Updates

Author: Maddy-Cloudflare

src/assets/images/log-explorer/supported-sql-grammar-graph.png

@@ -1,15 +1,72 @@
----
-pcx_content_type: reference
-title: Log Explorer API
-sidebar:
-  order: 5
----
+Configuration and Log searches are also available via a public API. 
+## Authentication
+
+Log Explorer is available to users with the following permissions:
+
+- **Logs Edit**: users with Logs Edit permissions can enable datasets.
+- **Logs Read**: users with Logs Read permissions can run queries via the UI or API.
+
+Note that these permissions exist at the account and zone level and you need the appropriate permission level for the datasets you wish to query.
 
-Log searches are available via the [API](https://developers.cloudflare.com/log-explorer/). 
+Authentication with the API can be done via an authentication header or API token. Append your API call with either of the following additional parameters.
+
+- **Authentication header**
 
-Log Explorer exposes a query endpoint that uses familiar SQL syntax for querying your logs generated with Cloudflare's network.
+  - `X-Auth-Email` - the Cloudflare account email address associated with the domain
+  - `X-Auth-Key` - the Cloudflare API key
+
+- **API token**
+
+  - `Authorization: Bearer <API_TOKEN>` To create an appropriately scoped API token, refer to [Create API token](/fundamentals/api/get-started/create-token/) documentation. Copy and paste the token into the authorization parameter for your API call.
+
+## Manage Datasets
+
+Use the Log Explorer API to enable Log Explorer for each dataset you wish to store. It may take a few minutes after a log stream is enabled before you can view the logs.
+
+The following curl command is an example for enabling the zone-level dataset `http_requests`, as well as the expected response when the command succeeds.
+
+```bash
+curl https://api.cloudflare.com/client/v4/zones/{zone_id}/logs/explorer/datasets \
+--header "Authorization: Bearer <API_TOKEN>" \
+--header "Content-Type: application/json" \
+--data '{
+  "dataset": "http_requests"
+}'
+```
+
+```json
+{
+  "result": {
+    "dataset": "http_requests",
+    "object_type": "zone",
+    "object_id": "<ZONE ID>",
+    "created_at": "2025-06-03T14:33:16Z",
+    "updated_at": "2025-06-03T14:33:16Z",
+    "dataset_id": "01973635f7e273a1964a02f4d4502499",
+    "enabled": true
+  },
+  "success": true,
+  "errors": [],
+  "messages": []
+}
+```
 
-For example, to find an HTTP request with a specific [Ray ID](/fundamentals/reference/cloudflare-ray-id/), you can perform the following SQL query:
+If you would like to enable an account-level dataset, replace `zones/{zone_id}` with `accounts/{account_id}` in the curl command. For example:
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/logs/explorer/datasets \
+--header "Authorization: Bearer <API_TOKEN>" \
+--header "Content-Type: application/json" \
+--data '{
+  "dataset": "access_requests"
+}'
+```
+
+## Query data
+
+Log Explorer includes a SQL API for submitting queries. 
+
+For example, to find an HTTP request with a specific [Ray ID](/fundamentals/reference/cloudflare-ray-id/), and use the following SQL query:
 
 ```bash
 curl https://api.cloudflare.com/client/v4/zones/{zone_id}/logs/explorer/query/sql \
@@ -36,7 +93,7 @@ Which returns the following HTTP request details:
 }
 ```
 
-A example to find Cloudflare Access requests with selected columns from a specific timeframe, you can perform the following SQL query:
+Another example to find Cloudflare Access requests with selected columns from a specific timeframe, you can perform the following SQL query:
 
 ```bash
 curl https://api.cloudflare.com/client/v4/account/{account_id}/logs/explorer/query/sql \
@@ -66,24 +123,4 @@ Which returns the following request details:
 	"errors": [],
 	"messages": []
 }
-```
-
-## Authentication
-
-Log Search is available to users with the following permissions:
-
-- **Logs Edit**: users with Logs Edit permissions can enable datasets.
-- **Logs Read**: users with Logs Read permissions can run queries via the UI or API.
-
-Note that these permissions exist at the account and zone level and you need the appropriate permission level for the datasets you wish to query.
-
-Authentication with the API can be done via an authentication header or API token. Append your API call with either of the following additional parameters.
-
-- **Authentication header**
-
-  - `X-Auth-Email` - the Cloudflare account email address associated with the domain
-  - `X-Auth-Key` - the Cloudflare API key
-
-- **API token**
-
-  - `Authorization: Bearer <API_TOKEN>` To create an appropriately scoped API token, refer to [Create API token](/fundamentals/api/get-started/create-token/) documentation. Copy and paste the token into the authorization parameter for your API call.
+```

src/content/docs/log-explorer/api.mdx

@@ -11,14 +11,20 @@ import { Description, Feature, RelatedProduct } from "~/components"
 Store and explore your Cloudflare logs directly within the Cloudflare dashboard or API.
 </Description>
 
-Log Explorer is a log storage platform that allows security teams and developers to analyze, investigate, and monitor attacks natively within the Cloudflare dashboard. Log Explorer is built on [Cloudflare R2](/r2/) which allows you to search your logs using SQL queries.
 
-With Log Explorer, you can monitor security and performance issues with custom dashboards, investigate and troubleshoot issues with Log Search, save time and collaborate with saved queries.
+Log Explorer is Cloudflare's native observability and forensics product that enables security teams and developers to analyze, investigate, and monitor issues directly from the Cloudflare dashboard, without the expense and complexity of forwarding logs to third party tools.
+
+Log Explorer provides access to Cloudflare logs with all the context available within the Cloudflare platform. You can monitor security and performance issues with custom dashboards or investigate and troubleshoot issues with log search. Benefits include: 
+
+- **Reduced cost and complexity**: Drastically reduce the expense and operational overhead associated with forwarding, storing, and analyzing terabytes of log data in external tools.
+- **Faster detection and triage**: Access Cloudflare-native logs directly, eliminating cumbersome data pipelines and the ingest lags that delay critical security insights.
+- **Accelerated investigations with full context**: Investigate incidents with Cloudflare's unparalleled contextual data, accelerating your analysis and understanding of "What exactly happened?" and "How did it happen?"
+- **Minimal recovery time**: Seamlessly transition from investigation to action with direct mitigation capabilities via the Cloudflare platform.
 
 ## Features
 
 <Feature header="Log Search" href="/log-explorer/log-search/">
-Search logs enable you to store and explore your Cloudflare logs directly within the Cloudflare dashboard or API.
+Search logs enable you to store and explore your Cloudflare logs directly within the Cloudflare dashboard or [API](/log-explorer/api/).
 </Feature>
 
 <Feature header="Custom dashboards" href="/log-explorer/custom-dashboards/">
@@ -36,7 +42,7 @@ Manage configuration and perform queries via the API.
 ## Related products
 
 <RelatedProduct header="Logpush" href="/logs/" product="logs">
-Detailed logs that contain metadata generated by Cloudflare products helpful for debugging, identifying configuration adjustments, and creating analytics. 
+Forward Cloudflare logs to third party tools for debugging, identifying configuration adjustments, and creating analytics. 
 </RelatedProduct>
 
 <RelatedProduct header="Analytics" href="/analytics/" product="analytics">

src/content/docs/log-explorer/index.mdx

@@ -9,12 +9,48 @@ import { TabItem, Tabs, Render } from "~/components";
 
 Log Explorer enables you to store and explore your Cloudflare logs directly within the Cloudflare dashboard or API. Giving you visibility into your logs without the need to forward them to third parties. Logs are stored on Cloudflare's global network using the R2 object storage platform and can be queried via the Dashboard or SQL API.
 
-## Supported datasets
+## SQL queries supported
+
+The diagram below displays the example sql grammar for SELECT statements as a railroad syntax diagram:
+
+![Supported sql grammar](~/assets/images/log-explorer/supported-sql-grammar-graph.png)
+
+Any path from left to right forms a valid query. There is a limit of 25 predicates in the `WHERE`  clause. Predicates can be grouped using parenthesis. If the `LIMIT`  clause is not specified, then the default limit of 10000 is applied. The maximum number for the `LIMIT` clause is 10000. Results are returned in descending order by time.
+
+Examples of queries include:
+
+- `SELECT * FROM table WHERE (a = 1 OR b = "hello") AND c < 25.89` 
+- `SELECT a, b, c FROM table WHERE d >= "GB" LIMIT 10`
+
+### SELECT
+
+The `SELECT` clause specifies the columns that you want to retrieve from the database tables. It can include individual column names, expressions, or even wildcard characters to select all columns.
+
+### FROM
+
+The `FROM` clause specifies the tables from which to retrieve data. It indicates the source of the data for the `SELECT` statement.
+
+### WHERE
+
+The `WHERE` clause filters the rows returned by a query based on specified conditions. It allows you to specify conditions that must be met for a row to be included in the result set.
+
+### GROUP BY
+
+The `GROUP BY` clause is used to group rows that have the same values into summary rows.
+
+### ORDER BY
 
-Log Explorer currently supports:
+The `ORDER BY` clause is used to sort the result set by one or more columns in ascending or descending order.
+
+### LIMIT
 
-- [HTTP requests](/logs/reference/log-fields/zone/http_requests/) (`FROM http_requests`)
-- [Firewall events](/logs/reference/log-fields/zone/firewall_events/) (`FROM firewall_events`)
+The `LIMIT` clause is used to constrain the number of rows returned by a query. It is often used in conjunction with the `ORDER BY` clause to retrieve the top N rows or to implement pagination.
+
+:::note
+
+Log Explorer does not support `JOINs`, `DDL`, `DML`, or `EXPLAIN` queries.
+
+:::
 
 ## Use Log Explorer
 
@@ -30,8 +66,9 @@ You can filter and view your logs via the Cloudflare dashboard or the API.
 8. Select **Run query** when you are done. The results are displayed below within the **Query results** section.
 
 :::note
-You can also access the Log Explorer dashboard directly from the [Security Analytics dashboard](/waf/analytics/security-analytics/#logs). When doing so, the filters you applied in Security Analytics will automatically carry over to your query in Log Explorer.
-:::
+
+
+
 
 For example, to find an HTTP request with a specific [Ray ID](/fundamentals/reference/cloudflare-ray-id/), go to **Custom SQL**, and enter the following SQL query:
 
@@ -47,6 +84,7 @@ For example, to find an HTTP request with a specific [Ray ID](/fundamentals/refe
 	LIMIT 1
 ```
 
+
 Another example to find Cloudflare Access requests with selected columns from a specific timeframe, you can perform the following SQL query:
 
 ```sql
@@ -65,10 +103,22 @@ Another example to find Cloudflare Access requests with selected columns from a
 	WHERE Date >= '2025-02-06' AND Date <= '2025-02-06' AND CreatedAt >= '2025-02-06T12:28:39Z' AND CreatedAt <= '2025-02-06T12:58:39Z'
 ```
 
+
+
+
+
+
+
 ### Save queries
 
 After selecting all the fields for your query, you can save it by selecting **Save query**. Provide a name and description to help identify it later. To view your saved and recent queries, select **Queries** — they will appear in a side panel where you can insert a new query, or delete any query.
 
+## Integrated with Security Analytics
+
+You can also access the Log Explorer dashboard directly from the [Security Analytics dashboard](/waf/analytics/security-analytics/#logs). When doing so, the filters you applied in Security Analytics will automatically carry over to your query in Log Explorer.
+
+:::
+
 ## Optimize your queries
 
 All the tables supported by Log Explorer contain a special column called `date`, which helps to narrow down the amount of data that is scanned to respond to your query, resulting in faster query response times. The value of `date` must be in the form of `YYYY-MM-DD`. For example, to query logs that occurred on October 12, 2023, add the following to your `WHERE` clause: `date = '2023-10-12'`. The column supports the standard operators of `<`, `>`, and `=`.
@@ -102,40 +152,6 @@ All the tables supported by Log Explorer contain a special column called `date`,
 - Omit `ORDER BY` and `LIMIT` clauses. These clauses can slow down queries, especially when dealing with large datasets. For queries that return a large number of records, reduce the time frame instead of limiting to the newest `N` records from a broader time frame.
 - Select only necessary columns. For example, replace `SELECT *` with the list of specific columns you need. You can also use `SELECT RayId` as a first iteration and follow up with a query that filters by the Ray IDs to retrieve additional columns. Additionally, you can use `SELECT COUNT(*)` to probe for time frames with matching records without retrieving the full dataset.
 
-## SQL queries supported
-
-These are the SQL query clauses supported by Log Explorer.
-
-### SELECT
-
-The `SELECT` clause specifies the columns that you want to retrieve from the database tables. It can include individual column names, expressions, or even wildcard characters to select all columns.
-
-### FROM
-
-The `FROM` clause specifies the tables from which to retrieve data. It indicates the source of the data for the `SELECT` statement.
-
-### WHERE
-
-The `WHERE` clause filters the rows returned by a query based on specified conditions. It allows you to specify conditions that must be met for a row to be included in the result set.
-
-### GROUP BY
-
-The `GROUP BY` clause is used to group rows that have the same values into summary rows.
-
-### ORDER BY
-
-The `ORDER BY` clause is used to sort the result set by one or more columns in ascending or descending order.
-
-### LIMIT
-
-The `LIMIT` clause is used to constrain the number of rows returned by a query. It is often used in conjunction with the `ORDER BY` clause to retrieve the top N rows or to implement pagination.
-
-:::note
-
-Log Explorer does not support `JOINs`, `DDL`, `DML`, or `EXPLAIN` queries.
-
-:::
-
 ## FAQs
 
 ### Which fields (or columns) are available for querying?

src/content/docs/log-explorer/log-search.mdx

@@ -9,6 +9,14 @@ import { TabItem, Tabs, Render } from "~/components";
 
 Log Explorer allows you to enable or disable which datasets are available to query in Log Search.
 
+## Supported datasets
+
+Log Explorer currently supports:
+
+- [HTTP requests](/logs/reference/log-fields/zone/http_requests/) (`FROM http_requests`)
+- [Firewall events](/logs/reference/log-fields/zone/firewall_events/) (`FROM firewall_events`)
+
+
 ## Enable Log Explorer
 
 In order for Log Explorer to begin storing logs, you need to enable the desired datasets. You can do this via the dashboard or the API.

src/content/docs/log-explorer/manage-datasets.mdx

@@ -207,7 +207,7 @@ You can choose the output format with an HTTP `Accept` header, as shown in the t
 | CSV           | `text/csv`             | Yes        |
 | Plain text    | `text/plain`           | Yes        |
 
-## Optimizing your queries
+## Optimize your queries
 
 All the tables supported by Log Explorer contain a special column called `date`, which helps to narrow down the amount of data that is scanned to respond to your query, resulting in faster query response times. The value of `date` must be in the form of `YYYY-MM-DD`. For example, to query logs that occurred on October 12, 2023, add the following to your `WHERE` clause: `date = '2023-10-12'`. The column supports the standard operators of `<`, `>`, and `=`.