System event models
System events are used to store details about executed queries, auditing events, billing events and more. In order to query system events, you need the storage:system:read permission.
fetch dt.system.events
Anomaly Detector Status Event
The anomaly detector status events are used for Davis anomaly detection. They track errors and warnings during the execution of an anomaly detector. Examples:
- Query runs into a timeout
- Query fails as unauthorized
- Query result is truncated as the scanned bytes limit was reached
- …
Anomaly detectors status events can be analyzed with the following DQL query:
fetch dt.system.events| filter event.kind == "ANOMALY_DETECTOR_STATUS_EVENT"
| Attribute | Type | Description | Examples |
|---|---|---|---|
client.application_context | string | stable A Dynatrace app id | local-dev-mode; dynatrace.notebooks; my.biz.carbon |
client.internal_service_context | string | experimental A string that identifies the Dynatrace service that triggered the query. | dt.davis.datadriver |
davis.anomaly_detector.message | string | experimental Additional details about the anomaly detector status | Maximum number of concurrent queries per tenant reached. |
davis.anomaly_detector.status | string | experimental Severity of an anomaly detector status | ERROR; WARNING |
dt.settings.object_id | string | experimental The object ID of a settings value. This corresponds to the 'objectId' field/parameter in the Settings API. | vu9U3hXa3q0AAAABACFidWlsdGluOnJ1bS51c2VyLWV4cGVyaWVuY2Utc2NvcmUABnRlbmFudAAGdGVuYW50ACRhMzZmYmYwMy00NDY1LTNlNTYtOTZiOS1kOWMzOGQ3MzU1NmO-71TeFdrerQ |
event.kind | string | stable Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event. Tags: permission | ANOMALY_DETECTOR_STATUS_EVENT |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
Audit Event
For every API access, Dynatrace stores an audit event in the dt.system.events table.
Additionally the Audit Event allows to attach an arbitrary key/value map with string keys and string values to the event. Keys are prefixed with "details." during serialization.
You can analyze audit events with the following DQL query:
fetch dt.system.events| filter event.kind == "AUDIT_EVENT"
| Attribute | Type | Description | Examples |
|---|---|---|---|
app.id | string | stable The unique application identifier. Dynatrace apps are prefixed with 'dynatrace.', custom apps are prefixed with 'my.' | dynatrace.notebooks; my.awesome.app |
authentication.client.id | string | experimental The OAuth2 client id if of type 'CLIENT_CREDENTIALS'. | dt0s02.UZCK6ENL.2YQ2A3DZUEISRJSUU5544J3SC3TMPXSEEMNA5HK7RW54SJ6XKLYGMWJNKL7B2DNH |
authentication.grant.type | string | experimental The grant type used during OAuth2 authentication. | AUTHORIZATION_CODE; CLIENT_CREDENTIALS |
authentication.token | string | experimental The public token identifier of authentication.type 'TOKEN'. | dt0c01.AM4SEYKIBROBEJ2N3HAXZ4IX |
authentication.type | string | experimental The method of authentication. | OAUTH2 |
dt.security_context | string | experimental The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here: https://docs.dynatrace.com/docs/shortlink/dynatrace-grail Tags: permission | |
event.id | string | stable Unique identifier string of an event, is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event. Tags: permission | AUDIT_EVENT |
event.outcome | string | stable Denotes whether the event represents a success or a failure from the perspective of the entity that produced the event (e.g. an HTTP response code). | 200; success; failure |
event.provider | string | stable Source of the event, for example the name of the component or system that generated the event. Tags: permission | API_GATEWAY |
event.type | string | stable The unique type identifier of a given event. Tags: permission | POST; PUT; GET |
event.version | string | stable Describes the version of the event. | 1.0.0 |
origin.address | string | experimental Source IP address of the request associated with this event if not of 'LOCAL' type. | 10.11.12.13 |
origin.session | string | experimental The id of the browser session (if present) associated with the event. | node0hfznc |
origin.type | string | experimental Origin type of the request associated with this event. | REST; LOCAL |
origin.x_forwarded_for | string | experimental The verbatim value of the X-Forwarded-For HTTP request header (if present) of the request associated with the event. | 1.2.3.4 |
resource | string | stable Generic reference to a resource like a REST resource URL or a settings id | /service/resource; 1234567890 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
