datumctl activity gives you two purpose-built investigation tools:
datumctl activity auditrecords the actions people and machines take against your resources: who did what, when, and to which resource. This is your compliance and forensics trail.datumctl activity eventssurfaces the lifecycle events a resource emits as it moves through its states — the warnings and status changes you reach for during an incident.
datumctl activity is scoped like every other command: it acts on your active organization or project, and honors the --project and --organization flags. See Contexts & scoping for how scope is resolved.The shared query model
Everyactivity subcommand accepts the same flags for narrowing a time window, filtering server-side, paging through large result sets, and choosing an output format.
Time range
Both commands default to the last 24 hours. Widen or narrow the window with--start-time and --end-time. Two formats are accepted:
| Format | Example | Notes |
|---|---|---|
| Relative | now-7d, now-24h, now-30m | Units: s, m, h, d, w. --end-time defaults to now. |
| Absolute | 2026-01-01T00:00:00Z | RFC3339 with a timezone. |
Pagination
Results are paged. By default you get one page of up to 25 rows.| Flag | Default | Description |
|---|---|---|
--limit | 25 | Rows per page, between 1 and 1000. |
--all-pages | off | Fetch every page automatically — ideal for an export. |
--continue-after | — | Resume from a cursor returned by a previous query. |
--all-pages and --continue-after are mutually exclusive. Use --all-pages when you want the whole result set in one go; use --continue-after when you are stepping through pages yourself (for example, in an automation loop that checkpoints its position).Output format
The default output is a human-readable table. Pass-o to get machine-readable output, and --no-headers to drop the table header row.
-o value | Description |
|---|---|
| (none) | Formatted table (the default). |
json | A single JSON document — best for piping into jq. |
yaml | A YAML document. |
jsonpath | Extract specific fields, e.g. -o jsonpath='{.items[*].objectRef.name}'. |
Audit — who did what, when, to which resource
The question: “Prove who did what, when, and to which resource — and hand me an exportable record.”
datumctl activity audit answers that question. Each entry records an action (a verb) taken by a user against a resource, together with a timestamp and the response status. It is the tool for security reviews, compliance evidence, and after-the-fact forensics.
The default table shows the timestamp, verb, user, affected resource, and status code:
Narrowing the trail
Four shorthand flags let you zero in without writing a filter expression. They combine with AND logic — every condition must match.| Flag | Filters by | Example |
|---|---|---|
--user | The identity that performed the action | --user alice@example.com |
--verb | The action taken | --verb delete |
--resource | The resource type acted on | --resource dnszones |
--namespace | The target namespace | --namespace production |
--filter takes a server-side Common Expression Language (CEL) expression that is applied on top of them — for example --filter "responseStatus.code >= 400" to find failed requests.
Not sure which values exist in your data? The audit command can suggest them.
datumctl activity audit --suggest user.username lists the users with recorded activity in the window, which is a fast way to discover exactly what to pass to --user.Scenario: who deleted resources last week?
A security auditor wants every deletion across the project over the past seven days, with the responsible identity:Scenario: export an immutable record
Auditors and SIEM pipelines need the full record, not a single page. Combine--all-pages with -o json to capture everything in the window as one JSON document:
Scenario: stream audit records into a logging pipeline
Automation and SIEM integrators typically want to ingest audit records incrementally and checkpoint their position rather than re-pull the whole window each run. Page through the results yourself with--continue-after, using the cursor the CLI reports after each page:
Events — what changed, and were there warnings?
The question: “Something broke at 14:20 — what was happening to my resources just before, and were there any warnings?”
datumctl activity events surfaces the lifecycle events resources emit as they change state — the same events you would see reported against a resource, retained far longer than the live event window so you can investigate after the fact. Each event carries a type (Normal or Warning), a reason, the object it regards, and a message.
The default table shows the last-seen time, type, reason, regarding object, and message:
The on-call reflex: filter to warnings
When you are paged, the fastest signal is the set of warning events.--type Warning cuts straight to problems:
Zeroing in during an incident
Combine these flags to narrow from “everything” down to the resource you suspect:| Flag | Filters by | Example |
|---|---|---|
--type | Event severity: Normal or Warning | --type Warning |
--reason | The machine reason for the event | --reason FailedMount |
--regarding-kind | The kind of resource the event is about | --regarding-kind Workload |
--regarding-name | A specific resource by name | --regarding-name checkout-api |
--namespace | The namespace of the regarding resource | --namespace production |
--field-selector | A raw field-selector expression | --field-selector "type=Warning,reason=Scheduled" |
--field-selector lets you express conditions the shorthands do not cover. Comma-separated conditions must all match.
Unsure which reasons appear in your data?
datumctl activity events --suggest reason lists the event reasons seen in the window, so you know exactly what to pass to --reason.Scenario: what happened to one resource?
An on-call responder suspects a specific resource is the culprit. Pull every event about it in the last hour:Scenario: hunt a recurring failure by reason
If you already know the failure mode, filter by its reason across the whole project to see how widespread it is:Choosing between audit and events
Reach for audit when…
You need to know who took an action, when, and against which resource — deletions, updates, failed requests, or a full compliance export.
Reach for events when…
You need to know what happened to a resource — warnings, lifecycle changes, and the symptoms of an incident as the platform reports them.
Related
- Querying activity — the hub for the whole
activitycommand family, including the persona routing table and the shared query model. - Change history & feed — the
feedandhistorysubcommands, for a merged, human-readable activity stream and per-resource spec diffs. - Output formats & scripting —
jq/JSONPath patterns, structured errors, and exit-code handling for wrapping these commands in pipelines and SIEM ingestion. - Contexts & scoping — how the active organization and project are resolved, and how to pin them explicitly with
--organizationand--project. - Discovering resources & schemas — find the resource-type and kind names to pass to
--resourceand--regarding-kind.