System events are used to store details about executed queries, auditing events, billing events and more. In order to query system events, you need the storage:system:read permission.
Query
Query system events.
Anomaly Detector Status Event
The anomaly detector status events are used for Davis anomaly detection.
They track errors and warnings during the execution of an anomaly detector. Examples:
- Query runs into a timeout
- Query fails as unauthorized
- Query result is truncated as the scanned bytes limit was reached
- …
Query
Analyze anomaly detectors status events.
fetch dt.system.events
| filter event.kind == "ANOMALY_DETECTOR_STATUS_EVENT"
client.application_context
local-dev-mode; dynatrace.notebooks; my.biz.carbon
client.internal_service_context
experimental
A string that identifies the Dynatrace service that triggered the query.
davis.anomaly_detector.message
experimental
Additional details about the anomaly detector status
Maximum number of concurrent queries per tenant reached.
davis.anomaly_detector.status
experimental
Severity of an anomaly detector status
experimental
The object ID of a settings value. This corresponds to the 'objectId' field/parameter in the Settings API.
vu9U3hXa3q0AAAABACFidWlsdGluOnJ1bS51c2VyLWV4cGVyaWVuY2Utc2NvcmUABnRlbmFudAAGdGVuYW50ACRhMzZmYmYwMy00NDY1LTNlNTYtOTZiOS1kOWMzOGQ3MzU1NmO-71TeFdrerQ
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
ANOMALY_DETECTOR_STATUS_EVENT
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
AppEngine Functions - Small billing usage
Model describing a billing usage event of function invocations. Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage events.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "AppEngine Functions - Small"
stable
Number of billed invocations. Unit is 1/4 GiB * min
deprecated
The identifier defining the billing type.
stable
The entity/app invoking the function or not set when not invoked by an app.
experimental
The service invoking the function or not set when not invoked by a service.
experimental
The unique application identifier. Dynatrace apps are prefixed with 'dynatrace.', custom apps are prefixed with 'my.'
dynatrace.notebooks; my.awesome.app
stableThe security context is used in access permissions to limit the visibility. Learn more about the
Dynatrace permission modelTags:
permission stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
AppEngine Functions - Small
stable
Describes the version of the event.
stable
Duration of the function call in seconds. Measures not the actual execution time but the duration in the function proxy including network roundtrip to the Runtime. If the duration is bigger than the maximum allowed duration (which may happen due to technical reasons) the reported value is set to the maximum allowed duration.
stable
If the execution of a resumable function last for more than 2 minutes, there will be multiple BILLING_USAGE_EVENTs created for that execution, which will have the same value in this field. It can therefore be used to join BILLING_USAGE_EVENTs for long running function invocations.
1bfa32fa-679e-4ac9-b683-2d2cdd4b6314
stable
The unique identifier of a function containing the app id and function id in the form of {app.id}.{function.id}. Missing for adhoc executions.
myapp.test/path/myfunction
stable
Runtime memory in MiB. Some of the memory is not available to the javascript code, because it is needed by the runtime itself.
stable
The identifier defining the function type.
deprecated
The identifier defining the invocation type.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
stable
E-mail of the user.
stable
Unique UUID of a human user. If the system itself has to be represented, the constant 'system' is used.
35ba9499-f87c-4047-962c-14dc32e255e5; system
Values
event.kind MUST be one of the following:
event.provider MUST be one of the following:
LIMA Usage Stream Service
event.type MUST be one of the following:
AppEngine Functions - Small
AppEngine Functions - Small
dt.security_context MUST be one of the following:
function.type MUST be one of the following:
App function execution, but function is defined as an Action in the app manifest
invocation.type MUST be one of the following:
App or Adhoc function is executed synchronously, meaning it is not triggered by an automation.
App or Adhoc function is executed asynchronously, meaning it is triggered by an automation.
Audit Event
For every API access, Dynatrace stores an audit event in the dt.system.events table.
