NrAuditEvent event data and query examples

To view changes made in your New Relic account, you can query NrAuditEvent events.

Available events and attributes

The NrAuditEvent is created to record configuration changes made in our products. The data gathered for this event includes the type of account change, actor (user or API key) that made the change, a human-readable description of the action taken, and a timestamp for the change.

To see all the attributes attached to this event, see NrAuditEvent.

Example queries

These examples show some of the ways you can run NRQL queries of the NrAuditEvent event.

What changes have been made to the New Relic account?

To view all changes to your New Relic account for a specific time frame, run this basic NRQL query:

SELECT * from NrAuditEvent SINCE 1 day ago
What type of account change was made the most?

To query what type of change to the account users was made the most frequently during a specific time frame, include the actionIdentifier attribute in your query. For example:

SELECT count(*) AS Actions FROM NrAuditEvent 
FACET actionIdentifier SINCE 1 week ago
What trends appear in account changes?

When you include TIMESERIES in a NRQL query, the results are shown as a line graph. For example:

SELECT count(*) from NrAuditEvent TIMESERIES facet actionIdentifier since 1 week ago
What user management changes have been done?

Note that your users' user model will impact these queries. If your users are on our original user model, you can only query per account. If your users are on the New Relic One user model, you should query the top-level account in your New Relic organization.

To see all the changes made to users, you could use:

SELECT * FROM NrAuditEvent WHERE targetType = 'user' 
  SINCE this month

If you wanted to narrow that down to see changes to user type (full user vs basic user), you could use:

SELECT * FROM NrAuditEvent WHERE targetType = 'user' 
  AND actionIdentifier IN ('user.self_upgrade', 'user.change_type') 
  SINCE this month
Synthetics: What changes have been made to a monitor?

To query Synthetics monitor updates during a specific time frame, include the actionIdentifier attribute in your query. For example:

SELECT count(*) FROM NrAuditEvent 
WHERE actionIdentifier = 'synthetics_monitor.update_script' 
FACET actionIdentifier, description, actorEmail 
SINCE 1 week ago LIMIT 1000

For more information about this Synthetics feature, see Synthetics audit log.

Workloads: What changes were made to any workload configuration?

To query what configuration changes were made to any workload, use the query below. The targetId attribute contains the GUID of the workload that was modified, which you can use for searches. Since changes on workloads are often automated, you might want to include the actorType attribute to know if the change was done directly by a user through the UI or through the API.

SELECT timestamp, actorEmail, actorType, description, targetId 
FROM NrAuditEvent WHERE targetType = 'workload' 
SINCE 1 week ago LIMIT MAX
What account changes have been made by any user?

To see detailed information about any user who made changes to the account during a specific time frame, include actorType = 'user' in the query. For example:

SELECT actionIdentifier, description, actorEmail, actorId, targetType, targetId 
FROM NrAuditEvent WHERE actorType = 'user' 
SINCE 1 week ago
What account changes have been made by a specific user?

To query account activities made by a specific person during the selected time frame, you must know their actorId. For example:

SELECT actionIdentifier FROM NrAuditEvent 
WHERE actorId = 829034 SINCE 1 week ago
Who made the most changes to the account?

To identify who (actorType) has made the most changes to the account, include the actorEmail attribute in your query. For example:

SELECT count(*) as Users FROM NrAuditEvent 
WHERE actorType = 'user' 
FACET actorEmail SINCE 1 week ago
Synthetics: What monitors were created by a specific user?

To query Synthetics monitor updates made by a specific user, include the actionIdentifier and actorEmail attribute in your query. For example:

SELECT count(*) FROM NrAuditEvent 
WHERE actionIdentifier = 'synthetics_monitor.update_script' 
FACET actorEmail, actionIdentifier, description 
SINCE 1 week ago LIMIT 1000
What account changes have been made using an API key?

To see detailed information about changes to the account that were made using an API key during a specific time frame, include actorType = 'api_key' in the query. For example:

SELECT actionIdentifier, description, targetType, targetId, actorAPIKey, actorId, actorEmail 
FROM NrAuditEvent WHERE actorType = 'api_key' SINCE 1 week ago

For more help

If you need more help, check out these support and learning resources: