queryLogs
Retrieve and filter PingOne Advanced Identity Cloud logs by time, source, transaction ID, or payload content to analyze authentication events and system activities.
Instructions
Query PingOne AIC logs with flexible filtering by time range, source, transaction ID, and payload content
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| sources | Yes | Log sources to query (e.g., ['am-authentication', 'idm-activity']). IMPORTANT: use the getLogSources tool to determine available sources. | |
| beginTime | No | Start time in ISO 8601 format without milliseconds (e.g., '2025-01-11T10:00:00Z'). Filters logs after this time. Defaults to 24 hours before endTime if omitted. Must be within 24 hours of endTime. | |
| endTime | No | End time in ISO 8601 format without milliseconds (e.g., '2025-01-11T12:00:00Z'). Filters logs before this time. Defaults to current time if omitted. Must be within 24 hours of beginTime. | |
| transactionId | No | Filter by specific transaction ID to trace a request across the system. | |
| queryFilter | No | CRITICAL: All field paths MUST start with / (e.g., /payload/level, /payload/principal). Missing the leading slash causes 500 Internal Server Error. Operators: eq, co, sw, lt, le, gt, ge, pr (present), ! (NOT). Boolean: and, or. Quote string values. Time filtering: Use beginTime/endTime parameters for time ranges. Use /payload/timestamp only for exact timestamp matches. Examples: /payload/level eq "ERROR" /payload/principal co "admin" /payload/eventName eq "AM-LOGIN-COMPLETED" (/payload/level eq "ERROR") and (/payload/http/request/path co "openidm") /payload/response.statusCode ge 400 Troubleshooting: If you receive a 500 error, verify all field paths begin with / | |
| pagedResultsCookie | No | Opaque pagination cookie from a previous response. Use this to retrieve the next page of results. | |
| pageSize | No | Maximum logs to return (default 100). |