Additionally the Audit Event allows to attach an arbitrary key/value map with string keys and string values to the event. Keys are prefixed with "details." during serialization.
Query
Analyze audit events.
fetch dt.system.events
| filter event.kind == "AUDIT_EVENT"
deprecated
Deprecated
Deprecated. Use dt.app.id instead.
experimental
The OAuth2 client id if of type 'CLIENT_CREDENTIALS'.
dt0s02.UZCK6ENL.2YQ2A3DZUEISRJSUU5544J3SC3TMPXSEEMNA5HK7RW54SJ6XKLYGMWJNKL7B2DNH
authentication.grant.type
experimental
The grant type used during OAuth2 authentication.
AUTHORIZATION_CODE; CLIENT_CREDENTIALS
experimental
The public token identifier of authentication.type 'TOKEN'.
dt0c01.AM4SEYKIBROBEJ2N3HAXZ4IX
experimental
The method of authentication.
experimental
The unique application identifier. Dynatrace apps are prefixed with 'dynatrace.', custom apps are prefixed with 'my.'
dynatrace.notebooks; my.awesome.app
stableThe security context is used in access permissions to limit the visibility. Learn more about the
Dynatrace permission modelTags:
permission stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Denotes whether the event represents a success or a failure from the perspective of the entity that produced the event (e.g. an HTTP response code).
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
Describes why a certain event.outcome was set, typically this is some form of error description in case if a failure
user is missing permission "logs.read"
stable
The unique type identifier of a given event.
Tags: permission
stable
Describes the version of the event.
experimental
Source IP address of the request associated with this event if not of 'LOCAL' type.
experimental
The id of the browser session (if present) associated with the event.
experimental
Origin type of the request associated with this event.
experimental
The verbatim value of the X-Forwarded-For HTTP request header (if present) of the request associated with the event.
stable
Generic reference to a resource like a REST resource URL or a settings id
/service/resource; 1234567890
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
stable
Unique UUID of a human user. If the system itself has to be represented, the constant 'system' is used.
35ba9499-f87c-4047-962c-14dc32e255e5; system
experimental
Full name of the user. If the system itself has to be represented, the constant 'System' is used.
Wolfgang Amadeus Mozart; System
experimental
Organization the user belongs to.
DYNATRACE; CUSTOMER; PARTNER
Automation Workflow billing usage
Model describing a billing usage event of automation workflows. Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage events for AutomationEngine workflows.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Automation Workflow"
deprecated
The identifier defining the billing type.
stableThe security context is used in access permissions to limit the visibility. Learn more about the
Dynatrace permission modelTags:
permission stable
The event end timestamp in UTC (given in Grail preferred Linux timestamp nano precision format).
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The event start timestamp in UTC (given in Grail preferred Linux timestamp nano precision format).
stable
The unique type identifier of a given event.
Tags: permission
stable
Describes the version of the event.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
stable
The entity executing the workflow as UUID.
b22a50a0-2540-4f29-9452-bc330322fb1e
stable
The time when the workflow was created.
stable
The description of the workflow.
stable
The unique identifier of a workflow as UUID.
26c0334e-a3e1-4585-8cd8-2d72742fe141
stable
The boolean identifier denoting the visibility of the workflow.
stable
The entity owning the workflow as UUID.
f1358516-8136-4634-9012-d2e3dfee38dc
stable
The title of the workflow.
stable
The identifier describing the trigger of the workflow.
stable
The entity updating the workflow last.
f1358516-8136-4634-9012-d2e3dfee38dc
Values
event.kind MUST be one of the following:
event.provider MUST be one of the following:
LIMA Usage Stream Service
event.type MUST be one of the following:
dt.security_context MUST be one of the following:
AutomationEngine action execution event
Model describing an AutomationEngine action execution event. Action execution events are stored in the dt.system.events table.
