About structured audit trail logs

The structured audit trail format, also known as Audit Trail Log v2, is a JSON audit log format that complies with the Common Information Model (CIM). Because each event is JSON, fields are extracted directly instead of being parsed out of free-form text, which makes log data easier to read and interpret.

The structured format also carries metadata that the older format lacks, which makes it better suited to compliance requirements and makes compliance checks and security investigations more efficient. The structured audit log format introduces the following metadata:

Metadata         Description
roles            The roles held by the user who performed the action. They give context for that user's permissions and responsibilities.
session_id       A unique session identifier that you can use to reconstruct the sequence of events within that session.
correlation_id   A unique identifier of a request, such as a REST API call. You can use it to trace all log entries related to one action, even when they originate in different systems and services. Particularly useful in distributed environments.

Example of an audit log event in the structured Audit Trail Log v2 format:
JSON
{
  "action": "edit",
  "actor": {
    "name": "admin",
    "roles": [
      "admin",
      "power",
      "user"
    ]
  },
  "category": "system",
  "correlation_id": "F7E9BFB7-B544-43B2-ACB2-F6A2F6FC1365",
  "data": {
    "attributes": {
      "default_app": "launcher",
      "email": "support@splunk.com",
      "is_user_locked": false,
      "password_changed": false,
      "password_state": "",
      "real_name": "Splunk Administrator",
      "roles": "admin, sc_admin"
    },
    "name": "admin",
    "type": "account"
  },
  "previous_data": {
    "attributes": {
      "roles": "admin"
    }
  },
  "result": "success",
  "session_id": "8171829d78e8075ef14c59ef023c9e71",
  "timestamp": "09-18-2025 13:44:11.703",
  "url": "/en-US/splunkd/__raw/servicesNS/-/-/authentication/users/admin?output_mode=json"
}
In this event, previous_data.attributes.roles (admin) and data.attributes.roles (admin, sc_admin) together record that the admin account was granted the sc_admin role, while session_id and correlation_id tie the change to the rest of that session and request. Note that actor.roles is an array, whereas data.attributes.roles is a single comma-separated string.
For comparison, the following example shows the older format of an audit trail log.
CODE
Audit:[timestamp=07-23-2025 09:01:39.394, user=admin, action=edit_fields_alias, info=success, name=auditservicev2 : FIELDALIAS-fa_test, owner=nobody, app=search, orig_field_name_1=a, new_field_name_1=b, orig_field_name_2=c, new_field_name_2=a, overwrite_field_values=false]

To ensure backward compatibility, the older format of audit trail logs continues to be supported.

Both formats are enabled by default and are written simultaneously, so you can compare how the same action is recorded in each and migrate your searches, alerts and reports to the structured format incrementally.
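As an added example (not Splunk code), the following Python reads events in both formats, maps them onto one record shape, reconstructs a session from session_id, and flags successful account edits that granted roles by diffing data.attributes.roles against previous_data.attributes.roles, which only the structured format makes possible. The sample events are constructed: the first mirrors the structured event shown above, the second structured event and its correlation_id are invented, the legacy line is a shortened copy of the one above, and the timestamp layout is assumed to be month-day-year as displayed on this page.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not captured from a live instance. The first v2 event
# mirrors the one shown on this page; the second v2 event and its correlation_id are
# invented. Both v2 events share one session and are listed out of time order.
SAMPLE_EVENTS = [
    json.dumps({
        "action": "edit", "category": "system", "result": "success",
        "actor": {"name": "admin", "roles": ["admin", "power", "user"]},
        "correlation_id": "F7E9BFB7-B544-43B2-ACB2-F6A2F6FC1365",
        "session_id": "8171829d78e8075ef14c59ef023c9e71",
        "timestamp": "09-18-2025 13:44:11.703",
        "data": {"type": "account", "name": "admin",
                 "attributes": {"roles": "admin, sc_admin", "email": "support@splunk.com"}},
        "previous_data": {"attributes": {"roles": "admin"}},
    }),
    json.dumps({  # hypothetical earlier edit in the same session: e-mail only, roles untouched
        "action": "edit", "category": "system", "result": "success",
        "actor": {"name": "admin", "roles": ["admin", "power", "user"]},
        "correlation_id": "0C1D2E3F-0000-4000-8000-000000000001",
        "session_id": "8171829d78e8075ef14c59ef023c9e71",
        "timestamp": "09-18-2025 13:42:05.118",
        "data": {"type": "account", "name": "admin",
                 "attributes": {"roles": "admin", "email": "support@splunk.com"}},
        "previous_data": {"attributes": {"email": "old@example.com"}},
    }),
    "Audit:[timestamp=07-23-2025 09:01:39.394, user=admin, action=edit_fields_alias, "
    "info=success, name=auditservicev2 : FIELDALIAS-fa_test, owner=nobody, app=search, "
    "orig_field_name_1=a, new_field_name_1=b, overwrite_field_values=false]",
]

LEGACY_RE = re.compile(r"^Audit:\s*\[(.*)\]\s*$")
TIME_FMT = "%m-%d-%Y %H:%M:%S.%f"  # assumption: month-day-year, as shown on this page


def parse_legacy(line):
    """Split a legacy 'Audit:[k=v, k=v, ...]' line into a dict. Values may contain spaces
    and colons (see the name field), so split on ', ' and then on the first '=' only."""
    m = LEGACY_RE.match(line.strip())
    if not m:
        raise ValueError("not a legacy audittrail line")
    fields = {}
    for part in m.group(1).split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _roles(value):
    """data.attributes.roles is a comma-separated string in v2 events (actor.roles is a
    list). None means the attribute was absent, which differs from an empty role set."""
    return None if value is None else frozenset(r.strip() for r in value.split(",") if r.strip())


def normalize(raw):
    """Map an event in either format onto one record shape so both can be processed together."""
    raw = raw.strip()
    if not raw.startswith("{"):  # legacy line: no ids and no before/after snapshot
        ev = parse_legacy(raw)
        return {"format": "legacy", "time": datetime.strptime(ev["timestamp"], TIME_FMT),
                "actor": ev.get("user"), "action": ev.get("action"), "result": ev.get("info"),
                "target": ev.get("name"), "target_type": None, "session_id": None,
                "correlation_id": None, "new_roles": None, "old_roles": None}
    ev = json.loads(raw)
    data, prev = ev.get("data", {}), ev.get("previous_data", {})
    return {"format": "v2", "time": datetime.strptime(ev["timestamp"], TIME_FMT),
            "actor": ev.get("actor", {}).get("name"), "action": ev.get("action"),
            "result": ev.get("result"), "target": data.get("name"), "target_type": data.get("type"),
            "session_id": ev.get("session_id"), "correlation_id": ev.get("correlation_id"),
            "new_roles": _roles(data.get("attributes", {}).get("roles")),
            "old_roles": _roles(prev.get("attributes", {}).get("roles"))}


def role_grants(records):
    """Successful account edits whose before/after snapshots show roles being added.
    Only v2 events qualify: the legacy format has no previous_data to diff against."""
    findings = []
    for r in records:
        if r["format"] != "v2" or r["target_type"] != "account" or r["result"] != "success":
            continue
        if r["old_roles"] is None or r["new_roles"] is None:
            continue  # roles were not part of this change
        granted = r["new_roles"] - r["old_roles"]
        if granted:
            findings.append({"actor": r["actor"], "target": r["target"], "granted": granted,
                             "session_id": r["session_id"], "correlation_id": r["correlation_id"]})
    return findings


def by_session(records):
    """Group v2 records by session_id and order each session by time, reconstructing
    what one session did. Legacy records have no session_id and are left out."""
    sessions = defaultdict(list)
    for r in records:
        if r["session_id"]:
            sessions[r["session_id"]].append(r)
    return {sid: sorted(evs, key=lambda r: r["time"]) for sid, evs in sessions.items()}
```

Run normalize over the lines, then role_grants and by_session over the result. The role check deliberately skips events whose previous_data has no roles attribute: an absent snapshot means the roles were not part of that change, which is not the same as the user having no roles before it.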

Filtering audit logs by format using sourcetypes

To view audit logs only in the structured Audit Trail Log v2 format in search results, include the audittrailv2 sourcetype:

CODE
index=_audit sourcetype="audittrailv2"

To view audit logs only in the older, unstructured format, include the audittrail sourcetype instead.

Without a sourcetype filter, search results include audit logs in both formats, so an action recorded in both appears twice. Filter by sourcetype before counting events or building alerts on index=_audit.

Benefits of using structured audit trail logs

Structured audit trail logs, also known as Audit Trail Log v2, offer significant benefits for organizations that want to strengthen their security and compliance readiness:
  • More efficient searching and interpretation of audit logs, because fields are extracted from JSON rather than parsed out of free-form text.
  • Consistent searching across Splunk apps, because the data is aligned with CIM.
  • Less noise when searching audit logs, because capability checks are not recorded in this format.
  • Comprehensive metadata, such as roles, session_id and correlation_id, that lets audit logs satisfy compliance requirements better.
  • More complete logging of configuration changes related to identity and access management (IAM), such as the account and role changes shown in the example above.