System event models

System events are used to store details about executed queries, auditing events, billing events and more. In order to query system events, you need the storage:system:read permission.

Query

Query system events.

fetch dt.system.events

Anomaly Detector Status Event

The anomaly detector status events are used for Davis anomaly detection. They track errors and warnings during the execution of an anomaly detector. Examples:

  • Query runs into a timeout
  • Query fails as unauthorized
  • Query result is truncated as the scanned bytes limit was reached

Query

Analyze anomaly detectors status events.

fetch dt.system.events
| filter event.kind == "ANOMALY_DETECTOR_STATUS_EVENT"
Attribute
Type
Description
Examples
client.application_context
string
stable
A Dynatrace app id
local-dev-mode; dynatrace.notebooks; my.biz.carbon
client.internal_service_context
string
experimental
A string that identifies the Dynatrace service that triggered the query.
dt.davis.datadriver
davis.anomaly_detector.message
string
experimental
Additional details about the anomaly detector status
Maximum number of concurrent queries per tenant reached.
davis.anomaly_detector.status
string
experimental
Severity of an anomaly detector status
ERROR; WARNING
dt.settings.object_id
string
experimental
The object ID of a settings value. This corresponds to the 'objectId' field/parameter in the Settings API.
vu9U3hXa3q0AAAABACFidWlsdGluOnJ1bS51c2VyLWV4cGVyaWVuY2Utc2NvcmUABnRlbmFudAAGdGVuYW50ACRhMzZmYmYwMy00NDY1LTNlNTYtOTZiOS1kOWMzOGQ3MzU1NmO-71TeFdrerQ
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
ANOMALY_DETECTOR_STATUS_EVENT
timestamp
timestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123

AppEngine Functions - Small billing usage

Model describing a billing usage event of function invocations. Billing usage events are stored in the dt.system.events table.

Query

Analyze billing usage events.

fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "AppEngine Functions - Small"
Attribute
Type
Description
Examples
billed_invocations
long
stable
Number of billed invocations. Unit is 1/4 GiB * min
8
caller.app.id
string
stable
The entity/app invoking the function or not set when not invoked by an app.
dynatrace.hub
caller.service.id
string
stable
The service invoking the function or not set when not invoked by a service.
AUTOMATION_ENGINE
dt.app.id
string
stable
The unique application identifier. Dynatrace apps are prefixed with 'dynatrace.', custom apps are prefixed with 'my.'
dynatrace.notebooks; my.awesome.app
dt.security_context
string
stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model
Tags: permission
BILLING_USAGE_EVENT
event.id
string
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
BILLING_USAGE_EVENT
event.provider
string
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
LIMA_USAGE_STREAM
event.type
string
stable
The unique type identifier of a given event.
Tags: permission
AppEngine Functions - Small
event.version
string
stable
Describes the version of the event.
1.0.0
function.duration_sec
long
stable
Duration of the function call in seconds. Measures not the actual execution time but the duration in the function proxy including network roundtrip to the Runtime. If the duration is bigger than the maximum allowed duration (which may happen due to technical reasons) the reported value is set to the maximum allowed duration.
60
function.execution_id
string
stable
If the execution of a resumable function last for more than 2 minutes, there will be multiple BILLING_USAGE_EVENTs created for that execution, which will have the same value in this field. It can therefore be used to join BILLING_USAGE_EVENTs for long running function invocations.
1bfa32fa-679e-4ac9-b683-2d2cdd4b6314
function.id
string
stable
The unique identifier of a function containing the app id and function id in the form of {app.id}.{function.id}. Missing for adhoc executions.
myapp.test/path/myfunction
function.memory_mib
long
stable
Runtime memory in MiB. Some of the memory is not available to the javascript code, because it is needed by the runtime itself.
128
function.type
string
stable
The identifier defining the function type.
STANDARD; ACTION; AD_HOC
timestamp
timestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123

Values

event.kind MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

event.provider MUST be one of the following:

Value
Description
LIMA_USAGE_STREAM
LIMA Usage Stream Service

event.type MUST be one of the following:

Value
Description
AppEngine Functions - Small
AppEngine Functions - Small

dt.security_context MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

function.type MUST be one of the following:

Value
Description
AD_HOC
Adhoc function execution
STANDARD
App function execution
ACTION
App function execution, but function is defined as an Action in the app manifest

Audit Event

For every API access, Dynatrace stores an audit event in the dt.system.events table.

Additionally the Audit Event allows to attach an arbitrary key/value map with string keys and string values to the event. Keys are prefixed with "details." during serialization.

Query

Analyze audit events.

fetch dt.system.events
| filter event.kind == "AUDIT_EVENT"
Attribute
Type
Description
Examples
app.id
string
deprecated
Deprecated
Deprecated. Use dt.app.id instead.
easytravel
authentication.client.id
string
experimental
The OAuth2 client id if of type 'CLIENT_CREDENTIALS'.
dt0s02.UZCK6ENL.2YQ2A3DZUEISRJSUU5544J3SC3TMPXSEEMNA5HK7RW54SJ6XKLYGMWJNKL7B2DNH
authentication.grant.type
string
experimental
The grant type used during OAuth2 authentication.
AUTHORIZATION_CODE; CLIENT_CREDENTIALS
authentication.token
string
experimental
The public token identifier of authentication.type 'TOKEN'.
dt0c01.AM4SEYKIBROBEJ2N3HAXZ4IX
authentication.type
string
experimental
The method of authentication.
OAUTH2
dt.app.id
string
stable
The unique application identifier. Dynatrace apps are prefixed with 'dynatrace.', custom apps are prefixed with 'my.'
dynatrace.notebooks; my.awesome.app
dt.security_context
string
stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model
Tags: permission
event.id
string
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
AUDIT_EVENT
event.outcome
string
stable
Denotes whether the event represents a success or a failure from the perspective of the entity that produced the event (e.g. an HTTP response code).
200; success; failure
event.provider
string
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
API_GATEWAY
event.reason
string
stable
Describes why a certain event.outcome was set, typically this is some form of error description in case if a failure
user is missing permission "logs.read"
event.type
string
stable
The unique type identifier of a given event.
Tags: permission
POST; PUT; GET
event.version
string
stable
Describes the version of the event.
1.0.0
origin.address
string
experimental
Source IP address of the request associated with this event if not of 'LOCAL' type.
10.11.12.13
origin.session
string
experimental
The id of the browser session (if present) associated with the event.
node0hfznc
origin.type
string
experimental
Origin type of the request associated with this event.
REST; LOCAL

Automation Workflow billing usage

Model describing a billing usage event of automation workflows. Billing usage events are stored in the dt.system.events table.

Query

Analyze billing usage events for AutomationEngine workflows.

fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Automation Workflow"
Attribute
Type
Description
Examples
dt.security_context
string
stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model
Tags: permission
BILLING_USAGE_EVENT
event.end
string
stable
The event end timestamp in UTC (given in Grail preferred Linux timestamp nano precision format).
16481073970000
event.id
string
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
BILLING_USAGE_EVENT
event.provider
string
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
LIMA_USAGE_STREAM
event.start
string
stable
The event start timestamp in UTC (given in Grail preferred Linux timestamp nano precision format).
16481073970000
event.type
string
stable
The unique type identifier of a given event.
Tags: permission
Automation Workflow
event.version
string
stable
Describes the version of the event.
1.0.0
timestamp
timestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123
workflow.actor
string
stable
The entity executing the workflow as UUID.
b22a50a0-2540-4f29-9452-bc330322fb1e
workflow.created_at
timestamp
stable
The time when the workflow was created.
1649822520123123123
workflow.description
string
stable
The description of the workflow.
This is a test workflow
workflow.id
string
stable
The unique identifier of a workflow as UUID.
26c0334e-a3e1-4585-8cd8-2d72742fe141
workflow.is_private
string
stable
The boolean identifier denoting the visibility of the workflow.
true; false
workflow.owner
string
stable
The entity owning the workflow as UUID.
f1358516-8136-4634-9012-d2e3dfee38dc

Values

event.kind MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

event.provider MUST be one of the following:

Value
Description
LIMA_USAGE_STREAM
LIMA Usage Stream Service

event.type MUST be one of the following:

Value
Description
Automation Workflow
Automation Workflow

dt.security_context MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

AutomationEngine action execution event

Model describing an AutomationEngine action execution event. Action execution events are stored in the dt.system.events table.

Query

AutomationEngine action execution state change.

fetch dt.system.events
| filter event.kind == "WORKFLOW_EVENT" and event.provider == "AUTOMATION_ENGINE" and event.type =="ACTION_EXECUTION"
Attribute
Type
Description
Examples
dt.automation_engine.action.app
string
experimental
The app id of the app containing the executed action.
dynatrace.workflows
dt.automation_engine.action.function
string
experimental
Name of the function implementing the action.
task_1
dt.automation_engine.action_execution.id
string
experimental
The unique identifier of a action execution as UUID.
23e7b55a-884f-4497-8ad6-8d49d52b4348
dt.automation_engine.action_execution.loop.index
long
experimental
Loop index of the action execution.
dt.automation_engine.action_execution.retry.count
long
experimental
Retry count of the action execution.
dt.automation_engine.state
string
experimental
The state of an execution. Values depend on type of execution (workflow-, task-, or action execution).
RUNNING; SUCCESS; ERROR
dt.automation_engine.state.is_final
boolean
experimental
Indicates if dt.automation_engine.state is a final and immutable state or if further processing will happen.
true; false
dt.automation_engine.state_info
string
experimental
Additional info about current state of execution. Typically holds error details.
ERROR
dt.automation_engine.task.name
string
experimental
The identifier of a task within a workflow.
task_1
dt.automation_engine.task_execution.id
string
experimental
The unique identifier of a task execution as UUID.
6580d4af-6b1f-4e54-92fa-f47e94507acd
dt.automation_engine.workflow.id
string
experimental
The unique identifier of a workflow as UUID.
26c0334e-a3e1-4585-8cd8-2d72742fe141
dt.automation_engine.workflow.title
string
experimental
The title of the workflow.
My Workflow
dt.automation_engine.workflow_execution.id
string
experimental
The unique identifier of a workflow execution as UUID.
737a248b-d1cb-49a4-bf08-7d4c37dbfb1e
dt.openpipeline.pipelines
string[]
experimental
Collects the identifiers of all pipelines through which a record has passed during the ingestion process in OpenPipeline, providing a complete trace of its journey.
[[logs:default], [logs:pipeline_haproxy_2656, bizevents:default]]
dt.openpipeline.source
string
experimental
Identifies the source (such as API endpoints or OneAgent) used for ingesting the record into OpenPipeline.
/platform/ingest/v1/events; oneagent
duration
duration
stable
The difference of start_time and end_time in nanoseconds.
42
end_time
timestamp
stable
End time of a data point. Value is a UNIX Epoch time in nanoseconds and greater or equal to the start_time.
1649822520123123165
event.id
string
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
WORKFLOW_EVENT
event.provider
string
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
AUTOMATION_ENGINE

Values

event.kind MUST be one of the following:

Value
Description
WORKFLOW_EVENT
Event in context of a workflow

event.provider MUST be one of the following:

Value
Description
AUTOMATION_ENGINE
Event produced by AutomationEngine

event.type MUST be one of the following:

Value
Description
ACTION_EXECUTION
Task execution state change event

dt.automation_engine.state MUST be one of the following:

Value
Description
RUNNING
Action execution started.
SUCCESS
Action execution finished successfully.
ERROR
Action execution failed.