Query
AutomationEngine action execution state change.
fetch dt.system.events
| filter event.kind == "WORKFLOW_EVENT" and event.provider == "AUTOMATION_ENGINE" and event.type =="ACTION_EXECUTION"
dt.automation_engine.action.app
experimental
The app id of the app containing the executed action.
dt.automation_engine.action.function
experimental
Name of the function implementing the action.
dt.automation_engine.action_execution.id
experimental
The unique identifier of a action execution as UUID.
23e7b55a-884f-4497-8ad6-8d49d52b4348
dt.automation_engine.action_execution.loop.index
experimental
Loop index of the action execution.
dt.automation_engine.action_execution.retry.count
experimental
Retry count of the action execution.
dt.automation_engine.state
experimental
The state of an execution. Values depend on type of execution (workflow-, task-, or action execution).
dt.automation_engine.state.is_final
experimental
Indicates if dt.automation_engine.state is a final and immutable state or if further processing will happen.
dt.automation_engine.state_info
experimental
Additional info about current state of execution. Typically holds error details.
dt.automation_engine.task.name
experimental
The identifier of a task within a workflow.
dt.automation_engine.task_execution.id
experimental
The unique identifier of a task execution as UUID.
6580d4af-6b1f-4e54-92fa-f47e94507acd
dt.automation_engine.workflow.id
experimental
The unique identifier of a workflow as UUID.
26c0334e-a3e1-4585-8cd8-2d72742fe141
dt.automation_engine.workflow.title
experimental
The title of the workflow.
dt.automation_engine.workflow_execution.id
experimental
The unique identifier of a workflow execution as UUID.
737a248b-d1cb-49a4-bf08-7d4c37dbfb1e
dt.openpipeline.pipelines
experimental
Collects the identifiers of all pipelines through which a record has passed during the ingestion process in OpenPipeline, providing a complete trace of its journey.
[[logs:default], [logs:pipeline_haproxy_2656, bizevents:default]]
experimental
Identifies the source (such as API endpoints or OneAgent) used for ingesting the record into OpenPipeline.
/platform/ingest/v1/events; oneagent
stable
The difference of start_time and end_time in nanoseconds.
stable
End time of a data point. Value is an UNIX Epoch time in nanoseconds and greater or equal the start_time.
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
stable
Start time of a data point. Value is an UNIX Epoch time in nanoseconds and less or equal the end_time.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
Values
event.kind MUST be one of the following:
Event in context of a workflow
event.provider MUST be one of the following:
Event produced by AutomationEngine
event.type MUST be one of the following:
Task execution state change event
dt.automation_engine.state MUST be one of the following:
Action execution started.
Action execution finished successfully.
AutomationEngine task execution event
Model describing an AutomationEngine task execution event. Task execution events are stored in the dt.system.events table.
Query
AutomationEngine task execution state change.
fetch dt.system.events
| filter event.kind == "WORKFLOW_EVENT" and event.provider == "AUTOMATION_ENGINE" and event.type =="TASK_EXECUTION"
dt.automation_engine.state
experimental
The state of an execution. Values depend on type of execution (workflow-, task-, or action execution).
dt.automation_engine.state.is_final
experimental
Indicates if dt.automation_engine.state is a final and immutable state or if further processing will happen.
dt.automation_engine.state_info
experimental
Additional info about current state of execution. Typically holds error details.
dt.automation_engine.task.name
experimental
The identifier of a task within a workflow.
dt.automation_engine.task_execution.id
experimental
The unique identifier of a task execution as UUID.
6580d4af-6b1f-4e54-92fa-f47e94507acd
dt.automation_engine.workflow.id
experimental
The unique identifier of a workflow as UUID.
26c0334e-a3e1-4585-8cd8-2d72742fe141
dt.automation_engine.workflow.title
experimental
The title of the workflow.
dt.automation_engine.workflow_execution.id
experimental
The unique identifier of a workflow execution as UUID.
737a248b-d1cb-49a4-bf08-7d4c37dbfb1e
dt.openpipeline.pipelines
experimental
Collects the identifiers of all pipelines through which a record has passed during the ingestion process in OpenPipeline, providing a complete trace of its journey.
[[logs:default], [logs:pipeline_haproxy_2656, bizevents:default]]
experimental
Identifies the source (such as API endpoints or OneAgent) used for ingesting the record into OpenPipeline.
/platform/ingest/v1/events; oneagent
stable
The difference of start_time and end_time in nanoseconds.
stable
End time of a data point. Value is an UNIX Epoch time in nanoseconds and greater or equal the start_time.
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
stable
Start time of a data point. Value is an UNIX Epoch time in nanoseconds and less or equal the end_time.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
Values
event.kind MUST be one of the following:
Event in context of a workflow
event.provider MUST be one of the following:
Event produced by AutomationEngine
event.type MUST be one of the following:
Task execution state change event
dt.automation_engine.state MUST be one of the following:
Task skipped due to task conditions evaluation or task is disabled.
Task discarded due to predecessor task conditions evaluation.
Task waiting due to e.g. task option configuration.
Task execution has running action execution.
Task execution finished successfully.
Task execution cancelled manually/by API request.
Task execution finished due to at least one failed action execution and no retries configured/left to process.
AutomationEngine workflow execution event
Model describing an AutomationEngine workflow execution event. Workflow execution events are stored in the dt.system.events table.
Query
AutomationEngine workflow execution state change.
fetch dt.system.events
| filter event.kind == "WORKFLOW_EVENT" and event.provider == "AUTOMATION_ENGINE" and event.type =="WORKFLOW_EXECUTION"
dt.automation_engine.state
experimental
The state of an execution. Values depend on type of execution (workflow-, task-, or action execution).
dt.automation_engine.state.is_final
experimental
Indicates if dt.automation_engine.state is a final and immutable state or if further processing will happen.
dt.automation_engine.workflow.id
experimental
The unique identifier of a workflow as UUID.
26c0334e-a3e1-4585-8cd8-2d72742fe141
dt.automation_engine.workflow.title
experimental
The title of the workflow.
dt.automation_engine.workflow.type
experimental
Workflow type, either SIMPLE or STANDARD, where SIMPLE comes with restrictions.
dt.automation_engine.workflow_execution.id
experimental
The unique identifier of a workflow execution as UUID.
737a248b-d1cb-49a4-bf08-7d4c37dbfb1e
dt.automation_engine.workflow_execution.trigger.type
experimental
The identifier describing the trigger of the workflow.
dt.automation_engine.workflow_execution.trigger.user.id
experimental
The unique identifier of the user who triggered the workflow execution manually/via API.
dad18fa7-3c11-40a1-b760-1d8281bb5dcc
dt.openpipeline.pipelines
experimental
Collects the identifiers of all pipelines through which a record has passed during the ingestion process in OpenPipeline, providing a complete trace of its journey.
[[logs:default], [logs:pipeline_haproxy_2656, bizevents:default]]
experimental
Identifies the source (such as API endpoints or OneAgent) used for ingesting the record into OpenPipeline.
/platform/ingest/v1/events; oneagent
stable
The difference of start_time and end_time in nanoseconds.
stable
End time of a data point. Value is an UNIX Epoch time in nanoseconds and greater or equal the start_time.
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
stable
Start time of a data point. Value is an UNIX Epoch time in nanoseconds and less or equal the end_time.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
Values
event.kind MUST be one of the following:
Event in context of a workflow
event.provider MUST be one of the following:
Event produced by AutomationEngine
event.type MUST be one of the following:
Workflow execution state change event
dt.automation_engine.state MUST be one of the following:
Workflow execution started.
Workflow execution finished successfully.
Workflow execution failed due to at least one branch with a failed task without an on error successor.
Workflow execution cancelled manually/by API request.
Data Deletion Events
Dynatrace stores a data deletion event for each segment that got rewritten in the dt.system.events table.
