System events are used to store details about executed queries, auditing events, billing events and more. In order to query system events, you need the storage:system:read permission.
Query system events.
fetch dt.system.events
The anomaly detector status events are used for Davis anomaly detection. They track errors and warnings during the execution of an anomaly detector. Examples:
Analyze anomaly detectors status events.
fetch dt.system.events| filter event.kind == "ANOMALY_DETECTOR_STATUS_EVENT"
| Attribute | Type | Description | Examples |
|---|---|---|---|
client.application_context | string | stable A Dynatrace app ID. | local-dev-mode; dynatrace.notebooks; my.biz.carbon |
client.internal_service_context | string | experimental A string that identifies the Dynatrace service that triggered the query. | dt.davis.datadriver |
davis.anomaly_detector.message | string | experimental Additional details about the anomaly detector status | Maximum number of concurrent queries per tenant reached. |
davis.anomaly_detector.status | string | experimental Severity of an anomaly detector status | ERROR; WARNING |
dt.settings.object_id | string | experimental The object ID of a settings value. This corresponds to the 'objectId' field/parameter in the Settings API. | vu9U3hXa3q0AAAABACFidWlsdGluOnJ1bS51c2VyLWV4cGVyaWVuY2Utc2NvcmUABnRlbmFudAAGdGVuYW50ACRhMzZmYmYwMy00NDY1LTNlNTYtOTZiOS1kOWMzOGQ3MzU1NmO-71TeFdrerQ |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | ANOMALY_DETECTOR_STATUS_EVENT |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
Model describing a billing usage event of function invocations. Billing usage events are stored in the dt.system.events table.
Analyze billing usage events.
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "AppEngine Functions - Small"
| Attribute | Type | Description | Examples |
|---|---|---|---|
billed_invocations | long | stable Number of billed invocations. Unit is 1/4 GiB * min | 8 |
caller.app.id | string | stable The entity/app invoking the function or not set when not invoked by an app. | dynatrace.hub |
caller.service.id | string | stable The service invoking the function or not set when not invoked by a service. | AUTOMATION_ENGINE |
dt.app.id | string | resource stable The unique application identifier. Dynatrace apps are prefixed with 'dynatrace.', custom apps are prefixed with 'my.'. | dynatrace.notebooks; my.awesome.app |
dt.security_context | string | resource stable The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model Tags: permission | BILLING_USAGE_EVENT |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | LIMA_USAGE_STREAM |
event.type | string | stable The unique type identifier of a given event. Tags: permission | AppEngine Functions - Small |
event.version | string | stable Describes the version of the event. | 1.0.0 |
function.duration_sec | long | stable Duration of the function call in seconds. Measures not the actual execution time but the duration in the function proxy including network roundtrip to the Runtime. If the duration is bigger than the maximum allowed duration (which may happen due to technical reasons) the reported value is set to the maximum allowed duration. | 60 |
function.execution_id | string | stable If the execution of a resumable function last for more than 2 minutes, there will be multiple BILLING_USAGE_EVENTs created for that execution, which will have the same value in this field. It can therefore be used to join BILLING_USAGE_EVENTs for long running function invocations. | 1bfa32fa-679e-4ac9-b683-2d2cdd4b6314 |
function.id | string | stable The unique identifier of a function containing the app id and function id in the form of {app.id}.{function.id}. Missing for adhoc executions. | myapp.test/path/myfunction |
function.memory_mib | long | stable Runtime memory in MiB. Some of the memory is not available to the javascript code, because it is needed by the runtime itself. | 128 |
function.type | string | stable The identifier defining the function type. | STANDARD; ACTION; AD_HOC |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
user.email | string | stable Email of the user. | user@mail.com |
user.id | string | stable Unique UUID of a human user. If the system itself has to be represented, the constant 'system' is used. | 35ba9499-f87c-4047-962c-14dc32e255e5; system |
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_USAGE_STREAM | LIMA Usage Stream Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
AppEngine Functions - Small | AppEngine Functions - Small |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
function.type MUST be one of the following:
| Value | Description |
|---|---|
AD_HOC | Adhoc function execution |
STANDARD | App function execution |
ACTION | App function execution, but function is defined as an Action in the app manifest |
For every API access, Dynatrace stores an audit event in the dt.system.events table.
Additionally the Audit Event allows to attach an arbitrary key/value map with string keys and string values to the event. Keys are prefixed with "details." during serialization.
Analyze audit events.
fetch dt.system.events| filter event.kind == "AUDIT_EVENT"
| Attribute | Type | Description | Examples |
|---|---|---|---|
authentication.client.id | string | experimental The OAuth2 client id if of type 'CLIENT_CREDENTIALS'. | dt0s02.UZCK6ENL.2YQ2A3DZUEISRJSUU5544J3SC3TMPXSEEMNA5HK7RW54SJ6XKLYGMWJNKL7B2DNH |
authentication.grant.type | string | experimental The grant type used during OAuth2 authentication. | AUTHORIZATION_CODE; CLIENT_CREDENTIALS |
authentication.token | string | experimental The public token identifier of authentication.type 'TOKEN'. | dt0c01.AM4SEYKIBROBEJ2N3HAXZ4IX |
authentication.type | string | experimental The method of authentication. | OAUTH2 |
dt.app.function | string | resource experimental Name or path of the App-Function that was executed. | check-ip.js; /api/send-message |
dt.app.id | string | resource stable The unique application identifier. Dynatrace apps are prefixed with 'dynatrace.', custom apps are prefixed with 'my.'. | dynatrace.notebooks; my.awesome.app |
dt.security_context | string | resource stable The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model Tags: permission | |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | AUDIT_EVENT |
event.outcome | string | stable Denotes whether the event represents a success or a failure from the perspective of the entity that produced the event (for example an HTTP response code). | 200; success; failure |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | API_GATEWAY |
event.reason | string | stable Describes why a certain event.outcome was set. Typically, this is some form of error description in the case of a failure. | user is missing permission "logs.read" |
event.type | string | stable The unique type identifier of a given event. Tags: permission | POST; PUT; GET |
event.version | string | stable Describes the version of the event. | 1.0.0 |
origin.address | string | experimental Source IP address of the request associated with this event. Must be set if origin.type is 'REST', must not be set otherwise. | 10.11.12.13 |
origin.session | string | experimental The ID of the browser session (if present) associated with the event. | node0hfznc |
origin.type | string | experimental Origin type of the request associated with this event. | REST; LOCAL |
origin.x_forwarded_for | string | experimental The verbatim value of the X-Forwarded-For HTTP request header (if present) of the request associated with the event. | 1.2.3.4 |
request.source | string | stable In case of a REST call audit event, this field contains the request source. | BROWSER; DT_SERVERLESS; OTHER |
resource | string | stable Generic reference to a resource like a REST resource URL or a settings ID. | /service/resource; 1234567890 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
user.id | string | stable Unique UUID of a human user. If the system itself has to be represented, the constant 'system' is used. | 35ba9499-f87c-4047-962c-14dc32e255e5; system |
user.name | string | experimental Full name of the user. If the system itself has to be represented, the constant 'System' is used. | Wolfgang Amadeus Mozart; System |
user.organization | string | experimental Organization the user belongs to. | DYNATRACE; CUSTOMER; PARTNER |
Model describing a billing usage event of automation workflows. Billing usage events are stored in the dt.system.events table.
Analyze billing usage events for AutomationEngine workflows.
