measures not the actual execution time but the duration in the function proxy including network roundtrip to the Runtime. If the duration is bigger than the maximum allowed duration (which may happen due to technical reasons) the reported value is set to the maximum allowed duration.
stable
If the execution of a resumable function lasts for more than 2 minutes, there will be multiple BILLING_USAGE_EVENTs created for that execution, which will have the same value in this field. It can therefore be used to join BILLING_USAGE_EVENTs for long-running function invocations.
1bfa32fa-679e-4ac9-b683-2d2cdd4b6314
stable
The unique identifier of a function containing the app id and function id in the form of {app.id}.{function.id}. Missing for adhoc executions.
myapp.test/path/myfunction
stable
Runtime memory in MiB. Some of the memory is not available to the javascript code, because it is needed by the runtime itself.
stable
The identifier defining the function type.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
stable
Unique UUID of a human user. If the system itself has to be represented, the constant 'system' is used.
35ba9499-f87c-4047-962c-14dc32e255e5; system
Values
event.kind
MUST be one of the following:
event.provider
MUST be one of the following:
LIMA Usage Stream Service
event.type
MUST be one of the following:
AppEngine Functions - Small
AppEngine Functions - Small
dt.security_context
MUST be one of the following:
function.type
MUST be one of the following:
App function execution, but function is defined as an Action in the app manifest
Audit Event
For every API access, Dynatrace stores an audit event in the dt.system.events table.
Additionally, the Audit Event allows attaching an arbitrary key/value map with string keys and string values to the event. Keys are prefixed with "details." during serialization.
Query
Analyze audit events.
fetch dt.system.events
| filter event.kind == "AUDIT_EVENT"
experimental
The OAuth2 client id if of type 'CLIENT_CREDENTIALS'.
dt0s02.UZCK6ENL.2YQ2A3DZUEISRJSUU5544J3SC3TMPXSEEMNA5HK7RW54SJ6XKLYGMWJNKL7B2DNH
authentication.grant.type
experimental
The grant type used during OAuth2 authentication.
AUTHORIZATION_CODE; CLIENT_CREDENTIALS
experimental
The public token identifier of authentication.type 'TOKEN'.
dt0c01.AM4SEYKIBROBEJ2N3HAXZ4IX
experimental
The method of authentication.
resource experimental
Name or path of the App-Function that was executed.
check-ip.js; /api/send-message
resource stable
The unique application identifier. Dynatrace apps are prefixed with 'dynatrace.', custom apps are prefixed with 'my.'
dynatrace.notebooks; my.awesome.app
resource stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model.
Tags: permission
stable
Unique identifier string of an event; is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Denotes whether the event represents a success or a failure from the perspective of the entity that produced the event (for example an HTTP response code).
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
Describes why a certain event.outcome was set. Typically, this is some form of error description in the case of a failure.
user is missing permission "logs.read"
stable
The unique type identifier of a given event.
Tags: permission
stable
Describes the version of the event.
experimental
Source IP address of the request associated with this event if not of 'LOCAL' type.
experimental
The ID of the browser session (if present) associated with the event.
experimental
Origin type of the request associated with this event.
experimental
The verbatim value of the X-Forwarded-For HTTP request header (if present) of the request associated with the event.
stable
In case of a REST call audit event, this field contains the request source.
BROWSER; DT_SERVERLESS; OTHER
stable
Generic reference to a resource like a REST resource URL or a settings ID.
/service/resource; 1234567890
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
stable
Unique UUID of a human user. If the system itself has to be represented, the constant 'system' is used.
35ba9499-f87c-4047-962c-14dc32e255e5; system
experimental
Full name of the user. If the system itself has to be represented, the constant 'System' is used.
Wolfgang Amadeus Mozart; System
experimental
Organization the user belongs to.
DYNATRACE; CUSTOMER; PARTNER
Automation Workflow billing usage
Model describing a billing usage event of automation workflows. Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage events for AutomationEngine workflows.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Automation Workflow"
resource stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model.
Tags: permission
stable
The event end timestamp in UTC (given in Grail preferred Linux timestamp nano precision format).
stable
Unique identifier string of an event; is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The event start timestamp in UTC (given in Grail preferred Linux timestamp nano precision format).
stable
The unique type identifier of a given event.
Tags: permission
stable
Describes the version of the event.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
stable
The entity executing the workflow as UUID.
b22a50a0-2540-4f29-9452-bc330322fb1e
stable
The time when the workflow was created.
stable
The description of the workflow.
stable
The unique identifier of a workflow as UUID.
26c0334e-a3e1-4585-8cd8-2d72742fe141
stable
The boolean identifier denoting the visibility of the workflow.
stable
The entity owning the workflow as UUID.
f1358516-8136-4634-9012-d2e3dfee38dc
stable
The title of the workflow.
stable
The identifier that describes the trigger of the workflow.
stable
The entity updating the workflow last.
f1358516-8136-4634-9012-d2e3dfee38dc
Values
event.kind
MUST be one of the following:
event.provider
MUST be one of the following:
LIMA Usage Stream Service
event.type
MUST be one of the following:
dt.security_context
MUST be one of the following:
AutomationEngine action execution event
Model describing an AutomationEngine action execution event. Action execution events are stored in the dt.system.events table.
Query
AutomationEngine action execution state change.
fetch dt.system.events
| filter event.kind == "WORKFLOW_EVENT" and event.provider == "AUTOMATION_ENGINE" and event.type == "ACTION_EXECUTION"
dt.automation_engine.action.app
experimental
The app id of the app containing the executed action.
dt.automation_engine.action.function
experimental
Name of the function implementing the action.
dt.automation_engine.action_execution.id
experimental
The unique identifier of an action execution as UUID.
23e7b55a-884f-4497-8ad6-8d49d52b4348
dt.automation_engine.action_execution.loop.index
experimental
Loop index of the action execution.
dt.automation_engine.action_execution.retry.count
experimental
Retry count of the action execution.
dt.automation_engine.state
experimental
The state of an execution. Values depend on type of execution (workflow-, task-, or action execution).
dt.automation_engine.state.is_final
experimental
Indicates if dt.automation_engine.state is a final and immutable state or if further processing will happen.
dt.automation_engine.state_info
experimental
Additional info about current state of execution. Typically holds error details.
dt.automation_engine.task.name
experimental
The identifier of a task within a workflow.
dt.automation_engine.workflow.id
experimental
The unique identifier of a workflow as UUID.
26c0334e-a3e1-4585-8cd8-2d72742fe141
dt.automation_engine.workflow.title
experimental
The title of the workflow.
dt.automation_engine.workflow_execution.id
experimental
The unique identifier of a workflow execution as UUID.
737a248b-d1cb-49a4-bf08-7d4c37dbfb1e
dt.openpipeline.pipelines
resource experimental
Collects the identifiers of all pipelines through which a record has passed during the ingestion process in OpenPipeline, providing a complete trace of its journey.
[[logs:default], [logs:pipeline_haproxy_2656, bizevents:default]]
resource experimental
Identifies the source (such as API endpoints or OneAgent) used for ingesting the record into OpenPipeline.
/platform/ingest/v1/events; oneagent
stable
The difference of start_time and end_time in nanoseconds.
stable
End time of a data point. Value is a UNIX Epoch time in nanoseconds and greater than or equal to the start_time.
stable
Unique identifier string of an event; is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
stable
Start time of a data point. Value is a UNIX Epoch time in nanoseconds and less than or equal to the end_time.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
Values
event.kind
MUST be one of the following:
Event in context of a workflow
event.provider
MUST be one of the following:
Event produced by AutomationEngine
event.type
MUST be one of the following:
Task execution state change event
dt.automation_engine.state
MUST be one of the following:
Action execution started.
Action execution finished successfully.
AutomationEngine task execution event
Model describing an AutomationEngine task execution event. Task execution events are stored in the dt.system.events table.
Query
AutomationEngine task execution state change.
fetch dt.system.events
| filter event.kind == "WORKFLOW_EVENT" and event.provider == "AUTOMATION_ENGINE" and event.type == "TASK_EXECUTION"
dt.automation_engine.state
experimental
The state of an execution. Values depend on type of execution (workflow-, task-, or action execution).
dt.automation_engine.state.is_final
experimental
Indicates if dt.automation_engine.state is a final and immutable state or if further processing will happen.
dt.automation_engine.state_info
experimental
Additional info about current state of execution. Typically holds error details.
dt.automation_engine.task.name
experimental
The identifier of a task within a workflow.
dt.automation_engine.workflow.id
experimental
The unique identifier of a workflow as UUID.
26c0334e-a3e1-4585-8cd8-2d72742fe141
dt.automation_engine.workflow.title
experimental
The title of the workflow.
dt.automation_engine.workflow_execution.id
experimental
The unique identifier of a workflow execution as UUID.
737a248b-d1cb-49a4-bf08-7d4c37dbfb1e
dt.openpipeline.pipelines
resource experimental
Collects the identifiers of all pipelines through which a record has passed during the ingestion process in OpenPipeline, providing a complete trace of its journey.
[[logs:default], [logs:pipeline_haproxy_2656, bizevents:default]]
resource experimental
Identifies the source (such as API endpoints or OneAgent) used for ingesting the record into OpenPipeline.
/platform/ingest/v1/events; oneagent
stable
The difference of start_time and end_time in nanoseconds.
stable
End time of a data point. Value is a UNIX Epoch time in nanoseconds and greater than or equal to the start_time.
stable
Unique identifier string of an event; is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
stable
Start time of a data point. Value is a UNIX Epoch time in nanoseconds and less than or equal to the end_time.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
Values
event.kind
MUST be one of the following:
Event in context of a workflow
event.provider
MUST be one of the following:
Event produced by AutomationEngine
event.type
MUST be one of the following:
Task execution state change event
dt.automation_engine.state
MUST be one of the following:
Task skipped due to task conditions evaluation or task is disabled.
Task discarded due to predecessor task conditions evaluation.
Task waiting due to e.g. task option configuration.
Task execution has running action execution.
Task execution finished successfully.
Task execution cancelled manually/by API request.
Task execution finished due to at least one failed action execution and no retries configured/left to process.
AutomationEngine workflow execution event
Model describing an AutomationEngine workflow execution event. Workflow execution events are stored in the dt.system.events table.
Query
AutomationEngine workflow execution state change.
fetch dt.system.events
| filter event.kind == "WORKFLOW_EVENT" and event.provider == "AUTOMATION_ENGINE" and event.type == "WORKFLOW_EXECUTION"
dt.automation_engine.root_workflow.id
experimental
The unique identifier of the root workflow.
e6388e3a-9db2-4226-9327-2ba86eaf12f7
dt.automation_engine.root_workflow_execution.id
experimental
The unique identifier of the execution of the root workflow.
a641fb59-4627-44cd-abaf-b68d86455a5b
dt.automation_engine.state
experimental
The state of an execution. Values depend on type of execution (workflow-, task-, or action execution).
dt.automation_engine.state.is_final
experimental
Indicates if dt.automation_engine.state is a final and immutable state or if further processing will happen.
dt.automation_engine.workflow.id
experimental
The unique identifier of a workflow as UUID.
26c0334e-a3e1-4585-8cd8-2d72742fe141
dt.automation_engine.workflow.title
experimental
The title of the workflow.
dt.automation_engine.workflow.type
experimental
Workflow type, either SIMPLE or STANDARD, where SIMPLE comes with restrictions.
dt.automation_engine.workflow_execution.id
experimental
The unique identifier of a workflow execution as UUID.
737a248b-d1cb-49a4-bf08-7d4c37dbfb1e
dt.automation_engine.workflow_execution.trigger.type
experimental
The identifier that describes the trigger of the workflow.
Schedule; Event; Workflow; Manual
dt.automation_engine.workflow_execution.trigger.user.id
experimental
The unique identifier of the user who triggered the workflow execution manually/via API.
dad18fa7-3c11-40a1-b760-1d8281bb5dcc
dt.automation_engine.workflow_execution.trigger.workflow_execution.id
experimental
The unique identifier of the workflow that triggered the workflow execution.
737a248b-d1cb-49a4-bf08-7d4c37dbfb1e
dt.openpipeline.pipelines
resource experimental
Collects the identifiers of all pipelines through which a record has passed during the ingestion process in OpenPipeline, providing a complete trace of its journey.
[[logs:default], [logs:pipeline_haproxy_2656, bizevents:default]]
resource experimental
Identifies the source (such as API endpoints or OneAgent) used for ingesting the record into OpenPipeline.
/platform/ingest/v1/events; oneagent
stable
The difference of start_time and end_time in nanoseconds.
stable
End time of a data point. Value is a UNIX Epoch time in nanoseconds and greater than or equal to the start_time.
stable
Unique identifier string of an event; is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
stable
Start time of a data point. Value is a UNIX Epoch time in nanoseconds and less than or equal to the end_time.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
Values
event.kind
MUST be one of the following:
Event in context of a workflow
event.provider
MUST be one of the following:
Event produced by AutomationEngine
event.type
MUST be one of the following:
Workflow execution state change event
dt.automation_engine.state
MUST be one of the following:
Workflow execution started.
Workflow execution finished successfully.
Workflow execution failed due to at least one branch with a failed task without an on error successor.
Workflow execution cancelled manually/by API request.
AutomationEngine workflow lifecycle event
Model describing an AutomationEngine workflow lifecycle event. Workflow lifecycle events are stored in the dt.system.events table.
Query
AutomationEngine workflow lifecycle events.
fetch dt.system.events
| filter event.kind == "WORKFLOW_EVENT" and event.provider == "AUTOMATION_ENGINE" and in(event.type, array("WORKFLOW_CREATED", "WORKFLOW_UPDATED", "WORKFLOW_DELETED"))
dt.automation_engine.workflow.id
experimental
The unique identifier of a workflow as UUID.
26c0334e-a3e1-4585-8cd8-2d72742fe141
dt.automation_engine.workflow.title
experimental
The title of the workflow.
stable
Unique identifier string of an event; is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
stable
Unique UUID of a human user. If the system itself has to be represented, the constant 'system' is used.
35ba9499-f87c-4047-962c-14dc32e255e5; system
Values
event.kind
MUST be one of the following:
Event in context of a workflow
event.provider
MUST be one of the following:
Event produced by AutomationEngine
event.type
MUST be one of the following:
Data Deletion Events
Dynatrace stores a data deletion event for each segment that got rewritten in the dt.system.events table.
Query
Analyze data deletion events.
fetch dt.system.events
| filter event.kind == "DATA_DELETION_EVENT"
experimental
A Dynatrace Grail bucket name.
default_logs; default_events
stable
The REST API version used by the client to perform the request.
experimental
End of a particular deletion.
experimental
Internal deletion request UUID.
c454347c-0ba9-4bd3-870e-d06dc1657f71
experimental
Start of a particular deletion.
resource stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model.
Tags: permission
experimental
A Dynatrace environment/tenant ID.
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
experimental
Additional information if query execution has 'FAILED'.
experimental
The query string.
fetch bizevents, from:-30m | limit 1
experimental
The number of rewritten bytes in the context of record deletion.
experimental
The outcome of the query.
experimental
Deletion task UUID returned by API.
03962cb6-aefc-4ca0-bad9-326099a977fe
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
stable
Unique UUID of a human user. If the system itself has to be represented, the constant 'system' is used.
35ba9499-f87c-4047-962c-14dc32e255e5; system
resource deprecated
Used in Extension Framework 2.0
The SNMP version.
Dynatrace Self-monitoring Event
Events that are generated by Dynatrace components with self-monitoring information (health, status, unexpected situations)
Fields
experimental
Unstructured content of the record. It should contain a human-readable message. Often it is the raw version of a record read from a source.
No keepalive from datasource statsd. Restarting
dt.active_gate.group.name
resource experimental
The name of a group that the ActiveGate instance belongs to.
resource stable
An entity ID of an entity of type HOST.
Tags: entity-id
experimental
Preregistered event key for self-monitoring events whitelisting.
extension.status; extension.engine.eec_status
resource experimental
Extension's monitoring configuration identifier.
vu9U3hXa3q0AAAABAAtleHQ6ZXh0LTA0MAAIYWdfZ3JvdXAAA0FHMQAkMjY2YTIyM2YtZDgxYi0zNTNjLThlYzctYzk2YzliZjg4OGQ3vu9U3hXa3q0
resource experimental
Name of the data source.
resource experimental
Name of the extension.
resource experimental
The status of the component reporting a self-monitoring event.
resource stable
The ID of the entity considered the source of the signal. The string represents an entity ID of an entity that is stored in the classic entity storage. [1]
Tags: entity-id
HOST-E0D8F94D9065F24F; PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F
stable
Human-readable attribute that identifies a log stream. [2]
Tags: permission
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
[1] The value of this field will be based on the value of one of the dt.entity.<type> fields. This means that both dt.source_entity and dt.entity.<type> fields will be set to the same ID.
[2] Can contain, for example, a file path, standard output, or a URI etc., depending on the log stream type. The value should be stable for one logical source (for example, not affected by log file rotation digits).
Events - Ingest & Process billing usage
Model describing a billing usage event of ingest for events. Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage events for the "Events - Ingest & Process" capability.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Events - Ingest & Process"
| dedup event.id
stable
The number of bytes that will be billed.
resource stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model.
Tags: permission
stable
Display name for usage details.
Business events; Custom Davis & Kubernetes events; Kubernetes warning events; Davis AI problems; Security events
stable
Unique identifier string of an event; is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
Events - Ingest & Process
stable
Describes the version of the event.
stable
Start time of the usage timeframe (inclusive).
2023-05-22T11:15:00.000000Z
experimental
A Dynatrace Grail usage event bucket name.
default_davis_custom_events
experimental
End time of the usage timeframe (exclusive).
2023-05-22T11:30:00.000000Z
deprecated
will be replaced by usage.bucket.
A Dynatrace Grail usage event bucket name.
default_davis_custom_events
experimental
Start time of the usage timeframe (inclusive).
2023-05-22T11:15:00.000000Z
Values
event.kind
MUST be one of the following:
event.provider
MUST be one of the following:
event.type
MUST be one of the following:
Events - Ingest & Process
Events - Ingest & Process
dt.security_context
MUST be one of the following:
Events - Query billing usage
Model describing a billing usage event of an events query execution. Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage events.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Events - Query"
stable
Indicates if the query was executed to fetch records or to delete them.
stable
The number of bytes that will be billed.
client.application_context
stable
A Dynatrace app ID.
local-dev-mode; dynatrace.notebooks; my.biz.carbon
stable
Name of the function that executed the query.
api/execute-dql-query; my/function
stable
Dynatrace application that executed the query.
https://tenant.apps.dynatracelabs.com/ui/notebook/a0321331-795c-43e7-87cd-890e4bfa8a09
resource stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model.
Tags: permission
stable
Display name for usage details.
Business events
; Custom Davis & Kubernetes events
; Kubernetes warning events
; Davis AI problems
; Security events
stable
Unique identifier string of an event; is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
stable
Describes the version of the event.
stable
The UUID identifying a particular query.
e68e5cc8-c31e-4e57-90d7-c6dde20b19d5
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
experimental
A Dynatrace Grail usage event bucket name.
default_bizevents
; default_davis_custom_events
deprecated
will be replaced by usage.bucket.
