How to Refine a System Log Search Based on an Existing Event
Administration
Okta Classic Engine
Okta Identity Engine
Overview
This article explains how to refine a System Log search using existing event logs to populate the search filter. The steps below will explain how to use the Actor, Event Info, and Targets columns and various values that can be found when expanding each log.
Applies To
  • System Logs
Solution

Parameters that can be used in System Log search queries:

  • eq > equals
  • ne > not equals
  • and > logical AND (both conditions must match)
  • co > contains
  • gt > greater than …
  • ge > greater than or equal …
  • lt > less than …
  • le > less than or equal …
  • sw > starts with …
  • ew > ends with …
  • pr > is present


NOTE: All the parameters must be lowercase.

 

Clicking Show event trends by categories sorts all the events that match the System Log search query as follows:

  • Count of events per target
  • Count of events per actor
  • Count of events per event type

System log

Hovering the mouse pointer over a chart column displays the events that match the search query (for example, IP address eq <value>) and their corresponding counts.

Clicking the map pin displays the events on a map, making it easier to track whether a specific event occurred from a blocklisted geographical location.

map

The Okta System Log default limit is 20 events. To display more than 20 events at a time and avoid repeatedly clicking Show more, edit the page URL: after the timezone, the “limit=20” parameter appears. This number can be increased up to 1000.

Example: Change the limit from 20 to 100, and 100 events will be displayed (based on the System Log search query) each time Show more is clicked.

URL

 

Follow the video or the steps below:

  1. Log in to the Admin Console.
  2. Navigate to Reports > System Logs.
  3. Find the System Logs event to base the search on.
  4. Click the Actor, Target, or Event to populate the search filter based on that information. For example, the "Test User" Actor can be clicked, as seen in the screenshot below.

System log

  • When clicked, the search bar will automatically be populated with the filter for that specific Actor.
    specific Actor  

  • The previous steps can then be repeated to populate the search bar with a specific Target or Event Information, including expanded event information from the specific log. The filters can then be combined to create a more specific filter, as shown in the screenshot below.

specific Target or Event Information
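
The combined filter from the steps above and the limit change described earlier can also be assembled programmatically. The following is an added Python example, not code from Okta or the original article; the field names (actor.id, eventType, outcome.result), the JSON-style quoting of values, and the sample URL are assumptions and constructed placeholders.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Operators from the article's list that take a value; all must be lowercase.
VALUE_OPS = {"eq", "ne", "co", "gt", "ge", "lt", "le", "sw", "ew"}
MAX_LIMIT = 1000  # upper bound stated in the article


def clause(field, op, value=None):
    """Build one clause, e.g. actor.id eq "00uEXAMPLE"."""
    if op != op.lower():
        raise ValueError(f"operator {op!r} must be lowercase")
    if op == "pr":  # "is present" takes no value
        if value is not None:
            raise ValueError("pr does not take a value")
        return f"{field} pr"
    if op not in VALUE_OPS or value is None:
        raise ValueError(f"unsupported operator or missing value: {op!r}")
    # Assumption: values are double-quoted, with JSON-style escaping.
    return f"{field} {op} {json.dumps(str(value), ensure_ascii=False)}"


def combine(*clauses):
    """Join clauses with the lowercase 'and' operator."""
    if not clauses:
        raise ValueError("at least one clause is required")
    return " and ".join(clauses)


def with_limit(url, limit):
    """Return url with limit= replaced, clamped to the range 1..1000."""
    limit = max(1, min(int(limit), MAX_LIMIT))
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "limit"]
    query.append(("limit", str(limit)))
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed sample values; field names are assumptions, not from the article.
    print(combine(clause("actor.id", "eq", "00uEXAMPLEACTOR"),
                  clause("eventType", "sw", "user.session"),
                  clause("outcome.result", "ne", "SUCCESS")))
    # Constructed placeholder URL; only the limit parameter comes from the article.
    print(with_limit("https://example.okta.com/placeholder?timezone=UTC&limit=20", 5000))
```

Rejecting uppercase operators before the query is pasted into the search bar catches the mistake the NOTE above warns about, and clamping keeps the limit within the stated maximum of 1000.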

 
