Search System Logs

Search for log events from your organization's system log in Okta.

Scopes

See Action cards for the list of required OAuth scopes needed by this card.

Options

Field Definition Type Required
Search By Choose one of the following options to implement the search:
  • Expression: use System for Cross-domain Identity Management (SCIM) filter expressions to specify a subset of objects to return. An expression filter is useful for performing structured queries where constraints on log event attribute values can be explicitly targeted. Consider the following factors for expression filtering:

    • Use when searching a large collection of objects, such as Users.

    • No values are returned when a filter is evaluated against attributes with null values.

    See Filtering.

  • Keyword: use exact keyword matching. The query parameter q is used to perform keyword matching against a Log Events object's attribute values. Consider the following factors for keyword matching:

    • All entered keywords must be matched exactly.
    • Matching is case-insensitive.
    • Any attribute value of a Log Events object can be matched by keyword.
    • No values are returned when keyword matching is performed against attributes with null values.

    See Keyword.

Dropdown

TRUE

Result Set

Choose a method to filter search results:

  • First Matching Record: Returns the first record that matches.

  • First 200 Matching Records: Returns the first 200 matching records.

  • Stream Matching Records: Passes all matching records from your parent flow to a helper flow.

    Selecting this option adds a Streaming input section to the card where you can select a helper flow for streaming and add custom extensible fields.

Dropdown

TRUE

To learn how to return a large number of records, see Stream matching records with a helper flow.

Input

Field Definition Type Required
Search By Use the eq operator to pair each pre-defined field with its value, then combine different fields with the and operator. Use the Custom Filter field to build your own expression. The pre-defined fields and the Custom Filter field are concatenated using and.

See System Log.

Appears when Expression is selected from the Search By option.

Event Type Type of event that was published.

Appears when Expression is selected from the Search By option.

Text

FALSE

UUID Universally unique identifier of the log event.

Appears when Expression is selected from the Search By option.

Text

FALSE

Display Message Display message for an event.

Appears when Expression is selected from the Search By option.

Text

FALSE

Actor ID Identifier of the actor.

Appears when Expression is selected from the Search By option.

Text

FALSE

Actor Display Name Display name of an actor.

Appears when Expression is selected from the Search By option.

Text

FALSE

Actor Type Type of actor.

Appears when Expression is selected from the Search By option.

Text

FALSE

Target ID Unique identifier of a target.

Appears when Expression is selected from the Search By option.

Text

FALSE

Target Display Name Display name of a target.

Appears when Expression is selected from the Search By option.

Text

FALSE

Target Type Type of a target.

Appears when Expression is selected from the Search By option.

Text

FALSE

Severity Indicates how severe the event is:
  • DEBUG

  • INFO

  • WARN

  • ERROR

Appears when Expression is selected from the Search By option.

Dropdown

FALSE

Custom Filter Build your own SCIM filter expression to search log events.

For example:

To search for failed sign-in events, use: eventType eq "user.session.start" and outcome.result eq "FAILURE"

Appears when Expression is selected from the Search By option.

Text

FALSE

Keyword Filters the log events results by one or more exact keywords.

For example:

  • To search for a specific city, enter the city name: San Francisco.

  • To search for a specific person, enter the whole name: firstName lastName.

Appears when Keyword is selected from the Search By option.

Text

FALSE
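The two Search By modes above, worked through in Python as an added example that is not part of the Okta connector or of this page: build_filter assembles the Expression filter string the way the card describes, pairing each filled-in pre-defined field with eq and joining every clause, including the Custom Filter, with and; keyword_match simulates the documented Keyword rules (every keyword must match exactly, matching is case-insensitive, null attributes never match) over two constructed sample events. The mapping from card labels to System Log attribute paths, the quoting of values, the word-level keyword simulation, and the parentheses around the Custom Filter are assumptions made for this example.

```python
"""Added example: build a System Log Expression filter and simulate Keyword matching."""
from __future__ import annotations

# Card label -> System Log event attribute it filters on (mapping is an assumption).
PREDEFINED_FIELDS = {
    "Event Type": "eventType",
    "UUID": "uuid",
    "Display Message": "displayMessage",
    "Actor ID": "actor.id",
    "Actor Display Name": "actor.displayName",
    "Actor Type": "actor.type",
    "Target ID": "target.id",
    "Target Display Name": "target.displayName",
    "Target Type": "target.type",
    "Severity": "severity",
}


def quote(value: str) -> str:
    """Quote a filter value, escaping backslashes and double quotes so a value
    such as a display message containing '"' cannot break out of the expression."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_filter(fields: dict[str, str | None], custom_filter: str = "") -> str:
    """Pair each filled-in pre-defined field with eq, then join all clauses with and.

    The Custom Filter is appended with and as well; wrapping it in parentheses is an
    assumption here so an 'or' inside it cannot change the meaning of the whole filter.
    """
    clauses = []
    for label, value in fields.items():
        if not value:
            continue  # empty card fields contribute no clause
        clauses.append(f"{PREDEFINED_FIELDS[label]} eq {quote(value)}")
    custom = custom_filter.strip()
    if custom:
        clauses.append(f"({custom})")
    return " and ".join(clauses)


def _words(obj, out: list[str]) -> list[str]:
    """Collect the words of every non-null attribute value of an event, recursively."""
    if isinstance(obj, dict):
        for v in obj.values():
            _words(v, out)
    elif isinstance(obj, list):
        for v in obj:
            _words(v, out)
    elif obj is not None:  # null attributes never take part in matching
        out.extend(str(obj).lower().split())
    return out


def keyword_match(event: dict, query: str) -> bool:
    """Keyword rules from the card: every keyword must be matched exactly,
    case-insensitively, by some attribute value of the same event."""
    tokens = query.lower().split()
    if not tokens:
        return False
    words = set(_words(event, []))
    return all(t in words for t in tokens)


def keyword_search(events: list[dict], query: str) -> list[str]:
    """Return the uuids of the events that match the keyword query."""
    return [e["uuid"] for e in events if keyword_match(e, query)]


# Constructed sample events in the shape of System Log entries (not real data).
SAMPLE_EVENTS = [
    {"uuid": "evt-1", "eventType": "user.session.start", "severity": "WARN",
     "displayMessage": "User login to Okta",
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "actor": {"id": "00u1", "type": "User", "displayName": "Jane Doe", "alternateId": None},
     "client": {"geographicalContext": {"city": "San Francisco", "country": "United States"}}},
    {"uuid": "evt-2", "eventType": "user.session.start", "severity": "INFO",
     "displayMessage": "User login to Okta",
     "outcome": {"result": "SUCCESS", "reason": None},
     "actor": {"id": "00u2", "type": "User", "displayName": "John Smith", "alternateId": None},
     "client": {"geographicalContext": {"city": "Berlin", "country": "Germany"}}},
]

if __name__ == "__main__":
    print(build_filter({"Event Type": "user.session.start", "Severity": "WARN"},
                       'outcome.result eq "FAILURE"'))
    print(keyword_search(SAMPLE_EVENTS, "San Francisco"))
```

The quoting step matters when a field value comes from earlier cards in the flow: a display message or target name containing a double quote would otherwise terminate the string literal and let the rest of the value be interpreted as filter syntax.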

Date

Since

Filters the lower time bound of the log events published property.

If you enter a future time stamp, the card returns an error. If you leave this field unspecified, the default value is 7 days before Until.

Date & Time

FALSE

Until Filters the upper time bound of the log events published property.

If you enter a future time stamp or leave this field unspecified, the current time stamp is used as the Until value.

Date & Time

FALSE

Sort

Order Order in which the returned events are sorted by their published property. Choose from:
  • Ascending

  • Descending

Dropdown

FALSE

Streaming

Flow Click Choose Flow to browse and select a helper flow to which the search results will be streamed, and then click Choose to confirm.

Optionally, click the empty field under Click or drop here to create and add custom extensible fields that pass data to the helper flow. These fields are added as key/value pairs under the State output object in the helper flow.

Appears when Stream Matching Records is selected from the Result Set option.

Flow

TRUE

Search Criteria

Record Limit

Specify the number of records to stream.

  • When the field is set to less than 0, the card returns an error.

  • When the field is set to either 0 or a value greater than 0, the stream returns up to the maximum number specified.

  • When the field is empty, null, or not selected, the stream returns all records.

  • The default value is 1000000 (1 million).

  • The valid range is from 0 to 1000000.

This field appears when you select Stream Matching Records from the Result Set option.

Number

FALSE
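The Date, Sort, and Record Limit inputs above, worked through in Python as an added example that is not part of the Okta connector or of this page: resolve_time_window applies the Since and Until defaults and the future-time-stamp error, system_log_params turns the card inputs into System Log API query parameters (since, until, sortOrder, and filter or q), and stream_records caps delivery to a stand-in helper flow according to the Record Limit rules and returns the Records Streamed count. The query parameter names are those of the Okta System Log API; the fixed "current time" and the sample records are constructed for the example, and rejecting a Since later than Until is an extra check not stated on the card.

```python
"""Added example: resolve the card's Date, Sort and Record Limit inputs into
System Log query parameters and a bounded stream to a helper flow."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable

MAX_RECORD_LIMIT = 1_000_000  # top of the valid range stated on the card

# Constructed 'current time' so the example is deterministic (not real data).
EXAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def resolve_time_window(since: datetime | None, until: datetime | None,
                        now: datetime | None = None) -> tuple[datetime, datetime]:
    """Apply the Since/Until rules from the card.

    Until in the future, or unspecified, becomes the current time. Since in the
    future is an error; unspecified Since defaults to 7 days before Until.
    Rejecting a Since later than Until is an extra check not stated on the card.
    """
    now = now or datetime.now(timezone.utc)
    if until is None or until > now:
        until = now
    if since is None:
        since = until - timedelta(days=7)
    elif since > now:
        raise ValueError("Since must not be a future time stamp")
    if since > until:
        raise ValueError("Since must not be later than Until")
    return since, until


def _iso_z(ts: datetime) -> str:
    """Render a datetime as the Z-suffixed UTC form the System Log API accepts."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def system_log_params(since, until, order="Descending", filter_expr=None,
                      keyword=None, now=None) -> dict[str, str]:
    """Assemble the System Log query parameters (since, until, sortOrder, and
    either filter or q) from the card inputs. Expression and Keyword are
    alternative Search By modes, so supplying both is rejected."""
    if filter_expr and keyword:
        raise ValueError("use either an Expression filter or a Keyword, not both")
    since, until = resolve_time_window(since, until, now)
    params = {
        "since": _iso_z(since),
        "until": _iso_z(until),
        "sortOrder": {"Ascending": "ASCENDING", "Descending": "DESCENDING"}[order],
    }
    if filter_expr:
        params["filter"] = filter_expr
    if keyword:
        params["q"] = keyword
    return params


def resolve_record_limit(limit: int | None) -> int | None:
    """Record Limit rules: below 0 is an error, 0..1,000,000 caps the stream,
    empty (None) means every record is streamed."""
    if limit is None:
        return None
    if limit < 0:
        raise ValueError("Record Limit must not be less than 0")
    if limit > MAX_RECORD_LIMIT:
        raise ValueError(f"Record Limit must not exceed {MAX_RECORD_LIMIT}")
    return limit


def stream_records(records: Iterable[dict], limit: int | None,
                   deliver: Callable[[dict], None]) -> int:
    """Pass records to `deliver` (standing in for the helper flow) until the
    resolved Record Limit is reached. Returns the Records Streamed count."""
    cap = resolve_record_limit(limit)
    streamed = 0
    for record in records:
        if cap is not None and streamed >= cap:
            break
        deliver(record)
        streamed += 1
    return streamed


if __name__ == "__main__":
    print(system_log_params(None, None, "Ascending",
                            filter_expr='eventType eq "user.session.start"', now=EXAMPLE_NOW))
    print(stream_records(({"uuid": f"evt-{i}"} for i in range(5)), 3, print))
```

Because a negative Record Limit is an error but an empty one streams everything, a flow that computes the limit from earlier cards should validate it before the search runs rather than discover the error mid-stream.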

Output

Fields appear when First Matching Record or First 200 Matching Records are selected from the Result Set option except where indicated.

Field Definition Type

Result

UUID

Unique identifier for an individual event.

Text

Published

Time stamp when the event is published.

Date & Time

Event Type

Type of event that is published.

Text

Severity Indicates the severity of the event:
  • DEBUG

  • INFO

  • WARN

  • ERROR

Text

Display Message

Display message for an event.

Text

Actor

Describes the entity that performs an action.

Object

ID

Identifier of the Okta actor that performed the action.

Text

Type Type of Okta actor.

Text

Alternate ID Username of the Okta actor.

Text

Display Name Display name of the Okta actor.

Text

Target

Zero or more targets of an action.

List of Objects

Client

Client that requests an action.

Object

ID Unique identifier for the client.
  • For OAuth requests, this is the ID of the OAuth client making the request. See Roles.

  • For SSWS token requests, this is the ID of the agent making the request.

Text

User Agent

User agent that is used by an actor to perform an action.

Object

Geographical Context

Physical location from where the client is making its request.

Object

Zone Name of the zone to which that client's location is mapped.

See Zones.

Text

IP Address

IP address from which the client is making its request.

Text

Device Type of device from which the client operates.

For example: Computer

Text

Request

Request that initiates an action.

Object

IP Chain

If the incoming request passes through any proxies, the IP addresses of those proxies are stored here in the format: clientIp, proxy1, proxy2. This field is useful when working with trusted proxies.

List of Objects

Raw Output

Raw Output returned by the Okta API.

Object

Stream Matching Records

Records Streamed

Number of records streamed in a streaming flow.

This field appears when you select Stream Matching Records from the Result Set option.

Number

Related topics

Okta connector

Workflow elements

Guidance for Okta connector

Okta API documentation