Use filters to query audit logs and locate specific events.
The available filters differ when viewing audit logs for the entire realm, and viewing those for a specific app:
| Filter name | Input | Location |
| Start and end date | Enter a date range from one to seven days, inclusive | Realm and App |
| Table | Enter a table name, or leave blank to search all tables | App only |
| App name |
Enter an app name, or leave blank to search all apps Deleted apps cannot be queried |
Realm only |
| User email | Enter a user email, or leave blank to search logs for all users | Realm and App |
| Actions | Enter one or more actions separated by commas, or leave blank to search all actions | Realm and App |
| Resource type | Select a resource type: record, report, field, form | App only |
| Resource ID |
Enter the ID of a resource You must also select the resource type |
App only |
| Log ID | Enter a log ID to search all audit logs within the retention period purchased | Realm and App |
Query audit logs
To query audit logs using a filter:
- Access audit logs.
- Select a filter at the top of the page. Depending on which filter you choose, enter the appropriate information. You can use either the Log ID as a single filter, or any combination of the other available filters.
Note: If you don't specify any filters, all activity within the specified date range displays. -
Click Display logs to apply the chosen filter(s). You can repeat the steps to change and/or combine filters to alter your results.
- It may take up to 5 minutes to see a new audit log event appear.
- Audit metadata, such as usernames and emails, is updated once per day. As a result, there may be up to a 24-hour gap before new events reflect updated metadata, including for new users. However, when exporting events from the admin console, the user ID is included, allowing you to associate events with specific users, even before the metadata is updated.
Information included in audit logs
Audit logs display the following information:
| Item | Description |
|---|---|
| Log ID | Auto-generated identifier of the audit log. |
| First Name | User’s first name. |
| Last Name | User’s last name. |
| Email Address | User’s email address. |
| Action | What action was taken, such as log in, create app, report access, or table search. |
| Browser time | Exact time the action was taken, including date, and time with hour, minutes and seconds. Time zone is the browser time zone. |
| IP | The IP address the action was taken from. |
| User Agent | The browser and OS the action was taken from. |
| Session Information |
The Session ID associated with a user’s browsing session on a particular device (which resets when the session expires), or a short snippet of the User Token, which is used for compatible API calls. You can use this information to trace back the user who performed a particular action when using a service account or through an API. For example, an audit log for an action performed by a service account will only contain the service account used in the description. You can trace the Session ID back to the user session associated with the service account by locating the |
| Application | UI for user interface or API for an API call. |
| Description |
A description of the action that occurred. Some audit logs contain links to the resource that was accessed or changed, or links to view additional details.
View examples of descriptions in the Audit Log Library. |
Learn more
Tracking data changes in a specific field