System Log filters and search

You can filter events by various parameters and operators in the System Log. By default, the filters display all events for the last seven days.

Filters

Filter System Log events by:

  • Date Range
    Specify a start and end time range to filter the events displayed.

    Note

    Events are retained by Okta for 90 days. Specifying a longer range will result in an error.

  • Time Zone

    Use the drop-down box to select a time zone in which the system log events are displayed.

  • IP address
    While viewing System Log events, super admins or org admins may want to view all events by a specific IP address.

    1. In the Events table, click the right arrow for the event to view the actor, client, event, request, and target info about that event.

    2. Expand one of the following:

      • Client

      • Request > IPChain

    3. Hover over the IP address to display the Filter icon.

    4. Click the Filter icon to sort the event list.

To clear any custom filters and return to the default filters, click Reset Filters.

System Log filters

Search for events

You can do a basic or advanced search for events using the supported operators. You can also save your searches to retrieve event information quickly.

Basic search

  1. Specify a time range using the From, To, and Time Zone fields.

  2. Enter a string to search all events.

  3. Press the Enter key or click the Search icon.

The following table lists some commonly used custom queries:

Use case Query
Password resets for users eventType eq "user.account.reset_password"
Find Rate Limit errors displayMessage eq "Rate limit violation"
Application Assignment application.user_membership.add
Application Access eventType eq "user.authentication.sso"
User Creation user.lifecycle.create
User Locked Out user.account.lock
Self Service Unlock self_service.account_unlock

Sign-in Success

user.authentication.sso

Suspicious Activity

outcome.reason eq "Authentication failed: bad username or password"

Advanced search

  1. Click Advanced Filters.

  2. Enter your selection criteria

  3. Click Apply Filter.

Operators for Advanced filters

Currently, the System Log supports the following operators:

  • equals

  • contains

  • starts with

  • ends with

  • not equal

  • is present

  • greater than

  • greater than or equal to

  • less than

  • less than or equal to

Note

The Contains operator doesn’t support the following fields:

  • debugContext.debugData.url

  • debugContext.debugData.requestUri

See Operators for more details about the operators.

Save your searches

You can save and reuse searches. With Saved Searches, you can reuse them, modify them, or delete them.

  1. After performing a System Log search, click Save.

  2. Enter a name for your customized search.

  3. Click Save as new. Your customized search appears on the Reports page.