Tutorial: View and run sample queries - Amazon CloudTrail

Tutorial: View and run sample queries

CloudTrail Lake provides a number of sample queries that can help you get started writing your own queries. This tutorial shows you how to select and run a sample query.

Queries in CloudTrail Lake are authored in SQL. You can build a query on the CloudTrail Lake Editor tab by writing the query in SQL from scratch, or by opening a saved or sample query and editing it. You cannot overwrite an included sample query with your changes, but you can save it as a new query. For more information about the SQL query language that is allowed, see CloudTrail Lake SQL constraints.

CloudTrail queries incur charges based on the amount of data scanned. To help control costs, we recommend that you constrain each query by adding starting and ending eventTime timestamps. For more information about CloudTrail pricing, see Amazon CloudTrail Pricing.
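The following query is an added example, not the text of a sample query shipped in the console. It shows starting and ending eventTime bounds applied to a summary of write events made with console session credentials. `<event-data-store-ID>` is a placeholder for your event data store ID, and the dates are constructed sample values.

```sql
-- Added example: summarize console-originated changes inside a bounded
-- time window so the query scans only one week of events.
-- <event-data-store-ID> is a placeholder; the Editor tab fills in the ID
-- when you choose an event data store. The dates are constructed samples.
SELECT
    userIdentity.arn AS principal_arn,   -- who made the change
    eventSource,                         -- which service was called
    eventName,                           -- which API action was called
    COUNT(*) AS event_count,
    MIN(eventTime) AS first_seen,
    MAX(eventTime) AS last_seen
FROM
    <event-data-store-ID>
WHERE
    -- Half-open window: start inclusive, end exclusive, so adjacent
    -- windows never count the same event twice.
    eventTime >= '2024-01-01 00:00:00'
    AND eventTime < '2024-01-08 00:00:00'
    -- Only requests made with credentials from a console session.
    AND sessionCredentialFromConsole = 'true'
    -- Only write (mutating) API calls.
    AND readOnly = false
GROUP BY
    userIdentity.arn, eventSource, eventName
ORDER BY
    event_count DESC
LIMIT 100
```

Narrow the window first and widen it only if the results call for it, because the charge follows the amount of data scanned rather than the number of rows returned.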

To view and run a sample query
  1. Sign in to the Amazon Web Services Management Console and open the CloudTrail console at https://console.amazonaws.cn/cloudtrail/.

  2. From the navigation pane, under Lake, choose Query.

  3. On the Query page, choose the Sample queries tab.

  4. Choose a sample query from the list or search for the query to filter the list. In this example, we'll open the query Investigate who made console changes by choosing the Query name. This opens the query in the Editor tab.

  5. On the Editor tab, choose the event data store for which you want to run the query. When you choose the event data store from the list, CloudTrail automatically populates the event data store ID in the FROM line of the query editor.

  6. Choose Run to run the query.

    The Command output tab shows you metadata about your query, such as whether the query was successful, the number of records matched, and the run time of the query.

    The Query results tab shows you the event data in the selected event data store that matched your query.

For more information about editing a query, see Create or edit a query. For more information about running a query and saving query results, see Run a query and save query results.