About structured audit trail logs
The structured audit trail format, also known as Audit Trail Log v2, complies with the Common Information Model (CIM) and uses comprehensive metadata. It is more appropriate for compliance requirements.
Audit Trail Log v2 is a structured audit log format that complies with the Common Information Model (CIM). Events are written as JSON, which makes log data easier to parse and interpret.
Because the structured format includes comprehensive metadata, it is better suited to compliance requirements and makes compliance checks and security investigations more efficient. The structured audit log format introduces the following metadata:
| Metadata | Description |
|---|---|
| roles | Roles of the user who performed the action, which provide context for that user's permissions and responsibilities. |
| session_id | A unique session identifier that you can use to reconstruct the sequence of events within that session. |
| correlation_id | A unique identifier of a request, such as a REST API call. You can use it to trace log entries related to one action even if they originate in different systems and services, which is particularly useful in distributed environments. |
The following is an example of an audit log event in the structured Audit Trail Log v2 format. It records an edit of the `admin` account in which the `sc_admin` role was added; the `previous_data` field shows the roles before the change and `data` shows them after:

```json
{
  "action": "edit",
  "actor": {
    "name": "admin",
    "roles": ["admin", "power", "user"]
  },
  "category": "system",
  "correlation_id": "F7E9BFB7-B544-43B2-ACB2-F6A2F6FC1365",
  "data": {
    "attributes": {
      "default_app": "launcher",
      "email": "support@splunk.com",
      "is_user_locked": false,
      "password_changed": false,
      "password_state": "",
      "real_name": "Splunk Administrator",
      "roles": "admin, sc_admin"
    },
    "name": "admin",
    "type": "account"
  },
  "previous_data": {
    "attributes": {
      "roles": "admin"
    }
  },
  "result": "success",
  "session_id": "8171829d78e8075ef14c59ef023c9e71",
  "timestamp": "09-18-2025 13:44:11.703",
  "url": "/en-US/splunkd/__raw/servicesNS/-/-/authentication/users/admin?output_mode=json"
}
```
For comparison, the following is an example of the same kind of change in the older, unstructured audit trail format, which is a single line of comma-separated `key=value` pairs:

```text
Audit:[timestamp=07-23-2025 09:01:39.394, user=admin, action=edit_fields_alias, info=success, name=auditservicev2 : FIELDALIAS-fa_test, owner=nobody, app=search, orig_field_name_1=a, new_field_name_1=b, orig_field_name_2=c, new_field_name_2=a, overwrite_field_values=false]
```
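The following added example is not part of the Splunk documentation; it shows how a compliance or detection script can consume the two formats shown above. The structured event parses with a standard JSON parser and carries enough metadata (`previous_data`, `data`, `session_id`, `timestamp`) to diff the roles granted by an account edit and to rebuild a per-session timeline. The legacy line needs a hand-written splitter, and a constructed line whose value contains a comma shows the kind of parsing problem the structured format avoids. All sample events are constructed to match the shapes on this page; the field names used are the page's own, and the `sensitive` role set is an assumption for illustration.

```python
"""Parse Audit Trail Log v2 (JSON) and legacy audittrail events for a role-change check.

Added example, not code from the Splunk documentation. Sample events are constructed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a v2 event with the same shape as the documentation's example.
V2_EVENT = json.dumps({
    "action": "edit",
    "actor": {"name": "admin", "roles": ["admin", "power", "user"]},
    "category": "system",
    "correlation_id": "F7E9BFB7-B544-43B2-ACB2-F6A2F6FC1365",
    "data": {
        "attributes": {"real_name": "Splunk Administrator", "roles": "admin, sc_admin"},
        "name": "admin",
        "type": "account",
    },
    "previous_data": {"attributes": {"roles": "admin"}},
    "result": "success",
    "session_id": "8171829d78e8075ef14c59ef023c9e71",
    "timestamp": "09-18-2025 13:44:11.703",
})

# Constructed sample: a legacy key=value line in the older audittrail format.
LEGACY_EVENT = (
    "Audit:[timestamp=07-23-2025 09:01:39.394, user=admin, action=edit_fields_alias, "
    "info=success, name=auditservicev2 : FIELDALIAS-fa_test, owner=nobody, app=search, "
    "orig_field_name_1=a, new_field_name_1=b, overwrite_field_values=false]"
)

# Constructed sample (hypothetical fields): a legacy line whose value itself contains ", ".
LEGACY_AMBIGUOUS = (
    "Audit:[timestamp=07-23-2025 09:02:00.000, user=admin, action=edit_user, "
    "info=success, roles=admin, power]"
)

TS_FORMAT = "%m-%d-%Y %H:%M:%S.%f"  # matches the page's timestamp values


def parse_v2(raw: str) -> dict:
    """A v2 event is plain JSON, so the standard library parser is all that is needed."""
    return json.loads(raw)


def _roles(section: dict) -> set:
    """Normalise a roles attribute, which may be a JSON list or a comma-separated string."""
    roles = section.get("attributes", {}).get("roles", [])
    if isinstance(roles, str):
        roles = [r.strip() for r in roles.split(",") if r.strip()]
    return set(roles)


def role_changes(event: dict) -> tuple:
    """Diff previous_data against data: returns (roles granted, roles revoked)."""
    before = _roles(event.get("previous_data", {}))
    after = _roles(event.get("data", {}))
    return sorted(after - before), sorted(before - after)


def is_privilege_grant(event: dict, sensitive=("admin", "sc_admin")) -> bool:
    """True when a successful account edit granted a role in the sensitive set (assumed list)."""
    granted, _ = role_changes(event)
    return event.get("result") == "success" and any(r in sensitive for r in granted)


_LEGACY = re.compile(r"^Audit:\[(?P<body>.*)\]$")


def parse_legacy(line: str) -> dict:
    """Best-effort splitter for the legacy format: ', '-separated key=value pairs."""
    match = _LEGACY.match(line.strip())
    if not match:
        raise ValueError("not a legacy audittrail line")
    fields = {}
    for part in match.group("body").split(", "):
        key, sep, value = part.partition("=")
        if not sep:
            # A value containing ', ' is split here, leaving a fragment with no key
            # and a truncated value under the real key: the ambiguity JSON avoids.
            fields.setdefault("_unparsed", []).append(part)
            continue
        fields[key] = value
    return fields


def group_by_session(events) -> dict:
    """Rebuild per-session timelines from session_id, ordered by parsed timestamp."""
    sessions = defaultdict(list)
    for event in events:
        sessions[event.get("session_id")].append(event)
    for timeline in sessions.values():
        timeline.sort(key=lambda e: datetime.strptime(e["timestamp"], TS_FORMAT))
    return dict(sessions)


if __name__ == "__main__":
    event = parse_v2(V2_EVENT)
    print("granted/revoked:", role_changes(event))
    print("privilege grant:", is_privilege_grant(event))
    print("legacy fields:", parse_legacy(LEGACY_EVENT))
    print("legacy with ambiguous value:", parse_legacy(LEGACY_AMBIGUOUS))
```

Running the script against the constructed events reports that `sc_admin` was granted, flags the edit as a privilege grant, and shows that the ambiguous legacy line loses `power` into an unkeyed fragment while `roles` is left as `admin`.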
To ensure backward compatibility, the older format of audit trail logs continues to be supported.
You can use both formats at the same time. Using both, you can compare logs and streamline migration to the structured audit trail log format.
Benefits of using structured audit trail logs
- More efficient searching and interpretation of audit logs, because the JSON structure avoids the parsing problems of the unstructured format.
- Consistent and efficient searching across Splunk applications, because the data is aligned with CIM.
- Simpler searches of audit logs, because capability checks are not included.
- Comprehensive metadata, so that audit logs better satisfy compliance requirements.
- More audit logs of configuration changes related to Identity and Access Management (IAM).
Turn on Audit Trail Log v2
Turn on the Audit Trail Log v2 format to use a CIM-compliant and structured log format that is easier to read and uses enhanced metadata.
- In Splunk Web, from the Apps panel, select Audit Trail to open the app.
- In the Apps bar, select the Setup tab.
- Under Audit Trail Settings, select the Enable Audit Trail Log v2 checkbox.
- Select Save.
Audit logs are now also written in the Audit Trail Log v2 format. The older audit trail log format remains turned on.
To view audit logs only in the structured Audit Trail Log v2 format in search results, include the audittrailv2 sourcetype:
index=_audit sourcetype="audittrailv2"
To view audit logs only in the older, unstructured format, include the audittrail sourcetype instead.
If you do not filter by sourcetype, audit logs in both formats appear in search results.