Skip to main content

List Activity Logs

Provides the list of records from the activity logs.

External Documentation

To learn more, visit the Azure documentation.

Parameters

ParameterDescription
FilterReduces the set of data collected.This argument is required and it also requires at least the start date/time.The $filter argument is very restricted and allows only the following patterns.
  • List events for a resource group: $filter=eventTimestamp ge '2014-07-16T04:36:37.6407898Z' and eventTimestamp le '2014-07-20T04:36:37.6407898Z' and resourceGroupName eq 'resourceGroupName'.
  • List events for resource: $filter=eventTimestamp ge '2014-07-16T04:36:37.6407898Z' and eventTimestamp le '2014-07-20T04:36:37.6407898Z' and resourceUri eq 'resourceURI'.
  • List events for a subscription in a time range: $filter=eventTimestamp ge '2014-07-16T04:36:37.6407898Z' and eventTimestamp le '2014-07-20T04:36:37.6407898Z'.
  • List events for a resource provider: $filter=eventTimestamp ge '2014-07-16T04:36:37.6407898Z' and eventTimestamp le '2014-07-20T04:36:37.6407898Z' and resourceProvider eq 'resourceProviderName'.
  • List events for a correlation Id: $filter=eventTimestamp ge '2014-07-16T04:36:37.6407898Z' and eventTimestamp le '2014-07-20T04:36:37.6407898Z' and correlationId eq 'correlationID'.
NOTE: No other syntax is allowed.
Subscription IDThe Azure subscription Id.

Example Output

{
    "nextLink": "Provides the link to retrieve the next set of events.",
    "value": [
        {
            "authorization": {
                "action": "the permissible actions. For instance: microsoft.support/supporttickets/write",
                "role": "the role of the user. For instance: Subscription Admin",
                "scope": "the scope."
            },
            "caller": "the email address of the user who has performed the operation, the UPN claim or SPN claim based on availability.",
            "category": {
                "localizedValue": "the locale specific value.",
                "value": "the invariant value."
            },
            "claims": {},
            "correlationId": "the correlation Id, usually a GUID in the string format. The correlation Id is shared among the events that belong to the same uber operation.",
            "description": "the description of the event.",
            "eventDataId": "the event data Id. This is a unique identifier for an event.",
            "eventName": {
                "localizedValue": "the locale specific value.",
                "value": "the invariant value."
            },
            "eventTimestamp": "the timestamp of when the event was generated by the Azure service processing the request corresponding the event. It in ISO 8601 format.",
            "httpRequest": {
                "clientIpAddress": "the client Ip Address",
                "clientRequestId": "the client request id.",
                "method": "the Http request method.",
                "uri": "the Uri."
            },
            "id": "the Id of this event as required by ARM for RBAC. It contains the EventDataID and a timestamp information.",
            "level": "the event level",
            "operationId": "It is usually a GUID shared among the events corresponding to single operation. This value should not be confused with EventName.",
            "operationName": {
                "localizedValue": "the locale specific value.",
                "value": "the invariant value."
            },
            "properties": {},
            "resourceGroupName": "the resource group name of the impacted resource.",
            "resourceId": "the resource uri that uniquely identifies the resource that caused this event.",
            "resourceProviderName": {
                "localizedValue": "the locale specific value.",
                "value": "the invariant value."
            },
            "resourceType": {
                "localizedValue": "the locale specific value.",
                "value": "the invariant value."
            },
            "status": {
                "localizedValue": "the locale specific value.",
                "value": "the invariant value."
            },
            "subStatus": {
                "localizedValue": "the locale specific value.",
                "value": "the invariant value."
            },
            "submissionTimestamp": "the timestamp of when the event became available for querying via this API. It is in ISO 8601 format. This value should not be confused eventTimestamp. As there might be a delay between the occurrence time of the event, and the time that the event is submitted to the Azure logging infrastructure.",
            "subscriptionId": "the Azure subscription Id usually a GUID.",
            "tenantId": "the Azure tenant Id"
        }
    ]
}

Workflow Library Example

List Activity Logs with Azure and Send Results Via Email

Workflow LibraryPreview this Workflow on desktop