CloudTrail Lake queries

Introducing a preview feature for CloudTrail Lake queries that uses generative artificial intelligence (generative AI) capabilities to produce a SQL query from an English language prompt. For more information, see Create CloudTrail Lake queries from English language prompts.

Queries in CloudTrail Lake are authored in SQL. You can build a query on the CloudTrail Lake Editor tab by writing the query in SQL from scratch, or by opening a saved or sample query and editing it. You cannot overwrite an included sample query with your changes, but you can save it as a new query. For more information about the SQL query language that is allowed, see CloudTrail Lake SQL constraints.

An unbounded query (such as SELECT * FROM edsID) scans all data in your event data store. To help control costs, we recommend that you constrain queries by adding starting and ending eventTime time stamps to queries. The following is an example that searches for all events in a specified event data store where the event time is after (>) January 5, 2023 at 1:51 p.m. and before (<) January 19, 2023 at 1:51 p.m. Because an event data store has a minimum retention period of seven days, the minimum time span between starting and ending eventTime values is also seven days.

SELECT *
FROM eds-ID
WHERE
     eventtime >='2023-01-05 13:51:00' and eventtime < ='2023-01-19 13:51:00'

Topics

• Query editor tools
• Create CloudTrail Lake queries from English language prompts
• View sample queries with the CloudTrail console
• Create or edit a query with the CloudTrail console
• Run a query and save query results with the console
• View query results with the console
• Download saved query results
• Validate CloudTrail Lake saved query results
• Run and manage CloudTrail Lake queries with the AWS CLI

Query editor tools

A toolbar at the upper right of the query editor offers commands to help author and format your SQL query.

The following list describes the commands on the toolbar.

• Undo – Reverts the last content change made in the query editor.

• Redo – Repeats the last content change made in the query editor.

• Format selected – Arranges the query editor content according to SQL formatting and spacing conventions.

• Comment/uncomment selected - Comments the selected portion of the query if it is not already commented. If the selected portion is already commented, choosing this option removes the comment.