ECS Categorization Field: event.outcome
editECS Categorization Field: event.outcome
editThis is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
event.outcome
simply denotes whether the event represent a success or a failure. Note that not all events will have an associated outcome. For example, this field is generally not populated for metric events or events with event.type:info
.
After the beta period for categorization, only the allowed categorization values listed in the ECS repository and official ECS documentation should be considered official. Use of any other values may result in incompatible implementations that will require subsequent breaking changes.
Allowed Values
failure
editIndicates that this event describes a failed result. A common example is event.category:file AND event.type:access AND event.outcome:failure
to indicate that a file access was attempted, but was not successful.
success
editIndicates that this event describes a successful result. A common example is event.category:file AND event.type:create AND event.outcome:success
to indicate that a file was successfully created.
unknown
editIndicates that this event describes only an attempt for which the result is unknown. For example, if the event contains information only about a request in an entity transaction that usually results in a response, populating event.outcome:unknown
is appropriate.