System event models
System events are used to store details about executed queries, auditing events, billing events and more. In order to query system events, you need the storage:system:read permission.
fetch dt.system.events
Anomaly Detector Status Event
The anomaly detector status events are used for Davis anomaly detection. They track errors and warnings during the execution of an anomaly detector. Examples:
- Query runs into a timeout
- Query fails as unauthorized
- Query result is truncated as the scanned bytes limit was reached
- …
Anomaly detectors status events can be analyzed with the following DQL query:
fetch dt.system.events| filter event.kind == "ANOMALY_DETECTOR_STATUS_EVENT"
Attribute
Type
Description
Examples
client.application_contextstring
stable
A Dynatrace app id
A Dynatrace app id
local-dev-mode; dynatrace.notebooks; my.biz.carbonclient.internal_service_contextstring
experimental
A string that identifies the Dynatrace service that triggered the query.
A string that identifies the Dynatrace service that triggered the query.
dt.davis.datadriverdavis.anomaly_detector.messagestring
experimental
Additional details about the anomaly detector status
Additional details about the anomaly detector status
Maximum number of concurrent queries per tenant reached.davis.anomaly_detector.statusstring
experimental
Severity of an anomaly detector status
Severity of an anomaly detector status
ERROR; WARNINGdt.settings.object_idstring
experimental
The object ID of a settings value. This corresponds to the 'objectId' field/parameter in the Settings API.
The object ID of a settings value. This corresponds to the 'objectId' field/parameter in the Settings API.
vu9U3hXa3q0AAAABACFidWlsdGluOnJ1bS51c2VyLWV4cGVyaWVuY2Utc2NvcmUABnRlbmFudAAGdGVuYW50ACRhMzZmYmYwMy00NDY1LTNlNTYtOTZiOS1kOWMzOGQ3MzU1NmO-71TeFdrerQevent.kindstring
stable
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
permissionANOMALY_DETECTOR_STATUS_EVENTtimestamptimestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123Audit Event
For every API access, Dynatrace stores an audit event in the dt.system.events table.
Additionally the Audit Event allows to attach an arbitrary key/value map with string keys and string values to the event. Keys are prefixed with "details." during serialization.
You can analyze audit events with the following DQL query:
fetch dt.system.events| filter event.kind == "AUDIT_EVENT"
Attribute
Type
Description
Examples
app.idstring
stable
The unique application identifier. Dynatrace apps are prefixed with 'dynatrace.', custom apps are prefixed with 'my.'
The unique application identifier. Dynatrace apps are prefixed with 'dynatrace.', custom apps are prefixed with 'my.'
dynatrace.notebooks; my.awesome.appauthentication.client.idstring
experimental
The OAuth2 client id if of type 'CLIENT_CREDENTIALS'.
The OAuth2 client id if of type 'CLIENT_CREDENTIALS'.
dt0s02.UZCK6ENL.2YQ2A3DZUEISRJSUU5544J3SC3TMPXSEEMNA5HK7RW54SJ6XKLYGMWJNKL7B2DNHauthentication.grant.typestring
experimental
The grant type used during OAuth2 authentication.
The grant type used during OAuth2 authentication.
AUTHORIZATION_CODE; CLIENT_CREDENTIALSauthentication.tokenstring
experimental
The public token identifier of authentication.type 'TOKEN'.
The public token identifier of authentication.type 'TOKEN'.
dt0c01.AM4SEYKIBROBEJ2N3HAXZ4IXauthentication.typestring
experimental
The method of authentication.
The method of authentication.
OAUTH2dt.security_contextstring
experimental
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here
Tags:
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here
Tags:
permission event.idstring
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000event.kindstring
stable
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
permissionAUDIT_EVENTevent.outcomestring
stable
Denotes whether the event represents a success or a failure from the perspective of the entity that produced the event (e.g. an HTTP response code).
Denotes whether the event represents a success or a failure from the perspective of the entity that produced the event (e.g. an HTTP response code).
200; success; failureevent.providerstring
stable
Source of the event, for example the name of the component or system that generated the event.
Tags:
Source of the event, for example the name of the component or system that generated the event.
Tags:
permissionAPI_GATEWAYevent.typestring
stable
The unique type identifier of a given event.
Tags:
The unique type identifier of a given event.
Tags:
permissionPOST; PUT; GETevent.versionstring
stable
Describes the version of the event.
Describes the version of the event.
1.0.0origin.addressstring
experimental
Source IP address of the request associated with this event if not of 'LOCAL' type.
Source IP address of the request associated with this event if not of 'LOCAL' type.
10.11.12.13origin.sessionstring
experimental
The id of the browser session (if present) associated with the event.
The id of the browser session (if present) associated with the event.
node0hfzncorigin.typestring
experimental
Origin type of the request associated with this event.
Origin type of the request associated with this event.
REST; LOCALorigin.x_forwarded_forstring
experimental
The verbatim value of the X-Forwarded-For HTTP request header (if present) of the request associated with the event.
The verbatim value of the X-Forwarded-For HTTP request header (if present) of the request associated with the event.
1.2.3.4resourcestring
stable
Generic reference to a resource like a REST resource URL or a settings id
Generic reference to a resource like a REST resource URL or a settings id
/service/resource; 1234567890timestamptimestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123user.idstring
stable
Unique identifer of a user.
Unique identifer of a user.
35ba9499-f87c-4047-962c-14dc32e255e5user.namestring
experimental
Full name of the user.
Full name of the user.
Wolfgang Amadeus Mozartuser.organizationstring
experimental
Organization the user belongs to.
Organization the user belongs to.
DYNATRACE; CUSTOMER; PARTNERAutomation Workflow billing usage
Model describing a billing usage event of automation workflows. Billing usage events are stored in the dt.system.events table. You can analyze billing usage events with the following DQL query:
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Automation Workflow"
Attribute
Type
Description
Examples
billing_typestring
stable
The identifier defining the billing type.
The identifier defining the billing type.
BILLABLEdt.security_contextstring
experimental
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here
Tags:
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here
Tags:
permissionBILLING_USAGE_EVENTevent.endstring
stable
The event end timestamp in UTC (given in Grail preferred Linux timestamp nano precision format).
The event end timestamp in UTC (given in Grail preferred Linux timestamp nano precision format).
16481073970000event.idstring
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000event.kindstring
stable
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
permissionBILLING_USAGE_EVENTevent.providerstring
stable
Source of the event, for example the name of the component or system that generated the event.
Tags:
Source of the event, for example the name of the component or system that generated the event.
Tags:
permissionLIMA_USAGE_STREAMevent.startstring
stable
The event start timestamp in UTC (given in Grail preferred Linux timestamp nano precision format).
The event start timestamp in UTC (given in Grail preferred Linux timestamp nano precision format).
16481073970000event.typestring
stable
The unique type identifier of a given event.
Tags:
The unique type identifier of a given event.
Tags:
permissionAutomation Workflowevent.versionstring
stable
Describes the version of the event.
Describes the version of the event.
1.0.0timestamptimestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123workflow.actorstring
stable
The entity executing the workflow as UUID.
The entity executing the workflow as UUID.
b22a50a0-2540-4f29-9452-bc330322fb1eworkflow.created_attimestamp
stable
The time when the workflow was created.
The time when the workflow was created.
1649822520123123123workflow.descriptionstring
stable
The description of the workflow.
The description of the workflow.
This is a test workflowworkflow.idstring
stable
The unique identifier of a workflow as UUID.
The unique identifier of a workflow as UUID.
26c0334e-a3e1-4585-8cd8-2d72742fe141workflow.is_privatestring
stable
The boolean identifier denoting the visibility of the workflow.
The boolean identifier denoting the visibility of the workflow.
true; falseworkflow.ownerstring
stable
The entity owning the workflow as UUID.
The entity owning the workflow as UUID.
f1358516-8136-4634-9012-d2e3dfee38dcworkflow.titlestring
stable
The title of the workflow.
The title of the workflow.
Test Workflowworkflow.trigger_typestring
stable
The identifier describing the trigger of the workflow.
The identifier describing the trigger of the workflow.
schedule; manualworkflow.updated_bystring
stable
The entity updating the workflow last.
The entity updating the workflow last.
f1358516-8136-4634-9012-d2e3dfee38dcValues
event.kind MUST be one of the following:
Value
Description
BILLING_USAGE_EVENTBilling usage event
event.provider MUST be one of the following:
Value
Description
LIMA_USAGE_STREAMLIMA Usage Stream Service
event.type MUST be one of the following:
Value
Description
Automation WorkflowAutomation Workflow
dt.security_context MUST be one of the following:
Value
Description
BILLING_USAGE_EVENTBilling usage event
Data Deletion Events
Dynatrace stores a data deletion event for each segment that got rewritten in the dt.system.events table. You can analyze data deletion events with the following DQL query:
fetch dt.system.events| filter event.kind == "DATA_DELETION_EVENT"
Attribute
Type
Description
Examples
bucketstring
experimental
A Dynatrace Grail bucket name
A Dynatrace Grail bucket name
default_logs; default_eventsclient.api_versionstring
stable
The REST API version used by the client to perform the request
The REST API version used by the client to perform the request
1deletion_endlong
experimental
End of a particular deletion
End of a particular deletion
1649822520123123123deletion_idstring
experimental
The UUID identifying a particular deletion
The UUID identifying a particular deletion
c454347c-0ba9-4bd3-870e-d06dc1657f71deletion_startlong
experimental
Start of a particular deletion
Start of a particular deletion
1649822520123123123dt.security_contextstring
experimental
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here
Tags:
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here
Tags:
permission environmentstring
experimental
A Dyntrace environment/tenant ID
A Dyntrace environment/tenant ID
umsaywsjuoevent.kindstring
stable
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
permissionINFRASTRUCTURE_EVENT; DAVIS_EVENT; BIZ_EVENT; RUM_EVENT; AUDIT_EVENT; BILLING_USAGE_EVENTfailure_reasonstring
experimental
Additional information if query execution has 'FAILED'.
Additional information if query execution has 'FAILED'.
QUEUE_TIMEOUT; THROTTLEDquery_stringstring
experimental
The query string
The query string
fetch bizevents, from:-30m | limit 1rewritten_byteslong
experimental
The number of rewritten bytes in the context of record deletion
The number of rewritten bytes in the context of record deletion
1113359256statusstring
experimental
The outcome of the query
The outcome of the query
SUCCEEDEDtimestamptimestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123user.emailstring
stable
E-mail of the user.
E-mail of the user.
user@mail.comuser.idstring
stable
Unique identifer of a user.
Unique identifer of a user.
35ba9499-f87c-4047-962c-14dc32e255e5versionstring
deprecated
Used in Extension Framework 2.0
The SNMP version.
Used in Extension Framework 2.0
The SNMP version.
SNMPv3AppEngine Functions - Small billing usage
Model describing a billing usage event of function invocations. Billing usage events are stored in the dt.system.events table. You can analyze billing usage events with the following DQL query:
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "AppEngine Functions - Small"
Attribute
Type
Description
Examples
billed_invocationslong
stable
Number of billed invocations. Unit is 1/4 GiB * min
Number of billed invocations. Unit is 1/4 GiB * min
8billing_typestring
stable
The identifier defining the billing type.
The identifier defining the billing type.
BILLABLEcaller.app.idstring
stable
The entity/app invoking the function or not set when not invoked by an app.
The entity/app invoking the function or not set when not invoked by an app.
dynatrace.hubdt.security_contextstring
experimental
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here
Tags:
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here
Tags:
permissionBILLING_USAGE_EVENTevent.idstring
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000event.kindstring
stable
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
permissionBILLING_USAGE_EVENTevent.providerstring
stable
Source of the event, for example the name of the component or system that generated the event.
Tags:
Source of the event, for example the name of the component or system that generated the event.
Tags:
permissionLIMA_USAGE_STREAMevent.typestring
stable
The unique type identifier of a given event.
Tags:
The unique type identifier of a given event.
Tags:
permissionAppEngine Functions - Smallevent.versionstring
stable
Describes the version of the event.
Describes the version of the event.
1.0.0function.duration_seclong
stable
Duration of the function call in seconds. Measures not the actual execution time but the duration in the function proxy including network roundtrip to the Runtime. If the duration is bigger than the maximum allowed duration (which may happen due to technical reasons) the reported value is set to the maximum allowed duration.
Duration of the function call in seconds. Measures not the actual execution time but the duration in the function proxy including network roundtrip to the Runtime. If the duration is bigger than the maximum allowed duration (which may happen due to technical reasons) the reported value is set to the maximum allowed duration.
60function.execution_idstring
stable
If the execution of a resumable function last for more than 2 minutes, there will be multiple
If the execution of a resumable function last for more than 2 minutes, there will be multiple
BILLING_USAGE_EVENTs created for that execution, which will have the same value in this field. It can therefore be used to join BILLING_USAGE_EVENTs for long running function invocations.1bfa32fa-679e-4ac9-b683-2d2cdd4b6314function.idstring
stable
The unique identifier of a function containing the app id and function id in the form of {app.id}.{function.id}. Missing for adhoc executions.
The unique identifier of a function containing the app id and function id in the form of {app.id}.{function.id}. Missing for adhoc executions.
myapp.test/path/myfunctionfunction.memory_miblong
stable
Runtime memory in MiB. Some of the memory is not available to the javascript code, because it is needed by the runtime itself.
Runtime memory in MiB. Some of the memory is not available to the javascript code, because it is needed by the runtime itself.
128function.typestring
stable
The identifier defining the function type.
The identifier defining the function type.
STANDARD; ACTION; AD_HOCinvocation.typestring
stable
The identifier defining the invocation type.
The identifier defining the invocation type.
API; SCHEDULE; EVENTtimestamptimestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123user.emailstring
stable
E-mail of the user.
E-mail of the user.
user@mail.comuser.idstring
stable
Unique identifer of a user.
Unique identifer of a user.
35ba9499-f87c-4047-962c-14dc32e255e5Values
event.kind MUST be one of the following:
Value
Description
BILLING_USAGE_EVENTBilling usage event
event.provider MUST be one of the following:
Value
Description
LIMA_USAGE_STREAMLIMA Usage Stream Service
event.type MUST be one of the following:
Value
Description
AppEngine Functions - SmallAppEngine Functions - Small
dt.security_context MUST be one of the following:
Value
Description
BILLING_USAGE_EVENTBilling usage event
function.type MUST be one of the following:
Value
Description
AD_HOCAdhoc function execution
STANDARDApp function execution
ACTIONApp function execution, but function is defined as an Action in the app manifest
invocation.type MUST be one of the following:
Value
Description
APIApp or Adhoc function is executed synchronously, meaning it is not triggered by an automation.
<unspecified>App or Adhoc function is executed asynchronously, meaning it is triggered by an automation.
Events - Ingest & Process billing usage
Model describing a billing usage event of ingest for events. Billing usage events are stored in the dt.system.events table. You can analyze billing usage events with the following DQL query:
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Events - Ingest & Process"| dedup event.id
Attribute
Type
Description
Examples
billed_byteslong
stable
The number of bytes that will be billed.
The number of bytes that will be billed.
1113359256dt.security_contextstring
experimental
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here
Tags:
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here
Tags:
permissionBILLING_USAGE_EVENTevent.billing.categorystring
stable
Display name for usage details
Display name for usage details
Business events; Custom Davis & Kubernetes events; Kubernetes warning events; Davis AI problems; Security eventsevent.idstring
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000event.kindstring
stable
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
permissionBILLING_USAGE_EVENTevent.providerstring
stable
Source of the event, for example the name of the component or system that generated the event.
Tags:
Source of the event, for example the name of the component or system that generated the event.
Tags:
permissionLIMA_CLIENTevent.typestring
stable
The unique type identifier of a given event.
Tags:
The unique type identifier of a given event.
Tags:
permissionEvents - Ingest & Processevent.versionstring
stable
Describes the version of the event.
Describes the version of the event.
1.0.0timestamptimestamp
stable
Start time of the usage timeframe (inclusive)
Start time of the usage timeframe (inclusive)
2023-05-22T11:15:00.000000Zusage.endtimestamp
stable
End time of the usage timeframe (exclusive)
End time of the usage timeframe (exclusive)
2023-05-22T11:30:00.000000Zusage.event_bucketstring
stable
A Dynatrace Grail usage event bucket name
A Dynatrace Grail usage event bucket name
default_davis_custom_eventsusage.starttimestamp
stable
Start time of the usage timeframe (inclusive)
Start time of the usage timeframe (inclusive)
2023-05-22T11:15:00.000000ZValues
event.kind MUST be one of the following:
Value
Description
BILLING_USAGE_EVENTBilling usage event
event.provider MUST be one of the following:
Value
Description
LIMA_CLIENTLIMA Client Service
event.type MUST be one of the following:
Value
Description
Events - Ingest & ProcessEvents - Ingest & Process
dt.security_context MUST be one of the following:
Value
Description
BILLING_USAGE_EVENTBilling usage event
Metrics - Ingest & Process billing usage
Model describing a billing usage event of ingest & process for metrics. Billing usage events are stored in the dt.system.events table. You can analyze billing usage events with the following DQL query:
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Metrics - Ingest & Process"
Attribute
Type
Description
Examples
data_pointslong
stable
The number of billable metrics data points.
The number of billable metrics data points.
1500dt.security_contextstring
experimental
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here
Tags:
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here
Tags:
permissionBILLING_USAGE_EVENTevent.idstring
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000event.kindstring
stable
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
permissionBILLING_USAGE_EVENTevent.providerstring
stable
Source of the event, for example the name of the component or system that generated the event.