A Dynatrace Grail usage event bucket name.
default_bizevents
; default_davis_custom_events
stable
Unique UUID of a human user. If the system itself has to be represented, the constant 'system' is used.
35ba9499-f87c-4047-962c-14dc32e255e5
; system
Values
event.kind
MUST be one of the following:
event.provider
MUST be one of the following:
LIMA Usage Stream Service
event.type
MUST be one of the following:
dt.security_context
MUST be one of the following:
Events - Retain billing usage
Model describing the billing usage event for retention of events per Grail bucket. Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage events.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Events - Retain"
stable
The number of bytes that will be billed.
resource stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model.
Tags: permission
stable
Display name for usage details.
Business events
; Custom Davis & Kubernetes events
; Kubernetes warning events
; Davis AI problems
; Security events
stable
Unique identifier string of an event; is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
stable
Describes the version of the event.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
experimental
A Dynatrace Grail usage event bucket name.
default_bizevents
; default_davis_custom_events
deprecated
will be replaced by usage.bucket.
A Dynatrace Grail usage event bucket name.
default_bizevents
; default_davis_custom_events
Values
event.kind
MUST be one of the following:
event.provider
MUST be one of the following:
LIMA Usage Stream Service
event.type
MUST be one of the following:
dt.security_context
MUST be one of the following:
Foundation & Discovery billing usage
Model describing a billing usage event for the Foundation & Discovery DPS capability.
Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage for Foundation & Discovery on 15-minute billing intervals.
Note that complete usage for events is displayed only for Dynatrace versions 1.312+. Earlier versions will display partial usage.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Foundation & Discovery"
| dedup event.id
stable
How many host hours of the capability have been consumed by the host.
resource stable
Can be used to assign usage to a Cost Center.
resource stable
Can be used to assign usage to a Product or Application ID.
resource stable
An entity ID of an entity of type HOST.
Tags: entity-id
resource stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model.
Tags: permission
stable
Unique identifier string of an event; is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
stable
Describes the version of the event.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
experimental
End time of the usage timeframe (exclusive).
2023-05-22T11:30:00.000000Z
experimental
Start time of the usage timeframe (inclusive).
2023-05-22T11:15:00.000000Z
Values
event.kind
MUST be one of the following:
event.provider
MUST be one of the following:
event.type
MUST be one of the following:
dt.security_context
MUST be one of the following:
Full-Stack Monitoring billing usage
Model describing a billing usage event for the Full-Stack Monitoring DPS capability.
Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage for Full-Stack Monitoring on 15-minute billing intervals.
Note that complete usage for events is displayed only for Dynatrace versions 1.312+. Earlier versions will display partial usage.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Full-Stack Monitoring"
| dedup event.id
stable
How many gibibyte hours of the capability have been consumed by the host.
resource stable
Can be used to assign usage to a Cost Center.
resource stable
Can be used to assign usage to a Product or Application ID.
resource stable
An entity ID of an entity of type HOST.
Tags: entity-id
resource stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model.
Tags: permission
stable
Unique identifier string of an event; is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
stable
Describes the version of the event.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
experimental
End time of the usage timeframe (exclusive).
2023-05-22T11:30:00.000000Z
experimental
Start time of the usage timeframe (inclusive).
2023-05-22T11:15:00.000000Z
Values
event.kind
MUST be one of the following:
event.provider
MUST be one of the following:
event.type
MUST be one of the following:
dt.security_context
MUST be one of the following:
Infrastructure Monitoring billing usage
Model describing a billing usage event for the Infrastructure Monitoring DPS capability.
Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage for Infrastructure Monitoring on 15-minute billing intervals.
Note that complete usage for events is displayed only for Dynatrace versions 1.312+. Earlier versions will display partial usage.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Infrastructure Monitoring"
| dedup event.id
stable
How many host hours of the capability have been consumed by the host.
resource stable
Can be used to assign usage to a Cost Center.
resource stable
Can be used to assign usage to a Product or Application ID.
resource stable
An entity ID of an entity of type HOST.
Tags: entity-id
resource stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model.
Tags: permission
stable
Unique identifier string of an event; is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
Infrastructure Monitoring
stable
Describes the version of the event.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
experimental
End time of the usage timeframe (exclusive).
2023-05-22T11:30:00.000000Z
experimental
Start time of the usage timeframe (inclusive).
