Search System Logs
Search for log events from your organization's system log in Okta.
Scopes
See Action cards for the list of required OAuth scopes for this card.
Options
Field | Definition | Type | Required |
---|---|---|---|
Search By | Choose one of the following options to implement the search: | Dropdown | TRUE |
Result Set | Choose a method to filter search results: | Dropdown | TRUE |
To learn how to return a large number of records, see Stream matching records with a helper flow.
Input
Field | Definition | Type | Required |
---|---|---|---|
Search By | Each populated field below becomes a clause of the form key eq "value", and the clauses are combined with the and operator. Use the Custom Filter field to build your own expression; the pre-defined fields and the Custom Filter are also concatenated using and. See System Log. Appears when Expression is selected from the Search Type option. | | |
Event Type | Type of event that was published. Appears when Expression is selected from the Search Type option. | Text | FALSE |
UUID | Universally unique identifier of the event. Appears when Expression is selected from the Search Type option. | Text | FALSE |
Display Message | Display message for an event. Appears when Expression is selected from the Search Type option. | Text | FALSE |
Actor ID | Identifier of the actor. Appears when Expression is selected from the Search Type option. | Text | FALSE |
Actor Display Name | Display name of an actor. Appears when Expression is selected from the Search Type option. | Text | FALSE |
Actor Type | Type of actor. Appears when Expression is selected from the Search Type option. | Text | FALSE |
Target ID | Unique identifier of a target. Appears when Expression is selected from the Search Type option. | Text | FALSE |
Target Display Name | Display name of a target. Appears when Expression is selected from the Search Type option. | Text | FALSE |
Target Type | Type of a target. Appears when Expression is selected from the Search Type option. | Text | FALSE |
Severity | Indicates how severe the event is. Appears when Expression is selected from the Search Type option. | Dropdown | FALSE |
Custom Filter | Build your own SCIM filter expression to search log events. For example, to search for failed sign-in events, use eventType eq "user.session.start" and outcome.result eq "FAILURE". Appears when Expression is selected from the Search Type option. | Text | FALSE |
Keyword | Filters the log event results by one or more exact keywords. Appears when Keyword is selected from the Search Type option. For example: | Text | FALSE |
Date | | | |
Since | Filters the lower time bound of the log events' published property. If you enter a future time stamp, you get an error. If you leave this field unspecified, the default value is 7 days prior to Until. | Date & Time | FALSE |
Until | Filters the upper time bound of the log events' published property. If you enter a future time stamp or leave this field unspecified, the current time stamp is used as the until value. | Date & Time | FALSE |
Sort | | | |
Order | Order of the returned events, which are sorted by the published property. Choose from: | Dropdown | FALSE |
Streaming | | | |
Flow | Click Choose Flow to browse and select a helper flow to which the search results will be streamed, and then click Choose to confirm. Optionally, click the empty field under Click or drop here to create and add custom extensible fields that pass data to the helper flow. These fields are added as key/value pairs under the State output object in the helper flow. Appears when | Flow | TRUE |
Search Criteria | | | |
Record Limit | Specify the number of records to stream. This field appears when you select Stream Matching Records from the Result Set option. | Number | FALSE |
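The following is an added example, not code from Okta or from this card's implementation. It shows how the Search By fields, the Custom Filter, and the Since/Until rules described above combine into one System Log query, including the quoting a field value needs so that user-supplied text cannot append clauses to the filter. The field-to-attribute mapping, the escaping rule, the time stamp format and all function names are assumptions made for this example; the sample inputs are constructed.

```python
# Added example, not Okta's own code: how the Search System Logs card's
# inputs map onto a System Log query. Field labels are the card's; the
# attribute mapping, the quoting rule and the helper names are assumptions.
from datetime import datetime, timedelta, timezone
from typing import Dict, Mapping, Optional, Tuple, Union

# Card input label -> System Log event attribute it filters on (assumed).
FIELD_ATTRIBUTES = {
    "Event Type": "eventType",
    "UUID": "uuid",
    "Display Message": "displayMessage",
    "Actor ID": "actor.id",
    "Actor Display Name": "actor.displayName",
    "Actor Type": "actor.type",
    "Target ID": "target.id",
    "Target Display Name": "target.displayName",
    "Target Type": "target.type",
    "Severity": "severity",
}

TimeLike = Union[str, datetime, None]


def quote(value: str) -> str:
    # Quote a filter string literal. Backslash and double quote are escaped,
    # so a value such as   x" or severity eq "ERROR   stays one literal
    # instead of adding a clause. (Escape convention assumed; confirm it
    # against your tenant before relying on it.)
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_filter(fields: Mapping[str, Optional[str]],
                 custom_filter: Optional[str] = None) -> Optional[str]:
    # Every populated field becomes   attribute eq "value"; the clauses and
    # the Custom Filter are joined with a bare `and`, as the card describes.
    # A Custom Filter containing `or` therefore depends on the API's operator
    # precedence: test the combined expression before trusting its results.
    clauses = []
    for label, value in fields.items():
        if not value:
            continue  # empty field: no clause, as in the card
        clauses.append(f"{FIELD_ATTRIBUTES[label]} eq {quote(value)}")
    if custom_filter and custom_filter.strip():
        clauses.append(custom_filter.strip())
    return " and ".join(clauses) or None


def _to_utc(value: TimeLike) -> Optional[datetime]:
    # Accept ISO 8601 strings (with an offset) or aware datetimes.
    if value is None:
        return None
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    if value.tzinfo is None:
        raise ValueError("time stamps must carry a time zone")
    return value.astimezone(timezone.utc)


def resolve_time_bounds(since: TimeLike, until: TimeLike,
                        now: TimeLike) -> Tuple[datetime, datetime]:
    # The card's rules: an unset or future Until becomes now; an unset Since
    # becomes 7 days before Until; a future Since is an error.
    now_dt = _to_utc(now)
    until_dt = _to_utc(until)
    since_dt = _to_utc(since)
    if until_dt is None or until_dt > now_dt:
        until_dt = now_dt
    if since_dt is None:
        since_dt = until_dt - timedelta(days=7)
    elif since_dt > now_dt:
        raise ValueError("Since must not be in the future")
    return since_dt, until_dt


def _iso(dt: datetime) -> str:
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")  # format assumed for the example


def build_query(fields: Mapping[str, Optional[str]], custom_filter: Optional[str] = None,
                since: TimeLike = None, until: TimeLike = None,
                now: TimeLike = None) -> Dict[str, str]:
    # Assemble the parameters a System Log search would carry.
    if now is None:
        now = datetime.now(timezone.utc)
    since_dt, until_dt = resolve_time_bounds(since, until, now)
    params = {"since": _iso(since_dt), "until": _iso(until_dt)}
    expression = build_filter(fields, custom_filter)
    if expression:
        params["filter"] = expression
    return params


if __name__ == "__main__":
    # Failed sign-ins in the 7 days before a fixed "now" (constructed input).
    print(build_query({"Event Type": "user.session.start"},
                      custom_filter='outcome.result eq "FAILURE"',
                      now="2024-01-08T00:00:00+00:00"))
```

The quoting step is the part worth carrying over to any flow that feeds card fields from untrusted data (a form, a ticket, another system's output): without it, a crafted Actor Display Name widens the search rather than narrowing it.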
Output
Fields appear when First Matching Record or First 200 Matching Records are selected from the Result Set option except where indicated.
Field | Definition | Type |
---|---|---|
Result | | |
UUID | Unique identifier for an individual event. | Text |
Published | Time stamp when the event is published. | Date & Time |
Event Type | Type of event that is published. | Text |
Severity | Indicates the severity of the event: | Text |
Display Message | Display message for an event. | Text |
Actor | Describes the entity that performs an action. | Object |
ID | Identifier of the actor that performed the action. | Text |
Type | Type of Okta actor. | Text |
Alternate ID | Username of the Okta actor. | Text |
Display Name | Display name of the Okta actor. | Text |
Target | Zero or more targets of an action. | List of Objects |
Client | Client that requests an action. | Object |
ID | Unique identifier for the client. | Text |
User Agent | User agent that is used by an actor to perform an action. | Object |
Geographical Context | Physical location from where the client is making its request. | Object |
Zone | Name of the zone to which the client's location is mapped. See Zones. | Text |
IP Address | IP address from which the client is making its request. | Text |
Device | Type of device from which the client operates. For example: Computer | Text |
Request | Request that initiates an action. | Object |
IP Chain | If the incoming request passes through any proxies, the IP addresses of those proxies are stored here in the format: clientIp, proxy1, proxy2. This field is useful when working with trusted proxies. | List of Objects |
Raw Output | Raw output returned by the Okta API. | Object |
Stream Matching Records | | |
Records Streamed | Number of records streamed in a streaming flow. This field appears when you select Stream Matching Records from the Result Set option. | Number |
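An added example, not Okta's code, of consuming the Client and Request outputs above: it decides which entry of IP Chain to treat as the real client address given the proxies you trust, and compares that with Client IP Address. The event is constructed to the shape the output table describes, and the trust model (each proxy appends the address it saw, as with X-Forwarded-For) is an assumption about your environment, not something the card guarantees.

```python
# Added example, not Okta's own code: working with the card's Client and
# Request outputs. The event below is constructed to the shape the output
# table describes; the trusted-proxy model (a proxy appends the address it
# saw, as with X-Forwarded-For) is an assumption about your environment.
import ipaddress
from typing import Iterable, Mapping, Optional, Sequence

SAMPLE_EVENT = {  # constructed sample, not a real tenant's event
    "uuid": "00000000-0000-4000-8000-000000000001",
    "published": "2024-01-07T12:34:56.000Z",
    "eventType": "user.session.start",
    "severity": "WARN",
    "displayMessage": "User login to Okta",
    "actor": {"id": "00u00000000000000001", "type": "User",
              "alternateId": "alice@example.com", "displayName": "Alice Example"},
    "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
    "client": {"ipAddress": "203.0.113.7", "device": "Computer",
               "geographicalContext": {"city": "Springfield"}},
    "request": {"ipChain": [
        # clientIp first, then each proxy the request passed through
        {"ip": "203.0.113.7", "version": "V4"},
        {"ip": "198.51.100.10", "version": "V4"},
    ]},
}


def effective_client_ip(ip_chain: Sequence[Mapping[str, str]],
                        trusted_proxies: Iterable[str]) -> Optional[str]:
    # Walk ipChain from the nearest proxy (last entry) back towards the
    # client, dropping hops that belong to proxies you control. The first
    # address that is not yours is the one a trusted proxy actually saw on
    # the wire. Entries to its left were reported by that untrusted party
    # and can be forged, so they are never returned.
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    hops = [ipaddress.ip_address(h["ip"]) for h in ip_chain]
    for hop in reversed(hops):
        if not any(hop in net for net in trusted):
            return str(hop)
    # Every hop is one of our proxies: the connection originated inside them.
    return str(hops[0]) if hops else None


def client_ip_disagrees(event: Mapping, trusted_proxies: Iterable[str]) -> bool:
    # True when Okta's client.ipAddress differs from the address your own
    # trusted-proxy list resolves. Such events deserve a second look: one of
    # the two proxy configurations is not what you think it is.
    resolved = effective_client_ip(event["request"]["ipChain"], trusted_proxies)
    return resolved is not None and resolved != event["client"]["ipAddress"]


if __name__ == "__main__":
    print(effective_client_ip(SAMPLE_EVENT["request"]["ipChain"], ["198.51.100.0/24"]))
    print(client_ip_disagrees(SAMPLE_EVENT, ["198.51.100.0/24"]))
```

Resolve from the right, never from the left: the leftmost chain entry is whatever the first hop claimed, and a client that sets its own forwarding header can put any address there.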