Search System Logs

Search for log events from your organization's system log in Okta.

Options

Field Definition Type Required

Search By

Field	Definition	Type	Required
Search By	Choose one of the following options to implement the search: `Expression`: use System for Cross-domain Identity Management (SCIM) filter expressions to specify a subset of objects to return. An expression filter is useful for performing structured queries where constraints on log event attribute values can be explicitly targeted. Consider the following factors for expression filtering: Use when searching large collection of objects such as Users. No values are returned when keyword matching is performed against attributes with null values. See Filtering. `Keyword`: use exact keyword matching. The query parameter `q` is used to perform keyword matching against a Log Events object's attribute values. Consider the following factors for keyword matching: All entered keywords must be matched exactly Matching is case-insensitive Log Events object’s attributes can be used as keyword matching No values are returned when keyword matching is performed against attributes with null values. See Keyword.	Dropdown	TRUE
Result Set	Choose a method to filter search results: First Matching Record: returns the first record that matches. First 200 Matching Records: returns the first 200 matching records. Stream Matching Records: passes all matching records from your parent flow to a helper flow. A Streaming input section is added to the card from which you can select a helper flow for streaming and adding custom extensible fields.	Dropdown	TRUE

Choose one of the following options to implement the search:

Expression: use System for Cross-domain Identity Management (SCIM) filter expressions to specify a subset of objects to return. An expression filter is useful for performing structured queries where constraints on log event attribute values can be explicitly targeted. Consider the following factors for expression filtering:
- Use when searching large collection of objects such as Users.
- No values are returned when keyword matching is performed against attributes with null values.
See Filtering.

Keyword: use exact keyword matching. The query parameter q is used to perform keyword matching against a Log Events object's attribute values. Consider the following factors for keyword matching:
- All entered keywords must be matched exactly
- Matching is case-insensitive
- Log Events object’s attributes can be used as keyword matching
- No values are returned when keyword matching is performed against attributes with null values.
See Keyword.

Dropdown

TRUE

Result Set

Choose a method to filter search results:

First Matching Record: returns the first record that matches.
First 200 Matching Records: returns the first 200 matching records.
Stream Matching Records: passes all matching records from your parent flow to a helper flow. A Streaming input section is added to the card from which you can select a helper flow for streaming and adding custom extensible fields.

Dropdown

TRUE

To learn how to return a large number of records, see Set up the stream matching option with a helper flow.

Input

Field	Definition	Type	Required
Search By	Use the `eq` operator to concatenate each key and value, then combine different keys with `and` operator. Use the Custom Filter field to build your own expression. Those pre-defined fields and Custom Filter field are concatenated using `and`. See System Log. Appears when `Expression` is selected from the Search Type option.
Event Type	Type of event that was published. Appears when `Expression` is selected from the Search Type option.	String	FALSE
UUID	Universal unique identifier of the Webhook event. Appears when `Expression` is selected from the Search Type option.	String	FALSE
Display Message	Display message for an event. Appears when `Expression` is selected from the Search Type option.	String	FALSE
Actor ID	Identifier of the actor. Appears when `Expression` is selected from the Search Type option.	String	FALSE
Actor Display Name	Display name of a actor. Appears when `Expression` is selected from the Search Type option.	String	FALSE
Actor Type	Type of actor. Appears when `Expression` is selected from the Search Type option.	String	FALSE
Target ID	Unique identifier of a target. Appears when `Expression` is selected from the Search Type option.	String	FALSE
Target Display Name	Display name of a target. Appears when `Expression` is selected from the Search Type option.	String	FALSE
Target Type	Type of a target. Appears when `Expression` is selected from the Search Type option.	String	FALSE
Severity	Indicates how severe the event is: `DEBUG` `INFO` `WARN` `ERROR` Appears when `Expression` is selected from the Search Type option.	Dropdown	FALSE
Custom Filter	Build your own SCIM filter expression to search log events. For example: To search for Failed sign-in events, use `eventType eq "user.session.start"` and `outcome.result eq "FAILURE"` See . Appears when `Expression` is selected from the Search Type option.	String	FALSE
Keyword	Filters the log events results by one or more exact keywords. For example: To search for a specific city, enter the city name: `San Francisco`. To search for a specific person, enter the whole name: `firstName lastName`. See . Appears when `Keyword` is selected from the Search Type option.	String	FALSE
Date
Since	Filters the lower time bound of the log events `published` property. If you enter a future timestamp, you will get an error. If you leave this field unspecified, the default value will be 7 days prior to Until.	Date and Time	FALSE
Until	Filters the upper time bound of the log events `published` property. If you enter a future timestamp or leave this field unspecified, the current timestamp will be considered as the until value.	Date and Time	FALSE
Sort
Order	Order of the returned events that are sorted by `published` property. Choose from: `Ascending` `Descending`	Dropdown	FALSE
Search Criteria
Record Limit	Specify the number of records to stream. When the Limit field is set to 0, no records are returned. When the Limit field is set to greater than 0, records greater than 0 and up the maximum number of records specified are returned. When the Limit field is empty or not selected, all records are streamed. Default value is 10 million. Valid range is 0 to 10 million. Appears when Stream Matching Records is selected from the Result Set option.	Number	TRUE
Streaming
Flow	Click Choose Flow to browse and select a helper flow to which the search results will be streamed, then click Choose to confirm. Optionally, click the empty field under Click or drop here to create and add custom extensible fields that pass data to the helper flow. These fields are added as key/value pairs under the State output object in the helper flow. Appears when `Stream Matching Records` is selected from the Result Set option.	Flow	TRUE

Output

Fields appear when First Matching Record or First 200 Matching Records are selected from the Result Set option except where indicated.

Field	Definition	Type
Result
UUID	Unique identifier for an individual event.	String
Published	Timestamp when the event is published.	Date and Time
Event Type	Type of event that is published.	String
Severity	Indicates the severity of the event: `DEBUG` `INFO` `WARN` `ERROR`	String
Display Message	Display message for an event.	String
Actor	Describes the entity that performs an action	Object
ID	Identifier of the Okta actor who granted the user privilege.	String
Type	Type of Okta actor.	String
Alternate ID	Email address of the Okta actor.	String
Display Name	Display name of the Okta actor.	String
Target	Zero or more targets of an action.	List of Objects
Client	Client that requests an action.	Object
ID	Unique identifier for the client. For OAuth requests, this is the ID of the OAuth client making the request. See Roles. For SSWS token requests, this is the ID of the agent making the request.	String
User Agent	User agent that is used by an actor to perform an action.	Object
Geographical Context	Physical location from where the client is making its request.	Object
Zone	Name of the zone to which that client's location is mapped. See Zones.	String
IP Address	IP address from which the client is making its request.	String
Device	Type of device from which the client operates. For example: Computer	String
Request	Request that initiates an action.	Object
IP Chain	If the incoming request passes through any proxies, the IP addresses of those proxies are stored here in the format: clientIp, proxy1, proxy2. This field is useful when working with trusted proxies.	List of Objects
Raw Output	Raw Output returned by the Okta API.	Object
Stream Matching Records
Records Streamed	Number of records streamed in a streaming flow. Appears when Stream Matching Records is selected from the Result Set option.	Number

Search System Logs

Options

Input

Output

Related topics