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Automation Workflow"
| Attribute | Type | Description | Examples |
|---|---|---|---|
dt.security_context | string | resource stable The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model Tags: permission | BILLING_USAGE_EVENT |
event.end | string | stable The event end timestamp in UTC (given in Grail preferred Linux timestamp nano precision format). | 16481073970000 |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | LIMA_USAGE_STREAM |
event.start | string | stable The event start timestamp in UTC (given in Grail preferred Linux timestamp nano precision format). | 16481073970000 |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Automation Workflow |
event.version | string | stable Describes the version of the event. | 1.0.0 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
workflow.actor | string | stable The entity executing the workflow as UUID. | b22a50a0-2540-4f29-9452-bc330322fb1e |
workflow.created_at | timestamp | stable The time when the workflow was created. | 1649822520123123123 |
workflow.description | string | stable The description of the workflow. | This is a test workflow |
workflow.id | string | stable The unique identifier of a workflow as UUID. | 26c0334e-a3e1-4585-8cd8-2d72742fe141 |
workflow.is_private | string | stable The boolean identifier denoting the visibility of the workflow. | true; false |
workflow.owner | string | stable The entity owning the workflow as UUID. | f1358516-8136-4634-9012-d2e3dfee38dc |
workflow.title | string | stable The title of the workflow. | Test Workflow |
workflow.trigger_type | string | stable The identifier that describes the trigger of the workflow. | schedule; manual |
workflow.updated_by | string | stable The entity updating the workflow last. | f1358516-8136-4634-9012-d2e3dfee38dc |
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_USAGE_STREAM | LIMA Usage Stream Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Automation Workflow | Automation Workflow |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
Model describing an AutomationEngine action execution event. Action execution events are stored in the dt.system.events table.
AutomationEngine action execution state change.
fetch dt.system.events| filter event.kind == "WORKFLOW_EVENT" and event.provider == "AUTOMATION_ENGINE" and event.type =="ACTION_EXECUTION"
| Attribute | Type | Description | Examples |
|---|---|---|---|
dt.automation_engine.action.app | string | experimental The app id of the app containing the executed action. | dynatrace.workflows |
dt.automation_engine.action.function | string | experimental Name of the function implementing the action. | task_1 |
dt.automation_engine.action_execution.id | string | experimental The unique identifier of a action execution as UUID. | 23e7b55a-884f-4497-8ad6-8d49d52b4348 |
dt.automation_engine.action_execution.loop.index | long | experimental Loop index of the action execution. | |
dt.automation_engine.action_execution.retry.count | long | experimental Retry count of the action execution. | |
dt.automation_engine.root_workflow.id | string | experimental The unique identifier of the root workflow. | e6388e3a-9db2-4226-9327-2ba86eaf12f7 |
dt.automation_engine.root_workflow_execution.id | string | experimental The unique identifier of the execution of the root workflow. | a641fb59-4627-44cd-abaf-b68d86455a5b |
dt.automation_engine.state | string | experimental The state of an execution. Values depend on type of execution (workflow-, task-, or action execution). | RUNNING; SUCCESS; ERROR |
dt.automation_engine.state.is_final | boolean | experimental Indicates if dt.automation_engine.state is a final and immutable state or if further processing will happen. | true; false |
dt.automation_engine.state_info | string | experimental Additional info about current state of execution. Typically holds error details. | ERROR |
dt.automation_engine.task.name | string | experimental The identifier of a task within a workflow. | task_1 |
dt.automation_engine.workflow.id | string | experimental The unique identifier of a workflow as UUID. | 26c0334e-a3e1-4585-8cd8-2d72742fe141 |
dt.automation_engine.workflow.title | string | experimental The title of the workflow. | My Workflow |
dt.automation_engine.workflow_execution.id | string | experimental The unique identifier of a workflow execution as UUID. | 737a248b-d1cb-49a4-bf08-7d4c37dbfb1e |
dt.openpipeline.pipelines | string[] | resource experimental Collects the identifiers of all pipelines through which a record has passed during the ingestion process in OpenPipeline, providing a complete trace of its journey. | [[logs:default], [logs:pipeline_haproxy_2656, bizevents:default]] |
dt.openpipeline.source | string | resource experimental Identifies the source (such as API endpoints or OneAgent) used for ingesting the record into OpenPipeline. | /platform/ingest/v1/events; oneagent |
duration | duration | stable The difference between start_time and end_time in nanoseconds. | 42 |
end_time | timestamp | stable End time of a data point. Value is a UNIX Epoch time in nanoseconds and greater or equal to the start_time. | 1649822520123123165 |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | WORKFLOW_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | AUTOMATION_ENGINE |
event.type | string | stable The unique type identifier of a given event. Tags: permission | ACTION_EXECUTION |
start_time | timestamp | stable Start time of a data point. Value is a UNIX Epoch time in nanoseconds and less or equal to the end_time. | 1649822520123123123 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
event.kind MUST be one of the following:
| Value | Description |
|---|---|
WORKFLOW_EVENT | Event in context of a workflow |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
AUTOMATION_ENGINE | Event produced by AutomationEngine |
event.type MUST be one of the following:
| Value | Description |
|---|---|
ACTION_EXECUTION | Task execution state change event |
dt.automation_engine.state MUST be one of the following:
| Value | Description |
|---|---|
RUNNING | Action execution started. |
SUCCESS | Action execution finished successfully. |
ERROR | Action execution failed. |
Model describing an AutomationEngine task execution event. Task execution events are stored in the dt.system.events table.
AutomationEngine task execution state change.
fetch dt.system.events| filter event.kind == "WORKFLOW_EVENT" and event.provider == "AUTOMATION_ENGINE" and event.type =="TASK_EXECUTION"
| Attribute | Type | Description | Examples |
|---|---|---|---|
dt.automation_engine.root_workflow.id | string | experimental The unique identifier of the root workflow. | e6388e3a-9db2-4226-9327-2ba86eaf12f7 |
dt.automation_engine.root_workflow_execution.id | string | experimental The unique identifier of the execution of the root workflow. | a641fb59-4627-44cd-abaf-b68d86455a5b |
dt.automation_engine.state | string | experimental The state of an execution. Values depend on type of execution (workflow-, task-, or action execution). | RUNNING; SUCCESS; ERROR |
dt.automation_engine.state.is_final | boolean | experimental Indicates if dt.automation_engine.state is a final and immutable state or if further processing will happen. | true; false |
dt.automation_engine.state_info | string | experimental Additional info about current state of execution. Typically holds error details. | ERROR |
dt.automation_engine.task.name | string | experimental The identifier of a task within a workflow. | task_1 |
dt.automation_engine.workflow.id | string | experimental The unique identifier of a workflow as UUID. | 26c0334e-a3e1-4585-8cd8-2d72742fe141 |
dt.automation_engine.workflow.title | string | experimental The title of the workflow. | My Workflow |
dt.automation_engine.workflow_execution.id | string | experimental The unique identifier of a workflow execution as UUID. | 737a248b-d1cb-49a4-bf08-7d4c37dbfb1e |
dt.openpipeline.pipelines | string[] | resource experimental Collects the identifiers of all pipelines through which a record has passed during the ingestion process in OpenPipeline, providing a complete trace of its journey. | [[logs:default], [logs:pipeline_haproxy_2656, bizevents:default]] |
dt.openpipeline.source | string | resource experimental Identifies the source (such as API endpoints or OneAgent) used for ingesting the record into OpenPipeline. | /platform/ingest/v1/events; oneagent |
duration | duration | stable The difference between start_time and end_time in nanoseconds. | 42 |
end_time | timestamp | stable End time of a data point. Value is a UNIX Epoch time in nanoseconds and greater or equal to the start_time. | 1649822520123123165 |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | WORKFLOW_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | AUTOMATION_ENGINE |
event.type | string | stable The unique type identifier of a given event. Tags: permission | TASK_EXECUTION |
start_time | timestamp | stable Start time of a data point. Value is a UNIX Epoch time in nanoseconds and less or equal to the end_time. | 1649822520123123123 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
event.kind MUST be one of the following:
| Value | Description |
|---|---|
WORKFLOW_EVENT | Event in context of a workflow |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
AUTOMATION_ENGINE | Event produced by AutomationEngine |
event.type MUST be one of the following:
| Value | Description |
|---|---|
TASK_EXECUTION | Task execution state change event |
dt.automation_engine.state MUST be one of the following:
| Value | Description |
|---|---|
SKIPPED | Task skipped due to task conditions evaluation or task is disabled. |
DISCARDED | Task discarded due to predecessor task conditions evaluation. |
WAITING | Task waiting due to e.g. task option configuration. |
RUNNING | Task execution has running action execution. |
SUCCESS | Task execution finished successfully. |
CANCELLED | Task execution cancelled manually/by API request. |
ERROR | Task execution finished due to at least one failed action execution and no retries configured/left to process. |
Model describing an AutomationEngine workflow execution event. Workflow execution events are stored in the dt.system.events table.
