What is advanced search in audit log?
The advanced search lets you build structured queries using the Audit Log Query Language (ALQL) to search for activities. You can specify criteria that you can't define in basic search. For example, you can use the actor clause in ALQL when you’re searching for actors.
Audit log query language (ALQL) is not a database query language, even though it uses SQL-like syntax. For ease of use, ALQL is similar to Jira Query Language (JQL). See: What is advanced search in Jira Cloud?
ALQL extends the audit log’s basic search. Using the ALQL advanced search, you can use queries to find activities. Queries are a series of elements or parts, like fields, operators, and values, that are strung together to form a structure.
To access ALQL, select the ALQL button next to your audit log search bar.
Advanced searching with ALQL queries
You can toggle between the basic search and the advanced ALQL search at any time using the Basic and ALQL buttons. Recent activities may take a few minutes to appear in the audit log before they can become searchable.
In an advanced search, the audit log will offer a list of autocomplete suggestions, based on the context of your query. Autocomplete suggestions are displayed alphabetically, so you may need to enter more characters if you can't find a match. Your search results will be displayed based on the criteria in your ALQL query.
When running an ALQL query, note that:
the created field is mandatory
the default created date is set to within the last seven days
you can change the created date range in each query
Construct ALQL queries
A simple query in ALQL (also known as a 'clause') consists of a field, followed by an operator, followed by one or more values. You may also use keywords.
For example:
actor = "Fran Perez" AND created = "2025-12-07"
The following table describes the parts of a query.
|
|
|---|---|
Field | A word that represents existing filters. For example, |
Operator | One or more symbols or words that compare the value of a field on its left with one or more values (or functions) on its right, such that only true results are retrieved by the clause. Some operators can be modified by the For example, equals |
Value | A variable that ALQL will search for. For example, a user name, or a date range. Values with spaces in them are enclosed in single or double quotation marks. Using more variables will refine and reduce the search results. For example, an actor’s name, like |
Keyword | A word or phrase that does (or is) any of the following:
For example, |
Using the example again:
actor = "Fran Perez" AND created = "2025-12-07"
This query will find all audit log events associated with the actor Fran Perez. It uses a field (actor), an operator (equals =), and a value (Fran Perez). As you enter a name, autocomplete will offer suggestions. You must select an actor name from the list for this query to work (along with the mandatory created field).
A more complex query might look like this:
actor = "Fran Perez" AND activity = "export_audit_log" AND created = "2025-12-07"
This query will find all audit log events associated with the actor Fran Perez taking the action of exporting an audit log. It uses the actor field, the equals = operator, the value Fran Perez, the AND keyword, the activity field, the equals = operator, and the value export_audit_log.
Set the precedence of ALQL queries
Operator precedence hierarchy
1. Parentheses (highest priority)
Expressions inside parentheses are evaluated first.
Nested parentheses are evaluated from inner-most to outer-most.
2. NOT operator
Applied after parentheses are resolved.
Negates the expression immediately following it.
3. AND operator
Evaluated before OR operations.
4. OR operator
Evaluated after AND and NOT operations.
5. Field comparisons (such as =, !=, IN)
Left to right within the same precedence level.
6. Order By (lowest priority)
The last evaluation within a query.
Examples of setting precedence
You can use parentheses in complex ALQL statements to enforce the precedence of operators.
For example, if you want to find all user lost access events in an organization, you can use parentheses to enforce the precedence of the boolean operators in your query.
Boolean operators without parentheses example
Without parentheses, the following statement is evaluated left to right.
action = "removed_user_from_organization" OR action="removed_user_from_site" AND actor = "Fran Perez" AND created = "2025-12-07"
In this example, ALQL would return:
all removed_user_from_organization events triggered by any user, on any date
all removed_user_from_site events triggered by Fran Perez, on December 7, 2025
Boolean operators with parentheses example
With parentheses added, everything inside the parentheses in the statement below is now evaluated first.
(action = "removed_user_from_organization" OR action="removed_user_from_site") AND actor = "Fran Perez" AND created = "2025-12-07"
In this example, ALQL would return:
all removed_user_from_organization events triggered by Fran Perez, on December 7, 2025
all removed_user_from_site events triggered by Fran Perez, on December 7, 2025
NOT operator without parentheses example
Without parentheses, the following statement is evaluated left to right.
For example:
created = "2025-12-07" AND NOT city = "Melbourne" AND actor = "Fran Perez"
In this example, ALQL would return:
all events on December 7, 2025 except those with a city of Melbourne
all events on any date triggered by Fran Perez
NOT operator with parentheses example
You can also use parentheses to group clauses, so that you can apply the NOT operator to the group.
created = "2025-12-07" AND NOT (city = "Melbourne" AND actor = "Fran Perez")
created = "2025-12-07" AND (city != "Melbourne" OR actor != "Fran Perez")
In both these examples, ALQL would return:
all events on December 7, 2025, except those triggered by Fran Perez, or with a city of Melbourne.
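The effect of parentheses on the boolean examples above can be reproduced offline. The following Python sketch is an added example, not Atlassian's ALQL implementation: it assumes a small subset of the syntax (=, !=, AND, OR, NOT, parentheses), evaluates it with AND binding tighter than OR as in the precedence hierarchy, and runs over constructed events (the actor Sam Lee and the event ids are made up).

```python
import re

# Constructed sample events for illustration (not real audit log data).
EVENTS = [
    {"id": 1, "action": "removed_user_from_organization", "actor": "Fran Perez", "created": "2025-12-07"},
    {"id": 2, "action": "removed_user_from_organization", "actor": "Sam Lee", "created": "2025-11-30"},
    {"id": 3, "action": "removed_user_from_site", "actor": "Fran Perez", "created": "2025-12-07"},
    {"id": 4, "action": "removed_user_from_site", "actor": "Sam Lee", "created": "2025-12-07"},
]

def matches(query, event):
    """Evaluate a simplified ALQL-style query (assumed subset) against one event."""
    # Tokens: parentheses, != and =, double-quoted values, bare words.
    toks = re.findall(r'\(|\)|!=|=|"[^"]*"|\w+', query)
    def peek():
        return toks[0].upper() if toks else None

    def parse_or():  # OR binds loosest
        val = parse_and()
        while peek() == "OR":
            toks.pop(0)
            rhs = parse_and()  # always parse the right side, then combine
            val = val or rhs
        return val

    def parse_and():  # AND binds tighter than OR
        val = parse_not()
        while peek() == "AND":
            toks.pop(0)
            rhs = parse_not()
            val = val and rhs
        return val

    def parse_not():  # NOT, a parenthesized group, or one field comparison
        if peek() == "NOT":
            toks.pop(0)
            return not parse_not()
        if peek() == "(":
            toks.pop(0)
            val = parse_or()
            toks.pop(0)  # closing parenthesis
            return val
        field, op, value = toks.pop(0), toks.pop(0), toks.pop(0).strip('"')
        return (event.get(field) == value) == (op == "=")
    return parse_or()

def search(query):
    """Return ids of the constructed events that match the query."""
    return [e["id"] for e in EVENTS if matches(query, e)]
```

Run against the unparenthesized OR query, `search` also returns event 2, another user's removal on a different date, while the parenthesized form returns only Fran Perez's two events from December 7, 2025.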
Restricted words and characters
Special characters
In general, non-alphanumeric characters, such as + . , * / % ^ $ # @ [ ], aren't indexed for search and are ignored in queries. Exceptions include email addresses and URLs.
When building queries, make sure to surround phrases with special characters or spaces with single ' or double " quotation marks, for example: email = "email@atlassian.com". Additionally, some characters may need to be preceded by two backslashes \\; for example, field ~ "\\(text".
Reserved words
ALQL has a list of reserved words. These words need to be surrounded by quotation marks (single or double) if you wish to use them in queries:
Types of ALQL queries
Bounded
A bounded ALQL query requires a search restriction. The ALQL must have at least one condition with a field on the left side followed by an operator and then by one or more values. ALQL must always be bound by a date range.
For example:
actor = "Fran Perez" and created = 2025-12-07T02:10:00.358Z
Unbounded
An unbounded ALQL query doesn't have any search restrictions. It can be an empty query or one that solely lists ORDER BY clauses. It always requires the created field and a value.
For example:
created > 2025-12-07 ORDER BY created DESC
Troubleshooting in advanced search
Why can't I see autocomplete suggestions?
Autocomplete suggestions are not offered for all fields. Check ALQL fields to see which fields support autocomplete.
Where can I see the error in my ALQL query?
While typing, you can hover over the invalid text of your query to learn more about the ALQL error. Alternatively, if your ALQL query has an error, you can hit search and it will display the specifics of the error below the ALQL editor, along with the line and character number of the invalid text in the query.