AutomationEngine task execution event

Model describing an AutomationEngine task execution event. Task execution events are stored in the dt.system.events table.

Query

AutomationEngine task execution state change.

fetch dt.system.events
| filter event.kind == "WORKFLOW_EVENT" and event.provider == "AUTOMATION_ENGINE" and event.type =="TASK_EXECUTION"
Attribute
Type
Description
Examples
dt.automation_engine.state
string
experimental
The state of an execution. Values depend on type of execution (workflow-, task-, or action execution).
RUNNING; SUCCESS; ERROR
dt.automation_engine.state.is_final
boolean
experimental
Indicates if dt.automation_engine.state is a final and immutable state or if further processing will happen.
true; false
dt.automation_engine.state_info
string
experimental
Additional info about current state of execution. Typically holds error details.
ERROR
dt.automation_engine.task.name
string
experimental
The identifier of a task within a workflow.
task_1
dt.automation_engine.task_execution.id
string
experimental
The unique identifier of a task execution as UUID.
6580d4af-6b1f-4e54-92fa-f47e94507acd
dt.automation_engine.workflow.id
string
experimental
The unique identifier of a workflow as UUID.
26c0334e-a3e1-4585-8cd8-2d72742fe141
dt.automation_engine.workflow.title
string
experimental
The title of the workflow.
My Workflow
dt.automation_engine.workflow_execution.id
string
experimental
The unique identifier of a workflow execution as UUID.
737a248b-d1cb-49a4-bf08-7d4c37dbfb1e
dt.openpipeline.pipelines
string[]
experimental
Collects the identifiers of all pipelines through which a record has passed during the ingestion process in OpenPipeline, providing a complete trace of its journey.
[[logs:default], [logs:pipeline_haproxy_2656, bizevents:default]]
dt.openpipeline.source
string
experimental
Identifies the source (such as API endpoints or OneAgent) used for ingesting the record into OpenPipeline.
/platform/ingest/v1/events; oneagent
duration
duration
stable
The difference of start_time and end_time in nanoseconds.
42
end_time
timestamp
stable
End time of a data point. Value is a UNIX Epoch time in nanoseconds and greater or equal to the start_time.
1649822520123123165
event.id
string
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
WORKFLOW_EVENT
event.provider
string
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
AUTOMATION_ENGINE
event.type
string
stable
The unique type identifier of a given event.
Tags: permission
TASK_EXECUTION
start_time
timestamp
stable
Start time of a data point. Value is a UNIX Epoch time in nanoseconds and less or equal to the end_time.
1649822520123123123

Values

event.kind MUST be one of the following:

Value
Description
WORKFLOW_EVENT
Event in context of a workflow

event.provider MUST be one of the following:

Value
Description
AUTOMATION_ENGINE
Event produced by AutomationEngine

event.type MUST be one of the following:

Value
Description
TASK_EXECUTION
Task execution state change event

dt.automation_engine.state MUST be one of the following:

Value
Description
SKIPPED
Task skipped due to task conditions evaluation or task is disabled.
DISCARDED
Task discarded due to predecessor task conditions evaluation.
WAITING
Task waiting due to e.g. task option configuration.
RUNNING
Task execution has running action execution.
SUCCESS
Task execution finished successfully.
CANCELLED
Task execution cancelled manually/by API request.
ERROR
Task execution finished due to at least one failed action execution and no retries configured/left to process.

AutomationEngine workflow execution event

Model describing an AutomationEngine workflow execution event. Workflow execution events are stored in the dt.system.events table.

Query

AutomationEngine workflow execution state change.

fetch dt.system.events
| filter event.kind == "WORKFLOW_EVENT" and event.provider == "AUTOMATION_ENGINE" and event.type =="WORKFLOW_EXECUTION"
Attribute
Type
Description
Examples
dt.automation_engine.state
string
experimental
The state of an execution. Values depend on type of execution (workflow-, task-, or action execution).
RUNNING; SUCCESS; ERROR
dt.automation_engine.state.is_final
boolean
experimental
Indicates if dt.automation_engine.state is a final and immutable state or if further processing will happen.
true; false
dt.automation_engine.workflow.id
string
experimental
The unique identifier of a workflow as UUID.
26c0334e-a3e1-4585-8cd8-2d72742fe141
dt.automation_engine.workflow.title
string
experimental
The title of the workflow.
My Workflow
dt.automation_engine.workflow.type
string
experimental
Workflow type, either SIMPLE or STANDARD, where SIMPLE comes with restrictions.
SIMPLE; STANDARD
dt.automation_engine.workflow_execution.id
string
experimental
The unique identifier of a workflow execution as UUID.
737a248b-d1cb-49a4-bf08-7d4c37dbfb1e
dt.automation_engine.workflow_execution.trigger.type
string
experimental
The identifier describing the trigger of the workflow.
Schedule; Event; Manual
dt.automation_engine.workflow_execution.trigger.user.id
string
experimental
The unique identifier of the user who triggered the workflow execution manually/via API.
dad18fa7-3c11-40a1-b760-1d8281bb5dcc
dt.openpipeline.pipelines
string[]
experimental
Collects the identifiers of all pipelines through which a record has passed during the ingestion process in OpenPipeline, providing a complete trace of its journey.
[[logs:default], [logs:pipeline_haproxy_2656, bizevents:default]]
dt.openpipeline.source
string
experimental
Identifies the source (such as API endpoints or OneAgent) used for ingesting the record into OpenPipeline.
/platform/ingest/v1/events; oneagent
duration
duration
stable
The difference of start_time and end_time in nanoseconds.
42
end_time
timestamp
stable
End time of a data point. Value is a UNIX Epoch time in nanoseconds and greater or equal to the start_time.
1649822520123123165
event.id
string
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
WORKFLOW_EVENT
event.provider
string
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
AUTOMATION_ENGINE
event.type
string
stable
The unique type identifier of a given event.
Tags: permission
WORKFLOW_EXECUTION
start_time
timestamp
stable
Start time of a data point. Value is a UNIX Epoch time in nanoseconds and less or equal to the end_time.
1649822520123123123