AutomationEngine workflow execution state change.
fetch dt.system.events| filter event.kind == "WORKFLOW_EVENT" and event.provider == "AUTOMATION_ENGINE" and event.type =="WORKFLOW_EXECUTION"
| Attribute | Type | Description | Examples |
|---|---|---|---|
dt.automation_engine.root_workflow.id | string | experimental The unique identifier of the root workflow. | e6388e3a-9db2-4226-9327-2ba86eaf12f7 |
dt.automation_engine.root_workflow_execution.id | string | experimental The unique identifier of the execution of the root workflow. | a641fb59-4627-44cd-abaf-b68d86455a5b |
dt.automation_engine.state | string | experimental The state of an execution. Values depend on type of execution (workflow-, task-, or action execution). | RUNNING; SUCCESS; ERROR |
dt.automation_engine.state.is_final | boolean | experimental Indicates if dt.automation_engine.state is a final and immutable state or if further processing will happen. | true; false |
dt.automation_engine.state_info | string | experimental Additional info about current state of execution. Typically holds error details. | ERROR |
dt.automation_engine.workflow.id | string | experimental The unique identifier of a workflow as UUID. | 26c0334e-a3e1-4585-8cd8-2d72742fe141 |
dt.automation_engine.workflow.last_execution_state_flip | boolean | experimental Indicates if the workflow execution state has changed since the last execution, ignoring draft executions. Always false for draft executions. | true; false |
dt.automation_engine.workflow.title | string | experimental The title of the workflow. | My Workflow |
dt.automation_engine.workflow.type | string | experimental Workflow type, either SIMPLE or STANDARD, where SIMPLE comes with restrictions. | SIMPLE; STANDARD |
dt.automation_engine.workflow_execution.id | string | experimental The unique identifier of a workflow execution as UUID. | 737a248b-d1cb-49a4-bf08-7d4c37dbfb1e |
dt.automation_engine.workflow_execution.trigger.type | string | experimental The identifier that describes the trigger of the workflow. | Schedule; Event; Workflow; Manual |
dt.automation_engine.workflow_execution.trigger.user.id | string | experimental The unique identifier of the user who triggered the workflow execution manually/via API. | dad18fa7-3c11-40a1-b760-1d8281bb5dcc |
dt.automation_engine.workflow_execution.trigger.workflow_execution.id | string | experimental The unique identifier of the workflow that triggered the workflow execution. | 737a248b-d1cb-49a4-bf08-7d4c37dbfb1e |
dt.openpipeline.pipelines | string[] | resource experimental Collects the identifiers of all pipelines through which a record has passed during the ingestion process in OpenPipeline, providing a complete trace of its journey. | [[logs:default], [logs:pipeline_haproxy_2656, bizevents:default]] |
dt.openpipeline.source | string | resource experimental Identifies the source (such as API endpoints or OneAgent) used for ingesting the record into OpenPipeline. | /platform/ingest/v1/events; oneagent |
duration | duration | stable The difference between start_time and end_time in nanoseconds. | 42 |
end_time | timestamp | stable End time of a data point. Value is a UNIX Epoch time in nanoseconds and greater or equal to the start_time. | 1649822520123123165 |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | WORKFLOW_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | AUTOMATION_ENGINE |
event.type | string | stable The unique type identifier of a given event. Tags: permission | WORKFLOW_EXECUTION |
start_time | timestamp | stable Start time of a data point. Value is a UNIX Epoch time in nanoseconds and less or equal to the end_time. | 1649822520123123123 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
event.kind MUST be one of the following:
| Value | Description |
|---|---|
WORKFLOW_EVENT | Event in context of a workflow |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
AUTOMATION_ENGINE | Event produced by AutomationEngine |
event.type MUST be one of the following:
| Value | Description |
|---|---|
WORKFLOW_EXECUTION | Workflow execution state change event |
dt.automation_engine.state MUST be one of the following:
| Value | Description |
|---|---|
RUNNING | Workflow execution started. |
SUCCESS | Workflow execution finished successfully. |
ERROR | Workflow execution failed due to at least one branch with a failed task without an on error successor. |
CANCELLED | Workflow execution cancelled manually/by API request. |
Model describing an AutomationEngine workflow lifecycle event. Workflow lifecycle events are stored in the dt.system.events table.
AutomationEngine workflow lifecycle events.
fetch dt.system.events| filter event.kind == "WORKFLOW_EVENT" and event.provider == "AUTOMATION_ENGINE" and in(event.type, array("WORKFLOW_CREATED", "WORKFLOW_UPDATED", "WORKFLOW_DELETED"))
| Attribute | Type | Description | Examples |
|---|---|---|---|
dt.automation_engine.workflow.id | string | experimental The unique identifier of a workflow as UUID. | 26c0334e-a3e1-4585-8cd8-2d72742fe141 |
dt.automation_engine.workflow.title | string | experimental The title of the workflow. | My Workflow |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | WORKFLOW_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | AUTOMATION_ENGINE |
event.type | string | stable The unique type identifier of a given event. Tags: permission | WORKFLOW_CREATED |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
user.id | string | stable Unique UUID of a human user. If the system itself has to be represented, the constant 'system' is used. | 35ba9499-f87c-4047-962c-14dc32e255e5; system |
event.kind MUST be one of the following:
| Value | Description |
|---|---|
WORKFLOW_EVENT | Event in context of a workflow |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
AUTOMATION_ENGINE | Event produced by AutomationEngine |
event.type MUST be one of the following:
| Value | Description |
|---|---|
WORKFLOW_CREATED | Workflow created event |
WORKFLOW_UPDATED | Workflow updated event |
WORKFLOW_DELETED | Workflow deleted event |
Model describing an AutomationEngine workflow throttle event. Workflow throttle events are stored in the dt.system.events table.
AutomationEngine workflow throttle events.
fetch dt.system.events| filter event.kind == "WORKFLOW_EVENT" and event.provider == "AUTOMATION_ENGINE" and event.type =="WORKFLOW_THROTTLE"
| Attribute | Type | Description | Examples |
|---|---|---|---|
dt.automation_engine.throttle.limit | long | experimental The workflow execution per hour limit that has been reached. | 1000 |
dt.automation_engine.workflow.id | string | experimental The unique identifier of a workflow as UUID. | 26c0334e-a3e1-4585-8cd8-2d72742fe141 |
dt.automation_engine.workflow.title | string | experimental The title of the workflow. | My Workflow |
end_time | timestamp | stable End time of a data point. Value is a UNIX Epoch time in nanoseconds and greater or equal to the start_time. | 1649822520123123165 |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | WORKFLOW_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | AUTOMATION_ENGINE |
event.type | string | stable The unique type identifier of a given event. Tags: permission | WORKFLOW_THROTTLED |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
event.kind MUST be one of the following:
| Value | Description |
|---|---|
WORKFLOW_EVENT | Event in context of a workflow |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
AUTOMATION_ENGINE | Event produced by AutomationEngine |
event.type MUST be one of the following:
| Value | Description |
|---|---|
WORKFLOW_THROTTLED | Workflow throttled event |
Dynatrace stores a data deletion event for each segment that got rewritten in the dt.system.events table.
Analyze data deletion events.
fetch dt.system.events| filter event.kind == "DATA_DELETION_EVENT"
| Attribute | Type | Description | Examples |
|---|---|---|---|
bucket | string | experimental A Dynatrace Grail bucket name. | default_logs; default_events |
client.api_version | string | stable The REST API version used by the client to perform the request. | 1 |
deletion_end | long | experimental End of a particular deletion. | 1649822520123123123 |
deletion_id | string | experimental Internal deletion request UUID. | c454347c-0ba9-4bd3-870e-d06dc1657f71 |
deletion_start | long | experimental Start of a particular deletion. | 1649822520123123123 |
dt.security_context | string | resource stable The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model Tags: permission | |
environment | string | experimental A Dynatrace environment/tenant ID. | umsaywsjuo |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | DATA_DELETION_EVENT |
failure_reason | string | experimental Additional information if query execution has 'FAILED'. | QUEUE_TIMEOUT; THROTTLED |
query_string | string | experimental The query string. | fetch bizevents, from:-30m | limit 1 |
rewritten_bytes | long | experimental The number of rewritten bytes in the context of record deletion. | 1113359256 |
status | string | experimental The outcome of the query. | SUCCEEDED |
task.id | string | experimental Deletion task UUID returned by API. | b5998ff1-26fd-4aec-80c4-6c59633b5d66 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
user.email | string | stable Email of the user. | user@mail.com |
user.id | string | stable Unique UUID of a human user. If the system itself has to be represented, the constant 'system' is used. | 35ba9499-f87c-4047-962c-14dc32e255e5; system |
version | string | resource deprecated Used in Extension Framework 2.0 The SNMP version. | SNMPv3 |
Events that are generated by Dynatrace components with self-monitoring information (health, status, unexpected situations)
| Attribute | Type | Description | Examples |
|---|---|---|---|
content | string | experimental Unstructured content of the record. It should contain a human-readable message. Often it is the raw version of a record read from a source. | No keepalive from datasource statsd. Restarting |
dt.active_gate.group.name | string | resource experimental The name of a group that the ActiveGate instance belongs to. | GdanskLab |
dt.entity.host | string | resource stable An entity ID of an entity of type HOST. Tags: entity-id | HOST-E0D8F94D9065F24F |
dt.event.key | string | experimental Preregistered event key for self-monitoring events whitelisting. | extension.status; extension.engine.eec_status |
dt.extension.config.id | string | resource experimental Extension's monitoring configuration identifier. | vu9U3hXa3q0AAAABAAtleHQ6ZXh0LTA0MAAIYWdfZ3JvdXAAA0FHMQAkMjY2YTIyM2YtZDgxYi0zNTNjLThlYzctYzk2YzliZjg4OGQ3vu9U3hXa3q0 |
dt.extension.ds | string | resource experimental Name of the data source. | SNMPTrap |
dt.extension.name | string | resource experimental Name of the extension. | com.snmptrap.generic |
dt.extension.status | string | resource experimental The status of the component reporting a self-monitoring event. | AUTHENTICATION_ERROR |
dt.source_entity | string | resource stable The ID of the entity considered the source of the signal. The string represents an entity ID of an entity that is stored in the classic entity storage. 1 Tags: entity-id | HOST-E0D8F94D9065F24F; PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F |
log.source | string | stable Human-readable attribute that identifies a log stream. 2 Tags: permission | dsfm; isfm |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
The value of this field will be based on one of the dt.entity.<type> fields value. This means that both dt.source_entity and dt.entity.<type> fields will be set to the same ID.
Can contain, for example, a file path, standard output, or an URI etc., depending on the log stream type. The value should be stable for one logical source (for example, not affected by log file rotation digits).
Dynatrace stores an enrichment execution event for the enrichment of threat observables in the dt.system.events table.
Analyze enrichment execution events.
fetch dt.system.events| filter event.kind == "ENRICHMENT_EXECUTION_EVENT"
The number of successful enrichments.
fetch dt.system.events| filter event.kind == "ENRICHMENT_EXECUTION_EVENT"| filter event.outcome == "success"| summarize count()
The number of failed enrichments.
fetch dt.system.events| filter event.kind == "ENRICHMENT_EXECUTION_EVENT"| filter event.outcome == "failure"| summarize count()
The number of enrichments by integration app.
fetch dt.system.events| filter event.kind == "ENRICHMENT_EXECUTION_EVENT"| summarize count(), by: {dt.enrichment.integration.id}
| Attribute | Type | Description | Examples |
|---|---|---|---|
dt.app.id | string | resource stable The unique application identifier of the app that triggered the enrichment. Dynatrace apps are prefixed with 'dynatrace.', custom apps are prefixed with 'my.'. | dynatrace.security.investigator |
dt.enrichment.duration | duration | experimental The duration of the enrichment execution in nanoseconds. | 4000000000 |
dt.enrichment.integration.connection.id | string | experimental The identifier of the connection settings object used to execute the enrichment. The connection settings object ID refers to the connection in the settings section of the integration app. | vu9U3hXa3q0AAAABACNhcHA6ZHluYXRyYWNlLmFidXNlaXBkYjpjb25uZWN0aW9ucwAGdGVuYW50AAZ0ZW5hbnQAJDA0NzY2OTJhLTIzMDItMzdhOS05MTk5LTc1ZWI3M2MzNjYwMr7vVN4V2t6t |
dt.enrichment.integration.id | string | experimental The unique application identifier of the integration app that provided the enrichment functionality. Dynatrace apps are prefixed with 'dynatrace.', custom apps are prefixed with 'my.'. | dynatrace.abuseipdb; dynatrace.virustotal |
dt.enrichment.integration.method.id | string | experimental The integration method ID of the integration app used to execute the enrichment. | check-ip; enrich-observable |
dt.enrichment.result.is_cached | boolean | experimental Indicates whether the enrichment execution result was retrieved from the cache. | true; false |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | ENRICHMENT_EXECUTION_EVENT |
event.outcome | string | stable Denotes whether the event represents a success or a failure from the perspective of the entity that produced the event (for example an HTTP response code). | success; failure |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | SECURITY_INTELLIGENCE_ENGINE |
event.reason | string | stable Describes why a certain event.outcome was set. Typically, this is some form of error description in the case of a failure. | user is missing permission "logs.read" |
event.version | string | stable Describes the version of the event. | 1.0.0 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
user.id | string | stable Unique UUID of a human user. If the system itself has to be represented, the constant 'system' is used. | 35ba9499-f87c-4047-962c-14dc32e255e5; system |
Model describing a billing usage event of ingest for events. Billing usage events are stored in the dt.system.events table.
Analyze billing usage events for the "Events - Ingest & Process" capability.
