Event logs search query limitations

Hi,

We’re trying to read the logs generated from the management API using a Lucene query to filter the result as documented here:

The problem is when we use some fields present in the JSON representation of the log, we receive 0 results while others are working as expected. I’m aware there’s a list of searchable fields, but we were able to filter on fields that are undocumented so…

For example, I get results when filtering the field details.request.method:"post", but no result when filtering details.request.query.user_id:"[REDACTED]". It’s not throwing an error, we just have no result.

Here’s the simplified log (JSON representation)

{
  "date": "2022-06-27T19:13:54.992Z",
  "type": "sapi",
  "description": "Assign one or more roles to a given user that will be applied in the context of the provided organization",
  "client_id": "REDACTED",
  "client_name": "",
  "ip": "REDACTED",
  "user_agent": "CREDACTED",
  "details": {
    "request": {
      "method": "post",
      "path": "[REDACTED]",
      "query": { "user_id": "[REDACTED]" },
      "userAgent": "REDACTED",
      ...REDACTED
    },
    "user_id": "REDACTED",
    "log_id": "REDACTED",
    "_id": "REDACTED",
    "isMobile": false,
    "id": "REDACTED"
  }
}

We would like to use the lucene query to avoid re-filtering the logs in our backend. Is this a limitation or maybe we’re not using the query correctly? Either way I think it should be documented because it’s confusing.

Thanks

Hi @nicolasbouchard ,

Welcome to the Auth0 Community!

I noticed that the details.request.query.user_id:"[REDACTED]" contains square brackets. As per the doc, square brackets are used to specify a range in a search query. I suspect that caused no results to be returned.

If you could save the details.request.query.user_id without the bracket, it should work. Do you mind giving it a try?

Hope this helps!

Hi Lihua,

Thanks for your response! The square brackets were added to demonstrate a redacted value. In fact, we use a real user_id value in this field, more like:
details.request.query.user_id:"auth0|redacted".

Thanks!

Hi @nicolasbouchard ,

Thank you for providing additional context.

user_id is a searchable field. I tried using user_id only and it works.

Please let us know how it goes on your end.

Thanks!

Hi Lihua,

Yes, but I can’t use the user_id because the API Operations are done with an Access Token obtained by a Machine-to-machine Application. In this case I don’t even have a user_id property in the JSON representation of the log.

What we’re trying to do is to identify the user who made the operation, so we had to append the “Logged In” user_id in the query string of each POST/PUT/DELETE request. We thought we could then use the JSON node details.request.query.user_id to filter our logs.

If you know another way of achieving this, please let us know!

Thanks

Nicolas