
Scroll through the audit logs

In this scenario, we will search the audit logs for the login actions of a particular user and scroll through the results.

Step 1 - Start scrolling the audit logs

Specifying the scroll.timeout property initializes a search with scrolling enabled. The property is a number that indicates for how many seconds the scroll context should stay open. This value is refreshed with each consecutive scroll request, so there is usually no need to specify more than a few seconds.

Scrolling enables you to traverse a large number of logs (possibly all of them). You can control the number of audit logs returned by specifying the logsQuery.size property. Using the logsQuery.from property is technically possible (but discouraged) only in this starting request; all consecutive scroll requests must not specify it.

Endpoint

CODE
POST /logs/search

Request

JSON
POST /logs/search?token=oDP8X0L6FcF3PFHlsCbVbQ2FIodUM1rb4GgKBKf4t6CDnbTqxcU2HwvUSJOBiFwL

Content-Type: application/json

{
  "logsQuery": {
    "query": {
      "filter": [
        {
          "type": "term",
          "field": "activityType",
          "value": "logged"
        },
        {
          "type": "term",
          "field": "actorId",
          "value": "mary.griffin@circularo.com"
        }
      ]
    },
    "size": 100
  },
  "scroll": {
    "timeout": 10
  }
}

Response

Note the following properties in the response object:

  • scrollId - Located in the response object at position scrollId.

    • It may have a value such as zduCi4Waj8XznXRZc6GGm7tlfyXiAmYMMoFUcuGbdVISVc96xnSG1Tw6nxV4AhlJ.

The response contains a single "scroll" of the audit logs. To continue scrolling, use the same request and specify the returned scrollId property.

Step 2 - Continue scrolling the audit logs

To continue scrolling, always use the same query as in the first scroll request, with the scroll.id value specified. It is also crucial not to specify the logsQuery.from parameter, but you can modify logsQuery.size to set the number of returned documents.

Endpoint

CODE
POST /logs/search

Request

JSON
POST /logs/search?token=oDP8X0L6FcF3PFHlsCbVbQ2FIodUM1rb4GgKBKf4t6CDnbTqxcU2HwvUSJOBiFwL

Content-Type: application/json

{
  "logsQuery": {
    "query": {
      "filter": [
        {
          "type": "term",
          "field": "activityType",
          "value": "logged"
        },
        {
          "type": "term",
          "field": "actorId",
          "value": "mary.griffin@circularo.com"
        }
      ]
    },
    "size": 100
  },
  "scroll": {
    "id": "zduCi4Waj8XznXRZc6GGm7tlfyXiAmYMMoFUcuGbdVISVc96xnSG1Tw6nxV4AhlJ",
    "timeout": 10
  }
}

Response

Note the following properties in the response object:

  • scrollId - Located in the response object at position scrollId.

    • It may have a value such as zduCi4Waj8XznXRZc6GGm7tlfyXiAmYMMoFUcuGbdVISVc96xnSG1Tw6nxV4AhlJ.

You can repeat this request for as long as it yields results, or for as long as needed. Always use the scrollId property from the latest response (it will usually, but not always, be the same across all the requests).

Step 3 - Close scroll context

Once all the audit logs have been traversed, or once you no longer need to scroll through any more of them, it is advisable to close the scroll context. To do so, specify the latest scrollId value in the following request.

Endpoint

CODE
DELETE /logs/scroll

Request

JSON
DELETE /logs/scroll?token=oDP8X0L6FcF3PFHlsCbVbQ2FIodUM1rb4GgKBKf4t6CDnbTqxcU2HwvUSJOBiFwL

Content-Type: application/json

{
  "scrollId": "zduCi4Waj8XznXRZc6GGm7tlfyXiAmYMMoFUcuGbdVISVc96xnSG1Tw6nxV4AhlJ"
}

The scroll context is now closed.
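
The three steps above combined into one loop, as an added example that is not part of the original documentation: it carries the latest scrollId into each request, stops when a scroll returns no logs, and closes the scroll context even if the caller stops early or a request fails. Assumptions: the `send` transport callable (HTTP and the token are left to it), the `results` response field name, and the `FakeLogsApi` stand-in with its constructed data are all hypothetical.

```python
import copy

# Filters taken from the page's request body.
LOGIN_FILTERS = [
    {"type": "term", "field": "activityType", "value": "logged"},
    {"type": "term", "field": "actorId", "value": "mary.griffin@circularo.com"},
]

def scroll_audit_logs(send, filters, size=100, timeout=10, hits_key="results"):
    """Yield every matching audit log, then close the scroll context.

    send(method, path, body) -> dict is a hypothetical caller-supplied transport.
    hits_key is an assumed name for the response array holding the logs.
    """
    body = {"logsQuery": {"query": {"filter": filters}, "size": size},
            "scroll": {"timeout": timeout}}  # Step 1: no scroll.id, no logsQuery.from
    scroll_id = None
    try:
        while True:
            resp = send("POST", "/logs/search", copy.deepcopy(body))
            scroll_id = resp.get("scrollId", scroll_id)  # keep the latest id
            hits = resp.get(hits_key) or []
            if not hits:
                break  # an empty scroll means everything was traversed
            yield from hits
            body["scroll"]["id"] = scroll_id  # Step 2: same query plus scroll.id
    finally:
        if scroll_id is not None:  # Step 3: runs on error or early exit too
            send("DELETE", "/logs/scroll", {"scrollId": scroll_id})

class FakeLogsApi:
    """Constructed in-memory stand-in for the API so the example runs offline."""
    def __init__(self, logs):
        self.logs, self.pos, self.issued, self.calls = logs, 0, 0, []

    def __call__(self, method, path, body):
        self.calls.append((method, path, body))
        if method == "DELETE":
            return {}
        size = body["logsQuery"]["size"]
        page, self.pos = self.logs[self.pos:self.pos + size], self.pos + size
        self.issued += 1  # issue a new id each time to exercise "use the latest"
        return {"scrollId": f"constructed-scroll-{self.issued}", "results": page}

if __name__ == "__main__":
    api = FakeLogsApi([{"actorId": "mary.griffin@circularo.com", "seq": i} for i in range(5)])
    for log in scroll_audit_logs(api, LOGIN_FILTERS, size=2):
        print(log)
    print([(m, p) for m, p, _ in api.calls])
```

Because the function is a generator, breaking out of the consuming loop or calling `close()` on it still triggers the DELETE request.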
