10 November 2014

Event Log File Field Lexicon

Event Log Files, new in the Winter '15 release, enables adoption, troubleshooting, and auditing use cases using an easy to download, file based API to extract Salesforce app log data.

It's an extremely rich data source, originally created by Salesforce developers to better understand the operational health of the overall service and better support our customers.

Extending access to these log files provides our customers the ability to support themselves using some of the same tools we've used to support them.

Most fields in the log files are self-describing like CLIENT_IP or TIMESTAMP. However, some of the log file fields can be difficult to understand without a lexicon.

There are a couple of reasons for this. One reason is because some fields are derived where data is encoded in an enumerated value or with an acronym which is defined in a separate place in the code.

A lot of time, this is done because less characters or numeric codes take up less total storage space which is important when you're storing terabytes of log files every day.

But this leaves us with a problem, what in the world does the data actually mean?

For instance, rather than store 'Partner' for the API_TYPE in the API log file, we store a simple code of 'P'.

Another example is when the code is spelled out and still needs interpretation. For instance, VersionRenditionDownload for the TRANSACTION_TYPE in the ContentTransfer log file simply means someone previewed a file in the app instead of downloading it (which is actually VersionDownloadAction or VersionDownloadApi).


All of this means we need a lexicon to map codes to possible values or examples so that we understand the data we're downloading.

Below are some example fields to help make sense of the data from Event Log Files.

Common Log File Fields
These are log fields you'll see across many different log files and typically address who, what, when, where, and how.

Field NameDescriptionPossible Values or Examples (e.g.)
CLIENT_IPThe IP address of the client using Salesforce services.e.g. 192.168.0.1
EVENT_TYPEThe type of event, such as content sharing.e.g. URI
ORGANIZATION_IDThe 15-character ID of the organization.e.g. 00DB00000000mZw
REQUEST_IDThe unique ID of a single transaction.e.g. 3nWgxWbDKWWDIk0FKfF5DV
REQUEST_STATUSThe status of the request for a page view or user interface action.Possible values include:
• S: Success
• F: Failure
• U: Uninitialized
TIMESTAMPThe access time of Salesforce services, in UTC time.e.g. 20130715233322.670,
which equals 2013-07-15T23:33:22.670+0000.
URIThe URI of the page receiving the request.e.g. /home/home.jsp
USER_IDThe 15-character ID of the user using Salesforce services, whether through the UI or the API.e.g. 005B00000018C2g

Log File Specific Fields
These are log fields that are typically unique to one or two log files and typically represent a type, operation, or other enumerated value.