Query
Analyze data deletion events.
fetch dt.system.events
| filter event.kind == "DATA_DELETION_EVENT"
experimental
A Dynatrace Grail bucket name
default_logs; default_events
stable
The REST API version used by the client to perform the request
experimental
End of a particular deletion
experimental
Internal deletion request UUID
c454347c-0ba9-4bd3-870e-d06dc1657f71
experimental
Start of a particular deletion
stableThe security context is used in access permissions to limit the visibility. Learn more about the
Dynatrace permission modelTags:
permission experimental
A Dynatrace environment/tenant ID
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
experimental
Additional information if query execution has 'FAILED'.
experimental
The query string
fetch bizevents, from:-30m | limit 1
experimental
The number of rewritten bytes in the context of record deletion
experimental
The outcome of the query
experimental
Deletion task UUID returned by API
03962cb6-aefc-4ca0-bad9-326099a977fe
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
stable
E-mail of the user.
stable
Unique UUID of a human user. If the system itself has to be represented, the constant 'system' is used.
35ba9499-f87c-4047-962c-14dc32e255e5; system
deprecated
Used in Extension Framework 2.0
The SNMP version.
Dynatrace Self-monitoring Event
Events that are generated by Dynatrace components with self-monitoring information (health, status, unexpected situations)
Fields
experimental
Unstructured content of the record. It should contain human readable message. Often it is raw version of record read from a source.
No keepalive from datasource statsd. Restarting
dt.active_gate.group.name
experimental
The name of group ActiveGate instance belongs to
stable
An entity ID of an entity of type HOST.
Tags: entity-id
experimental
Preregistered event key for sfm events whitelisting
extension.status; extension.engine.eec_status
experimental
Extension's monitoring configuration identifier.
vu9U3hXa3q0AAAABAAtleHQ6ZXh0LTA0MAAIYWdfZ3JvdXAAA0FHMQAkMjY2YTIyM2YtZDgxYi0zNTNjLThlYzctYzk2YzliZjg4OGQ3vu9U3hXa3q0
experimental
Name of the data source.
experimental
Name of the extension.
experimental
The status of the component reporting SFM event
stableThe ID of the entity considered the source of the measurement. The string needs to be in the format of any MONITORED_ENTITY type.
1Tags:
entity-id HOST-E0D8F94D9065F24F; PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F
stableHuman readable attribute which allows to identify log stream.
2Tags:
permission stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
1Value of this attribute will be based on one of dt.entity.<type> attributes value. That means that both attributes dt.source_entity and corresponding dt.entity.<type> will be set to the same ID.
2Can contain e.g. a file path, standard output, an URI etc., depending on log stream type. The value should be stable for one logical source, so e.g. not affected by log file rotation digits.
Events - Ingest & Process billing usage
Model describing a billing usage event of ingest for events. Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage events for the "Events - Ingest & Process" capability.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Events - Ingest & Process"
| dedup event.id
stable
The number of bytes that will be billed.
stableThe security context is used in access permissions to limit the visibility. Learn more about the
Dynatrace permission modelTags:
permission stable
Display name for usage details
Business events; Custom Davis & Kubernetes events; Kubernetes warning events; Davis AI problems; Security events
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
Events - Ingest & Process
stable
Describes the version of the event.
stable
Start time of the usage timeframe (inclusive)
2023-05-22T11:15:00.000000Z
experimental
End time of the usage timeframe (exclusive)
2023-05-22T11:30:00.000000Z
stable
A Dynatrace Grail usage event bucket name
default_davis_custom_events
experimental
Start time of the usage timeframe (inclusive)
2023-05-22T11:15:00.000000Z
Values
event.kind MUST be one of the following:
event.provider MUST be one of the following:
event.type MUST be one of the following:
Events - Ingest & Process
Events - Ingest & Process
dt.security_context MUST be one of the following:
Events - Query billing usage
Model describing a billing usage event of a events query execution. Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage events.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Events - Query"
stable
Indicates if the query was executed to fetch records or to delete them
stable
The number of bytes that will be billed.
deprecated
The identifier defining the billing type.
