ECS Categorization Field: event.outcome

This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.

event.outcome simply denotes whether the event represents a success or a failure. Note that not all events will have an associated outcome. For example, this field is generally not populated for metric events or events with event.type:info.

After the beta period for categorization, only the allowed categorization values listed in the ECS repository and official ECS documentation should be considered official. Use of any other values may result in incompatible implementations that will require subsequent breaking changes.

Allowed Values

failure

Indicates that this event describes a failed result. A common example is event.category:file AND event.type:access AND event.outcome:failure to indicate that a file access was attempted, but was not successful.

success

Indicates that this event describes a successful result. A common example is event.category:file AND event.type:create AND event.outcome:success to indicate that a file was successfully created.

unknown

Indicates that this event describes only an attempt for which the result is unknown. For example, if the event contains information only about a request in an entity transaction that usually results in a response, populating event.outcome:unknown is appropriate.
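
The following is an added example, not code from the ECS project: a small ingest-time lint that checks event.outcome against the three allowed values, flags an outcome on metric or event.type:info events for review, and evaluates the failed-file-access query shown above. The function names and sample documents are hypothetical, and identifying metric events by event.kind:metric is an assumption of this example.

```python
# Added example: lint event.outcome in ECS-shaped documents (not ECS project code).
ALLOWED_OUTCOMES = {"failure", "success", "unknown"}


def _as_list(value):
    """event.category and event.type are arrays in ECS; tolerate scalars too."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def lint_outcome(doc):
    """Return review findings about event.outcome for one document."""
    event = doc.get("event", {})
    outcome = event.get("outcome")
    if outcome is None:
        return []  # not every event has an associated outcome
    findings = []
    if outcome not in ALLOWED_OUTCOMES:
        # Values are matched exactly; "Success" or "denied" would break queries.
        findings.append(f"value {outcome!r} is not an allowed event.outcome")
    # Assumption: metric events are identified by event.kind:metric.
    if event.get("kind") == "metric" or "info" in _as_list(event.get("type")):
        findings.append("event.outcome set on a metric or event.type:info event")
    return findings


def is_failed_file_access(doc):
    """event.category:file AND event.type:access AND event.outcome:failure"""
    event = doc.get("event", {})
    return ("file" in _as_list(event.get("category"))
            and "access" in _as_list(event.get("type"))
            and event.get("outcome") == "failure")


# Constructed sample documents, for illustration only.
SAMPLES = [
    {"event": {"category": ["file"], "type": ["access"], "outcome": "failure"}},
    {"event": {"category": ["file"], "type": ["create"], "outcome": "success"}},
    {"event": {"category": ["file"], "type": ["access"], "outcome": "Denied"}},
    {"event": {"kind": "metric", "outcome": "success"}},
    {"event": {"kind": "metric"}},
]

if __name__ == "__main__":
    for i, doc in enumerate(SAMPLES):
        print(i, is_failed_file_access(doc), lint_outcome(doc))
```

The third sample shows why the lint matters for detection: a source-specific value such as "Denied" never matches event.outcome:failure, so the failed access is silently missed by the query.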