Log Explorer
Log Explorer enables you to store and explore your Cloudflare logs directly within the Cloudflare Dashboard or API. Giving you visibility into your logs without the need to forward them to third parties. Logs are stored on Cloudflare's global network using the R2 object storage platform and can be queried via the Dashboard or SQL API.
Log Explorer is available at the account and zone level. At the zone level, datasets currently available are:
- HTTP requests (FROM http_requests)
- Firewall events (FROM firewall_events)
At the account level, the datasets available are:
- Access requests (FROM access_requests)
- CASB Findings (FROM casb_findings)
- Device posture results (FROM device_posture_results)
- Gateway DNS (FROM gateway_dns)
- Gateway HTTP (FROM gateway_http)
- Gateway Network (FROM gateway_network)
- Zero Trust Network Session Logs (FROM zero_trust_network_sessions)
Log Explorer is available to users with the following permissions:
- Logs Edit: users with Logs Edit permissions can enable datasets.
- Logs Read: users with Logs Read permissions can run queries via the UI or API.
Note that these permissions exist at the account and zone level and you need the appropriate permission level for the datasets you wish to query.
Authentication with the API can be done via an authentication header or API token. Append your API call with either of the following additional parameters.
- 
Authentication header - X-Auth-Email- the Cloudflare account email address associated with the domain
- X-Auth-Key- the Cloudflare API key
 
- 
API token - Authorization: Bearer <API_TOKEN>To create an appropriately scoped API token, refer to Create API token documentation. Copy and paste the token into the authorization parameter for your API call.
 
In order for Log Explorer to begin storing logs, you need to enable the desired datasets. You can do this via the dashboard or the API.
- Log in to the Cloudflare dashboard ↗ and select your account or domain (also known as zone).
- Go to Analytics & Logs > Log Explorer.
- Select Enable a dataset to select the datasets you want to query. You can enable more datasets later.
Use the Log Explorer API to enable Log Explorer for each dataset you wish to store. It may take a few minutes after a log stream is enabled before you can view the logs.
The following curl command is an example for enabling the zone-level dataset http_requests, as well as the expected response when the command succeeds.
curl https://api.cloudflare.com/client/v4/zones/{zone_id}/logs/explorer/datasets \--header "Authorization: Bearer <API_TOKEN>" \--header "Content-Type: application/json" \--data '{  "dataset": "http_requests"}'{  "result": {    "id": <JOB_ID>,    "dataset": "http_requests",    "created_at": "2023-09-25T22:12:31Z",    "updated_at": "2023-09-25T22:12:31Z"  },  "success": true,  "errors": [],  "messages": []}If you would like to enable an account-level dataset, replace zones/{zone_id} with accounts/{account_id} in the curl command. For example:
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/logs/explorer/datasets \--header "Authorization: Bearer <API_TOKEN>" \--header "Content-Type: application/json" \--data '{  "dataset": "access_requests"}'Filtering and viewing your logs is available via the Cloudflare Dashboard or via query API.
- Log in to the Cloudflare dashboard ↗ and select your account or domain (also known as zone).
- Go to Analytics & Logs > Log Explorer.
- From the dropdown, select the Dataset you want to use.
- Select a Limit. That is the maximum number of results to return, for example, 50.
- Select the Time period from which you want to query, for example, the previous 12 hours.
- Select Add filter to create your query. Select a Field, an Operator, and a Value.
- A query preview is displayed. Select Use custom SQL, if you would like to change it.
- Select Run query when you are done. The results are displayed below within the Query results section.
Log Explorer exposes a query endpoint that uses a familiar SQL syntax for querying your logs generated with Cloudflare's network.
For example, to find an HTTP request with a specific Ray ID, you can perform the following SQL query.
curl https://api.cloudflare.com/client/v4/zones/{zone_id}/logs/explorer/query/sql \--header "Authorization: Bearer <API_TOKEN>" \--url-query query="SELECT clientRequestScheme, clientRequestHost, clientRequestMethod, edgeResponseStatus, clientRequestUserAgent FROM http_requests WHERE RayID = '806c30a3cec56817' LIMIT 1"Which returns the following HTTP request details:
{  "result": [    {      "clientrequestscheme": "https",      "clientrequesthost": "example.com",      "clientrequestmethod": "GET",      "clientrequestuseragent": "curl/7.88.1",      "edgeresponsestatus": 200    }  ],  "success": true,  "errors": [],  "messages": []}For another example using an account-level dataset, to find Cloudflare Access requests with selected columns from a specific timeframe, you can perform the following SQL query.
curl https://api.cloudflare.com/client/v4/account/{account_id}/logs/explorer/query/sql \--header "Authorization: Bearer <API_TOKEN>" \--url-query query="SELECT CreatedAt, AppDomain, AppUUID, Action, Allowed, Country, RayID, Email, IPAddress, UserUID FROM access_requests WHERE Date >= '2025-02-06' AND Date <= '2025-02-06' AND CreatedAt >= '2025-02-06T12:28:39Z' AND CreatedAt <= '2025-02-06T12:58:39Z'"Which returns the following request details:
{  "result": [    {      "createdat": "2025-01-14T18:17:55Z",      "appdomain": "example.com",      "appuuid": "a66b4ab0-ccdf-4d60-a6d0-54a59a827d92",      "action": "login",      "allowed": true,      "country": "us",      "rayid": "90fbb07c0b316957",      "email": "user@example.com",      "ipaddress": "1.2.3.4",      "useruid": "52859e81-711e-4de0-8b31-283336060e79"    }  ],  "success": true,  "errors": [],  "messages": []}Log Explorer output can be presented in different formats, besides JSON: JSON Lines (also known as NDJSON), CSV, and plain text. The plain text uses ASCII tables similar to psql's aligned output mode. Besides the convenience factor of not having to translate the format on the client side, JSON Lines, CSV, and plain text formats have the advantage of being streamed from the API. So for large result sets, you will get a response earlier.
You can choose the output format with an HTTP Accept header, as shown in the table below:
| Output format | Content type | Streaming? | 
|---|---|---|
| JSON | application/json | No | 
| JSON Lines | application/x-ndjson | Yes | 
| CSV | text/csv | Yes | 
| Plain text | text/plain | Yes | 
All the tables supported by Log Explorer contain a special column called date, which helps to narrow down the amount of data that is scanned to respond to your query, resulting in faster query response times. The value of date must be in the form of YYYY-MM-DD. For example, to query logs that occurred on October 12, 2023, add the following to your WHERE clause: date = '2023-10-12'. The column supports the standard operators of <, >, and =.
curl https://api.cloudflare.com/client/v4/zones/{zone_id}/logs/explorer/query/sql \--header "Authorization: Bearer <API_TOKEN>" \--url-query query="SELECT clientRequestMethod, clientRequestPath, clientRequestProtocol FROM http_requests WHERE date = '2023-10-12' LIMIT 500"- Narrow your query time frame. Focus on a smaller time window to reduce the volume of data processed. This helps avoid querying excessive amounts of data and speeds up response times.
- Omit ORDER BYandLIMITclauses. These clauses can slow down queries, especially when dealing with large datasets. For queries that return a large number of records, reduce the time frame instead of limiting to the newestNrecords from a broader time frame.
- Select only necessary columns. For example, replace SELECT *with the list of specific columns you need. You can also useSELECT RayIdas a first iteration and follow up with a query that filters by the Ray IDs to retrieve additional columns. Additionally, you can useSELECT COUNT(*)to probe for time frames with matching records without retrieving the full dataset.
These are the SQL query clauses supported by Log Explorer.
The SELECT clause specifies the columns that you want to retrieve from the database tables. It can include individual column names, expressions, or even wildcard characters to select all columns.
The FROM clause specifies the tables from which to retrieve data. It indicates the source of the data for the SELECT statement.
The WHERE clause filters the rows returned by a query based on specified conditions. It allows you to specify conditions that must be met for a row to be included in the result set.
The GROUP BY clause is used to group rows that have the same values into summary rows.
The HAVING clause is similar to the WHERE clause but is used specifically with the GROUP BY clause. It filters groups of rows based on specified conditions after the GROUP BY operation has been performed.
The ORDER BY clause is used to sort the result set by one or more columns in ascending or descending order.
The LIMIT clause is used to constrain the number of rows returned by a query. It is often used in conjunction with the ORDER BY clause to retrieve the top N rows or to implement pagination.
All fields listed in the datasets Log Fields are viewable in Log Explorer. For filtering, only fields with simple values, such as those of type bool, int, float, or string are supported. Fields with key-value pairs are currently not supported. For example, you cannot use the fields RequestHeaders and Cookies from the HTTP requests dataset in a filter.
Log Explorer performs best when query parameters focus on narrower ranges of time. You may experience query timeouts when your query would return a large quantity of data. Consider refining your query to improve performance.
If your query times out with an HTTP status of 524 (Gateway Timeout), consider using one of the streaming output formats, such as application/x-ndjson.
Log Explorer starts ingesting logs from the moment you enable the dataset. It will not display logs for events that occurred before the dataset was enabled. Make sure that new events have been generated since enabling the dataset, and check again.
We are actively working on improving error codes. If you receive a generic error, check your SQL syntax (if you are using the custom SQL feature), make sure you have included a date and a limit, and that the field you are filtering is not a key-value pair. If the query still fails it is likely timing out. Try refining your filters.
The data is stored in Cloudflare R2. Each Log Explorer dataset is stored on a per-customer level, similar to Cloudflare D1, ensuring that your data is kept separate from that of other customers. In the future, this single-tenant storage model will provide you with the flexibility to create your own retention policies and decide in which regions you want to store your data.
Customer metadata boundary is currently not supported for Log Explorer.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark