View sample queries in the CloudTrail console

The CloudTrail console provides a number of sample queries that can help you get started writing your own queries.

CloudTrail queries incur charges based upon the amount of data scanned. To help control costs, we recommend that you constrain queries by adding starting and ending eventTime time stamps to queries. For more information about CloudTrail pricing, see AWS CloudTrail Pricing.

Note

You can also view queries created by the GitHub community. For more information and to view these sample queries, see CloudTrail Lake sample queries on the GitHub website. AWS CloudTrail has not evaluated the queries in GitHub.

To view and run a sample query

1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

2. From the navigation pane, under Lake, choose Query.

3. On the Query page, choose the Sample queries tab.

4. Choose a sample query from the list or search for the query to filter the list. In this example, we'll open the query Investigate who made console changes by choosing the Query name. This opens the query in the Editor tab.

   

5. On the Editor tab, choose the event data store for which you want to run the query. When you choose the event data store from the list, CloudTrail automatically populates the event data store ID in the FROM line of the query editor.

   

6. Choose Run to run the query.

   The Command output tab shows you metadata about your query, such as whether the query was successful, the number of records matched, and the run time of the query.

   

   The Query results tab shows you the event data in the selected event data store that matched your query.

   

For more information about editing a query, see Create or edit a query. For more information about running a query and saving query results, see Run a query and save query results.