References → Engine Audit
Overview
In releases before 2024.7.x, the Engine audit files track essential information only, including the tenant, the logged-in user, and actions performed, such as viewing or analyzing insights, applying filters, or downloading a dashboard. These details are saved on CSV files in the following location: /home/incorta/IncortaAnalytics/Tenants/<tenantName>/data/audit.
In 2024.7.x, Incorta has introduced a new enhanced version of the audit files. These files capture detailed tracking information, including the request source, service, off-heap memory used for processing the request, and task state time. The new files are saved under the /home/incorta/IncortaAnalytics/Tenants/<tenantName>/engine_audit.2.0 folder.
After upgrading to 2024.7.x, Incorta records user activities in both files by default. However, you can specify one type of them to use. In the Cluster Management Console (CMC) > Clusters > your_cluster > Server Configurations > Analytics Workload Management, for the Analytics Auditing option, specify if you want to log activities in the Standard audit files, the Enhanced ones, or Both.
- To start logging user actions in the audit files, Incorta requires at least one of the actions it tracks, such as opening a dashboard or downloading an insight, to be executed manually or via a scheduled job.
- You can create schemas on top of these files and build dashboards to analyze the recorded details.
In 2024.7.4, a newer version of the enhanced Engine audit, engine_audit.2.1, is available with new audit files and updates to existing ones. After upgrading to this release, audit data will be stored in the /home/incorta/IncortaAnalytics/Tenants/<tenantName>/engine_audit.2.1 folder. If you have schemas reading from the old engine_audit.2.0 folder, create multi-source tables that read from both folders to maintain a complete audit history.
The naming convention of the Engine audit files in releases before 2025.7 is:
<nodeName>.<serviceName>-part<partNumber>.csv.Example:
MyCluster-node.analytics-part-00000-00.csvStarting with the 2025.7 release, the naming convention has been changed to include the date and cluster name as follows:
<date>-<clusterName>.<nodeName>.<serviceName>-part<partNo.>.csv
Example:2025-07-15-MyCluster.MyCluster-node.analytics-part-00000-00.csv
Standard Audit files
User activities recorded in the Standard audit files include:
- Insight actions, such as analyzing or viewing an insight
- Variable evaluation
- Applying filters
- Downloading insights or dashboards
Columns available on these files include the following:
- Date
- Timestamp
- Tenant
- User
- Command
- Elapsed Time (Total duration in seconds)
- Dashboard Layout GUID
- Parameter1 (The insight ID)
- Parameter2 (The dashboard name)
- Parameter3 (The query mode or source: Engine or cache)
- Parameter4 (Filters or prompts)
- Parameter5 (The insight name)
- Parameter6 (The Dashboard ID)
- Parameter7 (The Query duration in seconds)
- Parameter8 (The run ID)
Enhanced Audit files
Folder structure
The engine_audit.2.0 folder contains four sub-folders as follows:
action: Files in this folder include a row for each HTTP request or Scheduler job.action_details: Files in this folder include the action state updates: one row per update.tasks: Files in this folder include a list of tasks included in an action: one row per task. For example, downloading a dashboard tab may contain 10 queries (insights), representing 10 tasks.tasks_details: Files in this folder include the task state updates: one row per update.
In addition to the previous sub-folders, the engine_audit.2.1 folder contains the task_properties folder. Files in this folder record specific properties for each task, such as the number of measures and dimensions in the query.
The task details files in the engine_audit.2.1 folder have two additional columns: rows_count and log_message.
The following section describes the columns in each file.
