System Log filters and search
You can filter events by various parameters and operators in the System Log. By default, the filters display all events for the last seven days.
Filter System Log events by:
Specify a start and end time range to filter the events displayed.
Events are retained by Okta for 90 days. Specifying a longer range will result in an error.
Time Zone: Use the drop-down box to select a time zone in which the system log events are displayed.
IP address: While viewing System Log events, super admins or org admins may want to view all events by a specific IP address.
In the Events table, click the right arrow for the event to view the actor, client, event, request, and target info about that event.
Expand one of the following:
Hover over the IP address to display the Filter icon.
Click the Filter icon to sort the event list.
To clear any custom filters and return to the default filters, click Reset Filters.
Search for events
You can do a basic or advanced search for events using the supported operators. You can also save your searches to retrieve event information quickly.
Specify a time range using the From, To, and Time Zone fields.
Enter a string to search all events.
Press the Enter key or click the Search icon.
The following table lists some commonly used custom queries:
|Password resets for users
|eventType eq "user.account.reset_password"
|Find Rate Limit errors
|displayMessage eq "Rate limit violation"
|eventType eq "user.authentication.sso"
|User Locked Out
|Self Service Unlock
outcome.reason eq "Authentication failed: bad username or password"
Click Advanced Filters.
Enter your selection criteria
Click Apply Filter.
Currently, the System Log supports the following operators:
- starts with
- ends with
- not equal
- is present
- greater than
- greater than or equal to
- less than
- less than or equal to
The Contains operator doesn't support the following fields:
See Operators for more details about the operators.
Save your searches
You can save and reuse searches. With saved searches, you can reuse them, modify them, or delete them.
After performing a System Log search, click Save.
Enter a name for your customized search.
Click Save as new. Your customized search appears on the Reports page.