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Events - Ingest & Process"| dedup event.id
| Attribute | Type | Description | Examples |
|---|---|---|---|
billed_bytes | long | stable The number of bytes that will be billed. | 1113359256 |
dt.security_context | string | resource stable The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model Tags: permission | BILLING_USAGE_EVENT |
event.billing.category | string | stable Display name for usage details. | Business events; Custom Davis & Kubernetes events; Kubernetes warning events; Davis AI problems; Security events |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | LIMA_CLIENT |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Events - Ingest & Process |
event.version | string | stable Describes the version of the event. | 1.0.0 |
timestamp | timestamp | stable Start time of the usage timeframe (inclusive). | 2023-05-22T11:15:00.000000Z |
usage.bucket | string | stable A Dynatrace Grail usage event bucket name. | default_davis_custom_events |
usage.end | timestamp | experimental End time of the usage timeframe (exclusive). | 2023-05-22T11:30:00.000000Z |
usage.event_bucket | string | deprecated will be replaced by usage.bucket. A Dynatrace Grail usage event bucket name. | default_davis_custom_events |
usage.start | timestamp | experimental Start time of the usage timeframe (inclusive). | 2023-05-22T11:15:00.000000Z |
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_CLIENT | LIMA Client Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Events - Ingest & Process | Events - Ingest & Process |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
Model describing a billing usage event of a events query execution. Billing usage events are stored in the dt.system.events table.
Analyze billing usage events.
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Events - Query"
| Attribute | Type | Description | Examples |
|---|---|---|---|
action_type | string | stable Indicates if the query was executed to fetch records or to delete them. | QUERY; DELETION |
billed_bytes | long | stable The number of bytes that will be billed. | 1113359256 |
client.application_context | string | stable A Dynatrace app ID. | local-dev-mode; dynatrace.notebooks; my.biz.carbon |
client.function_context | string | stable Name of the function that executed the query. | api/execute-dql-query; my/function |
client.source | string | stable Dynatrace application that executed the query. | https://tenant.apps.dynatracelabs.com/ui/notebook/a0321331-795c-43e7-87cd-890e4bfa8a09 |
dt.security_context | string | resource stable The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model Tags: permission | BILLING_USAGE_EVENT |
event.billing.category | string | stable Display name for usage details. | Business events; Custom Davis & Kubernetes events; Kubernetes warning events; Davis AI problems; Security events |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | LIMA_USAGE_STREAM |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Events - Query |
event.version | string | stable Describes the version of the event. | 1.0; 2.0 |
query_id | string | stable The UUID identifying a particular query. | e68e5cc8-c31e-4e57-90d7-c6dde20b19d5 |
query_start | long | stable Query start time. | 1683012271413 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
usage.bucket | string | stable A Dynatrace Grail usage event bucket name. | default_bizevents; default_davis_custom_events |
user.email | string | stable Email of the user. | user@mail.com |
user.id | string | stable Unique UUID of a human user. If the system itself has to be represented, the constant 'system' is used. | 35ba9499-f87c-4047-962c-14dc32e255e5; system |
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_USAGE_STREAM | LIMA Usage Stream Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Events - Query | Events Query Execution |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
Model describing the billing usage event for retention of events per Grail bucket. Billing usage events are stored in the dt.system.events table.
Analyze billing usage events.
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Events - Retain"
| Attribute | Type | Description | Examples |
|---|---|---|---|
billed_bytes | long | stable The number of bytes that will be billed. | 1113359256 |
dt.security_context | string | resource stable The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model Tags: permission | BILLING_USAGE_EVENT |
event.billing.category | string | stable Display name for usage details. | Business events; Custom Davis & Kubernetes events; Kubernetes warning events; Davis AI problems; Security events |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | LIMA_USAGE_STREAM |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Event - Retain |
event.version | string | stable Describes the version of the event. | 1.0.0 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
usage.bucket | string | stable A Dynatrace Grail usage event bucket name. | default_bizevents; default_davis_custom_events |
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_USAGE_STREAM | LIMA Usage Stream Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Events - Retain | Events Retain |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
Model describing a billing usage event for the Foundation & Discovery DPS capability.
Billing usage events are stored in the dt.system.events table.
Analyze billing usage for Foundation & Discovery on 15-minute billing intervals.
Note that complete usage for events is displayed only for Dynatrace versions 1.312+. Earlier versions will display partial usage.
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Foundation & Discovery"| dedup event.id
| Attribute | Type | Description | Examples |
|---|---|---|---|
billed_host_hours | long | stable How many host hours of the capability have been consumed by the host. | 2 |
dt.cost.costcenter | string | resource stable Can be used to assign usage to a Cost Center. | Team A |
dt.cost.product | string | resource stable Can be used to assign usage to a Product or Application ID. | Product A |
dt.entity.host | string | resource stable An entity ID of an entity of type HOST. Tags: entity-id | HOST-E0D8F94D9065F24F |
dt.security_context | string | resource stable The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model Tags: permission | BILLING_USAGE_EVENT |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | LIMA_CLIENT |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Foundation & Discovery |
event.version | string | stable Describes the version of the event. | 1.0.0 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
usage.end | timestamp | experimental End time of the usage timeframe (exclusive). | 2023-05-22T11:30:00.000000Z |
usage.start | timestamp | experimental Start time of the usage timeframe (inclusive). | 2023-05-22T11:15:00.000000Z |
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_CLIENT | LIMA Client Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Foundation & Discovery | Foundation & Discovery |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
Model describing a billing usage event for the Full-Stack Monitoring DPS capability.
Billing usage events are stored in the dt.system.events table.
Analyze billing usage for Full-Stack Monitoring on 15-minute billing intervals.
Note that complete usage for events is displayed only for Dynatrace versions 1.312+. Earlier versions will display partial usage.
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Full-Stack Monitoring"| dedup event.id
| Attribute | Type | Description | Examples |
|---|---|---|---|
billed_gibibyte_hours | double | stable How many gibibyte hours of the capability has been consumed by the host | 16.02 |
dt.cost.costcenter | string | resource stable Can be used to assign usage to a Cost Center. | Team A |
dt.cost.product | string | resource stable Can be used to assign usage to a Product or Application ID. | Product A |
dt.entity.host | string | resource stable An entity ID of an entity of type HOST. Tags: entity-id | HOST-E0D8F94D9065F24F |
dt.security_context | string | resource stable The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model Tags: permission | BILLING_USAGE_EVENT |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | LIMA_CLIENT |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Full-Stack Monitoring |
event.version | string | stable Describes the version of the event. | 1.0.0 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
usage.end | timestamp | experimental End time of the usage timeframe (exclusive). | 2023-05-22T11:30:00.000000Z |
usage.start | timestamp | experimental Start time of the usage timeframe (inclusive). | 2023-05-22T11:15:00.000000Z |
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_CLIENT | LIMA Client Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Full-Stack Monitoring | Full-Stack Monitoring |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
GenAI events are emitted when a GenAI skill is invoked or feedback is provided. They provide tracking data for skill usage and user feedback. Examples:
Retrieve all GenAI events.
fetch dt.system.events| filter event.kind == "GENAI_EVENT"
Count of GenAI skill invocations.
fetch dt.system.events| filter event.kind == "GENAI_EVENT"| filter event.type == "GenAi Skill Invocation"| summarize count()
Count the GenAI invocations per skill.
fetch dt.system.events| filter event.kind == "GENAI_EVENT"| filter event.type == "GenAi Skill Invocation"| summarize invocations=count(), by: skill
Count of the GenAI feedback type per skill.
fetch dt.system.events| filter event.kind == "GENAI_EVENT"| filter event.type == "GenAi Feedback"| summarize count(), by: {feedback.type, skill}
Time series of the GenAI execution duration per skill.