Tags:
Source of the event, for example the name of the component or system that generated the event.
Tags:
permissionLIMA_USAGE_STREAMevent.typestring
stable
The unique type identifier of a given event.
Tags:
The unique type identifier of a given event.
Tags:
permissionMetrics - Ingest & Processevent.versionstring
stable
Describes the version of the event.
Describes the version of the event.
1.0.0metric.typestring
stable
Identifies the type of metric and therefore the timeseries rollup functions it supports.
Identifies the type of metric and therefore the timeseries rollup functions it supports.
summary_statsmonitoring_sourcestring
stable
Monitoring source that originally reported the data. See 'dt.system.monitoring_source'.
Monitoring source that originally reported the data. See 'dt.system.monitoring_source'.
fullstack_hosttimestamptimestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123usage.endtimestamp
stable
End time of the usage timeframe (exclusive)
End time of the usage timeframe (exclusive)
2023-05-22T11:30:00.000000Zusage.event_bucketstring
stable
A Dynatrace Grail usage event bucket name
A Dynatrace Grail usage event bucket name
default_logsusage.starttimestamp
stable
Start time of the usage timeframe (inclusive)
Start time of the usage timeframe (inclusive)
2023-05-22T11:15:00.000000ZValues
event.kind MUST be one of the following:
Value
Description
BILLING_USAGE_EVENTBilling usage event
event.provider MUST be one of the following:
Value
Description
LIMA_USAGE_STREAMLIMA Usage Stream Service
event.type MUST be one of the following:
Value
Description
Metrics - Ingest & ProcessMetrics - Ingest & Process
dt.security_context MUST be one of the following:
Value
Description
BILLING_USAGE_EVENTBilling usage event
Query Execution Events
Dynatrace stores a query execution event for each query that got executed in the dt.system.events table. You can analyze query execution events with the following DQL query:
fetch dt.system.events| filter event.kind == "QUERY_EXECUTION_EVENT"
DQL query to find the number of succeeded queries:
fetch dt.system.events| filter event.kind == "QUERY_EXECUTION_EVENT"| filter status == "SUCCEEDED"| summarize countDistinct(query_id)
DQL query to find aggregated number of failed queries:
fetch dt.system.events| filter event.kind == "QUERY_EXECUTION_EVENT"| summarize sum(failed_count)
Attribute
Type
Description
Examples
analysis_timeframe.endtimestamp
experimental
End time of query analysis timeframe
End time of query analysis timeframe
2023-05-22T13:15:57.416654000analysis_timeframe.starttimestamp
experimental
Start time of query analysis timeframe
Start time of query analysis timeframe
2023-05-22T11:15:57.416654000bucketstring
experimental
A Dynatrace Grail bucket name
A Dynatrace Grail bucket name
default_logs; default_eventsclient.api_versionstring
stable
The REST API version used by the client to perform the request
The REST API version used by the client to perform the request
1client.application_contextstring
stable
A Dynatrace app id
A Dynatrace app id
local-dev-mode; dynatrace.notebooks; my.biz.carbonclient.function_contextstring
stable
Name of the function that executed the query
Name of the function that executed the query
api/execute-dql-query; my/functionclient.internal_service_contextstring
experimental
A string that identifies the Dynatrace service that triggered the query.
A string that identifies the Dynatrace service that triggered the query.
dt.davis.datadriverclient.sourcestring
stable
The client source URL
The client source URL
https://twqaxovyotonguh5hupot6aqztyf5quf-umsaywsjuo.dev5.dev.apps.dynatracelabs.com/ui/notebook/ec9f1b89-a8a3-4e1e-bf22-193089ecc470delivered_recordslong
experimental
The number of records returned by the query
The number of records returned by the query
1000dt.security_contextstring
experimental
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here
Tags:
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here
Tags:
permission environmentstring
experimental
A Dyntrace environment/tenant ID
A Dyntrace environment/tenant ID
umsaywsjuoevent.kindstring
stable
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
permissionQUERY_EXECUTION_EVENTexecution_duration_mslong
experimental
The duration of the query in milliseconds.
The duration of the query in milliseconds.
123failed_countlong
experimental
Number of failed queries represented by the record.
Number of failed queries represented by the record.
failed_count > 1 represents cases like 'failure_reason=THROTTLED' with individual queries aggregated into a single record.1; 321failure_reasonstring
experimental
Additional information if query execution has 'FAILED'.
Additional information if query execution has 'FAILED'.
QUEUE_TIMEOUT; THROTTLEDquery_idstring
stable
The UUID identifying a particular query. For aggregated events this field is null.
The UUID identifying a particular query. For aggregated events this field is null.
e68e5cc8-c31e-4e57-90d7-c6dde20b19d5query_poolstring
experimental
The resource pool of the query
The resource pool of the query
DASHBOARDSquery_queue_time_mslong
experimental
The time query spent in queued state (in milliseconds).
The time query spent in queued state (in milliseconds).
456query_startlong
stable
Query start time. For failed queries the start time may be aggregated and not reflect the exact start time but rather the aggregation time.
Query start time. For failed queries the start time may be aggregated and not reflect the exact start time but rather the aggregation time.
1683012271413query_stringstring
experimental
The query string. For aggregated events this field is null.
The query string. For aggregated events this field is null.
fetch bizevents, from:-30m | limit 1sampling_ratiolong
experimental
The sampling ration of the executed query
The sampling ration of the executed query
1scanned_byteslong
experimental
The number of scanned bytes
The number of scanned bytes
1113359256scanned_data_pointslong
experimental
Number of scanned data points for metric queries
Number of scanned data points for metric queries
20scanned_recordslong
experimental
The number of scanned records
The number of scanned records
9209037statusstring
experimental
The outcome of the query
The outcome of the query
SUCCEEDEDtimestamptimestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123userstring
experimental
The user ID that triggered the query. For aggregated events this field is null.
The user ID that triggered the query. For aggregated events this field is null.
john.doe@dynatrace.comuser.emailstring
stable
The user email that triggered the query. For aggregated events this field is null.
The user email that triggered the query. For aggregated events this field is null.
john.doe@dynatrace.comuser.idstring
stable
The user UUID that triggered the query. For aggregated events this field is null.
The user UUID that triggered the query. For aggregated events this field is null.
03962cb6-aefc-4ca0-bad9-326099a977feversionstring
deprecated
Used in Extension Framework 2.0
The record version
Used in Extension Framework 2.0
The record version
1Values
failure_reason MUST be one of the following:
Value
Description
QUEUE_TIMEOUTQuery timed out before execution due to resource or tenant quota limit
THROTTLEDQuery was rejected due to too many queries waiting in the queue. Reported either as records with full details or as aggregated batches with limited metadata.
Events - Query billing usage
Model describing a billing usage event of a events query execution. Billing usage events are stored in the dt.system.events table. You can analyze billing usage events with the following DQL query:
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Events - Query"
Attribute
Type
Description
Examples
action_typestring
stable
Indicates if the query was executed to fetch records or to delete them
Indicates if the query was executed to fetch records or to delete them
QUERY; DELETIONbilled_byteslong
stable
The number of bytes that will be billed.
The number of bytes that will be billed.
1113359256billing_typestring
stable
The identifier defining the billing type.
The identifier defining the billing type.
BILLABLEclient.application_contextstring
stable
A Dynatrace app id
A Dynatrace app id
local-dev-mode; dynatrace.notebooks; my.biz.carbonclient.function_contextstring
stable
Name of the function that executed the query
Name of the function that executed the query
api/execute-dql-query; my/functiondt.security_contextstring
experimental
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here
Tags:
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here
Tags:
permissionBILLING_USAGE_EVENTevent.billing.categorystring
stable
Display name for usage details
Display name for usage details
Business events; Custom Davis & Kubernetes events; Kubernetes warning events; Davis AI problems; Security eventsevent.idstring
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000event.kindstring
stable
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
permissionBILLING_USAGE_EVENTevent.providerstring
stable
Source of the event, for example the name of the component or system that generated the event.
Tags:
Source of the event, for example the name of the component or system that generated the event.
Tags:
permissionLIMA_USAGE_STREAMevent.typestring
stable
The unique type identifier of a given event.
Tags:
The unique type identifier of a given event.
Tags:
permissionEvents - Queryevent.versionstring
stable
Describes the version of the event.
Describes the version of the event.
1.0; 2.0query_idstring
stable
The UUID identifying a particular query
The UUID identifying a particular query
e68e5cc8-c31e-4e57-90d7-c6dde20b19d5query_startlong
stable
Query start time
Query start time
1683012271413timestamptimestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123usage.event_bucketstring
stable
A Dynatrace Grail usage event bucket name
A Dynatrace Grail usage event bucket name
default_bizevents; default_davis_custom_eventsuser.emailstring
stable
E-mail of the user.
E-mail of the user.
user@mail.comuser.idstring
stable
Unique identifer of a user.
Unique identifer of a user.
35ba9499-f87c-4047-962c-14dc32e255e5Values
event.kind MUST be one of the following:
Value
Description
BILLING_USAGE_EVENTBilling usage event
event.provider MUST be one of the following:
Value
Description
LIMA_USAGE_STREAMLIMA Usage Stream Service
event.type MUST be one of the following:
Value
Description
Events - QueryEvents Query Execution
dt.security_context MUST be one of the following:
Value
Description
BILLING_USAGE_EVENTBilling usage event
Log Management & Analytics - Query billing usage
Model describing a billing usage event of a logs query execution. Billing usage events are stored in the dt.system.events table. You can analyze billing usage events with the following DQL query:
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Log Management & Analytics - Query"
Attribute
Type
Description
Examples
action_typestring
stable
Indicates if the query was executed to fetch records or to delete them
Indicates if the query was executed to fetch records or to delete them
QUERY; DELETIONbilled_byteslong
stable
The number of bytes that will be billed.
The number of bytes that will be billed.
1113359256billing_typestring
stable
The identifier defining the billing type.
The identifier defining the billing type.
BILLABLEclient.application_contextstring
stable
A Dynatrace app id
A Dynatrace app id
local-dev-mode; dynatrace.notebooks; my.biz.carbonclient.function_contextstring
stable
Name of the function that executed the query
Name of the function that executed the query
api/execute-dql-query; my/functiondt.security_contextstring
experimental
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here
Tags:
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here
Tags:
permissionBILLING_USAGE_EVENTevent.idstring
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000event.kindstring
stable
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
permissionBILLING_USAGE_EVENTevent.providerstring
stable
Source of the event, for example the name of the component or system that generated the event.
Tags:
Source of the event, for example the name of the component or system that generated the event.
Tags:
permissionLIMA_USAGE_STREAMevent.typestring
stable
The unique type identifier of a given event.
Tags:
The unique type identifier of a given event.
Tags:
permissionLog Management & Analytics - Queryevent.versionstring
stable
Describes the version of the event.
Describes the version of the event.
1.0query_idstring
stable
The UUID identifying a particular query
The UUID identifying a particular query
e68e5cc8-c31e-4e57-90d7-c6dde20b19d5query_startlong
stable
Query start time
Query start time
1683012271413timestamptimestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123user.emailstring
stable
E-mail of the user.
E-mail of the user.
user@mail.comuser.idstring
stable
Unique identifer of a user.
Unique identifer of a user.
35ba9499-f87c-4047-962c-14dc32e255e5Values
event.kind MUST be one of the following:
Value
Description
BILLING_USAGE_EVENTBilling usage event
event.provider MUST be one of the following:
Value
Description
LIMA_USAGE_STREAMLIMA Usage Stream Service
event.type MUST be one of the following:
Value
Description
Log Management & Analytics - QueryLogs Query Execution
dt.security_context MUST be one of the following:
Value
Description
BILLING_USAGE_EVENTBilling usage event
Events - Retain billing usage
Model describing the billing usage event for retention of events per Grail bucket. Billing usage events are stored in the dt.system.events table. You can analyze billing usage events with the following DQL query:
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Events - Retain"
Attribute
Type
Description
Examples
billed_byteslong
stable
The number of bytes that will be billed.
The number of bytes that will be billed.
1113359256dt.security_contextstring
experimental
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here
Tags:
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here
Tags:
permissionBILLING_USAGE_EVENTevent.billing.categorystring
stable
Display name for usage details
Display name for usage details
Business events; Custom Davis & Kubernetes events; Kubernetes warning events; Davis AI problems; Security eventsevent.idstring
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000event.kindstring
stable
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
permissionBILLING_USAGE_EVENTevent.providerstring
stable
Source of the event, for example the name of the component or system that generated the event.
Tags:
Source of the event, for example the name of the component or system that generated the event.
Tags:
permissionLIMA_USAGE_STREAMevent.typestring
stable
The unique type identifier of a given event.
Tags:
The unique type identifier of a given event.
Tags:
permissionEvent - Retainevent.versionstring
stable
Describes the version of the event.
Describes the version of the event.
1.0.0timestamptimestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123usage.event_bucketstring
stable
A Dynatrace Grail usage event bucket name
A Dynatrace Grail usage event bucket name
default_bizevents; default_davis_custom_eventsValues
event.kind MUST be one of the following:
Value
Description
BILLING_USAGE_EVENTBilling usage event
event.provider MUST be one of the following:
Value
Description
LIMA_USAGE_STREAMLIMA Usage Stream Service
event.type MUST be one of the following:
Value
Description
Events - RetainEvents Retain
dt.security_context MUST be one of the following:
Value
Description
BILLING_USAGE_EVENTBilling usage event
Log Management & Analytics - Retain billing usage
Model describing the billing usage event for retention of events per Grail bucket. Billing usage events are stored in the dt.system.events table. You can analyze billing usage events with the following DQL query:
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Log Management & Analytics - Retain"
Attribute
Type
Description
Examples
billed_byteslong
stable
The number of bytes that will be billed.
The number of bytes that will be billed.
1113359256dt.security_contextstring
experimental
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here
Tags:
The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here
Tags:
permissionBILLING_USAGE_EVENTevent.idstring
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000event.kindstring
stable
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event.
Tags:
permissionBILLING_USAGE_EVENTevent.providerstring
stable
Source of the event, for example the name of the component or system that generated the event.
Tags:
Source of the event, for example the name of the component or system that generated the event.
Tags:
permissionLIMA_USAGE_STREAMevent.typestring
stable
The unique type identifier of a given event.
Tags:
The unique type identifier of a given event.
Tags:
permissionLog Management & Analytics - Retainevent.versionstring
stable
Describes the version of the event.
Describes the version of the event.
1.0.0timestamptimestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1649822520123123123usage.event_bucketstring
stable
A Dynatrace Grail usage event bucket name
A Dynatrace Grail usage event bucket name
default_logsValues
event.kind MUST be one of the following:
Value
Description
BILLING_USAGE_EVENTBilling usage event
event.provider MUST be one of the following:
Value
Description
LIMA_USAGE_STREAMLIMA Usage Stream Service
event.type MUST be one of the following:
Value
Description
Log Management & Analytics - RetainLogs Retain
dt.security_context MUST be one of the following:
Value
Description
BILLING_USAGE_EVENTBilling usage event
Dynatrace Self-monitoring Event
Events that are generated by Dynatrace components with self-monitoring information (health, status, unexpected situations)
Fields
Attribute
Type
Description
Examples
contentstring
experimental
Unstructured content of the record. It should contain human readable message. Often it is raw version of record read from a source.
Unstructured content of the record. It should contain human readable message. Often it is raw version of record read from a source.
No keepalive from datasource statsd. Restartingdt.active_gate.group.namestring
experimental
The name of group ActiveGate instance belongs to
The name of group ActiveGate instance belongs to
GdanskLabdt.entity.hoststring
stable
An entity ID of an entity of type HOST.
Tags:
An entity ID of an entity of type HOST.
Tags:
entity-idHOST-E0D8F94D9065F24Fdt.event.keystring
experimental
Preregistered event key for sfm events whitelisting
Preregistered event key for sfm events whitelisting
extension.status; extension.engine.eec_statusdt.extension.config.idstring
experimental
Extension's monitoring configuration identifier.
Extension's monitoring configuration identifier.
vu9U3hXa3q0AAAABAAtleHQ6ZXh0LTA0MAAIYWdfZ3JvdXAAA0FHMQAkMjY2YTIyM2YtZDgxYi0zNTNjLThlYzctYzk2YzliZjg4OGQ3vu9U3hXa3q0dt.extension.dsstring
experimental
Name of the data source.
Name of the data source.
SNMPTrapdt.extension.namestring
experimental
Name of the extension.
Name of the extension.
com.snmptrap.genericdt.extension.statusstring
experimental
The status of the component reporting SFM event
The status of the component reporting SFM event
AUTHENTICATION_ERRORdt.source_entitystring
experimental
The ID of the entity considered the source of the measurement. The string needs to be in the format of any MONITORED_ENTITY type. 1
Tags:
The ID of the entity considered the source of the measurement. The string needs to be in the format of any MONITORED_ENTITY type. 1
Tags:
entity-idHOST-E0D8F94D9065F24F; PROCESS_GROUP_INSTANCE-E0D8F94D9065F24Flog.sourcestring
dsfm; isfmtimestamptimestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
16498225201231231231
Value of this attribute will be based on one of dt.entity.<type> attributes value. That means that both attributes dt.source_entity and corresponding dt.entity.<type> will be set to the same ID.
2
Can contain e.g. a file path, standard output, an URI etc., depending on log stream type. The value should be stable for one logical source, so e.g. not affected by log file rotation digits.