Exporting Audit Log Search Results

Because audit logs are only available for 30 days, you might want to periodically export those logs, or at least a selected portion of those logs: that way, you can maintain a more permanent record of the activities that have taken place in the Console. (And if you have other reasons for wanting to export audit logs? That’s fine: it’s your data, so you can do whatever you want with it.) Fortunately, exporting audit logs is about as easy as anything ever gets: just click the Export Results button.

That’s all you have to do: click the button, and the current audit log search results will automatically be downloaded (as a comma-separated values file) to the Downloads folder on your local computer. That’s all you have to do in part because there’s nothing else you can do: CSV is the only available file format, and the Downloads folder is the only available download location.

So how hard will it be to find your exported audit logs? Not very hard: the download file will have a name similar to this:

knz9cs653cue3ts3hw8vwuh5fz_audit_data.csv

In that file name, knz9cs653cue3ts3hw8vwuh5fz represents your application ID, which can be found on the Console’s Manage Application page.

Note. We should mention that the file name is always the same (e.g., knz9cs653cue3ts3hw8vwuh5fz_audit_data.csv) regardless of whether you export data from the Audit Logs page or from the Manage Agents section.

As alluded to a few minutes ago, the Export Results button automatically downloads the current audit log search results. For example, suppose you run a search and your search results consist of a single record.

If you click Export Results at this point, your exported CSV file will consist of a single record, the one record in your search results.

Keep that in mind before you start exporting audit data.

When you do export your audit logs, you’ll get a CSV file containing one row per audit record. The table below describes what each of the data fields is for, and explains what kind of data you might see in those fields:

Field

Description

Event Type

Indicates the general type of event that occurred. For example, creating, updating, or deleting a user profile on the Full Record page are all actions that fall into the agentDirectRecordAction event (or, if you prefer, the agentDirectRecordAction category).

For example:

agentCaptureClientAction

Date

Date that the action took place (in UTC datetime format). For example:

2019-06-05T17:29:07.997 

Console User Email

Email address of the Console agent who initiated the action. For example:

console.admin@akamai.com

Console User IP Address

IP address of the device used by the Console agent when carrying out the action. For example:

192.168.1.13

Console User UUID

UUID of the agent who initiated the action. For example:

398483bc1-880a-4caa-9291-fbd54b8dfff5

action

Task carried out by the Console agent. For example:

clientCreated

Capture Application ID

ID of the Identity Cloud application associated with the action. For example:

i878fgloxnf8egf64hub3c7j5rew

Client ID

ID of the property (API client/Capture client) directly associated with the action. If a property was created, updated, or deleted, this will be the ID of that property. If a user profile was created, updated, or deleted (or if a password reset or email verification message was sent), this will be the ID of the property associated with the affected user account.

For example:

hgtxbv6mu2am6kj6bna9mk5mfn98hdem

Updated Console User Email

Email address of the Console agent affected by an administrative action. For example, if you create a new agent account and send that prospective agent a Console invitation, the newcomer’s email address is recorded in this field.

For example:

karim.nafir@mail.com

Entity Type

Name of the Identity Cloud entity type where the user profile information is stored. For example:

user

Currently this field is only used for actions that require access to a user profile (viewing a user profile, updating a user profile, creating a user profile, etc.). This profile is also used for actions like sending password reset and email verification messages; that’s because the user’s email address is stored in the user profile.

Flow Name

Name of the flow that was involved in the action (e.g., the flow that was promoted or the flow that was restored). For example:

standard

Activity

Activity label that corresponds to the Audit Log action. For example:

Client Settings Updated

New Flow Version

New version number of the flow that was created or updated. Note that, when a flow is updated, a copy is made of the original flow and the updates are made to that copy. The copy is then given a new version number.

For example:

20190405195902422227

Flow version numbers are actually timestamps that represent the exact date and time that the flow was created or updated. For example, the flow version 20190405195902422227 is broken down as follows:

  • 2019 – Four-digit year.
  • 04 – Two-digit month.
  • 05 – Two-digit day.
  • 19 – Two-digit hour of the day, based on a 24-hour clock and on UTC time. The value 19 equates to 7:00 PM.
  • 59 – Two-digit minute of the hour.
  • 02 – Two-digit second of the minute.
  • 422227 – Six-digit microseconds of the second.

In other words, flow version 20190405195902422227 was created at 7:59:02 PM UTC on April 5, 2019.

Response Code

HTTP response status code issued in response to the agent action: a response code of 200 indicates that the operation was successfully completed. Valid response codes include:

  • 200 – Resource successfully found or updated
  • 201 – Resource successfully created
  • 204 – Resource successfully deleted
  • 400 – Invalid submission
  • 403 – Permission denied
  • 404 – Resource not found
  • 409 – Resource locked
  • 500 – Internal server error

For example:

200

Restored Flow Version

Version number of the flow that was restored. For example:

20190405195902422227

Roles Assigned

Comma-separated array of the roles assigned to the agent affected by the action (not the agent who initiated the action). For example:

['ccp_agent', 'ccp_agent_manager']

This field is populated whenever an agent account is created, modified, or deleted.

Updated User UUID

UUID of the agent account or the user account affected by the action. If you update an agent account, the UUID of the modified agent account is added to the targetUUID field. If you update a user profile, the UUID of the user is added to the targetUUID field.

For example:

011ab56f-29b5-4acc-990a-87ed2aedab34
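
The following is an added example, not Akamai code: it parses an export into typed records, decodes the flow version timestamp and the Roles Assigned array as described in the table, and picks out the records a reviewer would look at first (failed requests and role assignments). It assumes the CSV header row uses the field names from the table above; the event and action names in the second and third sample rows are constructed placeholders.

```python
import ast
import csv
import io
from datetime import datetime, timezone

# Constructed sample export. Assumption: the header row uses the field names
# from the table above; "exampleFlowEvent", "exampleAgentEvent" and the action
# names in rows 2-3 are placeholders, not real Identity Cloud values.
SAMPLE_EXPORT = """\
Event Type,Date,Console User Email,action,New Flow Version,Response Code,Roles Assigned
agentCaptureClientAction,2019-06-05T17:29:07.997,console.admin@akamai.com,clientCreated,,201,
exampleFlowEvent,2019-06-05T17:31:10.120,console.admin@akamai.com,exampleFlowAction,20190405195902422227,200,
exampleAgentEvent,2019-06-05T17:40:00.000,console.admin@akamai.com,exampleAgentAction,,403,"['ccp_agent', 'ccp_agent_manager']"
"""

def parse_flow_version(value):
    """Decode a 20-digit flow version (YYYYMMDDhhmmss + 6-digit microseconds), UTC."""
    if len(value) != 20 or not value.isdigit():
        raise ValueError(f"not a flow version: {value!r}")
    parts = [int(value[i:j]) for i, j in
             ((0, 4), (4, 6), (6, 8), (8, 10), (10, 12), (12, 14), (14, 20))]
    return datetime(*parts, tzinfo=timezone.utc)

def parse_roles(value):
    """Turn "['ccp_agent', 'ccp_agent_manager']" into a list; empty field -> []."""
    roles = ast.literal_eval(value) if value.strip() else []
    if not (isinstance(roles, list) and all(isinstance(r, str) for r in roles)):
        raise ValueError(f"unexpected Roles Assigned value: {value!r}")
    return roles

def load_export(text):
    """Parse an exported CSV into typed records."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Date"] = datetime.fromisoformat(row["Date"]).replace(tzinfo=timezone.utc)
        row["Response Code"] = int(row["Response Code"])
        row["Roles Assigned"] = parse_roles(row["Roles Assigned"])
        version = row["New Flow Version"]
        row["New Flow Version"] = parse_flow_version(version) if version else None
        records.append(row)
    return records

def needs_review(records):
    """Records worth a second look: failed requests (4xx/5xx) or role assignments."""
    return [r for r in records if r["Response Code"] >= 400 or r["Roles Assigned"]]

if __name__ == "__main__":
    for r in needs_review(load_export(SAMPLE_EXPORT)):
        print(r["Date"].isoformat(), r["action"], r["Response Code"], r["Roles Assigned"])
```

To run it against a real export, pass the contents of the downloaded `_audit_data.csv` file to `load_export` after confirming the header names match.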