fetch dt.system.events| filter event.kind == "GENAI_EVENT"| filter event.type == "GenAi Skill Invocation"| makeTimeseries avg(execution_duration_ms), by: {skill}
| Attribute | Type | Description | Examples |
|---|---|---|---|
client.application_context | string | stable A Dynatrace app ID. | dynatrace.davis.copilot |
client.originating_application_context | string | experimental Name of the originating application if the conversation started from another app. | dynatrace.davis.problems |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | GENAI_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | DAVIS_COPILOT |
event.type | string | stable The unique type identifier of a given event. Tags: permission | GenAi Skill Invocation; GenAi Feedback |
execution_duration_ms | long | deprecated The duration of the query in milliseconds. | 42 |
failure_message | string | experimental Detailed error message or justification for failure, intended for end users. | Prompt blocked by guardrail. |
failure_reason | string | experimental Additional information if query execution has 'FAILED'. | BAD_REQUEST_ERROR; CONTENT_FILTER; GUARDRAIL_CHECK_FAILED; INVALID_DQL_GENERATED |
feedback.category | string | experimental Category of feedback, selected by the user. | error; incomplete; incorrect; misunderstood; other |
feedback.text | string | experimental Unmasked free-text feedback provided by the user. | The answer was not correct. |
feedback.type | string | experimental Type of feedback provided by the user, such as positive or negative. | positive; negative |
response | string | experimental The response was generated by the skill. | Here are today's errors... |
skill | string | experimental The name of the skill that was executed. | nl2dql; chat; dql2nl; document-search |
status | string | experimental The outcome of the query. | SUCCEEDED; FAILED |
supplementary | string | experimental Additional context information was provided for the skill (chat only). | Error details: ... |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
topic | string | experimental General topic addressed by the user input (for chat events only). | metrics; errors |
user.email | string | stable Email of the user. | john.doe@dynatrace.com |
user.id | string | stable Unique UUID of a human user. If the system itself has to be represented, the constant 'system' is used. | b5998ff1-26fd-4aec-80c4-6c59633b5d66 |
user_input | string | experimental The user input was provided for the skill. | Show me errors for today |
event.type MUST be one of the following:
| Value | Description |
|---|---|
GenAi Skill Invocation | GenAI skill was invoked. |
GenAi Skill Feedback | Feedback for a GenAI skill was provided. |
skill MAY be one of the following:
| Value | Description |
|---|---|
chat | Events associated with the conversations skill also used in the Davis CoPilot Chat App. |
nl2dql | Events associated with the skill translating natural language into DQL queries. |
dql2nl | Events associated with the skill explaining DQL queries in natural text. |
status MUST be one of the following:
| Value | Description |
|---|---|
SUCCEEDED | Skill invocation succeeded. |
FAILED | Skill invocation failed. |
failure_reason MAY be one of the following:
| Value | Description |
|---|---|
BAD_REQUEST_ERROR | There was a technical problem. |
CONTENT_FILTER | Content filter check failed. |
GUARDRAIL_CHECK_FAILED | Guardrail check failed. |
INVALID_DQL_GENERATED | Generated DQL was invalid. |
feedback.type MUST be one of the following:
| Value | Description |
|---|---|
positive | Positive feedback. |
negative | Negative feedback. |
feedback.category MAY be one of the following:
| Value | Description |
|---|---|
error | The execution of the skill did not work. |
incomplete | The response was incomplete. |
incorrect | The response was incorrect. |
misunderstood | The response misunderstood the question. |
other | No provided feedback category fits. |
Model describing a billing usage event for the Infrastructure Monitoring DPS capability.
Billing usage events are stored in the dt.system.events table.
Analyze billing usage for Infrastructure Monitoring on 15-minute billing intervals.
Note that complete usage for events is displayed only for Dynatrace versions 1.312+. Earlier versions will display partial usage.
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Infrastructure Monitoring"| dedup event.id
| Attribute | Type | Description | Examples |
|---|---|---|---|
billed_host_hours | long | stable How many host hours of the capability have been consumed by the host. | 2 |
dt.cost.costcenter | string | resource stable Can be used to assign usage to a Cost Center. | Team A |
dt.cost.product | string | resource stable Can be used to assign usage to a Product or Application ID. | Product A |
dt.entity.host | string | resource stable An entity ID of an entity of type HOST. Tags: entity-id | HOST-E0D8F94D9065F24F |
dt.security_context | string | resource stable The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model Tags: permission | BILLING_USAGE_EVENT |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | LIMA_CLIENT |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Infrastructure Monitoring |
event.version | string | stable Describes the version of the event. | 1.0.0 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
usage.end | timestamp | experimental End time of the usage timeframe (exclusive). | 2023-05-22T11:30:00.000000Z |
usage.start | timestamp | experimental Start time of the usage timeframe (inclusive). | 2023-05-22T11:15:00.000000Z |
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_CLIENT | LIMA Client Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Infrastructure Monitoring | Infrastructure Monitoring |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
Model describing a billing usage event of a logs query execution. Billing usage events are stored in the dt.system.events table.
Analyze billing usage events.
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Log Management & Analytics - Query"
| Attribute | Type | Description | Examples |
|---|---|---|---|
action_type | string | stable Indicates if the query was executed to fetch records or to delete them. | QUERY; DELETION |
billed_bytes | long | stable The number of bytes that will be billed. | 1113359256 |
client.application_context | string | stable A Dynatrace app ID. | local-dev-mode; dynatrace.notebooks; my.biz.carbon |
client.function_context | string | stable Name of the function that executed the query. | api/execute-dql-query; my/function |
client.source | string | stable Dynatrace application that executed the query. | https://tenant.apps.dynatracelabs.com/ui/notebook/a0321331-795c-43e7-87cd-890e4bfa8a09 |
dt.security_context | string | resource stable The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model Tags: permission | BILLING_USAGE_EVENT |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | LIMA_USAGE_STREAM |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Log Management & Analytics - Query |
event.version | string | stable Describes the version of the event. | 1.0 |
query_id | string | stable The UUID identifying a particular query. | e68e5cc8-c31e-4e57-90d7-c6dde20b19d5 |
query_start | long | stable Query start time. | 1683012271413 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
user.email | string | stable Email of the user. | user@mail.com |
user.id | string | stable Unique UUID of a human user. If the system itself has to be represented, the constant 'system' is used. | 35ba9499-f87c-4047-962c-14dc32e255e5; system |
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_USAGE_STREAM | LIMA Usage Stream Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Log Management & Analytics - Query | Logs Query Execution |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
Model describing the billing usage event for retention of events per Grail bucket. Billing usage events are stored in the dt.system.events table.
Fetch Log Management & Analytics - Retain billing usage events.
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Log Management & Analytics - Retain"
| Attribute | Type | Description | Examples |
|---|---|---|---|
billed_bytes | long | stable The number of bytes that will be billed. | 1113359256 |
dt.security_context | string | resource stable The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model Tags: permission | BILLING_USAGE_EVENT |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | LIMA_USAGE_STREAM |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Log Management & Analytics - Retain |
event.version | string | stable Describes the version of the event. | 1.0.0 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
usage.bucket | string | stable A Dynatrace Grail usage log bucket name. | default_logs |
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_USAGE_STREAM | LIMA Usage Stream Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Log Management & Analytics - Retain | Logs Retain |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
Model describing the billing usage event for retention of events per Grail bucket. Billing usage events are stored in the dt.system.events table.
Fetch Log Management & Analytics - Retain with Included Queries usage events.
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Log Management & Analytics - Retain with Included Queries"
| Attribute | Type | Description | Examples |
|---|---|---|---|
billed_bytes | long | stable The number of bytes that will be billed. | 1113359256 |
dt.security_context | string | resource stable The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model Tags: permission | BILLING_USAGE_EVENT |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074qi_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | LIMA_USAGE_STREAM |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Log Management & Analytics - Retain with Included Queries |
event.version | string | stable Describes the version of the event. | 1.0.0 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
usage.bucket | string | stable A Dynatrace Grail usage log bucket name. | default_logs |
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_USAGE_STREAM | LIMA Usage Stream Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Log Management and Analytics - Retain with Included Queries | Retain with Included Queries |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
Model describing a billing usage event of ingest & process for metrics. Billing usage events are stored in the dt.system.events table.
