ECS Categorization Field: event.outcome
This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
event.outcome simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
Note that when a single transaction is described in multiple events, each event may populate different values of event.outcome, according to their perspective.
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with event.type:info, or any events for which an outcome does not make logical sense.
After the beta period for categorization, only the allowed categorization values listed in the ECS repository and official ECS documentation should be considered official. Use of any other values may result in incompatible implementations that will require subsequent breaking changes.
Allowed Values
failure
Indicates that this event describes a failed result. A common example is event.category:file AND event.type:access AND event.outcome:failure to indicate that a file access was attempted, but was not successful.
success
Indicates that this event describes a successful result. A common example is event.category:file AND event.type:create AND event.outcome:success to indicate that a file was successfully created.
unknown
Indicates that this event describes only an attempt for which the result is unknown from the perspective of the event producer. For example, if the event contains information only about the request side of a transaction that results in a response, populating event.outcome:unknown in the request event is appropriate. The unknown value should not be used when an outcome doesn’t make logical sense for the event. In such cases event.outcome should not be populated.
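To show how these rules land in a normalizer, here is an added Python example (not part of the ECS project or its documentation) that derives event.outcome for a few constructed raw records: a denied file access becomes failure, a request-only event becomes unknown, a compound event gets the producer's overall verdict, and metric and info events leave the field unpopulated. The raw field names (kind, category, type, status, phase, steps) and the any-failed-step policy for compound events are assumptions.

```python
ALLOWED_OUTCOMES = {"success", "failure", "unknown"}

# Constructed sample records from a hypothetical log source; the raw field
# names (kind, category, type, status, phase, steps) are assumptions.
SAMPLE_RECORDS = [
    {"kind": "event", "category": "file", "type": "access", "status": "denied"},
    {"kind": "event", "category": "file", "type": "create", "status": "ok"},
    {"kind": "event", "category": "network", "type": "connection", "phase": "request"},
    {"kind": "event", "category": "process", "type": "start", "steps": ["ok", "ok", "error"]},
    {"kind": "metric", "category": "host"},
    {"kind": "event", "category": "host", "type": "info"},
]


def derive_outcome(record):
    """Return the event.outcome value for a raw record, or None to leave it unset."""
    # Metric events and event.type:info generally carry no outcome.
    if record.get("kind") == "metric" or record.get("type") == "info":
        return None
    # A request-only event cannot know the result yet: unknown, not failure.
    if record.get("phase") == "request":
        return "unknown"
    # Compound event: this producer treats any failed step as overall failure
    # (an assumed policy; ECS leaves the choice to the event producer).
    if "steps" in record:
        return "failure" if any(s != "ok" for s in record["steps"]) else "success"
    status = record.get("status")
    if status == "ok":
        return "success"
    if status in ("denied", "error"):
        return "failure"
    return None  # no outcome makes logical sense: do not populate


def to_ecs(record):
    """Build the ECS event.* fields; event.outcome is set only when derived."""
    ecs = {"event": {"kind": record["kind"], "category": [record["category"]]}}
    if "type" in record:
        ecs["event"]["type"] = [record["type"]]
    outcome = derive_outcome(record)
    if outcome is not None:
        ecs["event"]["outcome"] = outcome
    return ecs


def validate_outcome(doc):
    """True if event.outcome is absent or one of the official allowed values."""
    outcome = doc.get("event", {}).get("outcome")
    return outcome is None or outcome in ALLOWED_OUTCOMES
```

validate_outcome is the ingest-side check that keeps non-official values such as "error" or "denied" out of event.outcome, where they would break queries written against the allowed set.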