Search System Logs
Search for log events from your organization's system log in Okta.
Options
Field | Definition | Type | Required |
---|---|---|---|
Search By | Choose one of the following options to implement the search: | Dropdown | TRUE |
Result Set | Choose a method to filter search results: | Dropdown | TRUE |

To learn how to return a large number of records, see Set up the stream matching option with a helper flow.
Input
Field | Definition | Type | Required |
---|---|---|---|
Search By | Use the eq operator to concatenate each key and value, then combine different keys with the and operator. Use the Custom Filter field to build your own expression. The predefined fields and the Custom Filter field are concatenated using and. See System Log. Appears when | ||
Event Type | Type of event that was published. Appears when | String | FALSE |
UUID | Universal unique identifier of the Webhook event. Appears when | String | FALSE |
Display Message | Display message for an event. Appears when | String | FALSE |
Actor ID | Identifier of the actor. Appears when | String | FALSE |
Actor Display Name | Display name of an actor. Appears when | String | FALSE |
Actor Type | Type of actor. Appears when | String | FALSE |
Target ID | Unique identifier of a target. Appears when | String | FALSE |
Target Display Name | Display name of a target. Appears when | String | FALSE |
Target Type | Type of a target. Appears when | String | FALSE |
Severity | Indicates how severe the event is: Appears when | Dropdown | FALSE |
Custom Filter | Build your own SCIM filter expression to search log events. For example: To search for Failed sign-in events, use See . Appears when | String | FALSE |
Keyword | Filters the log events results by one or more exact keywords. For example: Appears when | String | FALSE |
Date | |||
Since | Filters the lower time bound of the log events. If you enter a future timestamp, you will get an error. If you leave this field unspecified, the default value will be 7 days prior to Until. | Date and Time | FALSE |
Until | Filters the upper time bound of the log events published property. If you enter a future timestamp or leave this field unspecified, the current timestamp will be considered as the until value. | Date and Time | FALSE |
Sort | |||
Order | Order of the returned events that are sorted by published property. Choose from: | Dropdown | FALSE |
Search Criteria | |||
Record Limit | Specify the number of records to stream. Appears when Stream Matching Records is selected from the Result Set option. | Number | TRUE |
Streaming | |||
Flow | Click Choose Flow to browse and select a helper flow to which the search results will be streamed, then click Choose to confirm. Optionally, click the empty field under Click or drop here to create and add custom extensible fields that pass data to the helper flow. These fields are added as key/value pairs under the State output object in the helper flow. Appears when | Flow | TRUE |
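How the Search By fields combine into a single filter expression, and how the Since and Until defaults resolve, shown as an added example that is not Okta's own code. The attribute paths in FIELD_TO_ATTR, the backslash escaping of values, and the parentheses around the custom filter are assumptions; the sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumption: card input field -> System Log attribute path (not stated on this page).
FIELD_TO_ATTR = {
    "Event Type": "eventType", "UUID": "uuid", "Display Message": "displayMessage",
    "Actor ID": "actor.id", "Actor Display Name": "actor.displayName",
    "Actor Type": "actor.type", "Target ID": "target.id",
    "Target Display Name": "target.displayName", "Target Type": "target.type",
    "Severity": "severity",
}

def quote(value):
    """Render a value as a quoted filter literal; escaping keeps input from adding clauses."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_filter(fields, custom_filter=None):
    """Emit `attr eq "value"` per populated field, joined (with the custom filter) by `and`."""
    clauses = []
    for name, value in fields.items():
        if name not in FIELD_TO_ATTR:
            raise KeyError(f"unknown input field: {name}")
        if value not in (None, ""):
            clauses.append(f"{FIELD_TO_ATTR[name]} eq {quote(value)}")
    if custom_filter:
        # Assumption: parentheses stop an `or` in the custom filter from escaping the `and` chain.
        clauses.append(f"({custom_filter})")
    return " and ".join(clauses)

def resolve_window(since=None, until=None, now=None):
    """Apply the Since/Until rules from the Date rows of the Input table."""
    now = now or datetime.now(timezone.utc)
    if since is not None and since > now:
        raise ValueError("Since must not be a future timestamp")
    if until is None or until > now:
        until = now                        # future or missing Until -> current timestamp
    if since is None:
        since = until - timedelta(days=7)  # default: 7 days prior to Until
    return since, until

if __name__ == "__main__":
    # Constructed sample input: failed sign-ins by one actor.
    sample = {"Event Type": "user.session.start", "Actor ID": "00u-EXAMPLE", "Target ID": ""}
    print(build_filter(sample, 'outcome.result eq "FAILURE"'))
    print(resolve_window(until=datetime(2024, 1, 8, tzinfo=timezone.utc)))
```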
Output
Fields appear when First Matching Record or First 200 Matching Records are selected from the Result Set option except where indicated.
Field | Definition | Type |
---|---|---|
Result | ||
UUID | Unique identifier for an individual event. | String |
Published | Timestamp when the event is published. | Date and Time |
Event Type | Type of event that is published. | String |
Severity | Indicates the severity of the event: | String |
Display Message | Display message for an event. | String |
Actor | Describes the entity that performs an action. | Object |
ID | Identifier of the Okta actor who granted the user privilege. | String |
Type | Type of Okta actor. | String |
Alternate ID | Email address of the Okta actor. | String |
Display Name | Display name of the Okta actor. | String |
Target | Zero or more targets of an action. | List of Objects |
Client | Client that requests an action. | Object |
ID | Unique identifier for the client. | String |
User Agent | User agent that is used by an actor to perform an action. | Object |
Geographical Context | Physical location from where the client is making its request. | Object |
Zone | Name of the zone to which that client's location is mapped. See Zones. | String |
IP Address | IP address from which the client is making its request. | String |
Device | Type of device from which the client operates. For example: Computer | String |
Request | Request that initiates an action. | Object |
IP Chain | If the incoming request passes through any proxies, the IP addresses of those proxies are stored here in the format: clientIp, proxy1, proxy2. This field is useful when working with trusted proxies. | List of Objects |
Raw Output | Raw Output returned by the Okta API. | Object |
Stream Matching Records | ||
Records Streamed | Number of records streamed in a streaming flow. Appears when Stream Matching Records is selected from the Result Set option. | Number |