For compliance evidence, longer-range investigations, or sharing with auditors — export a slice of the audit log to a file.
Trigger an export
Section titled “Trigger an export”Audit → Read logs → Actions → Export. Or, from a saved query → menu → Export.
You're asked:
- Format — CSV or NDJSON.
- Filter — current view's filters (default), or "all entries" (within retention).
- Time range — explicit start / end if not already on the filter.
Click Start export. The platform queues a job; the UI shows progress.
What you get
Section titled “What you get”A single file. Each row / line is one audit entry; the structure mirrors the in-console table view.
CSV (truncated for brevity):
id,type,occurred_at,actor_kind,actor_id,target_kind,target_id,outcome,context_ipevt_01HZ...,user.signed_in,2026-05-17T08:00:00Z,user,usr_01HZX...,session,ses_01HZY...,success,203.0.113.45NDJSON:
{"id":"evt_01HZ...","type":"user.signed_in","occurred_at":"2026-05-17T08:00:00Z","actor":{"kind":"user","id":"usr_01HZX..."},"target":{"kind":"session","id":"ses_01HZY..."},"outcome":"success","data":{...},"context":{...}}NDJSON preserves the full nested data and context; CSV flattens to columns and loses some structure (the data field becomes a JSON-encoded string in one column).
For programmatic processing, prefer NDJSON. For "spreadsheet review", CSV.
Format trade-offs
Section titled “Format trade-offs”| CSV | NDJSON | |
|---|---|---|
| Opens in Excel / Numbers / Sheets | Yes | No (treat as text) |
| Preserves nested fields | No (json-stringified) | Yes |
Easy grep for one event-type | No | Yes |
| File size | Smaller | Larger |
| Good for compliance evidence | Yes (humans read it) | Sometimes |
Most teams export CSV for ad-hoc human review, NDJSON for "feed this to my pipeline".
Filter before exporting
Section titled “Filter before exporting”If your filter scope is right, the export is small + relevant. If you export "everything in last 90 days", you get a huge file mostly full of routine sign-in events.
Common patterns:
- For a compliance review: filter to
admin.*event types in the relevant quarter. Auditors care about who made config changes, not every user sign-in. - For a security investigation: filter to the time window of the incident.
- For "give me all of it": don't filter. But expect the file to be large.
File size
Section titled “File size”For very large exports:
- Up to ~50,000 entries — one CSV / NDJSON file, downloads via your browser.
- 50,000 — 500,000 entries — multiple chunked files, downloadable as a zip.
- Above 500,000 — prefer streaming (see Stream to destination).
The Export panel UI handles the chunking automatically; you just get a zip of multiple files.
Retention of exports
Section titled “Retention of exports”The exported file is retained on the platform for 7 days; you download it within that window. After 7 days, the export is purged. (The original audit entries it was generated from are unaffected.)
If you need longer-term, download the export and store in your own archive.
Audit of audit exports
Section titled “Audit of audit exports”Exporting audit is itself audited. audit.exported records the actor + filter + row count + the export-job id.
This is by design — for "who saw the audit log when" investigations, the audit trail tracks itself.
CSV columns + NDJSON keys
Section titled “CSV columns + NDJSON keys”The full schema is in Event schema. Highlights:
id— the event id; stable across exports.type— the event type.occurred_at— ISO 8601, microsecond precision.actor_*— actor's kind, id, label, and optional email.target_*— target's kind, id, label.outcome— success / failure / denied / partial.data(NDJSON) /data_json(CSV) — operation-specific fields.context_*— IP, user agent, fingerprint, geolocation, request id.
The schema is stable; we add columns / keys in minor versions but never remove or rename.