home User Guide Getting Started Help Center Documentation Community Training Certification
menu
close
settings
Looker keyboard_arrow_down
language keyboard_arrow_down
English
Français
Deutsch
日本語
search
print
Looker events

This page describes the events that Looker generates and how to view them.

Viewing events

Looker events are visible in the System Activity and i__looker Event and Event Attribute Explores. You must be a Looker admin or have the see_system_activity permission to view the Event and Event Attribute Explores.

If you have enabled the System Activity Model Labs feature, you will see the list of System Activity Explores, including the Event and Event Attribute Explores, at the bottom of your Explore menu.

To view the Event and Event Attribute Explores using i__looker, access them using one of the following URLs:

The Event Explore includes the Event view, which includes categories, created dates and times, and names of each event created:

(The above image is from the System Activity Explore; the i__looker Explore contains a subset of these fields.)

The Event view is useful for seeing lists or counts of events when you don’t need the associated attribute data.

The Event Attribute Explore includes both the Event view and the Event Attribute view. The Event Attribute view shows the name and value of each attribute related to an individual event.

To view a list of events and their attribute values, use the Event Attributes Explore, and select the required fields from the Events and Event Attribute views. For example, the image below shows the time recent events were created, the event category they are in, the event name, the attribute names associated with each event, and the attribute values:

Common event attributes

Each Looker-generated event includes a set of data about the event. These common attributes are:

Attribute Name Description
id Unique numeric identifier of the event
user_id Unique numeric ID of the user who triggered the event
name Name of the specific event that occurred, for example, create_dashboard
created Date and time, in UTC, that the event was created
category High-level category associated with the event, for example, dashboard
sudo_user_id Unique numeric ID of the actual user who is impersonating the user indicated by user_id
is_looker_employee Whether the user identified by user_id is a Looker employee
is_admin Whether the user identified by user_id is a Looker admin
is_api_call Whether the event was caused by an API call

List of event types

The table below lists each event that can be generated by a Looker server.

This list includes the name of the event, the action or situation that can trigger the generation of the event, and a list of attributes associated with each event.

Event Type Trigger Attributes
add_external_email_to_scheduled_task An email outside the organization domain was added to a scheduled task.
  • scheduled_task_id: ID of the scheduled task
  • external email: email that was added
  • add_group_group A group was added as a member of another group.
  • parent_group_id: ID of the parent group
  • adding_group_id: ID of the added group
  • deleting_group_id: ID of the deleted group
  • add_group_user A user was added to a group.
  • group_id: ID of the group
  • user_id: ID of the user
  • add_user_to_scheduled_task A user was added to a scheduled task.
  • scheduled_task_id: ID of the scheduled task
  • user_id: ID of the added user
  • create_dashboard_render_task A new task was created to render a dashboard to a document or an image.
  • render_task_id: ID of the render task
  • dashboard_id: ID of the dashboard to be rendered
  • lookml_dashboard: whether the dashboard is a LookML dashboard
  • target_type: resulting format of the rendered dashboard
  • create_homepage_item A new curated homepage item was created.
  • has_title: whether the item has a title
  • has_text: whether the item has text
  • has_link: whether the item has a link
  • has_image: whether the item has an image
  • create_homepage_section A new curated homepage section was created.
  • homepage_section_id: ID of the curated section
  • create_look_prefetch A prefetch for a Look was created with the specified information.
  • look_id: ID of the Look that had a prefetch created
  • create_look A Look was created or deleted.
  • look_id: ID of the Look
  • create_look_render_task A new task was created to render a Look to an image.
  • render_task_id: ID of the render task
  • look_id: ID of the Look to be rendered
  • format: resulting image format
  • create_query_render_task A new task was created to render an existing query to an image.
  • render_task_id: ID of the render task
  • query_id: ID of the query to be rendered
  • format: resulting image format
  • create_query A query was created.
  • query_id: ID of the new query
  • create_role A new role was created.
  • role_id: ID of the new role
  • permission_set_id: ID of the role’s permission set
  • model_set_id: ID of the role’s model set
  • create_saml_test_config A SAML test configuration was created.
  • has_error: whether the SAML config has an error
  • create_scheduled_plan_destination A scheduled plan destination was created. scheduled_plan_destination_id: ID of the created plan
    create_sql_query A SQL Runner query was created.
  • query_id: ID of the new query
  • create_upload A CSV file for user-defined table generation/load was uploaded.
  • upload_id: ID of the uploaded data
  • create_user_access_filter An access filter was created for the specified user.
  • for_user_id: ID of the user whose access filters were created
  • create_user_credentials_api (Legacy) API login information was created for the specified user. This is for API Users used for the old query API.
  • for_user_id: ID of the user whose API credentials were created
  • create_user_credentials_api3 API 3 login information was created for the specified user. This is for the newer API keys that can be added for any user.
  • for_user_id: ID of the user whose API 3 credentials were created
  • create_user_credentials_email Email/password login information was created for the specified user.
  • for_user_id: ID of the user whose email credentials were created
  • create_user_credentials_email_password_reset A password reset token was created.
  • for_user_id: ID of the user whose password reset token was created
  • create_user_credentials_totp Two-factor login information was created for the specified user.
  • for_user_id: ID of the user whose TOTP credentials were created
  • create_user A user was created with the specified information.
  • user_id: ID of the user whose account was created
  • reason: (optional) method used to create the user account. If reason is missing, an admin created the user account. Otherwise, the account was automatically created as a result of a user action like login, license_setup, marketplace_setup, or self_created.
  • type: (optional) credentials type for this user, especially if the user was auto-created at login
  • datagroup_trigger_changed A datagroup trigger was changed.
  • runtime: total time to run the trigger
  • connection_id: ID of the connection
  • connection_name: name of the connection
  • dialect: dialect of the connection
  • name: name of the datagroup
  • delete_group_from_group A group was deleted as a member of another group.
  • parent_group_id: ID of the parent group
  • adding_group_id: ID of the added group
  • deleting_group_id: ID of the deleted group
  • delete_group_user A user was removed from a group.
  • group_id: ID of the group
  • user_id: ID of the user who was removed from the group
  • delete_homepage_item A homepage item was deleted.
  • homepage_item_id: ID of the deleted homepage item
  • delete_homepage_section A homepage section was deleted.
  • homepage_section_id: ID of the deleted homepage section
  • delete_look A Look was deleted.
  • look_id: ID of the deleted Look
  • delete_model_set A model set was deleted.
  • model_set_id: ID of the deleted model set
  • delete_permission_set A permission set was deleted.
  • permission_set_id: ID of the deleted permission set
  • delete_role A role was deleted.
  • role_id: ID of the deleted role
  • delete_saml_test_config A SAML test configuration was deleted. none
    delete_scheduled_plan_destination A scheduled plan destination was deleted. scheduled_plan_destination_id: ID of the deleted scheduled plan
    delete_space A folder was removed. none
    delete_upload An uploaded table with a specific ID was dropped.
