If you want to query events based on custom filter conditions and SQL statements or query events that occurred in multiple regions more than 90 days ago, you can perform custom event queries in the ActionTrail console.
Prerequisites
Scenarios
You can perform custom event queries in standard mode or simple mode. In standard mode, you can query events in a visualized manner. In simple mode, you can query events by defining SQL conditions.
Mode | Query method | Description | Example |
---|---|---|---|
Common mode | Single-condition query | You can filter events by service name, event name, resource name, resource type, read/write type, username, AccessKey ID, source IP address, account ID, account type, region, event source, or event ID. | To query all events related to Key Management Service (KMS) that are generated in a specified time range, select Key Management Service(Kms) from the Service Name drop-down list. |
Common mode | Multi-condition query | You can specify one or more services and one or more regions to query events. | To query KMS-related events that are generated in the China (Hangzhou) and China (Shanghai) regions, select Key Management Service(Kms) from the Service Name drop-down list, and China (Hangzhou) and China (Shanghai) from the Region drop-down list. |
Simple mode | Keyword-based query | You can enter a keyword in the search box based on your business requirements. | To query all write events, enter `* AND event.eventRW: Write`. |
Simple mode | Single-condition query | You can specify a filter condition in the Who, What, Which, Where, or Other category to query events. | To query all KMS-related events that are generated in a specific time range, enter `* AND event.serviceName: Kms`. |
Simple mode | Multi-condition query | You can specify multiple filter conditions in the Who, What, Which, Where, and Other categories to query events. | To query events generated for operations performed by the user Alex in ActionTrail, enter `* AND event.serviceName: Actiontrail AND event.userIdentity.userName: Alex`. |
Simple mode | NOT operator-based query | You can specify multiple filter conditions and change the operator in front of a filter condition that you want to negate to NOT. | To query events generated for operations performed by users except for Alex in ActionTrail, enter `* AND event.serviceName: Actiontrail NOT event.userIdentity.userName: Alex`. |
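
The following is an added example, not code from ActionTrail or its documentation: `build_query` assembles a simple-mode query string in the syntax the table describes and rejects values that could inject extra operators, and `matches` is a local model of the AND/NOT filter semantics run over constructed events. The function names, the field allow-list, the value pattern, and the user Bob are assumptions made for illustration.

```python
import re

# Field names taken from the examples in the table above.
ALLOWED_FIELDS = {
    "event.serviceName",
    "event.eventRW",
    "event.userIdentity.userName",
}
# Assumption: accept only plain tokens, so a value supplied by a script or a
# form can never add operators or further conditions to the query string.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.@-]+")
RESERVED = {"AND", "OR", "NOT"}


def build_query(include=None, exclude=None):
    """Return '* AND field: value ... NOT field: value ...'."""
    parts = ["*"]
    for operator, conditions in (("AND", include or {}), ("NOT", exclude or {})):
        for field, value in conditions.items():
            if field not in ALLOWED_FIELDS:
                raise ValueError(f"unexpected field: {field}")
            if not SAFE_VALUE.fullmatch(value) or value.upper() in RESERVED:
                raise ValueError(f"unsafe value for {field}: {value!r}")
            parts.append(f"{operator} {field}: {value}")
    return " ".join(parts)


def matches(event, include=None, exclude=None):
    """Local model of the same filter for one flattened event record."""
    wanted = all(event.get(f) == v for f, v in (include or {}).items())
    negated = any(event.get(f) == v for f, v in (exclude or {}).items())
    return wanted and not negated


# Constructed sample records (not real ActionTrail output).
SAMPLE_EVENTS = [
    {"event.serviceName": "Actiontrail", "event.eventRW": "Write",
     "event.userIdentity.userName": "Alex"},
    {"event.serviceName": "Actiontrail", "event.eventRW": "Read",
     "event.userIdentity.userName": "Bob"},
    {"event.serviceName": "Kms", "event.eventRW": "Write",
     "event.userIdentity.userName": "Alex"},
]


def select_users(include=None, exclude=None):
    """Usernames of the sample events that pass the filter."""
    return [e["event.userIdentity.userName"]
            for e in SAMPLE_EVENTS if matches(e, include, exclude)]
```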