Values

event.kind MUST be one of the following:

Value
Description
WORKFLOW_EVENT
Event in context of a workflow

event.provider MUST be one of the following:

Value
Description
AUTOMATION_ENGINE
Event produced by AutomationEngine

event.type MUST be one of the following:

Value
Description
WORKFLOW_EXECUTION
Workflow execution state change event

dt.automation_engine.state MUST be one of the following:

Value
Description
RUNNING
Workflow execution started.
SUCCESS
Workflow execution finished successfully.
ERROR
Workflow execution failed due to at least one branch with a failed task without an on error successor.
CANCELLED
Workflow execution cancelled manually/by API request.

Data Deletion Events

Dynatrace stores a data deletion event for each segment that got rewritten in the dt.system.events table.

Query

Analyze data deletion events.

fetch dt.system.events
| filter event.kind == "DATA_DELETION_EVENT"
Attribute
Type
Description
Examples
bucket
string
experimental
A Dynatrace Grail bucket name
default_logs; default_events
client.api_version
string
stable
The REST API version used by the client to perform the request
1
deletion_end
long
experimental
End of a particular deletion
1649822520123123123
deletion_id
string
experimental
Internal deletion request UUID
c454347c-0ba9-4bd3-870e-d06dc1657f71
deletion_start
long
experimental
Start of a particular deletion
1649822520123123123
dt.security_context
string
stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model
Tags: permission
environment
string
experimental
A Dynatrace environment/tenant ID
umsaywsjuo
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
DATA_DELETION_EVENT
failure_reason
string
experimental
Additional information if query execution has 'FAILED'.
QUEUE_TIMEOUT; THROTTLED
query_string
string
experimental
The query string
fetch bizevents, from:-30m | limit 1
rewritten_bytes
long
experimental
The number of rewritten bytes in the context of record deletion
1113359256
status
string
experimental
The outcome of the query
SUCCEEDED
task.id
string
experimental
Deletion task UUID returned by API
03962cb6-aefc-4ca0-bad9-326099a977fe
timestamp
timestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123
user.email
string
stable
E-mail of the user.
user@mail.com
user.id
string
stable
Unique UUID of a human user. If the system itself has to be represented, the constant 'system' is used.
35ba9499-f87c-4047-962c-14dc32e255e5; system
version
string
deprecated
Used in Extension Framework 2.0
The SNMP version.
SNMPv3

Dynatrace Self-monitoring Event

Events that are generated by Dynatrace components with self-monitoring information (health, status, unexpected situations)

Fields

Attribute
Type
Description
Examples
content
string
experimental
Unstructured content of the record. It should contain human readable message. Often it is raw version of record read from a source.
No keepalive from datasource statsd. Restarting
dt.active_gate.group.name
string
experimental
The name of group ActiveGate instance belongs to
GdanskLab
dt.entity.host
string
stable
An entity ID of an entity of type HOST.
Tags: entity-id
HOST-E0D8F94D9065F24F
dt.event.key
string
experimental
Preregistered event key for sfm events whitelisting
extension.status; extension.engine.eec_status
dt.extension.config.id
string
experimental
Extension's monitoring configuration identifier.
vu9U3hXa3q0AAAABAAtleHQ6ZXh0LTA0MAAIYWdfZ3JvdXAAA0FHMQAkMjY2YTIyM2YtZDgxYi0zNTNjLThlYzctYzk2YzliZjg4OGQ3vu9U3hXa3q0
dt.extension.ds
string
experimental
Name of the data source.
SNMPTrap
dt.extension.name
string
experimental
Name of the extension.
com.snmptrap.generic
dt.extension.status
string
experimental
The status of the component reporting SFM event
AUTHENTICATION_ERROR
dt.source_entity
string
stable
The ID of the entity considered the source of the measurement. The string needs to be in the format of any MONITORED_ENTITY type. 1
Tags: entity-id
HOST-E0D8F94D9065F24F; PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F
log.source
string
stable
Human-readable attribute that identifies a log stream. 2
Tags: permission
dsfm; isfm
timestamp
timestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123
1

Value of this attribute will be based on one of dt.entity.<type> attributes value. That means that both attributes dt.source_entity and corresponding dt.entity.<type> will be set to the same ID.

2

Can contain, for example, a file path, standard output, or an URI etc., depending on the log stream type. The value should be stable for one logical source (for example, not affected by log file rotation digits).