  • upload_id: ID of the table
  • delete_user_access_filter An access filter for the specified user was deleted.
  • for_user_id: ID of the user whose access filters were deleted
  • delete_user_credentials_api (Legacy) API login information for the specified user was deleted. This is for API Users used for the old query API.
  • for_user_id: ID of the user whose API credentials were deleted
  • delete_user_credentials_api3 API 3 login information for the specified user was deleted. This is for the newer API keys that can be added for any user.
  • for_user_id: ID of the user whose API 3 credentials were deleted
  • delete_user_credentials_email Email/password login information for the specified user was deleted.
  • for_user_id: ID of the user whose email credentials were deleted
  • delete_user_credentials_embed Embed login information for the specified user was deleted.
  • for_user_id: ID of the user whose Embed credentials were deleted
  • delete_user_credentials_google Google authentication login information for the specified user was deleted.
  • for_user_id: ID of the user whose Google credentials were deleted
  • delete_user_credentials_ldap LDAP login information for the specified user was deleted.
  • for_user_id: ID of the user whose LDAP credentials were deleted
  • delete_user_credentials_looker_openid Looker OpenID login information for the specified user was deleted. Used by Looker analysts.
  • for_user_id: ID of the user whose Looker OpenID credentials were deleted
  • delete_user_credentials_saml SAML authentication login information for the specified user was deleted.
  • for_user_id: ID of the user whose SAML credentials were deleted
  • delete_user_credentials_totp Two-factor login information for the specified user was deleted.
  • for_user_id: ID of the user whose TOTP credentials were deleted
  • delete_user_session A web login session for the specified user was deleted.
  • for_user_id: ID of the user whose session was deleted
  • delete_user A user was deleted.
  • user_id: ID of the user whose account was deleted
  • disable_user A user account was disabled.
  • user_id: ID of the user whose account was disabled
  • enable_user A user account was enabled.
  • user_id: ID of the user whose account was enabled
  • enter_sudo A user entered sudo (impersonation) as another user in the UI.
  • target_user_id: ID of the target user
  • session_id: ID of the Looker session
  • exit_sudo A user exited sudo (impersonation) as another user in the UI.
  • target_user_id: ID of the target user
  • session_id: ID of the Looker session
  • fetch_and_parse_saml_idp_metadata The given URL was fetched and parsed as a SAML IdP metadata document, and the result was returned. none
    find_and_replace The find and replace function of the Content Validator was used.
  • replace_type: type of replacement. field, view, model, or explore
  • error_count: number of errors, if any
  • look_ids: IDs of Looks that were successfully updated, if any
  • generating_mail_dashboard A dashboard was rendered as an email.
  • source_url: source URL of the dashboard
  • items: number of dashboard elements rendered
  • generating_pdf A dashboard was rendered as a PDF.
  • source_url: source URL of the dashboard
  • items: number of dashboard elements rendered
  • login A user logged in to the UI or API.
  • type: type of authentication system
  • ldap: whether the login occurred via the LDAP protocol
  • ip: IP address of the request
  • user_id: ID of the user who logged in
  • login_failure A user’s login attempt to the UI or API failed.
  • type: type of authentication system
  • ip: IP address of the request
  • user_id_offered: user identifier string that the user offered in the attempt (as appropriate for the different auth systems)
  • msg: details string about the attempt processing
  • login_user An API session was transformed to impersonate a user. This is often used when a service account is configured to enable API calls on behalf of users without needing to provision API credentials for individual users.
  • target_user_id: ID of the target user
  • token_id: ID of the session token for this API session
  • mail_opened An email was opened.
  • mail_type: password reset or scheduled task, for example
  • recipient: hash of the recipient’s email address
  • build_time: time at which the MailJob was created
  • look_id: ID of the Look (if a Look email is scheduled); otherwise, null
  • dashboard_id: ID of the dashboard (if a dashboard email is scheduled); otherwise, null
  • scheduled_task_id: ID of the scheduled task (if a task email is scheduled); otherwise, null
  • mail_sent An email was sent by the mailer.
  • mail_type: password reset or scheduled task, for example
  • recipient: hash of the recipient’s email address
  • look_id: ID of the Look (if a Look email is scheduled); otherwise, null
  • dashboard_id: ID of the dashboard (if a dashboard email is scheduled); otherwise, null
  • scheduled_task_id: ID of the scheduled task (if a task email is scheduled); otherwise, null
  • move_space A folder was moved or renamed.
  • origin_space_id: ID of the original parent
  • destination_space_id: ID of the new parent
  • new_model_set A model set was created.
  • model_set_id: ID of the new model set
  • models: JSON object containing the models
  • new_permission_set A permission set was created.
  • permission_set_id: ID of the new permission set
  • permissions: JSON object containing the permissions
  • new_space A folder was added.
  • has_parent: whether the folder has a parent folder
  • pan_detected ADDED6.22 A row in a query was detected that possibly contains a primary account number (PAN). This event supports PCI requirements and is emitted only when the pci_features license feature and an admin setting are enabled.
  • user: user ID
  • model: model name
  • time_of_query: time the query was issued
  • slug: slug of the history entry
  • explore: name of the Explore
  • dashboard_id: ID of the dashboard
  • look_id: ID of the Look
  • parse_saml_idp_metadata The given XML was parsed as a SAML IdP metadata document, and the result was returned. none
    pdt_build A PDT was rebuilt.
  • temporary: table generated a temporary table
  • runtime: total time to build the table
  • connection_id: ID of the connection
  • connection_name: name of the connection
  • dialect: dialect of the connection
  • status: build_ready, build_complete, build_aborted, build_canceled, build_error, or nil
  • source: regenerator or query
  • dev_mode: whether the PDT was built for a user in Development Mode
  • pdt_regen A PDT regen was executed on a connection.
  • connection_id: ID of the connection
  • connection_name: name of the connection
  • dialect: dialect of the connection
  • status: skipped_pending_cron, skipped_invalid_connection, skipped_unwritable_schema, success, error_in_regen, or nil
  • runtime: total time to regen all PDTs on the connection
  • checked_count: number of PDTs checked
  • built_count: number of PDTs built
  • canceled_count: number of PDT regens canceled (query killed)
  • failed_count: number of PDT regens that failed for an unknown reason
  • render_scheduled_dashboard A scheduled dashboard was rendered.
  • target_uri: URI of the dashboard to be rendered
  • type: rendered file type
  • render_scheduled_look A scheduled Look was rendered.
  • target_uri: URI of the Look to be rendered
  • type: rendered file type
  • dimensions: dimensions of the rendered image
  • render_timeout_for_scheduled_dashboard A timeout occurred while a scheduled dashboard was being rendered.
  • target_uri: URI of the dashboard that was rendered
  • type: rendered file type
  • render_timeout_for_scheduled_look A timeout occurred while a scheduled Look was being rendered.
  • target_uri: URI of the Look that was rendered
  • type: rendered file type
  • dimensions: dimensions of the rendered image
  • run_query A query was completed through the Query Manager.
  • model: model used
  • view: view in model
  • query: query string stored in the history entry
  • history_id: ID of the history entry
  • runtime: runtime up to completion, error, or kill
  • status: completed, killed, or error
  • uri_length: length of the query string passed in query
  • dialect: dialect of the database for this query
  • dashboard_id: ID of the UDD dashboard or the name of the LookML dashboard
  • look_id: ID of the Look for this query
  • run_query_as_developer A query was run in Development Mode. This event supports PCI requirements and is emitted only when the pci_features license feature and an admin setting are enabled. This event and run_query_in_sqlrunner are intended to catch all cases where users run a query bypassing the use of a production model. Note that often these events are omitted before the query has completed and the runtime and status might not be in their final states.
  • model: model used
  • view: view in model
  • query: query URL fragments
  • history_id: ID of the row in the history
  • runtime: interval for running the query
  • status: how did it end?
  • result_source: where did the result come from?
  • source: what kind of query?
  • dialect: SQL dialect
  • dashboard_id: ID of the dashboard
  • look_id: ID of the Look
  • table_calculations_count: count of table calculations
  • created_at: when created
  • connection_name: name of the connection
  • force_production: was production model forced (even if the user is in Development Mode)?
  • sql_query_id: ID in the query table
  • workspace_id: ID of the workspace (production, dev, etc.)
  • cache: was result from the cache?
  • node_id: node in cluster when the query ran
  • slug: history slug
  • cache_key: key in the cache for this query
  • sql_text: generated or provided SQL for the query
  • run_query_in_sqlrunner A query was run using SQL Runner (or a model generated with SQL Runner). This event supports PCI requirements and is only emitted when the pci_features license feature is enabled and an admin setting is enabled. This event and run_query_as_developer are intended to catch all cases where users run a query bypassing the use of a production model. Note that often these events are omitted before the query has completed and the runtime and status might not be in their final states.
  • model: model used
  • view: view in model
  • query: query URL fragments
  • history_id: ID of the row in history
  • runtime: interval for running the query
  • status: how did it end?
  • result_source: where did the result come from?
  • source: what kind of query?
  • dialect: SQL dialect
  • dashboard_id: ID of the dashboard
  • look_id: ID of the Look
  • table_calculations_count: count of table calcs
  • created_at: when created
  • connection_name: name of the connection
  • force_production: was production model forced (even if the user is in Development Mode)?
  • sql_query_id: ID in query table
  • workspace_id: ID of the workspace (production, dev, etc.)
  • cache: was result from the cache?
  • node_id: node in cluster when the query ran
  • slug: history slug
  • cache_key: key in the cache for this query
  • sql_text: generated or provided SQL for the query
  • run_query_task A saved query was run asynchronously.
  • query_task_id: ID of the query task to run asynchronously
  • run_scheduled_task A scheduled task was run.
  • scheduled_task_id: ID of the scheduled task
  • sent: whether the results were sent (published)
  • run_sql_query A SQL query was run from SQL Runner.
  • slug: slug of the query
  • user_id: user who ran the query
  • last_runtime: how long the query took the last time it executed
  • run_count: how many times the query has been executed
  • dialect: dialect of the query
  • save_look A Look was saved.
  • look_id: ID of the Look
  • vis_type: vis type of the query
  • keep_exploring: user did not immediately view the new Look
  • set_legacy_feature_#{id}_to_#{val} The legacy feature #{id} was set to #{val} by a user.
  • legacy_feature_id: ID of the legacy feature being altered
  • support_access_disabled Looker Support auth access was turned off or toggled by an admin or a privileged developer.
  • support_access_open: false
  • support_access_open_until: time at which the toggle was set to nil
  • support_access_enabled Looker Support auth access was turned on or toggled by an admin or a privileged developer.
  • support_access_open: true
  • support_access_open_until: time at which the toggle was automatically set to false
  • test_ldap_config_auth The connection authentication settings for an LDAP configuration were tested.
  • success: whether the test was successful
  • test_ldap_config_connection The connection settings for an LDAP configuration were tested.
  • success: whether the test was successful
  • test_user_auth The user authentication settings for an LDAP configuration were tested.
  • success: whether the test was successful
  • test_user_info The user authentication settings for an LDAP configuration were tested without the user being authenticated.
  • success: whether the test was successful
  • update_embed_config The Embed configuration was updated.
  • old_value: previous auth enabled setting
  • new_value: new auth enabled setting
  • action: whether auth was enabled or disabled
  • domain_whitelist_count: count of allowlist domains
  • update_google_config The Google auth settings were updated.
  • action: enabled, disabled, or modified
  • update_homepage_item A curated homepage item was updated.
  • homepage_item_id: ID of the updated homepage item
  • has_title: whether the item has a title
  • has_text: whether the item has text
  • has_link: whether the item has a URL
  • has_image: whether the item has an image
  • update_homepage_section A curated homepage section (title) was updated.
  • homepage_item_id: ID of the updated homepage item
  • update_ldap_config The LDAP auth settings were updated.
  • action: enabled, disabled, or modified
  • update_model_set The models in a model set were changed.
  • model_set_id: ID of the updated model set
  • old_models: JSON object containing the old models
  • update_oidc_config The OpenID Connect auth settings were updated.
  • action: enabled, disabled, or modified
  • update_permission_set The permissions in a permission set were changed.
  • permission_set_id: ID of the updated permission set
  • old_permissions: JSON object containing the old permissions
  • new_permissions: JSON object containing the new permissions
  • update_role_groups All groups for a role were set, and all existing group associations from that role were removed.
  • role_id: ID of the role
  • group_ids: IDs of groups to set for the role
  • update_role_users The set of users with a given role was edited.
  • role_id: ID of the role
  • old_user_ids: JSON object containing the old users with the role
  • new_user_ids: JSON object containing the new users with the role
  • update_role A role was updated.
  • role_id: ID of the role
  • old_permission_set_id: ID of the role’s old permission set
  • old_model_set_id: ID of the role’s old model set
  • new_permission_set_id: ID of the role’s new permission set
  • new_model_set_id: ID of the role’s new model set
  • update_saml_config The SAML auth settings were updated.
  • action: enabled, disabled, or modified
  • update_scheduled_plan_destination A scheduled plan destination was updated. scheduled_plan_destination_id: ID of the updated plan
    update_space A folder was updated.
  • space_id: ID of the updated folder
  • update_totp_config The two-factor auth settings were updated.
  • action: enabled, disabled, or modified
  • update_upload The upload table definition was updated and the DB table was created/loaded.
  • upload_id: ID of the uploaded data that was imported to the database
  • update_user A user’s information was updated.
  • user_id: ID of the modified user
  • update_user_access_filter An access filter was updated for the specified user.
  • for_user_id: ID of the user whose access filters were updated
  • update_user_credentials_email Email/password login information was updated for the specified user.
  • for_user_id: ID of the user whose email credentials were updated
  • update_whitelabel_configuration The whitelabel configuration was updated. none
    upload_file The contents of file were uploaded to Looker for user-defined table generation and load.
  • upload_id: ID of the upload that has the custom file attached to it for later import
  • user_permission_elevation A change occurred that caused a user’s permissions to be increased in some way.
  • user_id: ID of the user whose permissions changed
  • embed_user: whether this was an Embed user
  • added_permissions: list or permissions that were added
  • old_permissions: list of permissions before the change
  • new_permissions: list of permissions after the change
  • cause: name of the event that caused the change, or unknown if the change can’t be attributed to a specific event
  • cause_event_id: ID of the event that caused the change
  • user_roles_updated A user’s roles were edited.
  • user_id: ID of the modified user
  • role_ids: JSON object containing the user’s roles
  • Top