---
title: "Events"
---

When viewing ((system events)) under ((alerts)), you can use the keywords in this section to search and filter.

Note that event records are retained for one year.

## Action {#events-action}

Use the syntax `action:<text>` to search by the action which caused the event.
```plaintext
action:agent-reconnected
```

## Created timestamp {#events-timestamps}

The timestamp field `created_at` can be searched using the syntax `created_at:<term>`. The term supports the standard runZero [time comparison syntax][time].

```plaintext
created_at:>2weeks
```
```plaintext
created_at:<30minutes
```
```plaintext
updated_at:>1month
```
```plaintext
updated_at:2hours
```

## Details {#events-details}

The details in the event record can be searched using the syntax `details:<text>`. This can be useful for searching for IP addresses.
```plaintext
details:192.168.0.1
```

## Source and target name {#events-names}

The source (src) column can be searched using the syntax `src:<text>` or `source:<text>`. The target (tgt) column can be searched using `tgt:<text>` or `target:<text>`.
```plaintext
src:crowdstrike
```
```plaintext
target:primary
```

## Source and target type {#events-types}

The source type (shown at the start of the src column) can be searched using the syntax `src_type:<text>` or `source_type:<text>`.

Similarly, the target type can be searched using `tgt_type:<text>` or `target_type:<text>`.

```plaintext
src_type:task
```
```plaintext
target_type:site
```

## Organization, site, source and target IDs {#events-IDs}

The IDs of organizations, sites, sources and targets mentioned in event details can be searched using the following search terms:

- `organization_id:<uuid>`
- `site_id:<uuid>`
- `source_id:<uuid>` or `src_id:<uuid>`
- `target_id:<uuid>` or `tgt_id:<uuid>`

The IDs are unique and are written as UUIDs.
```plaintext
organization_id:0eacf412-6e69-11ec-88b9-f875a414a63a
```

[time]: search-query-syntax.md#time-and-date-values