Events - Ingest & Process billing usage

Model describing a billing usage event of ingest for events. Billing usage events are stored in the dt.system.events table.

Query

Analyze billing usage events for the "Events - Ingest & Process" capability.

fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Events - Ingest & Process"
| dedup event.id
Attribute
Type
Description
Examples
billed_bytes
long
stable
The number of bytes that will be billed.
1113359256
dt.security_context
string
stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model
Tags: permission
BILLING_USAGE_EVENT
event.billing.category
string
stable
Display name for usage details
Business events; Custom Davis & Kubernetes events; Kubernetes warning events; Davis AI problems; Security events
event.id
string
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
BILLING_USAGE_EVENT
event.provider
string
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
LIMA_CLIENT
event.type
string
stable
The unique type identifier of a given event.
Tags: permission
Events - Ingest & Process
event.version
string
stable
Describes the version of the event.
1.0.0
timestamp
timestamp
stable
Start time of the usage timeframe (inclusive)
2023-05-22T11:15:00.000000Z
usage.bucket
string
experimental
A Dynatrace Grail usage event bucket name.
default_davis_custom_events
usage.end
timestamp
experimental
End time of the usage timeframe (exclusive)
2023-05-22T11:30:00.000000Z
usage.event_bucket
string
deprecated
will be replaced by usage.bucket.
A Dynatrace Grail usage event bucket name.
default_davis_custom_events
usage.start
timestamp
experimental
Start time of the usage timeframe (inclusive)
2023-05-22T11:15:00.000000Z

Values

event.kind MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

event.provider MUST be one of the following:

Value
Description
LIMA_CLIENT
LIMA Client Service

event.type MUST be one of the following:

Value
Description
Events - Ingest & Process
Events - Ingest & Process

dt.security_context MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

Events - Query billing usage

Model describing a billing usage event of a events query execution. Billing usage events are stored in the dt.system.events table.

Query

Analyze billing usage events.

fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Events - Query"
Attribute
Type
Description
Examples
action_type
string
stable
Indicates if the query was executed to fetch records or to delete them
QUERY; DELETION
billed_bytes
long
stable
The number of bytes that will be billed.
1113359256
client.application_context
string
stable
A Dynatrace app id
local-dev-mode; dynatrace.notebooks; my.biz.carbon
client.function_context
string
stable
Name of the function that executed the query
api/execute-dql-query; my/function
client.source
string
stable
Dynatrace application by which query was executed
https://tenant.apps.dynatracelabs.com/ui/notebook/a0321331-795c-43e7-87cd-890e4bfa8a09
dt.security_context
string
stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model
Tags: permission
BILLING_USAGE_EVENT
event.billing.category
string
stable
Display name for usage details
Business events; Custom Davis & Kubernetes events; Kubernetes warning events; Davis AI problems; Security events
event.id
string
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
BILLING_USAGE_EVENT
event.provider
string
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
LIMA_USAGE_STREAM
event.type
string
stable
The unique type identifier of a given event.
Tags: permission
Events - Query
event.version
string
stable
Describes the version of the event.
1.0; 2.0
query_id
string
stable
The UUID identifying a particular query
e68e5cc8-c31e-4e57-90d7-c6dde20b19d5
query_start
long
stable
Query start time
1683012271413
timestamp
timestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123
usage.bucket
string
experimental
A Dynatrace Grail usage event bucket name.
default_bizevents; default_davis_custom_events

Values

event.kind MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

event.provider MUST be one of the following:

Value
Description
LIMA_USAGE_STREAM
LIMA Usage Stream Service

event.type MUST be one of the following:

Value
Description
Events - Query
Events Query Execution

dt.security_context MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

Events - Retain billing usage

Model describing the billing usage event for retention of events per Grail bucket. Billing usage events are stored in the dt.system.events table.

Query

Analyze billing usage events.

fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Events - Retain"
Attribute
Type
Description
Examples
billed_bytes
long
stable
The number of bytes that will be billed.
1113359256
dt.security_context
string
stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model
Tags: permission
BILLING_USAGE_EVENT
event.billing.category
string
stable
Display name for usage details
Business events; Custom Davis & Kubernetes events; Kubernetes warning events; Davis AI problems; Security events
event.id
string
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
BILLING_USAGE_EVENT
event.provider
string
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
LIMA_USAGE_STREAM
event.type
string
stable
The unique type identifier of a given event.
Tags: permission
Event - Retain
event.version
string
stable
Describes the version of the event.
1.0.0
timestamp
timestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123
usage.bucket
string
experimental
A Dynatrace Grail usage event bucket name.
default_bizevents; default_davis_custom_events
usage.event_bucket
string
deprecated
will be replaced by usage.bucket.
A Dynatrace Grail usage event bucket name.
default_bizevents; default_davis_custom_events

Values

event.kind MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

event.provider MUST be one of the following:

Value
Description
LIMA_USAGE_STREAM
LIMA Usage Stream Service

event.type MUST be one of the following:

Value
Description
Events - Retain
Events Retain

dt.security_context MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

Log Management & Analytics - Query billing usage

Model describing a billing usage event of a logs query execution. Billing usage events are stored in the dt.system.events table.