Action
| Column | Description |
|---|---|
| action_id | The action ID |
| user_name | The name of the user who triggered the action |
| tenant_id | The tenant ID |
| source | The action source: ● PRIVATE_API_RENDER ● PRIVATE_API_DOWNLOAD ● PRIVATE_API_SEARCH ● SQI_X ● SCHEDULER_RENDER ● SCHEDULER_DOWNLOAD ● UNDEFINED (Includes Public API, SQLi, and variable evaluation requests) |
| format | The requested action format: ● JSON ● CSV ● XLSX ● UNDEFINED |
| isSampled | A boolean represented in 1 and 0 options |
| mode | The requested mode from the action: ● VIEW ● ANALYZE |
| dashboard_id | The ID of the dashboard the action is related to. For some actions, such as Analyzer queries, this value is null. |
| dashboard_name | The dashboard name |
| start_time | The action start time |
| end_time | The action end time |
| tasks_count | The number of tasks included in this action |
| termination_state | The action termination state: ● DONE ● FAILED ● ANOTHER_REQUEST_OVERRIDE |
| service_name | The name of the service that executed the action |
Action details
| Column | Description |
|---|---|
| parent_id | The parent action ID |
| state | The action state: ● INITIALIZED ● RUNNING ● PENDING_MATCHING_RUNNING_REQUEST ● SERVED_FROM_MATCHING_REQUEST_RESULT ● REJECTED ● DONE ● FAILED ● ANOTHER_REQUEST_OVERRIDE |
| start_time | The state start time |
| duration | The state duration in Milliseconds |
Tasks
| Column | Description |
|---|---|
| action_id | The parent action ID |
| task_id | The task ID |
| insight_id | The ID of the insight related to the action. For some actions, such as Analyzer queries and searches, this value is null. |
| insight_name | The insight name |
| task_type | The task type: ● QUERY ● SEARCH |
| thread_id | The ID of the thread assigned to execute this task |
| start_time | The task start time |
| end_time | The task end time |
| termination_state | The task terminal state: ● DONE ● FAILED |
Tasks details
| Column | Description |
|---|---|
| action_id | The parent action ID |
| parent_id | The parent task ID |
| state | The task state. For information about the different task states, see Task state details. |
| state_suffix | An identifier for the state if it is repeated in the same task |
| start_time | The state start time |
| duration | The state duration in milliseconds |
| off_heap_usage_bytes | The off-heap memory used while executing the task (Doesn’t include the memory used for loading the columns) |
| rows_count | The number of rows. This is valid only for the following task states: FILTER, MATERIALIZE_FORMULA, GROUP_AND_AGGREGATE, and ADD_EMPTY_GROUPS. |
| log_message | A summary of the filter, for example, ("SALES_B.sales.CUST_STATE_PROVINCE IN_LIST AL,CA,CO,CT,FL,GE,HI,IA,IL,IN,KS,KY,MA,MD... totalSize 107") |
Task state details
The following table describes the different task states, the related task type, and the parent state of each task, if any.
| Task Type | State | Parent State | Description |
|---|---|---|---|
| Query, Search | INITIALIZED | Task initialization and preparation | |
| Query, Search | QUEUED | Task queued and waiting for available running threads | |
| Query, Search | INTERRUPTING | Interruption attempt triggered, but the task not interrupted yet | |
| Query, Search | RENDERING | Rendering the query or search in the required format: JSON, CSV, XLSX, etc. | |
| Query, Search | SERVED_FROM_CACHE | Main query or runtime view retrieved from cache | |
| Query, Search | INTERRUPTED | Task interrupted (timeout, termination, override, etc.) | |
| Query, Search | SUBQUERY_EXECUTION | A general state for all events that occurred during the subQuery execution | |
| Query, Search | FINISH_SUBQUERY_EXECUTION | A general state for all events that occurred while finalizing the subQuery execution | |
| Query, Search | RUNTIME_VIEW_EXECUTION | A general state for all events that occurred during the runtime view execution | |
| Query, Search | FINISH_RUNTIME_VIEW_EXECUTION | A general state for all events that occurred while finalizing the runtime view execution | |
| Query, Search | ACQUIRING_METADATA_LOCKS | Getting read locks for related schemas. This state may take time if a write lock (sync) is acquired on the required schema. | |
| Query, Search | REQUESTING_NEEDED_COLUMNS | Reading columns from files and storing them in memory | |
| Query, Search | CREATE_LAYOUT | A preparation step used by some queries | |
| Query, Search | PROCESSING_SESSION_VARIABLES | Checking and evaluating session variables | |
| Query | FILTER_SUBQUERY | Checking and evaluating the IN Query filter queries | |
| Query | CANT_ACQUIRE_LOCKS_HOLD_FOR_RETRY | Retrying to run the scheduler after timing out due to a sync lock | |