user.id | string | stable Unique identifer of a user. | 35ba9499-f87c-4047-962c-14dc32e255e5 |
user.name | string | experimental Full name of the user. | Wolfgang Amadeus Mozart |
user.organization | string | experimental Organization the user belongs to. | DYNATRACE; CUSTOMER; PARTNER |
Automation Workflow billing usage
Model describing a billing usage event of automation workflows. Billing usage events are stored in the dt.system.events table. You can analyze billing usage events with the following DQL query:
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Automation Workflow"
| Attribute | Type | Description | Examples |
|---|---|---|---|
billing_type | string | stable The identifier defining the billing type. | BILLABLE |
dt.security_context | string | experimental The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here: https://docs.dynatrace.com/docs/shortlink/dynatrace-grail Tags: permission | BILLING_USAGE_EVENT |
event.end | string | stable The event end timestamp in UTC (given in Grail preferred Linux timestamp nano precision format). | 16481073970000 |
event.id | string | stable Unique identifier string of an event, is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example the name of the component or system that generated the event. Tags: permission | LIMA_USAGE_STREAM |
event.start | string | stable The event start timestamp in UTC (given in Grail preferred Linux timestamp nano precision format). | 16481073970000 |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Automation Workflow |
event.version | string | stable Describes the version of the event. | 1.0.0 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
workflow.actor | string | stable The entity executing the workflow as UUID. | b22a50a0-2540-4f29-9452-bc330322fb1e |
workflow.created_at | timestamp | stable The time when the workflow was created. | 1649822520123123123 |
workflow.description | string | stable The description of the workflow. | This is a test workflow |
workflow.id | string | stable The unique identifier of a workflow as UUID. | 26c0334e-a3e1-4585-8cd8-2d72742fe141 |
workflow.is_private | string | stable The boolean identifier denoting the visibility of the workflow. | true; false |
workflow.owner | string | stable The entity owning the workflow as UUID. | f1358516-8136-4634-9012-d2e3dfee38dc |
workflow.title | string | stable The title of the workflow. | Test Workflow |
workflow.trigger_type | string | stable The identifier describing the trigger of the workflow. | schedule; manual |
workflow.updated_by | string | stable The entity updating the workflow last. | f1358516-8136-4634-9012-d2e3dfee38dc |
Values
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_USAGE_STREAM | LIMA Usage Stream Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Automation Workflow | Automation Workflow |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
Data Deletion Events
Dynatrace stores a data deletion event for each segment that got rewritten in the dt.system.events table. You can analyze data deletion events with the following DQL query:
fetch dt.system.events| filter event.kind == "DATA_DELETION_EVENT"
| Attribute | Type | Description | Examples |
|---|---|---|---|
bucket | string | experimental A Dynatrace Grail bucket name | default_logs; default_events |
client.api_version | string | stable The REST API version used by the client to perform the request | 1 |
deletion_end | long | experimental End of a particular deletion | 1649822520123123123 |
deletion_id | string | experimental The UUID identifying a particular deletion | c454347c-0ba9-4bd3-870e-d06dc1657f71 |
deletion_start | long | experimental Start of a particular deletion | 1649822520123123123 |
dt.security_context | string | experimental The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here: https://docs.dynatrace.com/docs/shortlink/dynatrace-grail Tags: permission | |
environment | string | experimental A Dyntrace environment/tenant ID | umsaywsjuo |
event.kind | string | stable Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event. Tags: permission | INFRASTRUCTURE_EVENT; DAVIS_EVENT; BIZ_EVENT; RUM_EVENT; AUDIT_EVENT; BILLING_USAGE_EVENT |
failure_reason | string | experimental Additional information if query execution has 'FAILED'. | QUEUE_TIMEOUT; THROTTLED |
query_string | string | experimental The query string | fetch bizevents, from:-30m | limit 1 |
rewritten_bytes | long | experimental The number of rewritten bytes in the context of record deletion | 1113359256 |
status | string | experimental The outcome of the query | SUCCEEDED |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
user.email | string | stable E-mail of the user. | user@mail.com |
user.id | string | stable Unique identifer of a user. | 35ba9499-f87c-4047-962c-14dc32e255e5 |
version | string | deprecated Used in Extension Framework 2.0 The SNMP version. | SNMPv3 |
AppEngine Functions - Small billing usage
Model describing a billing usage event of function invocations. Billing usage events are stored in the dt.system.events table. You can analyze billing usage events with the following DQL query:
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "AppEngine Functions - Small"
| Attribute | Type | Description | Examples |
|---|---|---|---|
billed_invocations | long | stable Number of billed invocations. Unit is 1/4 GiB * min | 8 |
billing_type | string | stable The identifier defining the billing type. | BILLABLE |
caller.app.id | string | stable The entity/app invoking the function or not set when not invoked by an app. | dynatrace.hub |
dt.security_context | string | experimental The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here: https://docs.dynatrace.com/docs/shortlink/dynatrace-grail Tags: permission | BILLING_USAGE_EVENT |
event.id | string | stable Unique identifier string of an event, is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example the name of the component or system that generated the event. Tags: permission | LIMA_USAGE_STREAM |
event.type | string | stable The unique type identifier of a given event. Tags: permission | AppEngine Functions - Small |
event.version | string | stable Describes the version of the event. | 1.0.0 |
function.duration_sec | long | stable Duration of the function call in seconds. Measures not the actual execution time but the duration in the function proxy including network roundtrip to the Runtime. If the duration is bigger than the maximum allowed duration (which may happen due to technical reasons) the reported value is set to the maximum allowed duration. | 60 |
function.execution_id | string | stable If the execution of a resumable function last for more than 2 minutes, there will be multiple BILLING_USAGE_EVENTs created for that execution, which will have the same value in this field. It can therefore be used to join BILLING_USAGE_EVENTs for long running function invocations. | 1bfa32fa-679e-4ac9-b683-2d2cdd4b6314 |
function.id | string | stable The unique identifier of a function containing the app id and function id in the form of {app.id}.{function.id}. Missing for adhoc executions. | myapp.test/path/myfunction |
function.memory_mib | long | stable Runtime memory in MiB. Some of the memory is not available to the javascript code, because it is needed by the runtime itself. | 128 |
function.type | string | stable The identifier defining the function type. | STANDARD; ACTION; AD_HOC |
invocation.type | string | stable The identifier defining the invocation type. | API; SCHEDULE; EVENT |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
user.email | string | stable E-mail of the user. | user@mail.com |
user.id | string | stable Unique identifer of a user. | 35ba9499-f87c-4047-962c-14dc32e255e5 |
Values
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_USAGE_STREAM | LIMA Usage Stream Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
AppEngine Functions - Small | AppEngine Functions - Small |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
function.type MUST be one of the following:
| Value | Description |
|---|---|
AD_HOC | Adhoc function execution |
STANDARD | App function execution |
ACTION | App function execution, but function is defined as an Action in the app manifest |
invocation.type MUST be one of the following:
| Value | Description |
|---|---|
API | App or Adhoc function is executed synchronously, meaning it is not triggered by an automation. |
<unspecified> | App or Adhoc function is executed asynchronously, meaning it is triggered by an automation. |
Events - Ingest & Process billing usage
Model describing a billing usage event of ingest for events. Billing usage events are stored in the dt.system.events table. You can analyze billing usage events with the following DQL query:
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Events - Ingest & Process"| dedup event.id
| Attribute | Type | Description | Examples |
|---|---|---|---|
billed_bytes | long | stable The number of bytes that will be billed. | 1113359256 |
dt.security_context | string | experimental The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here: https://docs.dynatrace.com/docs/shortlink/dynatrace-grail Tags: permission | BILLING_USAGE_EVENT |
event.billing.category | string | stable Display name for usage details | Business events; Custom Davis & Kubernetes events; Kubernetes warning events; Davis AI problems; Security events |
event.id | string | stable Unique identifier string of an event, is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example the name of the component or system that generated the event. Tags: permission | LIMA_CLIENT |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Events - Ingest & Process |
event.version | string | stable Describes the version of the event. | 1.0.0 |
timestamp | timestamp | stable Start time of the usage timeframe (inclusive) | 2023-05-22T11:15:00.000000Z |
usage.end | timestamp | stable End time of the usage timeframe (exclusive) | 2023-05-22T11:30:00.000000Z |
usage.event_bucket | string | stable A Dynatrace Grail usage event bucket name | default_davis_custom_events |
usage.start | timestamp | stable Start time of the usage timeframe (inclusive) | 2023-05-22T11:15:00.000000Z |
Values
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_CLIENT | LIMA Client Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Events - Ingest & Process | Events - Ingest & Process |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
Metrics - Ingest & Process billing usage
Model describing a billing usage event of ingest & process for metrics. Billing usage events are stored in the dt.system.events table. You can analyze billing usage events with the following DQL query:
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Metrics - Ingest & Process"
| Attribute | Type | Description | Examples |
|---|---|---|---|
data_points | long | stable The number of billable metrics data points. | 1500 |
dt.security_context | string | experimental The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here: https://docs.dynatrace.com/docs/shortlink/dynatrace-grail Tags: permission | BILLING_USAGE_EVENT |
event.id | string | stable Unique identifier string of an event, is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example the name of the component or system that generated the event. Tags: permission | LIMA_USAGE_STREAM |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Metrics - Ingest & Process |
event.version | string | stable Describes the version of the event. | 1.0.0 |
metric.type | string | stable Identifies the type of metric and therefore the timeseries rollup functions it supports. | summary_stats |
monitoring_source | string | stable Monitoring source that originally reported the data. See 'dt.system.monitoring_source'. | fullstack_host |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
usage.end | timestamp | stable End time of the usage timeframe (exclusive) | 2023-05-22T11:30:00.000000Z |
usage.event_bucket | string | stable A Dynatrace Grail usage event bucket name | default_logs |
usage.start | timestamp | stable Start time of the usage timeframe (inclusive) | 2023-05-22T11:15:00.000000Z |
Values
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_USAGE_STREAM | LIMA Usage Stream Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Metrics - Ingest & Process | Metrics - Ingest & Process |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
Query Execution Events
Dynatrace stores a query execution event for each query that got executed in the dt.system.events table. You can analyze query execution events with the following DQL query:
fetch dt.system.events| filter event.kind == "QUERY_EXECUTION_EVENT"
DQL query to find the number of succeeded queries:
fetch dt.system.events| filter event.kind == "QUERY_EXECUTION_EVENT"| filter status == "SUCCEEDED"| summarize countDistinct(query_id)
DQL query to find aggregated number of failed queries:
fetch dt.system.events| filter event.kind == "QUERY_EXECUTION_EVENT"| summarize sum(failed_count)
| Attribute | Type | Description | Examples |
|---|---|---|---|
analysis_timeframe.end | timestamp | experimental End time of query analysis timeframe | 2023-05-22T13:15:57.416654000 |
analysis_timeframe.start | timestamp | experimental Start time of query analysis timeframe | 2023-05-22T11:15:57.416654000 |
bucket | string | experimental A Dynatrace Grail bucket name | default_logs; default_events |
client.api_version | string | stable The REST API version used by the client to perform the request | 1 |
client.application_context | string | stable A Dynatrace app id | local-dev-mode; dynatrace.notebooks; my.biz.carbon |
client.function_context | string | stable Name of the function that executed the query | api/execute-dql-query; my/function |
client.internal_service_context | string | experimental A string that identifies the Dynatrace service that triggered the query. | dt.davis.datadriver |
client.source | string | stable The client source URL | https://twqaxovyotonguh5hupot6aqztyf5quf-umsaywsjuo.dev5.dev.apps.dynatracelabs.com/ui/notebook/ec9f1b89-a8a3-4e1e-bf22-193089ecc470 |
delivered_records | long | experimental The number of records returned by the query | 1000 |
dt.security_context | string | experimental The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here: https://docs.dynatrace.com/docs/shortlink/dynatrace-grail Tags: permission | |
environment | string | experimental A Dyntrace environment/tenant ID | umsaywsjuo |
event.kind | string | stable Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event. Tags: permission | QUERY_EXECUTION_EVENT |
execution_duration_ms | long | experimental The duration of the query in milliseconds. | 123 |
failed_count | long | experimental Number of failed queries represented by the record. failed_count > 1 represents cases like 'failure_reason=THROTTLED' with individual queries aggregated into a single record. | 1; 321 |
failure_reason | string | experimental Additional information if query execution has 'FAILED'. | QUEUE_TIMEOUT; THROTTLED |
query_id | string | stable The UUID identifying a particular query. For aggregated events this field is null. | e68e5cc8-c31e-4e57-90d7-c6dde20b19d5 |
query_pool | string | experimental The resource pool of the query | DASHBOARDS |
query_queue_time_ms | long | experimental The time query spent in queued state (in milliseconds). | 456 |
query_start | long | stable Query start time. For failed queries the start time may be aggregated and not reflect the exact start time but rather the aggregation time. | 1683012271413 |
query_string | string | experimental The query string. For aggregated events this field is null. | fetch bizevents, from:-30m | limit 1 |
sampling_ratio | long | experimental The sampling ration of the executed query | 1 |
scanned_bytes | long | experimental The number of scanned bytes | 1113359256 |
scanned_data_points | long | experimental Number of scanned data points for metric queries | 20 |
scanned_records | long | experimental The number of scanned records | 9209037 |
status | string | experimental The outcome of the query | SUCCEEDED |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
user | string | experimental The user ID that triggered the query. For aggregated events this field is null. | john.doe@dynatrace.com |
user.email | string | stable The user email that triggered the query. For aggregated events this field is null. | john.doe@dynatrace.com |
user.id | string | stable The user UUID that triggered the query. For aggregated events this field is null. | 03962cb6-aefc-4ca0-bad9-326099a977fe |
version | string | deprecated Used in Extension Framework 2.0 The record version | 1 |
Values
failure_reason MUST be one of the following:
| Value | Description |
|---|---|
QUEUE_TIMEOUT | Query timed out before execution due to resource or tenant quota limit |
THROTTLED | Query was rejected due to too many queries waiting in the queue. Reported either as records with full details or as aggregated batches with limited metadata. |
Events - Query billing usage
Model describing a billing usage event of a events query execution. Billing usage events are stored in the dt.system.events table. You can analyze billing usage events with the following DQL query:
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Events - Query"
| Attribute | Type | Description | Examples |
|---|---|---|---|
action_type | string | stable Indicates if the query was executed to fetch records or to delete them | QUERY; DELETION |
billed_bytes | long | stable The number of bytes that will be billed. | 1113359256 |
billing_type | string | stable The identifier defining the billing type. | BILLABLE |
client.application_context | string | stable A Dynatrace app id | local-dev-mode; dynatrace.notebooks; my.biz.carbon |
client.function_context | string | stable Name of the function that executed the query | api/execute-dql-query; my/function |
dt.security_context | string | experimental The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here: https://docs.dynatrace.com/docs/shortlink/dynatrace-grail Tags: permission | BILLING_USAGE_EVENT |
