| dedupid | events will deduplicate based on the value of this field. by default: device, component, eventClass, eventKey, severity |
| device | name of device |
| component | name of component (like eth0, httpd, etc) |
| eclass | eventClass (if not specified maybe added by rule process if this fails will be /Unknown) |
| eventKey | if a component needs further deduplication specification this field maybe used |
| summary | message text truncated at 150 characters |
| message | full message text |
| severity | number from 0 to 5 |
| eventState | state of event 0 = new, 1 = acknowledged, 2 = suppressed |
| eventClassKey | key by which rules processing begins. Often equal to component. |
| eventGroup | logical group of event source (syslog, ping, nteventlog etc) |
| stateChange | last time event changed automatically updated |
| firstTime | unix timestamp when event is received. |
| lastTime | last time an event was received |
| count | number of times an event has repeated |
| prodState | prodState of the device context |
| suppid | id of event that suppressed this event |
| manager | fqdn of the collector from which this event came |
| agent | collector name from which event came (zensyslog, zentrap, etc) |
| DeviceClass | device class from device context |
| Location | device location from device context |
| Systems | device systems from device context separated by | |
| DeviceGroups | device systems from device context separated by | |
| ipAddress | ip from which event came |
| facility | syslog facility of this is syslog event |
| priority | syslog priority of this is syslog event |
| ntevid | nt event id if this is nt eventlog event. |