2023-05-22T11:15:00.000000Z
Values
event.kind
MUST be one of the following:
event.provider
MUST be one of the following:
event.type
MUST be one of the following:
Infrastructure Monitoring
Infrastructure Monitoring
dt.security_context
MUST be one of the following:
Log Management & Analytics - Query billing usage
Model describing a billing usage event of a logs query execution. Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage events.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Log Management & Analytics - Query"
stable
Indicates if the query was executed to fetch records or to delete them.
stable
The number of bytes that will be billed.
client.application_context
stable
A Dynatrace app ID.
local-dev-mode
; dynatrace.notebooks
; my.biz.carbon
stable
Name of the function that executed the query.
api/execute-dql-query
; my/function
stable
Dynatrace application that executed the query.
https://tenant.apps.dynatracelabs.com/ui/notebook/a0321331-795c-43e7-87cd-890e4bfa8a09
resource stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model.
Tags: permission
stable
Unique identifier string of an event; is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
Log Management & Analytics - Query
stable
Describes the version of the event.
stable
The UUID identifying a particular query.
e68e5cc8-c31e-4e57-90d7-c6dde20b19d5
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
stable
Unique UUID of a human user. If the system itself has to be represented, the constant 'system' is used.
35ba9499-f87c-4047-962c-14dc32e255e5
; system
Values
event.kind
MUST be one of the following:
event.provider
MUST be one of the following:
LIMA Usage Stream Service
event.type
MUST be one of the following:
Log Management & Analytics - Query
dt.security_context
MUST be one of the following:
Log Management & Analytics - Retain billing usage
Model describing the billing usage event for retention of events per Grail bucket. Billing usage events are stored in the dt.system.events table.
Query
Fetch Log Management & Analytics - Retain billing usage events.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Log Management & Analytics - Retain"
stable
The number of bytes that will be billed.
resource stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model.
Tags: permission
stable
Unique identifier string of an event; is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
Log Management & Analytics - Retain
stable
Describes the version of the event.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
experimental
A Dynatrace Grail usage log bucket name.
deprecated
will be replaced by usage.bucket.
A Dynatrace Grail usage log bucket name.
Values
event.kind
MUST be one of the following:
event.provider
MUST be one of the following:
LIMA Usage Stream Service
event.type
MUST be one of the following:
Log Management & Analytics - Retain
dt.security_context
MUST be one of the following:
Log Management & Analytics - Retain with Included Queries billing usage
Model describing the billing usage event for retention of events per Grail bucket. Billing usage events are stored in the dt.system.events table.
Query
Fetch Log Management & Analytics - Retain with Included Queries usage events.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Log Management & Analytics - Retain with Included Queries"
stable
The number of bytes that will be billed.
resource stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model.
Tags: permission
stable
Unique identifier string of an event; is stable across multiple refreshes and updates.
5547782627070661074qi_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
Log Management & Analytics - Retain with Included Queries
stable
Describes the version of the event.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
experimental
A Dynatrace Grail usage log bucket name.
Values
event.kind
MUST be one of the following:
event.provider
MUST be one of the following:
LIMA Usage Stream Service
event.type
MUST be one of the following:
Log Management and Analytics - Retain with Included Queries
Retain with Included Queries
dt.security_context
MUST be one of the following:
Metrics - Ingest & Process billing usage
Model describing a billing usage event of ingest & process for metrics. Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage events.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Metrics - Ingest & Process"
stable
The number of billable metrics data points.
resource stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model.
Tags: permission
stable
Unique identifier string of an event; is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
Metrics - Ingest & Process
stable
Describes the version of the event.
stable
Identifies the type of metric and therefore the timeseries rollup functions it supports.
stable
Monitoring source that originally reported the data. See 'dt.system.monitoring_source'.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
experimental
A Dynatrace Grail usage metrics bucket name.
experimental
End time of the usage timeframe (exclusive).
2023-05-22T11:30:00.000000Z
deprecated
will be replaced by usage.bucket.
A Dynatrace Grail usage metrics bucket name.
experimental
Start time of the usage timeframe (inclusive).
2023-05-22T11:15:00.000000Z
Values
event.kind
MUST be one of the following:
event.provider
MUST be one of the following:
LIMA Usage Stream Service
event.type
MUST be one of the following:
Metrics - Ingest & Process
Metrics - Ingest & Process
dt.security_context
MUST be one of the following:
Metrics - Retain billing usage
Model describing the billing usage event for retention of metrics per Grail bucket. Billing usage events are stored in the dt.system.events table.
Query
Fetch Metrics Retain billing usage events.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Metrics - Retain"
stable
The number of bytes that will be billed.
resource stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model.
Tags: permission
stable
Unique identifier string of an event; is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
stable
Describes the version of the event.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
experimental
A Dynatrace Grail usage metric bucket name.
Values
event.kind
MUST be one of the following:
event.provider
MUST be one of the following:
LIMA Usage Stream Service
event.type
MUST be one of the following:
dt.security_context
MUST be one of the following:
Query Execution Events
Dynatrace stores a query execution event in the dt.system.events table for each query that was executed.
Query
Analyze query execution events.
fetch dt.system.events
| filter event.kind == "QUERY_EXECUTION_EVENT"
The number of successful queries.
fetch dt.system.events
| filter event.kind == "QUERY_EXECUTION_EVENT"
| filter status == "SUCCEEDED"
| summarize countDistinct(query_id)
The number of failed queries.
fetch dt.system.events
| filter event.kind == "QUERY_EXECUTION_EVENT"
| summarize sum(failed_count)
experimental
End time of query analysis timeframe.
2023-05-22T13:15:57.416654000
experimental
Start time of query analysis timeframe.
2023-05-22T11:15:57.416654000
experimental
A Dynatrace Grail bucket name.
default_logs
; default_events
stable
The REST API version used by the client to perform the request.
client.application_context
stable
A Dynatrace app ID.
local-dev-mode
; dynatrace.notebooks
; my.biz.carbon
stable
Name of the function that executed the query.
api/execute-dql-query
; my/function
client.internal_service_context
experimental
A string that identifies the Dynatrace service that triggered the query.
stable
Dynatrace application that executed the query.
https://tenant.apps.dynatracelabs.com/ui/notebook/a0321331-795c-43e7-87cd-890e4bfa8a09
experimental
The number of records returned by the query. Might differ from the actual number of records delivered to the client due to the additional response size limits (max result bytes, max result records, etc.).
resource stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model.
Tags: permission
experimental
A Dynatrace environment/tenant ID.
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
deprecated
The duration of the query in milliseconds.
experimental
Number of failed queries represented by the record. failed_count > 1 represents cases like 'failure_reason=THROTTLED' with individual queries aggregated into a single record.
experimental
Additional information if query execution has 'FAILED'.
stable
Query end time. For aggregated events the query end time may be zero and not reflect the exact end time.
stable
The UUID identifying a particular query. For aggregated events this field is null.
e68e5cc8-c31e-4e57-90d7-c6dde20b19d5
experimental
The resource pool of the query.
deprecated
The time query spent in queued state (in milliseconds).
stable
Query start time. For failed queries the start time may be aggregated and not reflect the exact start time but rather the aggregation time.
experimental
The query string. For aggregated events this field is null.
fetch bizevents, from:-30m | limit 1
experimental
The sampling ratio of the executed query.
experimental
The number of scanned bytes.
experimental
Number of scanned data points for metric queries.
experimental
The number of scanned records.
experimental
The outcome of the query.
experimental
A Dynatrace Grail table name.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
experimental
The user ID that triggered the query. For aggregated events this field is null.
stable
The user email that triggered the query. For aggregated events this field is null.
stable
The user UUID that triggered the query. For aggregated events this field is null.
03962cb6-aefc-4ca0-bad9-326099a977fe
resource deprecated
Used in Extension Framework 2.0
The record version
Values
failure_reason
MUST be one of the following:
Query timed out before execution due to resource or tenant quota limit.
Query was rejected due to too many queries waiting in the queue. Reported either as records with full details or as aggregated batches with limited metadata.
Query cannot be parsed due to a syntax error.
Query cannot be parsed because it exceeds the complexity limit of the parser.
Query cannot be parsed due to an internal error.
Execution of the submitted query failed because of an internal error.
Query cannot be executed because the requester doesn't have permissions to a queried table.
Query execution was canceled because it exceeded the allowed running time.
Query execution was canceled because the memory usage limit was exceeded.
Query execution was canceled because the user-defined functions limit was exceeded.
Query execution was canceled because the record size limit was exceeded.
Query execution was canceled because the table size limit was exceeded.
Query execution was canceled because the condition of a failIf command was met.
Runtime Application Protection billing usage
Model describing a billing usage event for the Runtime Application Protection DPS capability.
Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage for Runtime Application Protection on 15-minute billing intervals.
Note that complete usage for events is displayed only for Dynatrace versions 1.312+. Earlier versions will display partial usage.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Runtime Application Protection"
| dedup event.id
stable
How many gibibyte hours of the capability have been consumed by the host.
resource stable
Can be used to assign usage to a Cost Center.
resource stable
Can be used to assign usage to a Product or Application ID.
resource stable
An entity ID of an entity of type HOST.
Tags: entity-id
resource stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model.
Tags: permission
stable
Unique identifier string of an event; is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
Runtime Application Protection
stable
Describes the version of the event.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
experimental
End time of the usage timeframe (exclusive).
2023-05-22T11:30:00.000000Z
experimental
Start time of the usage timeframe (inclusive).
2023-05-22T11:15:00.000000Z
Values
event.kind
MUST be one of the following:
event.provider
MUST be one of the following:
event.type
MUST be one of the following:
Runtime Application Protection
Runtime Application Protection
dt.security_context
MUST be one of the following:
Runtime Vulnerability Analytics billing usage
Model describing a billing usage event for the Runtime Vulnerability Analytics DPS capability.
Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage for Runtime Vulnerability Analytics on 15-minute billing intervals.
Note that complete usage for events is displayed only for Dynatrace versions 1.312+. Earlier versions will display partial usage.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Runtime Vulnerability Analytics"
| dedup event.id
stable
How many gibibyte hours of the capability have been consumed by the host.
resource stable
Can be used to assign usage to a Cost Center.
resource stable
Can be used to assign usage to a Product or Application ID.
resource stable
An entity ID of an entity of type HOST.
Tags: entity-id
resource stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model.
Tags: permission
stable
Unique identifier string of an event; is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
Runtime Vulnerability Analytics
stable
Describes the version of the event.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
experimental
End time of the usage timeframe (exclusive).
2023-05-22T11:30:00.000000Z
experimental
Start time of the usage timeframe (inclusive).
2023-05-22T11:15:00.000000Z
Values
event.kind
MUST be one of the following:
event.provider
MUST be one of the following:
event.type
MUST be one of the following:
Runtime Vulnerability Protection
Runtime Vulnerability Protection
dt.security_context
MUST be one of the following:
Security Posture Management Billing Usage
Model describing a billing usage event for Security Posture Management. Billing usage events are stored in the dt.system.events table.
Query
Analyze usage events for the "Security Posture Management" capability.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Security Posture Management"
| dedup event.id
dt.entity.kubernetes_cluster
resource stable
An entity ID of an entity of type KUBERNETES_CLUSTER.
Tags: entity-id
KUBERNETES_CLUSTER-E0D8F94D9065F24F
dt.entity.kubernetes_node
resource stable
An entity ID of an entity of type KUBERNETES_NODE.
Tags: entity-id
KUBERNETES_NODE-874C66B68CE15070
resource stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model.
Tags: permission
stable
Unique identifier string of an event; is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
Security Posture Management
stable
Describes the version of the event.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
Values
event.kind
MUST be one of the following:
event.provider
MUST be one of the following:
LIMA Usage Stream Service
event.type
MUST be one of the following:
Security Posture Management
Security Posture Management
dt.security_context
MUST be one of the following:
Traces - Ingest & Process billing usage
Model describing a billing usage event for ingest and process of traces. Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage events for the "Traces - Ingest & Process" capability.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Traces - Ingest & Process"
| dedup event.id
resource stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model.
Tags: permission
stable
Unique identifier string of an event; is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
Traces - Ingest & Process
stable
Describes the version of the event.
experimental
The size in bytes of ingested spans.
experimental
The number of ingested spans.
experimental
The origin/type of the ingested spans.
stable
Start time of the usage timeframe (inclusive).
2023-05-22T11:15:00.000000Z
experimental
End time of the usage timeframe (exclusive).
2023-05-22T11:30:00.000000Z
experimental
Start time of the usage timeframe (inclusive).
2023-05-22T11:15:00.000000Z
Values
event.kind
MUST be one of the following:
event.provider
MUST be one of the following:
event.type
MUST be one of the following:
Traces - Ingest & Process
Traces - Ingest & Process
dt.security_context
MUST be one of the following:
licensing_type
MUST be one of the following:
The ingested_bytes originate from an ATM-aware fullstack source.
The ingested_bytes originate from an ATM-unaware fullstack source.
The ingested_bytes originate from the "OTLP Trace Ingest API".
The ingested_bytes originate from a serverless source.
Traces - Query billing usage
Model describing a billing usage event of a traces query execution. Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage events.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Traces - Query"
stable
Indicates if the query was executed to fetch records or to delete them.
stable
The number of bytes that will be billed.
client.application_context
stable
A Dynatrace app ID.
local-dev-mode; dynatrace.notebooks; my.biz.carbon
stable
Name of the function that executed the query.
api/execute-dql-query; my/function
stable
Dynatrace application that executed the query.
https://tenant.apps.dynatracelabs.com/ui/notebook/a0321331-795c-43e7-87cd-890e4bfa8a09
resource stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model.
Tags: permission
stable
Unique identifier string of an event; is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
stable
Describes the version of the event.
stable
The UUID identifying a particular query.
e68e5cc8-c31e-4e57-90d7-c6dde20b19d5
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
stable
Unique UUID of a human user. If the system itself has to be represented, the constant 'system' is used.
35ba9499-f87c-4047-962c-14dc32e255e5; system
Values
event.kind
MUST be one of the following:
event.provider
MUST be one of the following:
LIMA Usage Stream Service
event.type
MUST be one of the following:
dt.security_context
MUST be one of the following:
Traces - Retain billing usage
Model describing the billing usage event for retention of events per Grail bucket. Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage events.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Traces - Retain"
stable
The number of bytes that will be billed.
resource stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model.
Tags: permission
stable
Unique identifier string of an event; is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
stable
Describes the version of the event.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
experimental
A Dynatrace Grail usage span bucket name.
deprecated
will be replaced by usage.bucket.
A Dynatrace Grail usage span bucket name.
Values
event.kind
MUST be one of the following:
event.provider
MUST be one of the following:
LIMA Usage Stream Service
event.type
MUST be one of the following:
dt.security_context
MUST be one of the following: