Tracking user activity in Appsearch UI through logs

Is there any way we can track user activities like

  1. what they searched
  2. what document they accessed
    after logging in to appsearch UI through logs or some other ways for audit.

Please let me know if any solution.

1 Like

You can check at elasticsearch level, there is an index where all activities (search, results, clicks ...) are stored, something like this

1 Like

HI Ylasri, tried accessing that index but we only get lm_account_id in the above mentioned index not the user_oid, is there any way to configure app-search so that the user_oid will also be logged ?
sample response below

                "_index": ".ent-search-app-search-analytics-ecs-ilm-logs-production-2021.02.09-000001",
                "_type": "_doc",
                "_id": "IbqQhXcBk-1x-EvGC74V",
                "_score": 1.0,
                "_source": {
                    "@timestamp": "2021-02-09T06:52:20.884Z",
                    "agent": {
                        "id": "5a164c26-95e9-40d0-a193-601a771929e0",
                        "version": "7.6.0",
                        "type": "filebeat",
                        "ephemeral_id": "0f8b03ec-5471-4df4-a840-a77035f690d7",
                        "hostname": "33aab3e7aff8"
                    "labels": {
                        "index_date": "2021.02.09",
                        "engine_id": "602230fdc32e8a58371fadb8",
                        "lm_account_id": "60223043c32e8a722f8b8749"
                    "related": {
                        "ip": ""
                    "log": {
                        "offset": 0,
                        "file": {
                            "path": "/var/log/enterprise-search/filebeat.log"
                    "event": {
                        "tags": [],
                        "dataset": "app-search-analytics",
                        "category": "app-search-analytics",
                        "action": "loco_moco_search",
                        "created": "2021-02-09T06:52:20Z",
                        "query_string": "",
                        "loco_moco_search_request_id": "d55092f4-fb47-456d-a08f-27b6e0aa5f77",
                        "document_ids": [
                    "ecs": {
                        "version": "1.5.0"
                    "input": {
                        "type": "log"
                    "host": {
                        "name": "33aab3e7aff8"

Hi @Subhasis_Dash

Perhaps I am missing something have you tried the Analytics API it there to answer those questions.

Hello @stephenb ,

Analytics API do returns the number of counts but we are mainly looking to capture which user has done the operation from appsearch GUI

Perhaps use the tags on the Search and Click API have you tried to put a user identifier into the tags?

BTW I checked with the App Search team and they said you could absolutely use this method.

Give it a try and let us know.

1 Like

Putting user identifier into tags and then using search and click API helps if we are making query via APIs. I am looking to track the user activities if they actually login to APP Search GUI interface and search/view any document. Is there anyway if I can also add tags in this scenario?

1 Like

Hi @ylasri @stephenb ,
To explain more about this scenario:

  1. users named "testUser","testUser1","testUser2" are created in appsearch UI
  2. testUser logs into appsearch UI
  3. testUser uses Query tester in appsearch UI to search using "test" keyword (Not the search api) and gets some result
  4. testUser clicks on one of the document
  5. now testUser2 follows the same steps as "testUser" but clicks on another document

Now in analytics we can see "test" keyword is searched 2 times and click count is 2 also we see what documents are clicked,
However what we donot see is which document is clicked by testUser2 and which by testUser
And as both users in this scenario are using Appsearch UI portal not the apis we are not sure how to send tags.

If the scenario is clear, our question Is there a way to capture/configure or see these kind of user activites that were performed using appsearch UI?


this index seems to have some details but only with account_id, which is same for all users. Is it possible to capture UserId too?

1 Like

Hi @Subhasis_Dash

Apologies I did not understand you are trying to use the app Search UI for this, using it it as the search interface.

It is not really the the intended use for the App Search UI it is meant to be and Admin interface so I don't think it supports what you are looking to do.

I have passed this on to product to take a look.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.