NrAuditEvent event data and query examples

To view changes made to your account's users, use New Relic Insights to query NrAuditEvent events. This document includes descriptions and examples of how you can use NrAuditEvent attributes in your NRQL query to view additional details.

Use the New Relic event data dictionary to view the attributes for the default NrAuditEvent by selecting the event name:

Event Description
NrAuditEvent

An NrAuditEvent is created by New Relic services to record configuration changes made in New Relic products. The data gathered for this event includes the type of account change, actor (user or API key) that made the change, a human-readable description of the action taken, and a timestamp for the change.

Example NRQL queries for accounts

These examples show some of the ways you can use standard NRQL syntax (COUNT, SINCE, FACET, etc.) with NrAuditEvent attributes in NRQL queries.

What changes have been made to the New Relic account?

To view all changes to your New Relic account users for a specific time frame, run this basic NRQL query:

SELECT * from NrAuditEvent SINCE 1 day ago
What type of account change was made the most?

To query what type of change to the account users was made the most frequently during a specific time frame, include the actionIdentifier attribute in your query. For example:

SELECT count(*) AS Actions FROM NrAuditEvent 
FACET actionIdentifier SINCE 1 week ago
What trends appear in account changes?

When you include TIMESERIES in the NRQL query, Insights automatically shows the results as a line graph. For example:

SELECT count(*) from NrAuditEvent TIMESERIES facet actionIdentifier since 1 week ago
What roles have been updated for users?

To query what roles have been added, changed, or removed for users in the account during a specific time frame, include the actionIdentifier attribute in the NRQL query. For example:

SELECT * FROM NrAuditEvent WHERE actionIdentifier = 'user.add_roles' 
SINCE '2018-06-19' UNTIL 30 minutes ago
Synthetics: What changes have been made to a monitor?

To query Synthetics monitor updates during a specific time frame, include the actionIdentifier attribute in your query. For example:

SELECT count(*) FROM NrAuditEvent 
WHERE actionIdentifier = 'synthetics_monitor.update_script' 
FACET actionIdentifier, description, actorEmail 
SINCE 1 week ago LIMIT 1000

For more information about this Synthetics feature, see Synthetics audit log.

What account changes have been made by any user?

To see detailed information about any user who made changes to the account during a specific time frame, include actorType = 'user' in the query. For example:

SELECT actionIdentifier, description, actorEmail, actorId, targetType, targetId 
FROM NrAuditEvent WHERE actorType = 'user' 
SINCE 1 week ago
What account changes have been made by a specific user?

To query account activities made by a specific person during the selected time frame, you must know their actorId. For example:

SELECT actionIdentifier FROM NrAuditEvent 
WHERE actorId = 829034 SINCE 1 week ago
Who made the most changes to the account?

To identify who (actorType) has made the most changes to the account, include the actorEmail attribute in your query. For example:

SELECT count(*) as Users FROM NrAuditEvent 
WHERE actorType = 'user' 
FACET actorEmail SINCE 1 week ago
Synthetics: What monitors were created by a specific user?

To query Synthetics monitor updates made by a specific user, include the actionIdentifier and actorEmail attribute in your query. For example:

SELECT count(*) FROM NrAuditEvent 
WHERE actionIdentifier = 'synthetics_monitor.update_script' 
FACET actorEmail, actionIdentifier, description 
SINCE 1 week ago LIMIT 1000
What account changes have been made using an API key?

To see detailed information about changes to the account that were made using an API key during a specific time frame, include actorType = 'api_key' in the query. For example:

SELECT actionIdentifier, description, targetType, targetId, actorAPIKey, actorId, actorEmail 
FROM NrAuditEvent WHERE actorType = 'api_key' SINCE 1 week ago

For more help

Recommendations for learning more: