Create or edit a query - Amazon CloudTrail

Create or edit a query

In this walkthrough, we open one of the sample queries, edit it to find actions taken by a specific user named Alice, and save it as a new query. If you already have saved queries, you can also edit one on the Saved queries tab. To help control costs, we recommend that you constrain every query with starting and ending eventTime time stamps so that it scans only the window you need.

  1. Sign in to the Amazon Web Services Management Console and open the CloudTrail console at https://console.amazonaws.cn/cloudtrail/.

  2. From the navigation pane, under Lake, choose Query.

  3. On the Query page, choose the Sample queries tab.

  4. Open a sample query by choosing the Query name. This opens the query in the Editor tab. In this example, we'll select the query named Investigate user actions and edit the query to find the actions for a specific user named Alice.

  5. In the Editor tab, edit the WHERE line to specify the user that you want to investigate and update the eventTime values as needed. The value of FROM is the ID portion of the event data store's ARN and is automatically populated by CloudTrail when you choose the event data store.

    SELECT eventID, eventName, eventSource, eventTime, userIdentity.arn AS user
    FROM event-data-store-id
    WHERE userIdentity.arn LIKE '%Alice%'
      AND eventTime > '2023-06-23 00:00:00'
      AND eventTime < '2023-06-26 00:00:00'

  6. You can run a query before you save it to verify that it works. To run a query, choose an event data store from the Event data store drop-down list, and then choose Run. Check the Status column of the Command output tab for the active query to verify that the query ran successfully.

  7. When you have updated the sample query, choose Save.

  8. In Save query, enter a name and description for the query. Choose Save query to save your changes as the new query. To discard changes to a query, choose Cancel, or close the Save query window.

    [Image: Saving a changed query]
    Note

    Saved queries are tied to your browser; if you use a different browser or a different device to access the CloudTrail console, the saved queries are not available.

  9. Open the Saved queries tab to see the new query in the table.

    [Image: Saved queries tab]
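The walkthrough's query can be built and submitted outside the console as well. The following is an added example (not code from the CloudTrail documentation) that assembles the same "Investigate user actions" query while enforcing the cost guidance above: it refuses an unbounded or oversized eventTime window and rejects a user fragment that could escape the quoted LIKE pattern. The event data store ID is the placeholder from the page, and the `max_days` limit and the boto3 polling helper are this example's own assumptions.

```python
import re
import time
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M:%S"                       # eventTime format used in the sample query
ARN_FRAGMENT = re.compile(r"[A-Za-z0-9:/_.+=@,-]+")  # characters legal in an IAM ARN; no quotes
STORE_ID = re.compile(r"[A-Za-z0-9-]+")              # ID portion of the event data store ARN


def build_user_activity_query(event_data_store_id, user_fragment, start, end, max_days=7):
    """Build the 'Investigate user actions' query with a bounded eventTime window.

    Raises ValueError for an oversized or inverted window (cost control, an assumed
    limit of max_days) and for a user fragment containing characters that an ARN
    cannot hold, which also keeps the single-quoted LIKE pattern intact."""
    if not STORE_ID.fullmatch(event_data_store_id):
        raise ValueError("event data store ID must be the ID portion of the ARN")
    if not ARN_FRAGMENT.fullmatch(user_fragment):
        raise ValueError("user fragment contains characters not allowed in an ARN")
    t0, t1 = datetime.strptime(start, TIME_FMT), datetime.strptime(end, TIME_FMT)
    if not t0 < t1:
        raise ValueError("start must be before end")
    if (t1 - t0).days > max_days:
        raise ValueError(f"window exceeds {max_days} days; narrow it to control cost")
    return (
        "SELECT eventID, eventName, eventSource, eventTime, userIdentity.arn AS user "
        f"FROM {event_data_store_id} "
        f"WHERE userIdentity.arn LIKE '%{user_fragment}%' "
        f"AND eventTime > '{t0.strftime(TIME_FMT)}' AND eventTime < '{t1.strftime(TIME_FMT)}'"
    )


def run_query(sql, region_name, poll_seconds=5):
    """Submit the query through the CloudTrail API and return the first page of rows.
    Needs AWS credentials and network access, so it is not exercised offline."""
    import boto3  # imported lazily so the query builder works without boto3 installed
    client = boto3.client("cloudtrail", region_name=region_name)
    query_id = client.start_query(QueryStatement=sql)["QueryId"]
    while True:
        status = client.describe_query(QueryId=query_id)["QueryStatus"]
        if status in ("FINISHED", "FAILED", "CANCELLED", "TIMED_OUT"):
            break
        time.sleep(poll_seconds)
    if status != "FINISHED":
        raise RuntimeError(f"query {query_id} ended with status {status}")
    # get_query_results is paginated; follow NextToken for result sets beyond one page.
    return client.get_query_results(QueryId=query_id)["QueryResultRows"]


if __name__ == "__main__":
    # Values from the walkthrough: user Alice, three-day window in June 2023.
    print(build_user_activity_query("event-data-store-id", "Alice",
                                    "2023-06-23 00:00:00", "2023-06-26 00:00:00"))
```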

Query editor tools

A toolbar at the upper right of the query editor offers commands to help author and format your SQL query.

[Image: Query editor toolbar]

The following list describes the commands on the toolbar.

  • Undo – Reverts the last content change made in the query editor.

  • Redo – Repeats the last content change made in the query editor.

  • Format selected – Arranges the query editor content according to SQL formatting and spacing conventions.

  • Comment/uncomment selected – Comments the selected portion of the query if it is not already commented. If the selected portion is already commented, choosing this option removes the comment.