Lake queries - Amazon CloudTrail
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Lake queries

Queries in CloudTrail Lake are authored in SQL. You can build a query on the CloudTrail Lake Editor tab by writing the query in SQL from scratch, or by opening a saved or sample query and editing it. You cannot overwrite an included sample query with your changes, but you can save it as a new query. For more information about the SQL query language that is allowed, see CloudTrail Lake SQL constraints.

An unbounded query (such as SELECT * FROM edsID) scans all data in your event data store. To help control costs, we recommend that you constrain queries by adding starting and ending eventTime time stamps to queries. The following is an example that searches for all events in a specified event data store where the event time is after (>) January 5, 2023 at 1:51 p.m. and before (<) January 19, 2023 at 1:51 p.m. Because an event data store has a minimum retention period of seven days, the minimum time span between starting and ending eventTime values is also seven days.

SELECT * FROM eds-ID WHERE eventtime >='2023-01-05 13:51:00' and eventtime < ='2023-01-19 13:51:00'