Search System Logs

Search for log events from your organization's system log in Okta.

Scopes

See Action cards for the list of required OAuth scopes for this card.

Options

Field	Definition	Type	Required
Search By	Choose one of the following options to implement the search: `Expression`: use System for Cross-domain Identity Management (SCIM) filter expressions to specify a subset of objects to return. An expression filter is useful for performing structured queries where constraints on log event attribute values can be explicitly targeted. Consider the following factors for expression filtering: Use when searching large collection of objects, such as users. No values are returned when keyword matching is performed against attributes with null values. See Filtering. `Keyword`: use exact keyword matching. The query parameter `q` is used to perform keyword matching against a Log Events object's attribute values. Consider the following factors for keyword matching: All entered keywords must be matched exactly. Matching is case-insensitive. Log Events object's attributes can be used as keyword matching. No values are returned when keyword matching is performed against attributes with null values. See Keyword.	Dropdown	TRUE
Result Set	Choose a method to filter search results: `First Matching Record`: Returns the first record that matches. `First 200 Matching Records`: Returns the first 200 matching records. `Stream Matching Records`: Passes all matching records from your parent flow to a helper flow. Selecting this option adds a Streaming input section to the card where you can select a helper flow for streaming and add custom extensible fields.	Dropdown	TRUE

Note:

To learn how to return a large number of records, see Set up the stream matching option with a helper flow.

Input

Field	Definition	Type	Required
Search By	Use the `eq` operator to concatenate each key and value, then combine different keys with `and` operator. Use the Custom Filter field to build your own expression. Those pre-defined fields and Custom Filter field are concatenated using `and`. See System Log. Appears when `Expression` is selected from the Search Type option.
Event Type	Type of event that was published. Appears when `Expression` is selected from the Search Type option.	Text	FALSE
UUID	Universal unique identifier of the Webhook event. Appears when `Expression` is selected from the Search Type option.	Text	FALSE
Display Message	Display message for an event. Appears when `Expression` is selected from the Search Type option.	Text	FALSE
Actor ID	Identifier of the actor. Appears when `Expression` is selected from the Search Type option.	Text	FALSE
Actor Display Name	Display name of a actor. Appears when `Expression` is selected from the Search Type option.	Text	FALSE
Actor Type	Type of actor. Appears when `Expression` is selected from the Search Type option.	Text	FALSE
Target ID	Unique identifier of a target. Appears when `Expression` is selected from the Search Type option.	Text	FALSE
Target Display Name	Display name of a target. Appears when `Expression` is selected from the Search Type option.	Text	FALSE
Target Type	Type of a target. Appears when `Expression` is selected from the Search Type option.	Text	FALSE
Severity	Indicates how severe the event is: `DEBUG` `INFO` `WARN` `ERROR` Appears when `Expression` is selected from the Search Type option.	Dropdown	FALSE
Custom Filter	Build your own SCIM filter expression to search log events. For example: To search for Failed sign-in events, use `eventType eq "user.session.start"` and `outcome.result eq "FAILURE"` See . Appears when `Expression` is selected from the Search Type option.	Text	FALSE
Keyword	Filters the log events results by one or more exact keywords. For example: To search for a specific city, enter the city name: `San Francisco`. To search for a specific person, enter the whole name: `firstName lastName`. See . Appears when `Keyword` is selected from the Search Type option.	Text	FALSE
Date
Since	Filters the lower time bound of the log events `published` property. If you enter a future time stamp, you will get an error. If you leave this field unspecified, the default value will be 7 days prior to `Until`.	Date & Time	FALSE
Until	Filters the upper time bound of the log events `published` property. If you enter a future time stamp or leave this field unspecified, the current time stamp will be considered as the until value.	Date & Time	FALSE
Sort
Order	Order of the returned events that are sorted by `published` property. Choose from: `Ascending` `Descending`	Dropdown	FALSE
Streaming
Flow	Click Choose Flow to browse and select a helper flow to which the search results will be streamed, and then click Choose to confirm. Optionally, click the empty field under Click or drop here to create and add custom extensible fields that pass data to the helper flow. These fields are added as key/value pairs under the State output object in the helper flow. Appears when `Stream Matching Records` is selected from the Result Set option.	Flow	TRUE
Search Criteria
Record Limit	Specify the number of records to stream. When the field is set to less than `0`, the card returns an error. When the field is set to either `0` or a value greater than `0`, the stream returns up to the maximum number specified. When the field is empty, null, or not selected, the stream returns all records. The default value is `1000000` (1 million). The valid range is from `0` to `1000000`. This field appears when you select `Stream Matching Records` from the Result Set option.	Number	FALSE

Output

Fields appear when First Matching Record or First 200 Matching Records are selected from the Result Set option except where indicated.

Field	Definition	Type
Result
UUID	Unique identifier for an individual event.	Text
Published	Time stamp when the event is published.	Date & Time
Event Type	Type of event that is published.	Text
Severity	Indicates the severity of the event: `DEBUG` `INFO` `WARN` `ERROR`	Text
Display Message	Display message for an event.	Text
Actor	Describes the entity that performs an action	Object
ID	Identifier of the Okta actor who granted the user privilege.	Text
Type	Type of Okta actor.	Text
Alternate ID	Username of the Okta actor.	Text
Display Name	Display name of the Okta actor.	Text
Target	Zero or more targets of an action.	List of Objects
Client	Client that requests an action.	Object
ID	Unique identifier for the client. For OAuth requests, this is the ID of the OAuth client making the request. See Roles. For SSWS token requests, this is the ID of the agent making the request.	Text
User Agent	User agent that is used by an actor to perform an action.	Object
Geographical Context	Physical location from where the client is making its request.	Object
Zone	Name of the zone to which that client's location is mapped. See Zones.	Text
IP Address	IP address from which the client is making its request.	Text
Device	Type of device from which the client operates. For example: Computer	Text
Request	Request that initiates an action.	Object
IP Chain	If the incoming request passes through any proxies, the IP addresses of those proxies are stored here in the format: clientIp, proxy1, proxy2. This field is useful when working with trusted proxies.	List of Objects
Raw Output	Raw Output returned by the Okta API.	Object
Stream Matching Records
Records Streamed	Number of records streamed in a streaming flow. This field appears when you select `Stream Matching Records` from the Result Set option.	Number