client.application_context
local-dev-mode; dynatrace.notebooks; my.biz.carbon
stable
Name of the function that executed the query
api/execute-dql-query; my/function
stableThe security context is used in access permissions to limit the visibility. Learn more about the
Dynatrace permission modelTags:
permission stable
Display name for usage details
Business events; Custom Davis & Kubernetes events; Kubernetes warning events; Davis AI problems; Security events
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
stable
Describes the version of the event.
stable
The UUID identifying a particular query
e68e5cc8-c31e-4e57-90d7-c6dde20b19d5
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
stable
A Dynatrace Grail usage event bucket name
default_bizevents; default_davis_custom_events
stable
E-mail of the user.
stable
Unique UUID of a human user. If the system itself has to be represented, the constant 'system' is used.
35ba9499-f87c-4047-962c-14dc32e255e5; system
Values
event.kind MUST be one of the following:
event.provider MUST be one of the following:
LIMA Usage Stream Service
event.type MUST be one of the following:
dt.security_context MUST be one of the following:
Events - Retain billing usage
Model describing the billing usage event for retention of events per Grail bucket. Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage events.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Events - Retain"
stable
The number of bytes that will be billed.
stableThe security context is used in access permissions to limit the visibility. Learn more about the
Dynatrace permission modelTags:
permission stable
Display name for usage details
Business events; Custom Davis & Kubernetes events; Kubernetes warning events; Davis AI problems; Security events
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
stable
Describes the version of the event.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
stable
A Dynatrace Grail usage event bucket name
default_bizevents; default_davis_custom_events
Values
event.kind MUST be one of the following:
event.provider MUST be one of the following:
LIMA Usage Stream Service
event.type MUST be one of the following:
dt.security_context MUST be one of the following:
Log Management & Analytics - Query billing usage
Model describing a billing usage event of a logs query execution. Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage events.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Log Management & Analytics - Query"
stable
Indicates if the query was executed to fetch records or to delete them
stable
The number of bytes that will be billed.
deprecated
The identifier defining the billing type.
client.application_context
local-dev-mode; dynatrace.notebooks; my.biz.carbon
stable
Name of the function that executed the query
api/execute-dql-query; my/function
stableThe security context is used in access permissions to limit the visibility. Learn more about the
Dynatrace permission modelTags:
permission stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
Log Management & Analytics - Query
stable
Describes the version of the event.
stable
The UUID identifying a particular query
e68e5cc8-c31e-4e57-90d7-c6dde20b19d5
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
stable
E-mail of the user.
stable
Unique UUID of a human user. If the system itself has to be represented, the constant 'system' is used.
35ba9499-f87c-4047-962c-14dc32e255e5; system
Values
event.kind MUST be one of the following:
event.provider MUST be one of the following:
LIMA Usage Stream Service
event.type MUST be one of the following:
Log Management & Analytics - Query
dt.security_context MUST be one of the following:
Log Management & Analytics - Retain billing usage
Model describing the billing usage event for retention of events per Grail bucket. Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage events.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Log Management & Analytics - Retain"
stable
The number of bytes that will be billed.
stableThe security context is used in access permissions to limit the visibility. Learn more about the
Dynatrace permission modelTags:
permission stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
Log Management & Analytics - Retain
stable
Describes the version of the event.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
stable
A Dynatrace Grail usage event bucket name
Values
event.kind MUST be one of the following:
event.provider MUST be one of the following:
LIMA Usage Stream Service
event.type MUST be one of the following:
Log Management & Analytics - Retain
dt.security_context MUST be one of the following:
Metrics - Ingest & Process billing usage
Model describing a billing usage event of ingest & process for metrics. Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage events.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Metrics - Ingest & Process"
stable
The number of billable metrics data points.
stableThe security context is used in access permissions to limit the visibility. Learn more about the
Dynatrace permission modelTags:
permission stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
Metrics - Ingest & Process
stable
Describes the version of the event.
stable
Identifies the type of metric and therefore the timeseries rollup functions it supports.