| Query, Search | CHECKING_CACHE | Checking if a cached version of the query is available | |
| Query, Search | TRYING_SQL_EXECUTION | Checking if the query will be executed via the Incorta SQL engine | |
| Query, Search | CANT_EXECUTE_VIA_SQL | Task not executed via the Incorta SQL engine | |
| Query, Search | EXECUTED_VIA_SQL | Runtime view executed via the Incorta SQL engine | |
| Query, Search | RENDERED_VIA_SQL | Main query rendered via the Incorta SQL engine | |
| Query, Search | MATERIALIZE_COLS | Materializing the result set columns in memory after executing the result set query | |
| Query | RENDERED | Query rendering completed | |
| Query, Search | REJECTED | Query rejected because the Analytics task queue exceeded the configured thresholds for Analytics Task Queue Limit Calculation (%) and Analytics Concurrent Service Max Wait Time (seconds), as set in the CMC | |
| Query, Search | DONE | Task completed successfully | |
| Query, Search | FAILED | Task failed | |
| Query, Search | PROCESSING | Task being processed | |
| Query | COMPILE | PROCESSING | Query compilation |
| Query | FILTER | PROCESSING | Applying the query filter per projection |
| Query | MATERIALIZE_FORMULA | PROCESSING | Materializing new columns for runtime formulas used in the aggregate table's dimensions |
| Query | GROUP_AND_AGGREGATE | PROCESSING | Grouping the selected data and performing the required aggregation |
| Query | ADD_EMPTY_GROUPS | PROCESSING | Adding the empty groups to the query. Valid only when the Show empty groups option is enabled for a dimension in a listing or aggregated table. |
| Query | ADD_ROOT_GROUP | PROCESSING | Adding the level 0 group to the query of a listing table |
| Query | FILTER_GROUPS | PROCESSING | Fetching the groups that match the aggregate filter to apply the rollup to, and rolling out the groups that do not match the aggregate filter criteria. |
| Query | ROLLUP | PROCESSING | Calculating totals for each group |
| Query | GROUP_FILTER | PROCESSING | Calculating and applying the aggregated filter |
| Query | MATERIALIZE_MEASURES | PROCESSING | Materializing the measure values, whether listed or aggregated, to the result table after all calculations are done |
| Query | MATERIALIZE_DIMENSIONS | PROCESSING | Materializing the dimension values to the result table after all calculations are done |
| Query | SORT_GROUPS | PROCESSING | Sorting at the group (Dimension) level |
| Query | SORT_DETAILS | PROCESSING | Sorting at the details (Measures) level |
| Query | GRAND_TOTAL | PROCESSING | Calculating the grand total |
| Query | CREATE_RESULT_SET | PROCESSING | Generating the result set after query execution |
| Query | FILTER_CACHE_EVALUATION | PROCESSING | Evaluating a shared filter |
| Query | FILTER_CACHE_WAIT | PROCESSING | Waiting for a shared filter to be served |
| Query | FILTER_SERVED_FROM_CACHE | PROCESSING | Shared filter served from cache |
Task properties
| Column | Description |
|---|---|
| action_id | The action ID |
| task_id | The task ID |
| property | The property key. For information about the different task properties, see Property details. |
| value | The property value |
Property details
The following table shows the available task properties.
| Property | Description |
|---|---|
| AGGREGATED_FILTERS_COUNT | The number of regular aggregated filters |
| AGGREGATED_FORMULA_FILTERS_COUNT | The number of formula aggregated filters |
| INDIVIDUAL_FILTERS_COUNT | The number of regular individual filters |
| INDIVIDUAL_FORMULA_FILTERS_COUNT | The number of formula individual filters |
| HAS_DISTINCT_FILTER | Specifies if the query has a distinct filter |
| MEASURES_COUNT | The number of measures |
| MEASURES_FILTERS_COUNT | The number of regular filters applied to measures |
| MEASURES_FORMULA_FILTERS_COUNT | The number of formula filters applied to measures |
| ROW_DIM_COUNT | The number of row dimensions in a Pivot table |
| ROW_DIM_SORTING_COUNT | The number of regular sorting conditions applied to row dimensions |
| ROW_DIM_FORMULA_SORTING_COUNT | The number of formula sorting conditions applied to row dimensions |
| HAS_ROW_TOTAL | Specifies if the query has a row total |
| COL_DIM_COUNT | The number of column dimensions in a Pivot table |
| COL_DIM_SORTING_COUNT | The number of regular sorting conditions applied to column dimensions |
| COL_DIM_FORMULA_SORTING_COUNT | The number of formula sorting conditions applied to column dimensions |
| HAS_COL_TOTAL | Specifies if the query has a column total |
| SORTING_COUNT | The number of regular sorting conditions |
| FORMULA_SORTING_COUNT | The number of formula sorting conditions |
| HAS_SUB_QUERY | Specifies if the query has a sub-query (result set) |