Network access events system table reference
Important
This system table is in Public Preview. To access the table, the schema must be enabled in your system catalog. For more information, see Enable system table schemas.
The network access events table records events where internet access is denied. Each row represents an individual event. For example, if a user attempts to access “google.com” from a notebook and fails, the failure would be logged as an event.
Table path: This system table is located at system.access.outbound_network.
Network access events system table schema
| Column name | Data type | Description | Example |
|---|---|---|---|
account_id |
string | The ID of the Databricks account | 7af234db-66d7-4db3-bbf0-956098224879 |
workspace_id |
string | The ID of the workspace where the event occurred | 1234567890123456 |
event_id |
string | The ID of the event | db52a413-7a0a-4d49-b742-7ae5f06bc4b2 |
destination_type |
string | The type of destination. Possible values are DNS, IP, and STORAGE |
DNS |
destination |
string | Details of the blocked destination. Depending on the destination type, the value could be a domain name, IP address, or storage location. | google.com |
dns_event |
struct | Details about the DNS destination. Only populates for DNS destinations, otherwise the field is NULL. |
{ "domain_name":"google.com", "rcode": 3 } |
ip_event |
struct | Details about the IP destination. Only populates for IP destinations, otherwise the field is NULL. |
{ "ip_address":"0.0.0.0" } |
storage_event |
struct | Details about the storage destination. Only populates for storage destinations, otherwise the field is NULL. |
{ "hostname":"s3://some-bucket", "path": "/some-path", "rejection_reason": "storage-bucket-path-denied" } |
event_time |
timestamp | Timestamp when the event took place | 2024-05-01T01:01:01.123 |
access_type |
string | Type of access event that occurred. | DROP |
Sample queries
The following sample queries help you gain insight into denial logs in your account:
- Get all the denial logs for a given workspace for a given time range.
- To drill down for a given error
Get all the denial logs for a given workspace for a given time range.
SELECT
event_id, destination_type, destination
COUNT(*) AS destination_count
FROM
system.access.outbound_network
WHERE
event_time > '2024-09-25'
AND event_time < '2024-09-26'
AND account_id = <id>
AND workspace_id = <id>
GROUP BY
destination;
To drill down for a given error
SELECT
storage_event.hostname, storage_event.path, storage_event.rejection_reason
FROM
system.access.outbound_network AS storage_event
WHERE
event_time > '2024-09-25'
AND event_time < '2024-09-26'
AND account_id = <id>
AND workspace_id = <id>
AND destination = 'storage path';