# Search Audit Logs
{% hint style="warning" %}
This endpoint has been deprecated and replaced by [Export UAM records](/2024.3/detect-your-activity/audit/how-to-guides/enable-uam.md).
{% endhint %}
This page describes the `audit` endpoint API. The audit API allows users to programmatically search for audit records in Immuta.
{% hint style="info" %}
Additional fields may be included in some responses you receive; however, these attributes are for internal purposes and are therefore undocumented.
{% endhint %}
## Workflow
1. [Search all audit records](#search-for-audit-records).
2. [Retrieve a specific audit record](#retrieve-a-specific-audit-record).
3. [Search for recent activities using the API key](#query-for-activity-by-api-key).
4. [Search for queries for a specific data source](#search-for-query-list-by-data-source).
## Search for audit records
`GET` `/audit`
Search for audit records.
#### Query parameters
| Attribute | Description | Required |
| ------------ | --------------------------------------------------------------------------------------------------------------------------------- | -------- |
| dataSourceId | `array[integer]` The data source ID. | No |
| projectId | `array[integer]` The project ID. | No |
| profileId | `array[integer]` The user profile ID. | No |
| recordType | `array[integer]` The type of audit event being captured. This also corresponds to the additional information in the record field. | No |
| outcome | `Array[integer]` | No |
| minDate | `timestamp` The minimum date. | No |
| maxDate | `timestamp` The maximum date. | No |
| blobId | `string` The blob ID. | No |
| offset | `integer` Used in combination with `size` to fetch pages. | No |
| size | `integer` Pages results by default; `size` is the number of results to return per page. **Default `50`** | No |
| sortField | `string` Sorts results by field. **Default `dateTime`** | No |
| sortOrder | `string` Sorts results by order, which must be `asc` or `desc`. **Default `desc`** | No |
#### Response parameters
| Attribute | Description |
| --------- | --------------------------------------------------------- |
| hits | `metadata` Details regarding the returned list of audits. |
### Request example
The following request searches for all audit records.
```shell
curl \
--request GET \
--header "Content-Type: application/json" \
--header "Authorization: Bearer dea464c07bd07300095caa8" \
https://your-immuta-url.com/audit?size=2&sortField=dateTime&sortOrder=desc
```
### Response example
```json
{
"hits": [
{
"dateTime": "1632756753272",
"dataSourceName": null,
"projectName": null,
"recordType": "auditQuery",
"blobId": null,
"userId": "first.last@immuta.com",
"profileId": 2,
"purposeIds": null,
"success": true,
"failureReason": null,
"id": "480d9d3f-4128-445d-8eec-3cccb34f9935",
"fingerprintVersionName": null,
"email": "first.last@immuta.com"
},
{
"dateTime": "1632755783628",
"dataSourceName": null,
"projectName": null,
"recordType": "authenticate",
"blobId": null,
"userId": "first.last@immuta.com",
"profileId": 2,
"purposeIds": null,
"success": true,
"failureReason": null,
"id": "d143719b-6af9-4af3-aa99-8055be40e877",
"fingerprintVersionName": null,
"email": "first.last@immuta.com"
}
],
}
```
## Retrieve a specific audit record
`GET` `/audit/{recordId}`
Retrieve a specific audit record.
#### Query parameters
| Attribute | Description | Required |
| --------- | ----------------------------- | -------- |
| recordId | `string` The audit record ID. | **Yes** |
#### Response parameters
| Attribute | Description |
| --------- | ------------------------------------------------------- |
| hits | `metadata` Details regarding the returned audit record. |
### Request example
The following request retrieves a specific audit record.
```shell
curl \
--request GET \
--header "Content-Type: application/json" \
--header "Authorization: Bearer dea464c07bd07300095caa8" \
https://your-immuta-url.com/audit/480d9d3f-4128-445d-8eec-3cccb34f9935
```
### Response Example
```json
{
"id": "480d9d3f-4128-445d-8eec-3cccb34f9935",
"dateTime": "1632756753272",
"month": 1460,
"profileId": 2,
"userId": "first.last@immuta.com",
"dataSourceId": null,
"dataSourceName": null,
"projectId": null,
"projectName": null,
"purposeIds": null,
"policyId": null,
"policyName": null,
"fingerprintVersionId": null,
"fingerprintVersionName": null,
"count": 1,
"recordType": "auditQuery",
"success": true,
"failureReason": null,
"failureDetails": null,
"subscriptionState": null,
"accessedId": null,
"accessedIdType": null,
"accessedIamId": null,
"accessedUserId": null,
"groupAccessType": null,
"groupIamId": null,
"accessedGroupId": null,
"component": "audit",
"accessType": null,
"blobId": null,
"queryId": null,
"extra": {
"params": {
"size": 50,
"sortField": "dateTime",
"sortOrder": "desc",
"offset": 0
}
},
"dataSourceSchemaName": null,
"dataSourceTableName": null,
"featureKey": null,
"sqlUser": null,
"action": null,
"blobSize": null,
"hardDelete": null,
"keyAction": null,
"keyId": null,
"keyIamId": null,
"keyUserId": null,
"createdAt": "2021-09-27T15:32:33.274Z",
"updatedAt": "2021-09-27T15:32:33.274Z"
}
```
## Query for activity by API key
`GET` `/audit/apikey/activity`
Queries for the recent activity using the API key.
#### Query parameters
| Attribute | Description | Required |
| --------- | ----------------------------- | -------- |
| recordId | `string` The audit record ID. | **Yes** |
#### Response parameters
| Attribute | Description |
| --------- | ----------------------------------------- |
| value | `metadata` regarding the recent activity. |
### Request example
The following request queries for the recent activity using the API key.
```shell
curl \
--request GET \
--header "Content-Type: application/json" \
--header "Authorization: Bearer dea464c07bd07300095caa8" \
https://your-immuta-url.com/audit/apikey/activity?keyid=650&count=1
```
### Response example
```json
{
"id": "480d9d3f-4128-445d-8eec-3cccb34f9935",
"dateTime": "1632756753272",
"month": 1460,
"profileId": 2,
"userId": "first.last@immuta.com",
"dataSourceId": null,
"dataSourceName": null,
"projectId": null,
"projectName": null,
"purposeIds": null,
"policyId": null,
"policyName": null,
"fingerprintVersionId": null,
"fingerprintVersionName": null,
"count": 1,
"recordType": "auditQuery",
"success": true,
"failureReason": null,
"failureDetails": null,
"subscriptionState": null,
"accessedId": null,
"accessedIdType": null,
"accessedIamId": null,
"accessedUserId": null,
"groupAccessType": null,
"groupIamId": null,
"accessedGroupId": null,
"component": "audit",
"accessType": null,
"blobId": null,
"queryId": null,
"extra": {
"params": {
"size": 50,
"sortField": "dateTime",
"sortOrder": "desc",
"offset": 0
}
},
"dataSourceSchemaName": null,
"dataSourceTableName": null,
"featureKey": null,
"sqlUser": null,
"action": null,
"blobSize": null,
"hardDelete": null,
"keyAction": null,
"keyId": null,
"keyIamId": null,
"keyUserId": null,
"createdAt": "2021-09-27T15:32:33.274Z",
"updatedAt": "2021-09-27T15:32:33.274Z"
}
```
## Search for query list by data source
`GET` `/audit/queries/dataSource/{dataSourceId}/mine`
Returns the list of the current user's distinct queries for the specified data source.
#### Query parameters
| Attribute | Description | Required |
| ------------ | -------------------------------------------------------------------------------------------------------- | -------- |
| dataSourceId | `array[integer]` The data source ID. | **Yes** |
| offset | `integer` Used in combination with `size` to fetch pages. | No |
| size | `integer` Pages results by default; `size` is the number of results to return per page. **Default `50`** | No |
| sortField | `string` Sorts results by field. **Default `dateTime`** | No |
| sortOrder | `string` Sorts results by order, which must be `asc` or `desc`. **Default `desc`** | No |
#### Response parameters
| Attribute | Description |
| --------- | ----------------------------------------------------------- |
| auditId | `array[integer]` The audit ID. |
| lastRun | `integer` The date and time the query was last run in Unix. |
| timesRun | `integer` The number of times the audit has been run. |
| name | `string` The name of the query. |
### Request example
The following request returns the list of the current user's distinct queries.
```shell
curl \
--request GET \
--header "Content-Type: application/json" \
--header "Authorization: Bearer dea464c07bd07300095caa8" \
https://your-immuta-url.com/audit/queries/dataSource/23/mine?size=10&sortField=lastrun&sortOrder=desc
```
### Response example
```json
{
"hits": [
{
"auditId": "ff264e8e-2ccc-468f-9129-bb0995c9cdf5",
"lastrun": "1631627763345",
"timesrun": "5",
"name": "Name"
},
{
"auditId": "f722042f-f0f3-4c83-bd33-7672892d918f",
"lastrun": "1631200121550",
"timesrun": "3",
"name": null
}
],
"count": 2
}
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://documentation.immuta.com/2024.3/developer-guides/api-intro/immuta-v1-api/manage-data-access/audit.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.