stable
Monitoring source that originally reported the data. See 'dt.system.monitoring_source'.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
experimental
End time of the usage timeframe (exclusive)
2023-05-22T11:30:00.000000Z
stable
A Dynatrace Grail usage event bucket name
experimental
Start time of the usage timeframe (inclusive)
2023-05-22T11:15:00.000000Z
Values
event.kind MUST be one of the following:
event.provider MUST be one of the following:
LIMA Usage Stream Service
event.type MUST be one of the following:
Metrics - Ingest & Process
Metrics - Ingest & Process
dt.security_context MUST be one of the following:
Query Execution Events
Dynatrace stores a query execution event for each query that got executed in the dt.system.events table.
Query
Analyze query execution events.
fetch dt.system.events
| filter event.kind == "QUERY_EXECUTION_EVENT"
The amount of succeeded queries.
fetch dt.system.events
| filter event.kind == "QUERY_EXECUTION_EVENT"
| filter status == "SUCCEEDED"
| summarize countDistinct(query_id)
The amount of failed queries.
fetch dt.system.events
| filter event.kind == "QUERY_EXECUTION_EVENT"
| summarize sum(failed_count)
experimental
End time of query analysis timeframe
2023-05-22T13:15:57.416654000
experimental
Start time of query analysis timeframe
2023-05-22T11:15:57.416654000
experimental
A Dynatrace Grail bucket name
default_logs; default_events
stable
The REST API version used by the client to perform the request
client.application_context
local-dev-mode; dynatrace.notebooks; my.biz.carbon
stable
Name of the function that executed the query
api/execute-dql-query; my/function
client.internal_service_context
experimental
A string that identifies the Dynatrace service that triggered the query.
stable
The client source URL
https://twqaxovyotonguh5hupot6aqztyf5quf-umsaywsjuo.dev5.dev.apps.dynatracelabs.com/ui/notebook/ec9f1b89-a8a3-4e1e-bf22-193089ecc470
experimental
The number of records returned by the query
stableThe security context is used in access permissions to limit the visibility. Learn more about the
Dynatrace permission modelTags:
permission experimental
A Dynatrace environment/tenant ID
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
deprecated
The duration of the query in milliseconds.
experimental
Number of failed queries represented by the record. failed_count > 1 represents cases like 'failure_reason=THROTTLED' with individual queries aggregated into a single record.
experimental
Additional information if query execution has 'FAILED'.
stable
Query end time. For aggregated events the query end time may be zero and not reflect the exact end time.
stable
The UUID identifying a particular query. For aggregated events this field is null.
e68e5cc8-c31e-4e57-90d7-c6dde20b19d5
experimental
The resource pool of the query
deprecated
The time query spent in queued state (in milliseconds).
stable
Query start time. For failed queries the start time may be aggregated and not reflect the exact start time but rather the aggregation time.
experimental
The query string. For aggregated events this field is null.
fetch bizevents, from:-30m | limit 1
experimental
The sampling ration of the executed query
experimental
The number of scanned bytes
experimental
Number of scanned data points for metric queries
experimental
The number of scanned records
experimental
The outcome of the query
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
experimental
The user ID that triggered the query. For aggregated events this field is null.
stable
The user email that triggered the query. For aggregated events this field is null.
stable
The user UUID that triggered the query. For aggregated events this field is null.
03962cb6-aefc-4ca0-bad9-326099a977fe
deprecated
Used in Extension Framework 2.0
The record version
Values
failure_reason MUST be one of the following:
Query timed out before execution due to resource or tenant quota limit
Query was rejected due to too many queries waiting in the queue. Reported either as records with full details or as aggregated batches with limited metadata.
Security Posture Management Billing Usage
Model describing a billing usage event for Security Posture Management. Billing usage events are stored in the dt.system.events table.
Query
Analyze usage events for the "Security Posture Management" capability.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Security Posture Management"
| dedup event.id
dt.entity.kubernetes_cluster
stable
An entity ID of an entity of type KUBERNETES_CLUSTER.