Query

Analyze billing usage events.

fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Log Management & Analytics - Query"
Attribute
Type
Description
Examples
action_type
string
stable
Indicates if the query was executed to fetch records or to delete them
QUERY; DELETION
billed_bytes
long
stable
The number of bytes that will be billed.
1113359256
client.application_context
string
stable
A Dynatrace app id
local-dev-mode; dynatrace.notebooks; my.biz.carbon
client.function_context
string
stable
Name of the function that executed the query
api/execute-dql-query; my/function
client.source
string
stable
Dynatrace application by which query was executed
https://tenant.apps.dynatracelabs.com/ui/notebook/a0321331-795c-43e7-87cd-890e4bfa8a09
dt.security_context
string
stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model
Tags: permission
BILLING_USAGE_EVENT
event.id
string
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
BILLING_USAGE_EVENT
event.provider
string
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
LIMA_USAGE_STREAM
event.type
string
stable
The unique type identifier of a given event.
Tags: permission
Log Management & Analytics - Query
event.version
string
stable
Describes the version of the event.
1.0
query_id
string
stable
The UUID identifying a particular query
e68e5cc8-c31e-4e57-90d7-c6dde20b19d5
query_start
long
stable
Query start time
1683012271413
timestamp
timestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123
user.email
string
stable
E-mail of the user.
user@mail.com

Values

event.kind MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

event.provider MUST be one of the following:

Value
Description
LIMA_USAGE_STREAM
LIMA Usage Stream Service

event.type MUST be one of the following:

Value
Description
Log Management & Analytics - Query
Logs Query Execution

dt.security_context MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

Log Management & Analytics - Retain billing usage

Model describing the billing usage event for retention of events per Grail bucket. Billing usage events are stored in the dt.system.events table.

Query

Fetch Log Management & Analytics - Retain billing usage events.

fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Log Management & Analytics - Retain"
Attribute
Type
Description
Examples
billed_bytes
long
stable
The number of bytes that will be billed.
1113359256
dt.security_context
string
stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model
Tags: permission
BILLING_USAGE_EVENT
event.id
string
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
BILLING_USAGE_EVENT
event.provider
string
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
LIMA_USAGE_STREAM
event.type
string
stable
The unique type identifier of a given event.
Tags: permission
Log Management & Analytics - Retain
event.version
string
stable
Describes the version of the event.
1.0.0
timestamp
timestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123
usage.bucket
string
experimental
A Dynatrace Grail usage log bucket name.
default_logs
usage.event_bucket
string
deprecated
will be replaced by usage.bucket.
A Dynatrace Grail usage log bucket name.
default_logs

Values

event.kind MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

event.provider MUST be one of the following:

Value
Description
LIMA_USAGE_STREAM
LIMA Usage Stream Service

event.type MUST be one of the following:

Value
Description
Log Management & Analytics - Retain
Logs Retain

dt.security_context MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

Log Management and Analytics - Retain with Included Queries billing usage

Model describing the billing usage event for retention of events per Grail bucket. Billing usage events are stored in the dt.system.events table.

Query

Fetch Log Management and Analytics - Retain with Included Queries usage events.

fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Log Management and Analytics - Retain with Included Queries"
Attribute
Type
Description
Examples
billed_bytes
long
stable
The number of bytes that will be billed.
1113359256
dt.security_context
string
stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model
Tags: permission
BILLING_USAGE_EVENT
event.id
string
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074qi_1647601320000
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
BILLING_USAGE_EVENT
event.provider
string
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
LIMA_USAGE_STREAM
event.type
string
stable
The unique type identifier of a given event.
Tags: permission
Log Management and Analytics - Retain with Included Queries
event.version
string
stable
Describes the version of the event.
1.0.0
timestamp
timestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123
usage.bucket
string
experimental
A Dynatrace Grail usage log bucket name.
default_logs

Values

event.kind MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

event.provider MUST be one of the following:

Value
Description
LIMA_USAGE_STREAM
LIMA Usage Stream Service

event.type MUST be one of the following:

Value
Description
Log Management and Analytics - Retain with Included Queries
Retain with Included Queries

dt.security_context MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

Metrics - Ingest & Process billing usage

Model describing a billing usage event of ingest & process for metrics. Billing usage events are stored in the dt.system.events table.

Query

Analyze billing usage events.

fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Metrics - Ingest & Process"
Attribute
Type
Description
Examples
data_points
long
stable
The number of billable metrics data points.
1500
dt.security_context
string
stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model
Tags: permission
BILLING_USAGE_EVENT
event.id
string
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
BILLING_USAGE_EVENT
event.provider
string
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
LIMA_USAGE_STREAM
event.type
string
stable
The unique type identifier of a given event.
Tags: permission
Metrics - Ingest & Process
event.version
string
stable
Describes the version of the event.
1.0.0
metric.type
string
stable
Identifies the type of metric and therefore the timeseries rollup functions it supports.
summary_stats
monitoring_source
string
stable
Monitoring source that originally reported the data. See 'dt.system.monitoring_source'.
fullstack_host
timestamp
timestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123
usage.bucket
string
experimental
A Dynatrace Grail usage metrics bucket name.
default_metrics
usage.end
timestamp
experimental
End time of the usage timeframe (exclusive)
2023-05-22T11:30:00.000000Z
usage.event_bucket
string
deprecated
will be replaced by usage.bucket.
A Dynatrace Grail usage metrics bucket name.
default_metrics
usage.start
timestamp
experimental
Start time of the usage timeframe (inclusive)
2023-05-22T11:15:00.000000Z

Values

event.kind MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

event.provider MUST be one of the following:

Value
Description
LIMA_USAGE_STREAM
LIMA Usage Stream Service

event.type MUST be one of the following:

Value
Description
Metrics - Ingest & Process
Metrics - Ingest & Process

dt.security_context MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

Metrics - Retain billing usage

Model describing the billing usage event for retention of metrics per Grail bucket. Billing usage events are stored in the dt.system.events table.