event.billing.category | string | stable Display name for usage details | Business events; Custom Davis & Kubernetes events; Kubernetes warning events; Davis AI problems; Security events |
event.id | string | stable Unique identifier string of an event, is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example the name of the component or system that generated the event. Tags: permission | LIMA_USAGE_STREAM |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Events - Query |
event.version | string | stable Describes the version of the event. | 1.0; 2.0 |
query_id | string | stable The UUID identifying a particular query | e68e5cc8-c31e-4e57-90d7-c6dde20b19d5 |
query_start | long | stable Query start time | 1683012271413 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
usage.event_bucket | string | stable A Dynatrace Grail usage event bucket name | default_bizevents; default_davis_custom_events |
user.email | string | stable E-mail of the user. | user@mail.com |
user.id | string | stable Unique identifer of a user. | 35ba9499-f87c-4047-962c-14dc32e255e5 |
Values
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_USAGE_STREAM | LIMA Usage Stream Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Events - Query | Events Query Execution |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
Log Management & Analytics - Query billing usage
Model describing a billing usage event of a logs query execution. Billing usage events are stored in the dt.system.events table. You can analyze billing usage events with the following DQL query:
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Log Management & Analytics - Query"
| Attribute | Type | Description | Examples |
|---|---|---|---|
action_type | string | stable Indicates if the query was executed to fetch records or to delete them | QUERY; DELETION |
billed_bytes | long | stable The number of bytes that will be billed. | 1113359256 |
billing_type | string | stable The identifier defining the billing type. | BILLABLE |
client.application_context | string | stable A Dynatrace app id | local-dev-mode; dynatrace.notebooks; my.biz.carbon |
client.function_context | string | stable Name of the function that executed the query | api/execute-dql-query; my/function |
dt.security_context | string | experimental The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here: https://docs.dynatrace.com/docs/shortlink/dynatrace-grail Tags: permission | BILLING_USAGE_EVENT |
event.id | string | stable Unique identifier string of an event, is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example the name of the component or system that generated the event. Tags: permission | LIMA_USAGE_STREAM |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Log Management & Analytics - Query |
event.version | string | stable Describes the version of the event. | 1.0 |
query_id | string | stable The UUID identifying a particular query | e68e5cc8-c31e-4e57-90d7-c6dde20b19d5 |
query_start | long | stable Query start time | 1683012271413 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
user.email | string | stable E-mail of the user. | user@mail.com |
user.id | string | stable Unique identifer of a user. | 35ba9499-f87c-4047-962c-14dc32e255e5 |
Values
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_USAGE_STREAM | LIMA Usage Stream Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Log Management & Analytics - Query | Logs Query Execution |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
Events - Retain billing usage
Model describing the billing usage event for retention of events per Grail bucket. Billing usage events are stored in the dt.system.events table. You can analyze billing usage events with the following DQL query:
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Events - Retain"
| Attribute | Type | Description | Examples |
|---|---|---|---|
billed_bytes | long | stable The number of bytes that will be billed. | 1113359256 |
dt.security_context | string | experimental The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here: https://docs.dynatrace.com/docs/shortlink/dynatrace-grail Tags: permission | BILLING_USAGE_EVENT |
event.billing.category | string | stable Display name for usage details | Business events; Custom Davis & Kubernetes events; Kubernetes warning events; Davis AI problems; Security events |
event.id | string | stable Unique identifier string of an event, is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example the name of the component or system that generated the event. Tags: permission | LIMA_USAGE_STREAM |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Event - Retain |
