The Humio Repository Action sends events from a trigger to a Humio repository. This can be used to summarize all such events, or to aggregate information from multiple triggers.
Parameter | Description |
---|---|
Ingest token | An ingest token for the repository receiving the events. |
The events from the trigger are parsed and ingested using the ingest token. If the ingest token has an associated parser, that parser is used; otherwise, the built-in parser json-for-action is used.
The events sent to the parser contain the following fields:
Field | Value |
---|---|
@trigger.id | The id of the trigger. |
@trigger.name | The user-made name of the trigger. |
@trigger.description | The user-made description of the trigger. |
@trigger.type | The type of the trigger. Either “alert” or “scheduled-search”. |
@trigger.query.start | The query start time (e.g. 10m). |
@trigger.query.end | The query end time (e.g. now). |
@trigger.invocation.triggeredAt | The time at which the trigger was triggered, formatted as ISO 8601. |
@trigger.invocation.uuid | A unique id for an invocation of the trigger. Can be used to identify events from the same invocation of the trigger. |
@trigger.invocation.start | The actual query start time as Unix Time in milliseconds. |
@trigger.invocation.end | The actual query end time as Unix Time in milliseconds. |
@trigger.repository.name | The name of the repository in which the trigger is defined. |
@rawstring | The original event from the trigger, encoded as JSON. A prefix “#” character in a field name is replaced by “@tag.”, so that e.g. #source becomes @tag.source. |
The default parser json-for-action will extract the original event from the @rawstring field, so that the parsed event contains all the original fields together with all the @trigger.XXX fields. It will not parse any timestamps, so if the original event does not contain a @timestamp field, the event will get “now” as timestamp.
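The following Python sketch models the behaviour described above, so you can see which fields end up on an ingested event and how the timestamp fallback works. It is an added example, not Humio's parser code; the function names and all sample values are constructed for illustration.

```python
import json
import time

def to_rawstring(original_event):
    """Encode a trigger result as JSON, renaming a leading '#' to '@tag.'."""
    renamed = {("@tag." + k[1:] if k.startswith("#") else k): v
               for k, v in original_event.items()}
    return json.dumps(renamed)

def model_json_for_action(action_event, now_ms=None):
    """Model of the documented parser behaviour (assumption: not Humio's code)."""
    parsed = dict(action_event)  # keeps every @trigger.* field
    parsed.update(json.loads(action_event["@rawstring"]))  # adds original fields
    if "@timestamp" not in parsed:  # timestamps are not parsed: fall back to "now"
        parsed["@timestamp"] = now_ms if now_ms is not None else int(time.time() * 1000)
    return parsed

def group_by_invocation(parsed_events):
    """Collect events that came from the same invocation of a trigger."""
    groups = {}
    for event in parsed_events:
        groups.setdefault(event["@trigger.invocation.uuid"], []).append(event)
    return groups

# Constructed sample data: one alert invocation that produced two result events.
TRIGGER_FIELDS = {
    "@trigger.name": "failed-logins",
    "@trigger.type": "alert",
    "@trigger.query.start": "10m",
    "@trigger.query.end": "now",
    "@trigger.invocation.uuid": "00000000-0000-0000-0000-000000000001",
}
RESULTS = [
    {"#source": "auth.log", "user": "alice", "@timestamp": 1700000000000},
    {"#source": "auth.log", "user": "bob"},  # no @timestamp in the original event
]

def demo(now_ms=1700000600000):
    """Build the constructed action events and run them through the model."""
    events = [dict(TRIGGER_FIELDS, **{"@rawstring": to_rawstring(r)}) for r in RESULTS]
    return [model_json_for_action(e, now_ms) for e in events]

if __name__ == "__main__":
    for uuid, events in group_by_invocation(demo()).items():
        print(uuid, [(e["user"], e["@tag.source"], e["@timestamp"]) for e in events])
```

The second sample event shows why results without a @timestamp field all land at ingest time: when correlating them with the original activity, use @trigger.invocation.start and @trigger.invocation.end rather than the event timestamp.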
The events you send through this Action count towards the daily ingest limit.