Search System Logs

Search for log events from your organization's system log in Okta.

Options

Field Definition Type Required
Search By Choose one of the following options to implement the search:

  • Expression: use System for Cross-domain Identity Management (SCIM) filter expressions to specify a subset of objects to return. An expression filter is useful for performing structured queries where constraints on log event attribute values can be explicitly targeted. Consider the following factors for expression filtering:

    • Use when searching large collection of objects such as Users.

    • No values are returned when keyword matching is performed against attributes with null values.

    See Filtering.

  • Keyword: use exact keyword matching. The query parameter q is used to perform keyword matching against a Log Events object's attribute values. Consider the following factors for keyword matching:

    • All entered keywords must be matched exactly
    • Matching is case-insensitive
    • Log Events object’s attributes can be used as keyword matching
    • No values are returned when keyword matching is performed against attributes with null values.

    See Keyword.

 Dropdown TRUE
Result Set

Choose a method to filter search results:

  • First Matching Record: returns the first record that matches.
  • First 200 Matching Records: returns the first 200 matching records.
  • Stream Matching Records: passes all matching records from your parent flow to a helper flow. A Streaming input section is added to the card from which you can select a helper flow for streaming and adding custom extensible fields.
 Dropdown TRUE
Tip

To learn how to return a large number of records, see Set up the stream matching option with a helper flow.

Input

Field Definition Type Required
Search By Use the eq operator to concatenate each key and value, then combine different keys with and operator. Use the Custom Filter field to build your own expression. Those pre-defined fields and Custom Filter field are concatenated using and.

See System Log.

Appears when Expression is selected from the Search Type option.
Event Type Type of event that was published.

Appears when Expression is selected from the Search Type option.

 String FALSE
UUID Universal unique identifier of the Webhook event.

Appears when Expression is selected from the Search Type option.

 String FALSE
Display Message Display message for an event.

Appears when Expression is selected from the Search Type option.

 String FALSE
Actor ID Identifier of the actor.

Appears when Expression is selected from the Search Type option.

 String FALSE
Actor Display Name Display name of a actor.

Appears when Expression is selected from the Search Type option.

 String FALSE
Actor Type Type of actor.

Appears when Expression is selected from the Search Type option.

 String FALSE
Target ID Unique identifier of a target.

Appears when Expression is selected from the Search Type option.

 String FALSE
Target Display Name Display name of a target.

Appears when Expression is selected from the Search Type option.

 String FALSE
Target Type Type of a target.

Appears when Expression is selected from the Search Type option.

 String FALSE
Severity Indicates how severe the event is:

  • DEBUG

  • INFO

  • WARN

  • ERROR

Appears when Expression is selected from the Search Type option.

 Dropdown FALSE
Custom Filter Build your own SCIM filter expression to search log events.

For example:

To search for Failed sign-in events, use eventType eq "user.session.start" and outcome.result eq "FAILURE"

See .

Appears when Expression is selected from the Search Type option.

 String FALSE
Keyword Filters the log events results by one or more exact keywords.

For example:

  • To search for a specific city, enter the city name: San Francisco.

  • To search for a specific person, enter the whole name: firstName lastName.

  • See .

Appears when Keyword is selected from the Search Type option.

 String FALSE
Date
Since

Filters the lower time bound of the log events published property.

If you enter a future timestamp, you will get an error. If you leave this field unspecified, the default value will be 7 days prior to Until.

Date and Time FALSE
Until Filters the upper time bound of the log events published property.

If you enter a future timestamp or leave this field unspecified, the current timestamp will be considered as the until value.

 Date and Time FALSE
Sort
Order Order of the returned events that are sorted by published property. Choose from:

  • Ascending

  • Descending

 Dropdown FALSE
Search Criteria
Record Limit

Specify the number of records to stream.

  • When the Limit field is set to 0, no records are returned.

  • When the Limit field is set to greater than 0, records greater than 0 and up the maximum number of records specified are returned.

  • When the Limit field is empty or not selected, all records are streamed.

  • Default value is 10 million.

  • Valid range is 0 to 10 million.

Appears when Stream Matching Records is selected from the Result Set option.

 Number TRUE
Streaming
Flow Click Choose Flow to browse and select a helper flow to which the search results will be streamed, then click Choose to confirm.

Optionally, click the empty field under Click or drop here to create and add custom extensible fields that pass data to the helper flow. These fields are added as key/value pairs under the State output object in the helper flow.

Appears when Stream Matching Records is selected from the Result Set option.

 Flow TRUE

Output

Fields appear when First Matching Record or First 200 Matching Records are selected from the Result Set option except where indicated.

Field Definition Type
Result
UUID Unique identifier for an individual event. String
Published Timestamp when the event is published. Date and Time
Event Type Type of event that is published. String
Severity Indicates the severity of the event:

  • DEBUG

  • INFO

  • WARN

  • ERROR

 String
Display Message Display message for an event. String
Actor Describes the entity that performs an action Object
ID Identifier of the Okta actor who granted the user privilege. String
Type Type of Okta actor. String
Alternate ID Email address of the Okta actor. String
Display Name Display name of the Okta actor. String
Target Zero or more targets of an action. List of Objects
Client Client that requests an action. Object
ID Unique identifier for the client.

  • For OAuth requests, this is the ID of the OAuth client making the request. See Roles.

  • For SSWS token requests, this is the ID of the agent making the request.

 String
User Agent User agent that is used by an actor to perform an action. Object
Geographical Context Physical location from where the client is making its request. Object
Zone Name of the zone to which that client's location is mapped.

See Zones.

 String
IP Address IP address from which the client is making its request. String
Device Type of device from which the client operates.

For example: Computer

 String
Request Request that initiates an action. Object
IP Chain If the incoming request passes through any proxies, the IP addresses of those proxies are stored here in the format: clientIp, proxy1, proxy2. This field is useful when working with trusted proxies. List of Objects
Raw Output Raw Output returned by the Okta API. Object
Stream Matching Records
Records Streamed Number of records streamed in a streaming flow.

Appears when Stream Matching Records is selected from the Result Set option.

 Number

Related topics

Okta connector

Workflow elements

Guidance for Okta connector

Okta API documentation