Query

Fetch Metrics Retain billing usage events.

fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Metrics - Retain"
Attribute
Type
Description
Examples
billed_bytes
long
stable
The number of bytes that will be billed.
1113359256
dt.security_context
string
stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model
Tags: permission
BILLING_USAGE_EVENT
event.id
string
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
BILLING_USAGE_EVENT
event.provider
string
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
LIMA_USAGE_STREAM
event.type
string
stable
The unique type identifier of a given event.
Tags: permission
Metrics - Retain
event.version
string
stable
Describes the version of the event.
1.0.0
timestamp
timestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123
usage.bucket
string
experimental
A Dynatrace Grail usage metric bucket name.
default_metrics

Values

event.kind MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

event.provider MUST be one of the following:

Value
Description
LIMA_USAGE_STREAM
LIMA Usage Stream Service

event.type MUST be one of the following:

Value
Description
Metrics - Retain
Metrics Retain

dt.security_context MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

Query Execution Events

Dynatrace stores a query execution event for each query that got executed in the dt.system.events table.

Query

Analyze query execution events.

fetch dt.system.events
| filter event.kind == "QUERY_EXECUTION_EVENT"

The amount of succeeded queries.

fetch dt.system.events
| filter event.kind == "QUERY_EXECUTION_EVENT"
| filter status == "SUCCEEDED"
| summarize countDistinct(query_id)

The amount of failed queries.

fetch dt.system.events
| filter event.kind == "QUERY_EXECUTION_EVENT"
| summarize sum(failed_count)
Attribute
Type
Description
Examples
analysis_timeframe.end
timestamp
experimental
End time of query analysis timeframe
2023-05-22T13:15:57.416654000
analysis_timeframe.start
timestamp
experimental
Start time of query analysis timeframe
2023-05-22T11:15:57.416654000
bucket
string
experimental
A Dynatrace Grail bucket name
default_logs; default_events
client.api_version
string
stable
The REST API version used by the client to perform the request
1
client.application_context
string
stable
A Dynatrace app id
local-dev-mode; dynatrace.notebooks; my.biz.carbon
client.function_context
string
stable
Name of the function that executed the query
api/execute-dql-query; my/function
client.internal_service_context
string
experimental
A string that identifies the Dynatrace service that triggered the query.
dt.davis.datadriver
client.source
string
stable
Dynatrace application by which query was executed
https://tenant.apps.dynatracelabs.com/ui/notebook/a0321331-795c-43e7-87cd-890e4bfa8a09
delivered_records
long
experimental
The number of records returned by the query
1000
dt.security_context
string
stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model
Tags: permission
environment
string
experimental
A Dynatrace environment/tenant ID
umsaywsjuo
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
QUERY_EXECUTION_EVENT
execution_duration_ms
long
deprecated
The duration of the query in milliseconds.
123
failed_count
long
experimental
Number of failed queries represented by the record. failed_count > 1 represents cases like 'failure_reason=THROTTLED' with individual queries aggregated into a single record.
1; 321
failure_reason
string
experimental
Additional information if query execution has 'FAILED'.
QUEUE_TIMEOUT; THROTTLED
query_end
long
stable
Query end time. For aggregated events the query end time may be zero and not reflect the exact end time.
1683012271413
query_id
string
stable
The UUID identifying a particular query. For aggregated events this field is null.
e68e5cc8-c31e-4e57-90d7-c6dde20b19d5
query_pool
string
experimental
The resource pool of the query
DASHBOARDS
query_queue_time_ms
long
deprecated
The time query spent in queued state (in milliseconds).
456
query_start
long
stable
Query start time. For failed queries the start time may be aggregated and not reflect the exact start time but rather the aggregation time.
1683012271413
query_string
string
experimental
The query string. For aggregated events this field is null.
fetch bizevents, from:-30m | limit 1

Values

failure_reason MUST be one of the following:

Value
Description
QUEUE_TIMEOUT
Query timed out before execution due to resource or tenant quota limit
THROTTLED
Query was rejected due to too many queries waiting in the queue. Reported either as records with full details or as aggregated batches with limited metadata.
INVALID_QUERY
Query is invalid.
PARSING_FAILED
Query cannot be parsed because of syntax error or it is too complex
EXECUTION_FAILED
Execution of the submitted query failed because of internal an error.
INSUFFICIENT_PERMISSIONS
Query cannot be executed because the requester doesn't have permissions to a queried table.
EXECUTION_TIMEOUT
Query execution was canceled because it exceeded the allowed running time .
FUNCTION_LIMIT
Query execution was canceled because of user-defined functions limit is exceeded.
RECORD_SIZE_LIMIT
Query execution was canceled because record size limit is exceeded.
TABLE_SIZE_LIMIT
Query execution was canceled because table size limit is exceeded.
FAILIF_CONDITION
Query execution was canceled because the condition of a failIf command was met.

Security Posture Management Billing Usage

Model describing a billing usage event for Security Posture Management. Billing usage events are stored in the dt.system.events table.

