- Schemas:
For guidance on query performance when using organization-wide usage views, see Performance (Organization Usage).
LOGIN_
Important
This view is only available in the organization account. For more information, see Premium views in the organization account.
Organization Usage performance
When you query a specific view in the SNOWFLAKE.ORGANIZATION_USAGE schema, follow the organization-wide guidance in
Performance (Organization Usage): bound every scan on history views, list
columns explicitly, and use the time filter column table plus worked SQL and anti-patterns there.
This Organization Usage view can be used to query login attempts by Snowflake users.
Details about the error codes/messages for login attempts that were unsuccessful can be found in the following documentation:
Columns¶
Organization-level columns
| Column Name | Data Type | Description |
|---|---|---|
| ORGANIZATION_NAME | VARCHAR | Name of the organization. |
| ACCOUNT_LOCATOR | VARCHAR | System-generated identifier for the account. |
| ACCOUNT_NAME | VARCHAR | User-defined identifier for the account. |
Additional columns
| Column Name | Data Type | Description |
|---|---|---|
| READER_ACCOUNT_NAME | VARCHAR | Name of the reader account for the user authentication event. This column is only included in the view in the READER_ACCOUNT_USAGE schema. |
| EVENT_ID | NUMBER | Internal/system-generated identifier for the login attempt. |
| EVENT_TIMESTAMP | TIMESTAMP_LTZ | Time (in the UTC time zone) of the event occurrence. |
| EVENT_TYPE | VARCHAR | Event type, such as LOGIN for authentication events. |
| USER_NAME | VARCHAR | User associated with this event. |
| CLIENT_IP | VARCHAR | IP address where the request originated. This value can be an IPv4 or IPv6 address. |
| REPORTED_CLIENT_TYPE | VARCHAR | Reported type of the client software, such as JDBC_DRIVER, ODBC_DRIVER, and so on. This information is not authenticated. |
| REPORTED_CLIENT_VERSION | VARCHAR | Reported version of the client software. This information is not authenticated. |
| FIRST_AUTHENTICATION_FACTOR | VARCHAR | Method used to authenticate the user (the first factor in multi factor authentication, if used). |
| SECOND_AUTHENTICATION_FACTOR | VARCHAR | The second factor in multi factor authentication. If the user did not use multi-factor authentication, this value is NULL. |
| IS_SUCCESS | VARCHAR | Whether the user’s request was successful or not. |
| ERROR_CODE | NUMBER | Error code, if the request was not successful. |
| ERROR_MESSAGE | VARCHAR | Error message returned to the user, if the request was not successful. |
| RELATED_EVENT_ID | NUMBER | Reserved for future use. |
| CONNECTION | VARCHAR | Name of the connection used by the client, or NULL if the client is not using a connection URL. A connection is a Snowflake object that is part of Client Redirect. It represents a connection URL that you can use to fail over to another account for business continuity and disaster recovery. NOTE: If a client authenticates through an identity provider (IdP) that is configured with the account URL rather than the connection URL, the IdP directs the client to the account URL after authentication is complete. The CONNECTION column for this login event is NULL. See Authentication and Client Redirect. |
| CLIENT_PRIVATE_LINK_ID | VARCHAR | If the user logged in using private connectivity, specifies the identifier of the endpoint from which the request originated. |
| FIRST_AUTHENTICATION_FACTOR_ID | VARCHAR | ID of the credential used to authenticate the user (the first factor in multi-factor authentication, if used). |
| SECOND_AUTHENTICATION_FACTOR_ID | VARCHAR | ID of the credential used for the second factor in multi-factor authentication. If the user did not use multi-factor authentication, this value is NULL. |
| LOGIN_DETAILS | VARCHAR | Displays details for each login event, including malicious IP protection category name, risk category, and blocking status. |
Usage notes¶
- Latency for the view may be up to 24 hours.
-
INTERNAL_SNOWFLAKE_IP/0.0.0.0appears as the client IP for login events triggered by internal Snowflake operations that support your usage. For example: -
This view doesn’t record the activity of internal users the system defines to perform various operations, such as maintaining Snowsight worksheets.
-
To see the blocking status of potentially malicious IP addresses, examine the LOGIN_DETAILS column output. For examples, see View network login details.