Filtering AuditEvent in a custom report inside an attribute (8.4)

bjarcilla · October 16, 2025, 4:16am

Filtering AuditEvent in a custom report inside an attribute (8.4)

Hi all,

I’m trying to filter the AuditEvent from the Native Change Operation from this sample

<AuditEvent action="Audit Native Change"  source="Scheduler" trackingId="NativeChangeDetection">
  <Attributes>
    <Map>
      <entry key="Attribute Name" value="Entitlement Value"/>
      <entry key="Entitlement 1 Classification" value="None"/>
      <entry key="Entitlement 1 Value" value="CL TEST"/>
      <entry key="Entitlement Operation" value="Added"/>
      <entry key="Native Change Operation" value="Modify"/>
    </Map>
  </Attributes>
</AuditEvent>

In the custom report, I’ve added in the form to filter the Native Change Operation. Is there a way we can filter the value inside the attibutes?

Here’s the code of my current custom report trying to filter from the value inside the attribute

<DataSource objectType="sailpoint.object.AuditEvent" type="Filter">
              <QueryParameters>
                <Parameter argument="action" property="action">
                  <QueryScript>
                    <Source>
                      import sailpoint.object.Filter;
                      import sailpoint.object.QueryOptions;


                      if(value != null &amp;&amp; value instanceof List){
                      queryOptions.addFilter(Filter.in("action", value));
                      }

                      return queryOptions;
                    </Source>
                  </QueryScript>
                </Parameter>
                <Parameter argument="nativeOperation" property="attributes.Native Change Operation">
                  <QueryScript>
                    <Source>
                      import sailpoint.object.Filter;
                      import sailpoint.object.QueryOptions;

                      if (value != null &amp;&amp; value instanceof List) {
                      queryOptions.addFilter(Filter.in("attributes", value));
                      }
                      return queryOptions;
                    </Source>
                  </QueryScript>
                </Parameter>
                <Parameter argument="creationDateStart" operation="GT" property="created"/>
                <Parameter argument="creationDateEnd" operation="LT" property="created"/>
                <Parameter argument="app_list">
                  <QueryScript>
                    <Source>
                      import sailpoint.object.Filter;
                      import sailpoint.object.QueryOptions;
                      import sailpoint.api.ObjectUtil;
                      import sailpoint.object.Application;

                      if(value != null &amp;&amp; value instanceof List){

                      List app_names = ObjectUtil.convertIdsToNames(context, Application.class, value);
                      if(app_names != null &amp;&amp; !app_names.isEmpty())queryOptions.addFilter(Filter.in("application", app_names));
                      }
                      log.error("== "+queryOptions);
                      return queryOptions;                      
                    </Source>
                  </QueryScript>
                </Parameter>
              </QueryParameters>
            </DataSource>

bjarcilla · October 29, 2025, 7:24am

						<QueryParameters>
                            <Parameter argument="entOperation" property="attributes">
                                <QueryScript>
                                    <Source>
                                        import sailpoint.object.Filter;
                                        import sailpoint.object.QueryOptions;
                                        import sailpoint.object.AuditEvent;
                                        import sailpoint.tools.Util;
                                        try {


                                        private List getAddedOrRemovedAuditIds( String input) {
                                        List returnList = new ArrayList();
                                        String sqlQuery = "sql: Select id from identityiq.spt_audit_event where action='Audit Native change' AND attributes like '%" + input +"%'";

                                        Iterator it = context.search(sqlQuery, null, null);
                                        while (it != null &amp;&amp; it.hasNext()) {
                                        String id = it.next();
                                        if (Util.isNotNullOrEmpty(id)) {
                                        returnList.add(id);
                                        }

                                        }
                                        return returnList;
                                        }

                                        List idList = new ArrayList();
                                        if(value != null &amp;&amp; value.equalsIgnoreCase("Added")){
                                        String input = "&lt;entry key=\"Entitlement Operation\" value=\"Added\"/>";
                                        idList = getAddedOrRemovedAuditIds(input);
                                        }
                                        else if(value != null &amp;&amp; value.equalsIgnoreCase("Removed")){
                                        String input = "&lt;entry key=\"Entitlement Operation\" value=\"Removed\"/>";
                                        idList = getAddedOrRemovedAuditIds(input);
                                        }
                                        if (Util.nullSafeSize(idList) >0 ) {
                                        queryOptions.addFilter(Filter.in("id",idList));
                                        }
                                        }
                                        catch(Exception e) {
                                        log.error("MGL NCD Audit Events Report Error  :"+e);
                                        return queryOptions;
                                        }
                                        return queryOptions;
                                    </Source>
                                </QueryScript>
                            </Parameter>
                            <Parameter argument="nativeOperation" property="attributes">
                                <QueryScript>
                                    <Source>
                                        import sailpoint.object.Filter;
                                        import sailpoint.object.QueryOptions;
                                        import sailpoint.object.AuditEvent;
                                        import sailpoint.tools.Util;
                                        try {


                                        private List getAddedOrRemovedAuditIds( String input) {
                                        List returnList = new ArrayList();
                                        String sqlQuery = "sql: Select id from identityiq.spt_audit_event where action='Audit Native change' AND attributes like '%" + input +"%'";

                                        Iterator it = context.search(sqlQuery, null, null);
                                        while (it != null &amp;&amp; it.hasNext()) {
                                        String id = it.next();
                                        if (Util.isNotNullOrEmpty(id)) {
                                        returnList.add(id);
                                        }

                                        }
                                        return returnList;
                                        }

                                        List idList = new ArrayList();
                                        if(value != null &amp;&amp; value.equalsIgnoreCase("Create")){
                                        String input = "&lt;entry key=\"Native Change Operation\" value=\"Create\"/>";
                                        idList = getAddedOrRemovedAuditIds(input);
                                        }
                                        else if(value != null &amp;&amp; value.equalsIgnoreCase("Modify")){
                                        String input = "&lt;entry key=\"Native Change Operation\" value=\"Modify\"/>";
                                        idList = getAddedOrRemovedAuditIds(input);
                                        }
                                        if (Util.nullSafeSize(idList) >0 ) {
                                        queryOptions.addFilter(Filter.in("id",idList));
                                        }
                                        }
                                        catch(Exception e) {
                                        log.error("MGL NCD Audit Events Report Error  :"+e);
                                        return queryOptions;
                                        }
                                        return queryOptions;
                                    </Source>
                                </QueryScript>
                            </Parameter>
                            <Parameter argument="action" property="action">
                                <QueryScript>
                                    <Source>
                                        import sailpoint.object.Filter;
                                        import sailpoint.object.QueryOptions;
                                        if(value != null &amp;&amp; value instanceof List){
                                        queryOptions.addFilter(Filter.in("action", value));
                                        }

                                        return queryOptions;
                                    </Source>
                                </QueryScript>
                            </Parameter>
                            <Parameter argument="creationDateStart" operation="GT" property="created"/>
                            <Parameter argument="creationDateEnd" operation="LT" property="created"/>
                            <Parameter argument="app_list">
                                <QueryScript>
                                    <Source>
                                        import sailpoint.object.Filter;
                                        import sailpoint.object.QueryOptions;
                                        import sailpoint.api.ObjectUtil;
                                        import sailpoint.object.Application;

                                        if(value != null &amp;&amp; value instanceof List){

                                        List app_names = ObjectUtil.convertIdsToNames(context, Application.class, value);
                                        if(app_names != null &amp;&amp; !app_names.isEmpty())queryOptions.addFilter(Filter.in("application", app_names));
                                        }

                                        return queryOptions;
                                    </Source>
                                </QueryScript>
                            </Parameter>
                        </QueryParameters>

system · December 28, 2025, 7:24am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Rule to get Audit event in IIQ IIQ Discussion and Questions identityiq , audit	4	226	March 1, 2025
Custom report for audit events IIQ Discussion and Questions identityiq , reports , reporting	8	315	February 28, 2025
Creating an Audit Log for Attribute Changes IIQ Discussion and Questions identityiq	6	130	December 2, 2025
Custom Application Attribute Report IIQ Discussion and Questions identityiq , reports	6	211	July 17, 2025
Adding Custom Information in Audit Logs IIQ Discussion and Questions identityiq	3	963	August 14, 2023

Filtering AuditEvent in a custom report inside an attribute (8.4)

Filtering AuditEvent in a custom report inside an attribute (8.4)

Related topics