Event logs search query limitations

Help
, ,
1

Hi,

We’re trying to read the logs generated from the management API using a Lucene query to filter the result as documented here:

The problem is when we use some fields present in the JSON representation of the log, we receive 0 results while others are working as expected. I’m aware there’s a list of searchable fields, but we we’re able to filter on fields that are undocumented so…

For example, I get results when filtering the field details.request.method:“post”, but no result when filtering details.request.query.user_id:“[REDACTED]”. It’s not throwing an error, we just have no result.

Here’s the simplified log (JSON representation)

{ "date": "2022-06-27T19:13:54.992Z", "type": "sapi", "description": "Assign one or more roles to a given user that will be applied in the context of the provided organization", "client_id": "REDACTED", "client_name": "", "ip": "REDACTED", "user_agent": "CREDACTED", "details": { "request": { "method": "post", "path": "[REDACTED]", "query": { "user_id": "[REDACTED]" }, "userAgent": "REDACTED", ...REDACTED }, "user_id": "REDACTED", "log_id": "REDACTED", "_id": "REDACTED", "isMobile": false, "id": "REDACTED" }

We would like to use the lucene query to avoid re-filtering the logs in our backend. Is this a limitation or maybe we’re not using the query correctly? Either way I think it should be documented because it’s confusing.

Thanks

3

Hi @nicolasbouchard ,

Welcome to the Auth0 Community!

I noticed that the details.request.query.user_id:“[REDACTED]” contains the square brackets. As per the doc, the square brackets are used to specify the range of search query. I suspect that caused no results returned.

If you could save the details.request.query.user_id without the bracket, it should work. Do you mind giving it a try?

Hope this helps!

4

Hi Lihua,

Thanks for your response! The square bracket were added to demonstrate a redacted value. In fact, we use a real user_id value in this field, more like:
details.request.query.user_id:“auth0|redacted”.

Thanks!

5

Hi @nicolasbouchard ,

Thank you for providing additional context.

user_id is a searchable field. I tried using user_id only and it works.

image
image1676×650 92.2 KB

Please let us know how it goes on your end.

Thanks!

6

Hi Lihua,

Yes, but I can’t use the user_id because the API Operations are done with an Access Token obtained by a Machine-to-machine Application. In this case I don’t even have a user_id property in the JSON representation of the log.

image
image983×231 20 KB

What were trying to do is to identify the user who made the operation, so we had to append the “Logged In” user_id in the query string of each POST/PUT/DELETE request. We though we could then use the JSON node details.request.query.user_id to filter our logs.

If you know another way of achieving this, please let us know!

Thanks

Nicolas