--- title: Events description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: Docs > DDSQL Reference > Data Directory > Events --- # Events This dataset provides unified access to activity and change events collected across your Datadog environment. It enables analyzing and correlating operational changes, alerts, and workflow executions from multiple sources—including Kubernetes, monitors, and CI systems. By exposing the same data used in the Events Explorer, this dataset lets you investigate infrastructure changes, troubleshoot incidents, and build custom analytics or dashboards that connect events to performance, reliability, or cost data. ``` dd.events ``` Event Management Public Documentation {% icon name="icon-external-link" /%} Event Management API Public Documentation {% icon name="icon-external-link" /%} Events Usage Public Management {% icon name="icon-external-link" /%} ## Query Parameters This dataset uses a **polymorphic table function**. You must specify parameters when querying. | Parameter | Type | Required | Description | | ---------------- | --------------- | -------- | ------------------------------------------------------------------------------------------------------------------------ | | `columns` | `array` | Yes | List of field paths to return for each event (EVP syntax). (e.g., 'timestamp', 'message', '@evt.type', '@evt.category'). | | `filter` | `string` | No | Optional EVP search string. For example: filter => '@evt.category:change AND @evt.type:aws_security_group'. | | `from_timestamp` | `string` | No | Lower time bound for the query; defaults to query context if omitted. | | `to_timestamp` | `string` | No | Upper time bound for the query; defaults to query context if omitted. | ## Example Queries ```sql -- Fetch events in the month of October 2025 SELECT * FROM dd.events( columns => ARRAY[ 'timestamp', '@evt.type', '@evt.category', '@evt.source_id', 'message', '@title', 'status' ], filter => '@evt.category:change AND @evt.type:aws_security_group', from_timestamp => timestamp '2025-10-01 00:00:00.000+00:00', to_timestamp => timestamp '2025-10-31 00:00:00.000+00:00' ) AS ( ts TIMESTAMP, evt_type VARCHAR, evt_category VARCHAR, source_id VARCHAR, message VARCHAR, title VARCHAR, status VARCHAR ); ``` ## Fields | Title | ID | Type | Data Type | Description | | ------------------- | -------------------- | --------------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------ | | Timestamp | timestamp | core | timestamp | Time the event was recorded (e.g., 1758787144000). | | Message | message | core | string | Free-text message/title describing the event (e.g., 'aws security group deleted'). | | Status | status | core | string | Event status/level (e.g., info, warn). | | Source | source | core | string | High-level producer/source label (e.g., change_tracking, kubernetes). | | Service | service | core | string | Associated service, if provided (e.g., 'undefined'). | | Title | @title | event_attribute | string | Event display title (e.g., 'dbm-agent-integration-sqlserver-access aws security group delete'). | | Priority | @priority | event_attribute | string | Relative importance level (e.g., normal). | | Host | host | core | string | Origin host (e.g., i-069bb479095ca6bdf). | | Sub-Category | @sub_category | event_attribute | string | Producer-defined sub-category (e.g., kubernetes). | | State | @state | event_attribute | string | Producer-defined state of the entity/process (e.g., crash_loop_backoff). | | Aggregation Key | @aggregation_key | event_attribute | string | Key used to group related events for rollups. | | Event Source ID | @evt.source_id | event_attribute | int64 | Producer/subject identifier (e.g., 374). | | Integration ID | @evt.integration_id | event_attribute | string | Integration identifier emitting the event (e.g., 'kubernetes', 'circleci'). | | Producer Event ID | @evt.id | event_attribute | string | Event ID in the producer domain (e.g., 8306943339063535962). | | Event Category | @evt.category | event_attribute | string | High-level category (e.g., 'workflow', 'case', 'deployment', 'change'). | | Event Type | @evt.type | event_attribute | string | Concrete event subtype (path '@evt.type'; e.g., aws_security_group, kubernetes_apiserver). | | Team | team | core | string | Team ownership (e.g.,'workflow-automation') | | Event ID | id | core | string | A unique identifier for the event. | | Discovery Timestamp | discovery_timestamp | core | int64 | The time when Datadog first received the event (milliseconds since Unix epoch). May differ from timestamp if there was an ingestion delay. | | Tiebreaker | tiebreaker | core | int64 | A value used to establish deterministic ordering among events that share the same timestamp. | | Ingest Size | ingest_size_in_bytes | core | int64 | The size of the event payload in bytes at the time of ingestion, before any processing. | | Random Draw | random_draw | core | float64 | A random value between 0.0 and 1.0 assigned at ingestion, useful for consistent sampling across queries. |