event.version | string | stable Describes the version of the event. | 1.0.0 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
usage.event_bucket | string | stable A Dynatrace Grail usage event bucket name | default_bizevents; default_davis_custom_events |
Values
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_USAGE_STREAM | LIMA Usage Stream Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Events - Retain | Events Retain |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
Log Management & Analytics - Retain billing usage
Model describing the billing usage event for retention of events per Grail bucket. Billing usage events are stored in the dt.system.events table. You can analyze billing usage events with the following DQL query:
fetch dt.system.events| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Log Management & Analytics - Retain"
| Attribute | Type | Description | Examples |
|---|---|---|---|
billed_bytes | long | stable The number of bytes that will be billed. | 1113359256 |
dt.security_context | string | experimental The security context is used in access permissions to limit the visibility. Learn more about the Dynatrace permission model here: https://docs.dynatrace.com/docs/shortlink/dynatrace-grail Tags: permission | BILLING_USAGE_EVENT |
event.id | string | stable Unique identifier string of an event, is stable across multiple refreshes and updates. | 5547782627070661074_1647601320000 |
event.kind | string | stable Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event. Tags: permission | BILLING_USAGE_EVENT |
event.provider | string | stable Source of the event, for example the name of the component or system that generated the event. Tags: permission | LIMA_USAGE_STREAM |
event.type | string | stable The unique type identifier of a given event. Tags: permission | Log Management & Analytics - Retain |
event.version | string | stable Describes the version of the event. | 1.0.0 |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
usage.event_bucket | string | stable A Dynatrace Grail usage event bucket name | default_logs |
Values
event.kind MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
event.provider MUST be one of the following:
| Value | Description |
|---|---|
LIMA_USAGE_STREAM | LIMA Usage Stream Service |
event.type MUST be one of the following:
| Value | Description |
|---|---|
Log Management & Analytics - Retain | Logs Retain |
dt.security_context MUST be one of the following:
| Value | Description |
|---|---|
BILLING_USAGE_EVENT | Billing usage event |
Dynatrace Self-monitoring Event
Events that are generated by Dynatrace components with self-monitoring information (health, status, unexpected situations)
Fields
| Attribute | Type | Description | Examples |
|---|---|---|---|
content | string | experimental Unstructured content of the record. It should contain human readable message. Often it is raw version of record read from a source. | No keepalive from datasource statsd. Restarting |
dt.active_gate.group.name | string | experimental The name of group ActiveGate instance belongs to | GdanskLab |
dt.entity.host | string | stable An entity ID of an entity of type HOST. Tags: entity-id | HOST-E0D8F94D9065F24F |
dt.event.key | string | experimental Preregistered event key for sfm events whitelisting | extension.status; extension.engine.eec_status |
dt.extension.config.id | string | experimental Extension's monitoring configuration identifier. | vu9U3hXa3q0AAAABAAtleHQ6ZXh0LTA0MAAIYWdfZ3JvdXAAA0FHMQAkMjY2YTIyM2YtZDgxYi0zNTNjLThlYzctYzk2YzliZjg4OGQ3vu9U3hXa3q0 |
dt.extension.ds | string | experimental Name of the data source. | SNMPTrap |
dt.extension.name | string | experimental Name of the extension. | com.snmptrap.generic |
dt.extension.status | string | experimental The status of the component reporting SFM event | AUTHENTICATION_ERROR |
dt.source_entity | string | experimental The ID of the entity considered the source of the measurement. The string needs to be in the format of any MONITORED_ENTITY type. 1 Tags: entity-id | HOST-E0D8F94D9065F24F; PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F |
log.source | string | stable Human readable attribute which allows to identify log stream. 2 Tags: permission | dsfm; isfm |
timestamp | timestamp | stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 |
1 Value of this attribute will be based on one of dt.entity. 2 Can contain e.g. a file path, standard output, an URI etc., depending on log stream type. The value should be stable for one logical source, so e.g. not affected by log file rotation digits. |