Analyze billing usage events.
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Metrics - Ingest & Process"
| Attribute | Type | Description | Examples |
|---|---|---|---|
data_points | long | stable The number of billable metrics data points. | 1500 |
dt.security_context | string | resource stable The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model Tags: permission | BILLING_USAGE_EVENT |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | LIMA_USAGE_STREAM |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Metrics - Ingest & Process |
event.version | string | stable Describes the version of the event. | 1.0.0 |
metric.type | string | stable Identifies the type of metric and therefore the timeseries rollup functions it supports. | summary_stats |
monitoring_source | string | stable Monitoring source that originally reported the data. See 'dt.system.monitoring_source'. | fullstack_host |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
usage.bucket | string | stable A Dynatrace Grail usage metrics bucket name. | default_metrics |
usage.end | timestamp | experimental End time of the usage timeframe (exclusive). | 2023-05-22T11:30:00.000000Z |
usage.start | timestamp | experimental Start time of the usage timeframe (inclusive). | 2023-05-22T11:15:00.000000Z |
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_USAGE_STREAM | LIMA Usage Stream Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Metrics - Ingest & Process | Metrics - Ingest & Process |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
Model describing the billing usage event for retention of metrics per Grail bucket. Billing usage events are stored in the dt.system.events table.
Fetch Metrics Retain billing usage events.
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Metrics - Retain"
| Attribute | Type | Description | Examples |
|---|---|---|---|
billed_bytes | long | stable The number of bytes that will be billed. | 1113359256 |
dt.security_context | string | resource stable The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model Tags: permission | BILLING_USAGE_EVENT |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | LIMA_USAGE_STREAM |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Metrics - Retain |
event.version | string | stable Describes the version of the event. | 1.0.0 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
usage.bucket | string | stable A Dynatrace Grail usage metric bucket name. | default_metrics |
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_USAGE_STREAM | LIMA Usage Stream Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Metrics - Retain | Metrics Retain |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
Dynatrace stores a query execution event for each query that got executed in the dt.system.events table.
Analyze query execution events.
fetch dt.system.events| filter event.kind == "QUERY_EXECUTION_EVENT"
The amount of succeeded queries.
fetch dt.system.events| filter event.kind == "QUERY_EXECUTION_EVENT"| filter status == "SUCCEEDED"| summarize countDistinct(query_id)
The amount of failed queries.
fetch dt.system.events| filter event.kind == "QUERY_EXECUTION_EVENT"| summarize sum(failed_count)
| Attribute | Type | Description | Examples |
|---|---|---|---|
analysis_timeframe.end | timestamp | experimental End time of query analysis timeframe. | 2023-05-22T13:15:57.416654000 |
analysis_timeframe.start | timestamp | experimental Start time of query analysis timeframe. | 2023-05-22T11:15:57.416654000 |
bucket | string | experimental A Dynatrace Grail bucket name. | default_logs; default_events |
client.api_version | string | stable The REST API version used by the client to perform the request. | 1 |
client.application_context | string | stable A Dynatrace app ID. | local-dev-mode; dynatrace.notebooks; my.biz.carbon |
client.function_context | string | stable Name of the function that executed the query. | api/execute-dql-query; my/function |
client.internal_service_context | string | experimental A string that identifies the Dynatrace service that triggered the query. | dt.davis.datadriver |
client.source | string | stable Dynatrace application that executed the query. | https://tenant.apps.dynatracelabs.com/ui/notebook/a0321331-795c-43e7-87cd-890e4bfa8a09 |
delivered_records | long | experimental The number of records returned by the query. Might differ from actual number of records delivered to the client due to the additional response size limits (max result bytes, max result records, etc.). | 1000 |
dt.security_context | string | resource stable The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model Tags: permission | |
environment | string | experimental A Dynatrace environment/tenant ID. | umsaywsjuo |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | QUERY_EXECUTION_EVENT |
execution_duration_ms | long | deprecated The duration of the query in milliseconds. | 123 |
failed_count | long | experimental Number of failed queries represented by the record. failed_count > 1 represents cases like 'failure_reason=THROTTLED' with individual queries aggregated into a single record. | 1; 321 |
failure_reason | string | experimental Additional information if query execution has 'FAILED'. | QUEUE_TIMEOUT; THROTTLED |
query_end | long | stable Query end time. For aggregated events the query end time may be zero and not reflect the exact end time. | 1683012271413 |
query_id | string | stable The UUID identifying a particular query. For aggregated events this field is null. | e68e5cc8-c31e-4e57-90d7-c6dde20b19d5 |
query_pool | string | experimental The resource pool of the query. | DASHBOARDS |
query_queue_time_ms | long | deprecated The time query spent in queued state (in milliseconds). | 456 |
query_start | long | stable Query start time. For failed queries the start time may be aggregated and not reflect the exact start time but rather the aggregation time. | 1683012271413 |
query_string | string | experimental The query string. For aggregated events this field is null. | fetch bizevents, from:-30m | limit 1 |
sampling_ratio | long | experimental The sampling ratio of the executed query. | 1 |
scanned_bytes | long | experimental The number of scanned bytes. | 1113359256 |
scanned_data_points | long | experimental Number of scanned data points for metric queries. | 20 |
scanned_records | long | experimental The number of scanned records. | 9209037 |
status | string | experimental The outcome of the query. | SUCCEEDED |
table | string | experimental A Dynatrace Grail table name. | logs; metrics |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
user | string | experimental The user ID that triggered the query. For aggregated events this field is null. | b5998ff1-26fd-4aec-80c4-6c59633b5d66 |
user.email | string | stable The user email that triggered the query. For aggregated events this field is null. | john.doe@dynatrace.com |
user.id | string | stable The user UUID that triggered the query. For aggregated events this field is null. | b5998ff1-26fd-4aec-80c4-6c59633b5d66 |
version | string | resource deprecated Used in Extension Framework 2.0 The record version | 1 |
failure_reason MUST be one of the following:
| Value | Description |
|---|---|
QUEUE_TIMEOUT | Query timed out before execution due to resource or tenant quota limit. |
THROTTLED | Query was rejected due to too many queries waiting in the queue. Reported either as records with full details or as aggregated batches with limited metadata. |
INVALID_QUERY | Query cannot be parsed due to a syntax error. |
PARSING_LIMIT | Query cannot be parsed because it exceeds the complexity limit of the parser. |
PARSING_FAILED | Query cannot be parsed due to an internal error. |
EXECUTION_FAILED | Execution of the submitted query failed because of internal an error. |
INSUFFICIENT_PERMISSIONS | Query cannot be executed because the requester doesn't have permissions to a queried table. |
EXECUTION_TIMEOUT | Query execution was canceled because it exceeded the allowed running time. |
MEMORY_LIMIT | Query execution was canceled because memory usage limit is exceeded. |
FUNCTION_LIMIT | Query execution was canceled because of user-defined functions limit is exceeded. |
RECORD_SIZE_LIMIT | Query execution was canceled because record size limit is exceeded. |
TABLE_SIZE_LIMIT | Query execution was canceled because table size limit is exceeded. |
FAILIF_CONDITION | Query execution was canceled because the condition of a failIf command was met. |
Model describing a billing usage event for the Runtime Application Protection DPS capability.
Billing usage events are stored in the dt.system.events table.
Analyze billing usage for Runtime Application Protection on 15-minute billing intervals.
Note that complete usage for events is displayed only for Dynatrace versions 1.312+. Earlier versions will display partial usage.
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Runtime Application Protection"| dedup event.id
| Attribute | Type | Description | Examples |
|---|---|---|---|
billed_gibibyte_hours | double | stable How many gibibyte hours of the capability has been consumed by the host | 16.02 |
dt.cost.costcenter | string | resource stable Can be used to assign usage to a Cost Center. | Team A |
dt.cost.product | string | resource stable Can be used to assign usage to a Product or Application ID. | Product A |
dt.entity.host | string | resource stable An entity ID of an entity of type HOST. Tags: entity-id | HOST-E0D8F94D9065F24F |
dt.security_context | string | resource stable The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model Tags: permission | BILLING_USAGE_EVENT |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | LIMA_CLIENT |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Runtime Application Protection |
event.version | string | stable Describes the version of the event. | 1.0.0 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
usage.end | timestamp | experimental End time of the usage timeframe (exclusive). | 2023-05-22T11:30:00.000000Z |
usage.start | timestamp | experimental Start time of the usage timeframe (inclusive). | 2023-05-22T11:15:00.000000Z |
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_CLIENT | LIMA Client Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Runtime Application Protection | Runtime Application Protection |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
Model describing a billing usage event for the Runtime Vulnerability Analytics DPS capability.
Billing usage events are stored in the dt.system.events table.
Analyze billing usage for Runtime Vulnerability Analytics on 15-minute billing intervals.
Note that complete usage for events is displayed only for Dynatrace versions 1.312+. Earlier versions will display partial usage.
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Runtime Vulnerability Analytics"| dedup event.id
| Attribute | Type | Description | Examples |
|---|---|---|---|
billed_gibibyte_hours | double | stable How many gibibyte hours of the capability has been consumed by the host | 16.02 |
dt.cost.costcenter | string | resource stable Can be used to assign usage to a Cost Center. | Team A |
dt.cost.product | string | resource stable Can be used to assign usage to a Product or Application ID. | Product A |
dt.entity.host | string | resource stable An entity ID of an entity of type HOST. Tags: entity-id | HOST-E0D8F94D9065F24F |
dt.security_context | string | resource stable The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model Tags: permission | BILLING_USAGE_EVENT |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | LIMA_CLIENT |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Runtime Vulnerability Analytics |
event.version | string | stable Describes the version of the event. | 1.0.0 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
usage.end | timestamp | experimental End time of the usage timeframe (exclusive). | 2023-05-22T11:30:00.000000Z |
usage.start | timestamp | experimental Start time of the usage timeframe (inclusive). | 2023-05-22T11:15:00.000000Z |
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_CLIENT | LIMA Client Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Runtime Vulnerability Protection | Runtime Vulnerability Protection |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
Model describing a billing usage event for Security Posture Management. Billing usage events are stored in the dt.system.events table.
Analyze usage events for the "Security Posture Management" capability.
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Security Posture Management"| dedup event.id
| Attribute | Type | Description | Examples |
|---|---|---|---|
dt.entity.kubernetes_cluster | string | resource stable An entity ID of an entity of type KUBERNETES_CLUSTER. Tags: entity-id | KUBERNETES_CLUSTER-E0D8F94D9065F24F |
dt.entity.kubernetes_node | string | resource stable An entity ID of an entity of type KUBERNETES_NODE. Tags: entity-id | KUBERNETES_NODE-874C66B68CE15070 |
dt.security_context | string | resource stable The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model Tags: permission | BILLING_USAGE_EVENT |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | LIMA_USAGE_STREAM |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Security Posture Management |
event.version | string | stable Describes the version of the event. | 1.0.0 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_USAGE_STREAM | LIMA Usage Stream Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Security Posture Management | Security Posture Management |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
Model describing a billing usage event for ingest and process of traces. Billing usage events are stored in the dt.system.events table.
Analyze billing usage events for the "Traces - Ingest & Process" capability.
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Traces - Ingest & Process"| dedup event.id
| Attribute | Type | Description | Examples |
|---|---|---|---|
dt.security_context | string | resource stable The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model Tags: permission | BILLING_USAGE_EVENT |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | LIMA_CLIENT |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Traces - Ingest & Process |
event.version | string | stable Describes the version of the event. | 1.0.0 |
ingested_bytes | long | experimental The size in bytes of ingested spans. | 1113359256 |
ingested_spans | long | experimental The number of ingested spans. | 1113359256 |
licensing_type | string | experimental The origin/type of the ingested spans. | fullstack-adaptive |
timestamp | timestamp | stable Start time of the usage timeframe (inclusive). | 2023-05-22T11:15:00.000000Z |
usage.end | timestamp | experimental End time of the usage timeframe (exclusive). | 2023-05-22T11:30:00.000000Z |
usage.start | timestamp | experimental Start time of the usage timeframe (inclusive). | 2023-05-22T11:15:00.000000Z |
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_CLIENT | LIMA Client Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Traces - Ingest & Process | Traces - Ingest & Process |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
licensing_type MUST be one of the following:
| Value | Description |
|---|---|
fullstack-adaptive | The ingested_bytes origins from an ATM aware fullstack source. |
fullstack-fixed-rate | The ingested_bytes origins from an ATM unaware fullstack source. |
otlp-trace-ingest | The ingested_bytes origins from the "OTLP Trace Ingest API". |
serverless | The ingested_bytes origins from a serverless source. |
Model describing a billing usage event of a traces query execution. Billing usage events are stored in the dt.system.events table.
Analyze billing usage events.
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Traces - Query"
| Attribute | Type | Description | Examples |
|---|---|---|---|
action_type | string | stable Indicates if the query was executed to fetch records or to delete them. | QUERY; DELETION |
billed_bytes | long | stable The number of bytes that will be billed. | 1113359256 |
client.application_context | string | stable A Dynatrace app ID. | local-dev-mode; dynatrace.notebooks; my.biz.carbon |
client.function_context | string | stable Name of the function that executed the query. | api/execute-dql-query; my/function |
client.source | string | stable Dynatrace application that executed the query. | https://tenant.apps.dynatracelabs.com/ui/notebook/a0321331-795c-43e7-87cd-890e4bfa8a09 |
dt.security_context | string | resource stable The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model Tags: permission | BILLING_USAGE_EVENT |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | LIMA_USAGE_STREAM |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Traces - Query |
event.version | string | stable Describes the version of the event. | 1.0 |
query_id | string | stable The UUID identifying a particular query. | e68e5cc8-c31e-4e57-90d7-c6dde20b19d5 |
query_start | long | stable Query start time. | 1683012271413 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
user.email | string | stable Email of the user. | user@mail.com |
user.id | string | stable Unique UUID of a human user. If the system itself has to be represented, the constant 'system' is used. | 35ba9499-f87c-4047-962c-14dc32e255e5; system |
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_USAGE_STREAM | LIMA Usage Stream Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Traces - Query | Traces Query Execution |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
Model describing the billing usage event for retention of events per Grail bucket. Billing usage events are stored in the dt.system.events table.
Analyze billing usage events.
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Traces - Retain"
| Attribute | Type | Description | Examples |
|---|---|---|---|
billed_bytes | long | stable The number of bytes that will be billed. | 1113359256 |
dt.security_context | string | resource stable The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model Tags: permission | BILLING_USAGE_EVENT |
event.id | string | stable Unique identifier string of an event; is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example, the name of the component or system that generated the event. Tags: permission | LIMA_USAGE_STREAM |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Traces - Retain |
event.version | string | stable Describes the version of the event. | 1.0.0 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
usage.bucket | string | stable A Dynatrace Grail usage span bucket name. | default_spans |
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_USAGE_STREAM | LIMA Usage Stream Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Traces - Retain | Traces Retain |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |