Search System Logs

Search for log events from your organization's system log in Okta.

Scopes

See Action cards for the list of required OAuth scopes for this card.

Options

Field Definition Type Required

Search By

Choose one of the following options to implement the search:

  • Expression: use System for Cross-domain Identity Management (SCIM) filter expressions to specify a subset of objects to return. An expression filter is useful for performing structured queries where constraints on log event attribute values can be explicitly targeted. Consider the following factors for expression filtering:

    • Use when searching large collection of objects, such as users.
    • No values are returned when keyword matching is performed against attributes with null values.

    See Filtering.

  • Keyword: use exact keyword matching. The query parameter q is used to perform keyword matching against a Log Events object's attribute values. Consider the following factors for keyword matching:

    • All entered keywords must be matched exactly.
    • Matching is case-insensitive.
    • Log Events object's attributes can be used as keyword matching.
    • No values are returned when keyword matching is performed against attributes with null values.

    See Keyword.

Dropdown

TRUE

Result Set

Choose a method to filter search results:

  • First Matching Record: Returns the first record that matches.

  • First 200 Matching Records: Returns the first 200 matching records.

  • Stream Matching Records: Passes all matching records from your parent flow to a helper flow.

    Selecting this option adds a Streaming input section to the card where you can select a helper flow for streaming and add custom extensible fields.

Dropdown

TRUE

To learn how to return a large number of records, see Stream matching records with a helper flow.

Input

Field Definition Type Required

Search By

Use the eq operator to concatenate each key and value, then combine different keys with and operator. Use the Custom Filter field to build your own expression. Those pre-defined fields and Custom Filter field are concatenated using and.

See System Log.

Appears when Expression is selected from the Search Type option.

Event Type

Type of event that was published.

Appears when Expression is selected from the Search Type option.

Text

FALSE

UUID

Universal unique identifier of the Webhook event.

Appears when Expression is selected from the Search Type option.

Text

FALSE

Display Message

Display message for an event.

Appears when Expression is selected from the Search Type option.

Text

FALSE

Actor ID

Identifier of the actor.

Appears when Expression is selected from the Search Type option.

Text

FALSE

Actor Display Name

Display name of a actor.

Appears when Expression is selected from the Search Type option.

Text

FALSE

Actor Type

Type of actor.

Appears when Expression is selected from the Search Type option.

Text

FALSE

Target ID

Unique identifier of a target.

Appears when Expression is selected from the Search Type option.

Text

FALSE

Target Display Name

Display name of a target.

Appears when Expression is selected from the Search Type option.

Text

FALSE

Target Type

Type of a target.

Appears when Expression is selected from the Search Type option.

Text

FALSE

Severity

Indicates how severe the event is:

  • DEBUG

  • INFO

  • WARN

  • ERROR

Appears when Expression is selected from the Search Type option.

Dropdown

FALSE

Custom Filter

Build your own SCIM filter expression to search log events.

For example:

To search for Failed sign-in events, use eventType eq "user.session.start" and outcome.result eq "FAILURE"

See .

Appears when Expression is selected from the Search Type option.

Text

FALSE

Keyword

Filters the log events results by one or more exact keywords.

For example:

  • To search for a specific city, enter the city name: San Francisco.

  • To search for a specific person, enter the whole name: firstName lastName.

  • See .

Appears when Keyword is selected from the Search Type option.

Text

FALSE

Date

Since

Filters the lower time bound of the log events published property.

If you enter a future time stamp, you will get an error. If you leave this field unspecified, the default value will be 7 days prior to Until.

Date & Time

FALSE

Until

Filters the upper time bound of the log events published property.

If you enter a future time stamp or leave this field unspecified, the current time stamp will be considered as the until value.

Date & Time

FALSE

Sort

Order

Order of the returned events that are sorted by published property. Choose from:

  • Ascending

  • Descending

Dropdown

FALSE

Streaming

Flow

Click Choose Flow to browse and select a helper flow to which the search results will be streamed, and then click Choose to confirm.

Optionally, click the empty field under Click or drop here to create and add custom extensible fields that pass data to the helper flow. These fields are added as key/value pairs under the State output object in the helper flow.

Appears when Stream Matching Records is selected from the Result Set option.

Flow

TRUE

Search Criteria

Record Limit

Specify the number of records to stream.

  • When the field is set to less than 0, the card returns an error.

  • When the field is set to either 0 or a value greater than 0, the stream returns up to the maximum number specified.

  • When the field is empty, null, or not selected, the stream returns all records.

  • The default value is 1000000 (1 million).

  • The valid range is from 0 to 1000000.

This field appears when you select Stream Matching Records from the Result Set option.

Number

FALSE

Output

Fields appear when First Matching Record or First 200 Matching Records are selected from the Result Set option except where indicated.

Field Definition Type

Result

UUID

Unique identifier for an individual event.

Text

Published

Time stamp when the event is published.

Date & Time

Event Type

Type of event that is published.

Text

Severity

Indicates the severity of the event:

  • DEBUG

  • INFO

  • WARN

  • ERROR

Text

Display Message

Display message for an event.

Text

Actor

Describes the entity that performs an action

Object

ID

Identifier of the Okta actor who granted the user privilege.

Text

Type

Type of Okta actor.

Text

Alternate ID

Username of the Okta actor.

Text

Display Name

Display name of the Okta actor.

Text

Target

Zero or more targets of an action.

List of Objects

Client

Client that requests an action.

Object

ID

Unique identifier for the client.

  • For OAuth requests, this is the ID of the OAuth client making the request. See Roles.

  • For SSWS token requests, this is the ID of the agent making the request.

Text

User Agent

User agent that is used by an actor to perform an action.

Object

Geographical Context

Physical location from where the client is making its request.

Object

Zone

Name of the zone to which that client's location is mapped.

See Zones.

Text

IP Address

IP address from which the client is making its request.

Text

Device

Type of device from which the client operates.

For example: Computer

Text

Request

Request that initiates an action.

Object

IP Chain

If the incoming request passes through any proxies, the IP addresses of those proxies are stored here in the format: clientIp, proxy1, proxy2. This field is useful when working with trusted proxies.

List of Objects

Raw Output

Raw Output returned by the Okta API.

Object

Stream Matching Records

Records Streamed

Number of records streamed in a streaming flow.

This field appears when you select Stream Matching Records from the Result Set option.

Number

Related topics

Okta connector

Workflow elements

Guidance for Okta connector

Okta API documentation