Query

Analyze usage events for the "Security Posture Management" capability.

fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Security Posture Management"
| dedup event.id
Attribute
Type
Description
Examples
dt.entity.kubernetes_cluster
string
stable
An entity ID of an entity of type KUBERNETES_CLUSTER.
Tags: entity-id
KUBERNETES_CLUSTER-E0D8F94D9065F24F
dt.entity.kubernetes_node
string
stable
An entity ID of an entity of type KUBERNETES_NODE.
Tags: entity-id
KUBERNETES_NODE-874C66B68CE15070
dt.security_context
string
stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model
Tags: permission
BILLING_USAGE_EVENT
event.id
string
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
BILLING_USAGE_EVENT
event.provider
string
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
LIMA_USAGE_STREAM
event.type
string
stable
The unique type identifier of a given event.
Tags: permission
Security Posture Management
event.version
string
stable
Describes the version of the event.
1.0.0
timestamp
timestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123

Values

event.kind MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

event.provider MUST be one of the following:

Value
Description
LIMA_USAGE_STREAM
LIMA Usage Stream Service

event.type MUST be one of the following:

Value
Description
Security Posture Management
Security Posture Management

dt.security_context MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

Traces - Ingest & Process billing usage

Model describing a billing usage event for ingest and process of traces. Billing usage events are stored in the dt.system.events table.

Query

Analyze billing usage events for the "Traces - Ingest & Process" capability.

fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Traces - Ingest & Process"
| dedup event.id
Attribute
Type
Description
Examples
dt.security_context
string
stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model
Tags: permission
BILLING_USAGE_EVENT
event.id
string
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
BILLING_USAGE_EVENT
event.provider
string
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
LIMA_CLIENT
event.type
string
stable
The unique type identifier of a given event.
Tags: permission
Traces - Ingest & Process
event.version
string
stable
Describes the version of the event.
1.0.0
ingested_bytes
long
experimental
The size in bytes of ingested spans.
1113359256
ingested_spans
long
experimental
The number of ingested spans.
1113359256
licensing_type
string
experimental
The origin/type of the ingested spans.
fullstack-adaptive
timestamp
timestamp
stable
Start time of the usage timeframe (inclusive)
2023-05-22T11:15:00.000000Z
usage.end
timestamp
experimental
End time of the usage timeframe (exclusive)
2023-05-22T11:30:00.000000Z
usage.start
timestamp
experimental
Start time of the usage timeframe (inclusive)
2023-05-22T11:15:00.000000Z

Values

event.kind MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

event.provider MUST be one of the following:

Value
Description
LIMA_CLIENT
LIMA Client Service

event.type MUST be one of the following:

Value
Description
Traces - Ingest & Process
Traces - Ingest & Process

dt.security_context MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

licensing_type MUST be one of the following:

Value
Description
fullstack-adaptive
The ingested_bytes origins from an ATM aware fullstack source.
fullstack-fixed-rate
The ingested_bytes origins from an ATM unaware fullstack source.
otlp-trace-ingest
The ingested_bytes origins from the "OTLP Trace Ingest API".
serverless
The ingested_bytes origins from a serverless source.

Traces - Query billing usage

Model describing a billing usage event of a traces query execution. Billing usage events are stored in the dt.system.events table.

Query

Analyze billing usage events.

fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Traces - Query"
Attribute
Type
Description
Examples
action_type
string
stable
Indicates if the query was executed to fetch records or to delete them
QUERY; DELETION
billed_bytes
long
stable
The number of bytes that will be billed.
1113359256
client.application_context
string
stable
A Dynatrace app id
local-dev-mode; dynatrace.notebooks; my.biz.carbon
client.function_context
string
stable
Name of the function that executed the query
api/execute-dql-query; my/function
client.source
string
stable
Dynatrace application by which query was executed
https://tenant.apps.dynatracelabs.com/ui/notebook/a0321331-795c-43e7-87cd-890e4bfa8a09
dt.security_context
string
stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model
Tags: permission
BILLING_USAGE_EVENT
event.id
string
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
BILLING_USAGE_EVENT
event.provider
string
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
LIMA_USAGE_STREAM
event.type
string
stable
The unique type identifier of a given event.
Tags: permission
Traces - Query
event.version
string
stable
Describes the version of the event.
1.0
query_id
string
stable
The UUID identifying a particular query
e68e5cc8-c31e-4e57-90d7-c6dde20b19d5
query_start
long
stable
Query start time
1683012271413
timestamp
timestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123
user.email
string
stable
E-mail of the user.
user@mail.com

Values

event.kind MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

event.provider MUST be one of the following:

Value
Description
LIMA_USAGE_STREAM
LIMA Usage Stream Service

event.type MUST be one of the following:

Value
Description
Traces - Query
Traces Query Execution

dt.security_context MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

Traces - Retain billing usage

Model describing the billing usage event for retention of events per Grail bucket. Billing usage events are stored in the dt.system.events table.

Query

Analyze billing usage events.

fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Traces - Retain"
Attribute
Type
Description
Examples
billed_bytes
long
stable
The number of bytes that will be billed.
1113359256
dt.security_context
string
stable
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model
Tags: permission
BILLING_USAGE_EVENT
event.id
string
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
BILLING_USAGE_EVENT
event.provider
string
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
LIMA_USAGE_STREAM
event.type
string
stable
The unique type identifier of a given event.
Tags: permission
Traces - Retain
event.version
string
stable
Describes the version of the event.
1.0.0
timestamp
timestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123
usage.bucket
string
experimental
A Dynatrace Grail usage span bucket name.
default_spans
usage.event_bucket
string
deprecated
will be replaced by usage.bucket.
A Dynatrace Grail usage span bucket name.
default_spans

Values

event.kind MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event

event.provider MUST be one of the following:

Value
Description
LIMA_USAGE_STREAM
LIMA Usage Stream Service

event.type MUST be one of the following:

Value
Description
Traces - Retain
Traces Retain

dt.security_context MUST be one of the following:

Value
Description
BILLING_USAGE_EVENT
Billing usage event