EventType (File Type)Field NameDescriptionPossible Values or Examples (e.g.)
APEX_CALLOUT_EVENTMETHODThe HTTP method of the callout.e.g. GET, POST, PUT, DELETE
APEX_CALLOUT_EVENTTYPEThe type of calloute.g. REST, AJAX
APEX_TRIGGER_EVENTTRIGGER_TYPEThe type of this trigger.The types of triggers are:
• AfterInsert
• AfterUpdate
• BeforeInsert
• BeforeUpdate
API_EVENTMETHOD_NAMEThe API method that is invoked.e.g. query(), insert(), upsert(), delete()
API_EVENTAPI_TYPEThe type of API invoked.values include:
• X: XmlRPC
• O: Old SOAP
• E: SOAP Enterprise
• P: SOAP Partner
• M: SOAP Metadata
• I: SOAP Cross Instance
• S: SOAP Apex
• D: Apex Class
• R: REST API
• T: SOAP Tooling
ASYNC_REPORT_EVENTDISPLAY_TYPEThe report display type, indicating the run mode of the report.Possible values include:
• D: Dashboard
• S: Show Details
• H: Hide Details
ASYNC_REPORT_EVENTRENDERING_TYPEThe report rendering type, describing the format of the report output.Possible values include:
• W: Web (HTML)
• E: Email
• P: Printable
• X: Excel
• C: CSV (comma-separated values)
• J: JSON (JavaScript object notation)
CONTENT_DOCUMENT_LINK_EVENTSHARING_OPERATIONThe type of sharing operation on the document.e.g. INSERT, UPDATE, or DELETE.
CONTENT_DOCUMENT_LINK_EVENTSHARING_PERMISSIONWhat permissions the document was shared with.The possible values include:
• V: Viewer
• C: Collaborator
• I: Inferred—that is, the sharing permissions were inferred from a relationship between the viewer and document. For example, a document’s owner has a sharing permission to the document itself. Or, a document can be a part of a content collection, and the viewer has sharing permissions to the collection, rather than explicit permissions to the document directly.
CONTENT_TRANSFER_EVENTTRANSACTION_TYPEThe operation performed.The possible operations include:
• VersionDownloadAction and
VersionDownloadApi represent downloads via the user interface and API respectively.
• VersionRenditionDownload represents a file preview action.
• saveVersion represents a file being uploaded.
DASHBOARD_EVENTDASHBOARD_TYPEThe type of dashboard.Valid types include:
• R: Run as Running User
• C: Run as Context User
• S: Run as Specific User
LOGOUT_EVENTUSER_INITIATED_LOGOUTThe user type used when logging out.The value is 1 if the user intentionally logged out by
clicking the Logout link, and 0 if they were logged out by a timeout or other implicit logout action.
MDAPI_OPERATION_EVENTOPERATIONThe operation being performede.g. DEPLOY, RETRIEVE, LIST,
DESCRIBE
PACKAGE_INSTALL_EVENTOPERATION_TYPEThe type of package operation.Possible values include:
• INSTALL
• UPGRADE
• EXPORT
• UNINSTALL
• VALIDATE_PACKAGE
•INIT_EXPORT_PKG_CONTROLLER
REPORT_EVENTDISPLAY_TYPEThe report display type, indicating the run mode of the report.Possible values include:
• D: Dashboard
• S: Show Details
• H: Hide Details
REPORT_EVENTRENDERING_TYPEThe report rendering type, describing the format of the report output.Possible values include:
• W: Web (HTML)
• E: Email
• P: Printable
• X: Excel
• C: CSV (comma-separated values)
• J: JSON (JavaScript object notation)
REST_API_EVENTMETHODThe HTTP method of the requeste.g. GET, POST, PUT, DELETE
SITES_EVENTHTTP_METHODThe HTTP method of the requestGET, POST, PUT, DELETE
SITES_EVENTREQUEST_TYPEThe request type.Possible values include:
• page: a normal request for a page
• content_UI: a content request for a page
originated in the user interface
• content_apex: a content request initiated
by an Apex call
• PDF_UI: a request for a page in PDF format
through the user interface
• PDF_apex: a request for PDF format by an
Apex call (usually a Web Service call)
UI_TRACKING_EVENTCONNECTION_TYPEMethod used by the mobile device to connect to the web.Values can include:
• CDMA1x
• CDMA
• EDGE
• EVDO0
• EVDOA
• EVDOB
• GPRS
• HSDPA
• HSUPA
• HRPD
• LTE
• OFFLINE
• WIFI
VISUALFORCE_EVENTREQUEST_TYPEThe request type.Possible values include:
• page: a normal request for a page
• content_UI: a content request for a page
originated in the user interface
• content_apex: a content request initiated
by an Apex call
• PDF_UI: a request for a page in PDF format
through the user interface
• PDF_apex: a request for PDF format by an
Apex call (usually a Web Service call)

19 comments:

  1. Hi Adam,

    how do I access the event log file - Setup? Do I need an activiation from Salesforce Support?

    Best regards,

    Matthias

    ReplyDelete
    Replies
    1. Hi Matthais,

      It's only available via the API and needs to be enabled for your org. However, if you have a developer edition org, it's already enabled there. I suggest logging in through workbench.developerforce.com and trying it out there.

      Delete
  2. Hi Adam,

    Great post! Thank you. We have recently enabled event monitoring in our org. We have faced Org Limit exceptions during run-time. We were wondering if you would know that is any information is stored in the log files regarding the exceptions?

    Thanks,
    Puneet

    ReplyDelete
    Replies
    1. Also, there is a column NUMBER_SOQL_QUERIES in ApexExecution event log file where several rows have value greater than 100. What exactly does the column NUMBER_SOQL_QUERIES represent?

      Best regards,
      Puneet Mehta

      Delete
    2. Hi Puneet - We're looking into org limits as a use case. In the meantime, have you tried out the limits endpoint in REST (https://www.salesforce.com/us/developer/docs/api_rest/Content/dome_limits.htm)? This will provide a subset of org limits.

      Delete
    3. It should represent the number of SOQL queries across the entire Apex Transaction.

      Delete
    4. Hi Adam, Thank you for your response. Yes, the org limits are our primary concern. Are any exceptions logged in the log files? Yes, we have tried the Limit resource of REST API. We make an hourly call and store the result in a object with fields as Limit Name, Max, Remaining and have created reports on it. (https://success.salesforce.com/06930000004jktA) (https://success.salesforce.com/06930000004jksv)

      Delete
    5. Entire transaction? One of the row has value as 24236. How can it be greater than 100? Also, the data for RUN_TIME column is missing in ApexCallout and ApexTrigger.

      Delete
    6. We are fixing the RUN_TIME column in ApexCallout in the Summer '15 release due in June. Still looking into Trigger.

      Delete
  3. Once you have a REQUEST_ID from an event log file, how can you get more details on that transaction? Eg, a "RestAPI" event log includes "NUMBER_FIELDS", but not the names of the fields or the actual query. I realize this may not be in the event logs themselves, so curious what other data source this would be joined with to extract additional details.

    Thanks,
    Bill

    ReplyDelete
    Replies
    1. Hi Bill,

      I know we're discussing this in a separate thread but for everyone else's edification, we do share query string information on the API log for any queries in the Tooling API. We're looking at what it would take to extend that to the other APIs like SOAP and REST.

      Delete
  4. I've had many requests to provide the full Event Log File schema. We're planning on adding it to the online documentation but in the meantime, you can download it from my Github repo: http://bit.ly/elfEventTypes

    ReplyDelete
    Replies
    1. Would it be possible to get the complete Event Log File schema in a text format like CSV, JSON, XML, HTML?

      Delete
    2. Also, is there a complete list of EVENT_TYPE values?

      Delete
    3. Hi @Yoway,

      The list of 28 types is in the schema doc (http://bit.ly/elfEventTypes) that will be incorporated into the online salesforce docs in June.

      You can also get the schema from using SOQL to query the following fields on the EventLogFile sObject:

      SELECT EventType,LogFileFieldNames,LogFileFieldTypes FROM EventLogFile

      Hope this helps.

      Thanks!

      AT

      Delete
  5. Hello,
    In Event Log File -> Report, the report ids which are fetched are that of reports in "My Personal Custom Folder" of the users. For such report ids, we can't fetch the corresponding metadata (Report name etc) even if this information is sought by the system administrator. Is there any other way of getting this information?
    Also, the standard report information (id or name) is missing form Reports. so it is not possible to figure out which report has been run.
    Any pointers? Thanks!

    ReplyDelete
    Replies
    1. Not really beyond logging in as a user to get the report metadata. The best bet is to work directly with the user who ran the report (and by proxy owns the folder). Unfortunately this is a known idea exchange posting: https://success.salesforce.com/ideaview?id=08730000000BrZAAA0

      Delete
  6. Hi Adam,
    In Content Transfer file, we are getting some userids which does not exist in Salesforce, the file preview type is Paged_flash. Do you know what is this preview type and how we can get the user details.

    Many Thanks

    ReplyDelete
  7. We've gotten some PAGED_FLASH previews of a word (WORD_X) document. The same document was previewed by the same user at much smaller footprint (THUMB120BY90). Is the Paged_Flash version a file previewed at full screen?

    ReplyDelete