Tags: entity-id
KUBERNETES_CLUSTER-E0D8F94D9065F24F
dt.entity.kubernetes_node
stable
An entity ID of an entity of type KUBERNETES_NODE.
Tags: entity-id
KUBERNETES_NODE-874C66B68CE15070
stableThe security context is used in access permissions to limit the visibility. Learn more about the
Dynatrace permission modelTags:
permission stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
Security Posture Management
stable
Describes the version of the event.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
Values
event.kind MUST be one of the following:
event.provider MUST be one of the following:
LIMA Usage Stream Service
event.type MUST be one of the following:
Security Posture Management
Security Posture Management
dt.security_context MUST be one of the following:
Traces - Ingest & Process billing usage
Model describing a billing usage event for ingest and process of traces. Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage events for the "Traces - Ingest & Process" capability.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Traces - Ingest & Process"
| dedup event.id
stableThe security context is used in access permissions to limit the visibility. Learn more about the
Dynatrace permission modelTags:
permission stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
Traces - Ingest & Process
stable
Describes the version of the event.
experimental
The size in bytes of ingested spans.
experimental
The number of ingested spans.
experimental
The origin/type of the ingested spans.
stable
Start time of the usage timeframe (inclusive)
2023-05-22T11:15:00.000000Z
experimental
End time of the usage timeframe (exclusive)
2023-05-22T11:30:00.000000Z
experimental
Start time of the usage timeframe (inclusive)
2023-05-22T11:15:00.000000Z
Values
event.kind MUST be one of the following:
event.provider MUST be one of the following:
event.type MUST be one of the following:
Traces - Ingest & Process
Traces - Ingest & Process
dt.security_context MUST be one of the following:
licensing_type MUST be one of the following:
The ingested_bytes origins from an ATM aware fullstack source.
The ingested_bytes origins from an ATM unaware fullstack source.
The ingested_bytes origins from the "OTLP Trace Ingest API".
The ingested_bytes origins from a serverless source.
Traces - Query billing usage
Model describing a billing usage event of a traces query execution. Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage events.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Traces - Query"
stable
Indicates if the query was executed to fetch records or to delete them
stable
The number of bytes that will be billed.
deprecated
The identifier defining the billing type.
client.application_context
local-dev-mode; dynatrace.notebooks; my.biz.carbon
stable
Name of the function that executed the query
api/execute-dql-query; my/function
stableThe security context is used in access permissions to limit the visibility. Learn more about the
Dynatrace permission modelTags:
permission stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
stable
Describes the version of the event.
stable
The UUID identifying a particular query
e68e5cc8-c31e-4e57-90d7-c6dde20b19d5
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
stable
E-mail of the user.
stable
Unique UUID of a human user. If the system itself has to be represented, the constant 'system' is used.
35ba9499-f87c-4047-962c-14dc32e255e5; system
Values
event.kind MUST be one of the following:
event.provider MUST be one of the following:
LIMA Usage Stream Service
event.type MUST be one of the following:
dt.security_context MUST be one of the following:
Traces - Retain billing usage
Model describing the billing usage event for retention of events per Grail bucket. Billing usage events are stored in the dt.system.events table.
Query
Analyze billing usage events.
fetch dt.system.events
| filter event.kind == "BILLING_USAGE_EVENT" and event.type == "Traces - Retain"
stable
The number of bytes that will be billed.
stableThe security context is used in access permissions to limit the visibility. Learn more about the
Dynatrace permission modelTags:
permission stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
stable
The unique type identifier of a given event.
Tags: permission
stable
Describes the version of the event.
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when the source created it. If no original timestamp is available, it will be populated at ingest time and required for all events. In the case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created.
stable
A Dynatrace Grail usage event bucket name
Values
event.kind MUST be one of the following:
event.provider MUST be one of the following:
LIMA Usage Stream Service
event.type MUST be one of the following:
dt.security_context MUST be one of the following: