ALQL keywords

This page describes the keywords that you can use for advanced searching in the audit log. A keyword in Audit Log Query Language (ALQL) is a word or phrase that:

  • joins two or more clauses together to form a complex ALQL query

  • alters the logic of one or more clauses

  • alters the logic of operators

  • has an explicit definition in an ALQL query

  • performs a specific function that alters the results of an ALQL query

The following examples illustrate each keyword only. We’ve excluded the mandatory created field to keep examples clear. Remember to include it with your own queries.

AND

The AND operator combines multiple clauses, allowing you to refine your search.

You can use parentheses to control the order in which clauses are executed.

Example

Find events for the activity “Revoked site access from user”, where the country is India:

activity = "user_disabled_site_access" AND country = "India"

OR

The OR operator combines multiple clauses, allowing you to expand your search.

You can use parentheses to control the order in which clauses are executed.

Also see IN, which can be a more convenient way to search for multiple values of a field.

Example

Find all events triggered by Fran Perez and all events triggered from the specified IP address:

actor = "Fran Perez" OR "ip address" = "123.456.789.10"

NOT

The NOT operator negates individual clauses or a complex ALQL query (a query made up of more than one clause) using parentheses, allowing you to refine your search.

Also see NOT EQUALS (!=), DOES NOT CONTAIN (!~), NOT IN and IS NOT.

Examples

Find all events except those for the activity “Revoked site access from user”:

NOT (activity = "user_disabled_site_access")

Find all activities that were not created or initiated by Fran Perez or Jie Song:

NOT (actor = "Fran Perez" OR actor = "Jie Song")
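
To see why the parentheses mentioned under AND, OR and NOT matter, the following added example (not Atlassian's code and not part of the original page) models those three keywords over constructed events. It assumes NOT binds tightest, then AND, then OR, which this page does not state; `compile_query` and `search` are hypothetical names.

```python
import re

# Constructed sample events; field names follow the page's examples.
EVENTS = [{"id": 1, "actor": "Fran Perez", "country": "India"},
          {"id": 2, "actor": "Fran Perez", "country": "Spain"},
          {"id": 3, "actor": "Jie Song", "country": "India"},
          {"id": 4, "actor": "Jie Song", "country": "Spain"}]

def compile_query(query):  # returns a predicate over one event dict
    toks = re.findall(r'\(|\)|=|"[^"]*"|\w+', query) + [None]  # None marks the end

    def take(expected=None):
        tok = toks.pop(0)
        if tok is None or expected not in (None, tok):
            raise ValueError(f"unexpected token {tok!r}")
        return tok

    def chain(keyword, operand, combine):
        terms = [operand()]
        while toks[0] == keyword:
            take()
            terms.append(operand())
        return lambda e: combine(t(e) for t in terms)

    # ASSUMPTION (not stated on the page): NOT binds tightest, then AND, then OR.
    def or_expr():
        return chain("OR", and_expr, any)
    def and_expr():
        return chain("AND", unary, all)

    def unary():
        if toks[0] == "NOT":
            take()
            inner = unary()
            return lambda e: not inner(e)
        if toks[0] == "(":
            take()
            inner = or_expr()
            take(")")
            return inner
        # Plain clause: field = "value" (a field may be quoted, e.g. "ip address").
        field, _, value = take().strip('"'), take("="), take().strip('"')
        return lambda e: e.get(field) == value

    pred = or_expr()
    if toks != [None]:
        raise ValueError(f"trailing token {toks[0]!r}")
    return pred

def search(query):
    return [e["id"] for e in filter(compile_query(query), EVENTS)]
```

Under that assumed precedence, `actor = "Fran Perez" OR actor = "Jie Song" AND country = "India"` matches events 1, 2 and 3, while `(actor = "Fran Perez" OR actor = "Jie Song") AND country = "India"` matches only 1 and 3. Writing the parentheses explicitly removes the dependence on precedence.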

EMPTY

The EMPTY operator searches for events where a given field does not have a value.

Note that the keyword EMPTY can only be used with fields that support the operators IS and IS NOT. If you see EMPTY as an autofill option for operators that don’t support it, avoid using it in your query because it will stop your query from returning search results. To see a field's supported operators, check the individual field reference.

Examples

Find all events without a city:

city IS EMPTY

or

city = EMPTY

ORDER BY

The ORDER BY operator sorts results by the field you specify.

You can override a field’s default sort order by adding ascending order (asc) or descending order (desc). This must be placed at the end of the ALQL query to avoid invalidating the query.

Examples

Find all events associated with Fran Perez, sorted by date created (default asc: oldest first):

actor = "Fran Perez" ORDER BY created

Find all events associated with Fran Perez, sorted by date created desc (newest first):

actor = "Fran Perez" ORDER BY created desc

Find all events associated with Fran Perez, sorted by date created asc (oldest first):

actor = "Fran Perez" ORDER BY created asc
