Audit logs are ordered newest first. Time windows use an inclusive
start and exclusive end: [start, end). A search or export can cover up to 30 days. Split longer periods into multiple time windows.
Both workflows are also available from the CLI. For the underlying HTTP API, see search and export in the API reference.
Filter audit logs
The API and SDKs use the same filters for search and export:auth_strategyfilters by authentication method, such asapi_key,dashboard, oroauth.servicefilters by the service that emitted the audit event.methodreturns only requests that use the specified HTTP method.exclude_methodomits requests that use any of the specified HTTP methods.searchmatches path, user ID, email, client IP, and status.search_user_idmatches requests from the specified user IDs in addition to any free-text matches.
The API and SDKs include all methods unless you filter. Only the CLI excludes
GET by default to reduce noise. Pass --include-get to remove that default exclusion, or pass --method GET to return only GET requests.Search audit logs
Each API page contains up to 100 events. The SDK pagination helpers request older pages as you iterate.Export audit logs
The export API returns one chunk per request. Export paging uses a cursor rather than the page token used by search; both are opaque values you pass back unchanged. Repeat requests untilX-Has-More is false, passing X-Next-Cursor back as cursor. With the jsonl.gz format, each chunk is an independent gzip member, and appending the members produces a valid gzip file. With jsonl, each chunk contains raw JSON Lines that you can also append.
The following minimal examples write all chunks to one file. For a hardened export with checksum verification and retries, use the CLI.
event_id, which provides a stable tie-breaker when multiple events share a timestamp.
See the API reference for the full request and response schema.