PromQL-shaped aggregation over a single workspace's audit log

GET

/workspaces/{id}/audit/stats

const url = 'https://your-org.evershell.ai/v1/workspaces/example/audit/stats?time_bucket=auto&metric=count';
const options = {method: 'GET', headers: {Authorization: 'Bearer <token>'}};

try {
  const response = await fetch(url, options);
  const data = await response.json();
  console.log(data);
} catch (error) {
  console.error(error);
}

curl --request GET \
  --url 'https://your-org.evershell.ai/v1/workspaces/example/audit/stats?time_bucket=auto&metric=count' \
  --header 'Authorization: Bearer <token>'

Permissions: caller must hold both a workspace-read scope (workspace:read or workspace:read:own with creator-match) and an audit-read scope (audit:read or audit:read:own). Unlike GET /audit/stats, this route does NOT further narrow by user_id — workspace creators see aggregate metrics over every event on their workspace, including events authored by other members or API-key callers. Mirrors GET /workspaces/{id}/audit’s permission model.

Prefer this over GET /audit/stats?filter=workspace_id=<id> when you want per-workspace metrics: the org-scoped route applies the :own user_id narrowing, which silently undercounts cross-actor events on a shared workspace.

Same query model as GET /audit/stats: group_by, time_bucket, bucket_by, metric, top, filter, from, to all behave identically.

Authorizations

bearerAuth

Parameters

Path Parameters

required

string

Query Parameters

group_by

string

time_bucket

string

Allowed values: auto 5m 15m 1h 6h 1d

bucket_by

string

metric

string

default: count

top

string

filter

Array<string>

from

string format: date-time

Responses

200

application/json

object

buckets

required

Array<object>

object

group

required

object

key

additional properties

string

bucket

string

value

required

number

Example ^generated

{
  "buckets": [
    {
      "group": {
        "additionalProperty": "example"
      },
      "bucket": "example",
      "value": 1
    }
  ]
}

400

Invalid query (unknown dimension / bad metric grammar).

application/json

object

error

required

object

code

required

Closed-enum slug (e.g. permission_denied, validation_error, workspace_not_found)

string

message

required

Human-readable summary

string

request_id

required

Server-generated request id for correlating logs

string

details

Optional structured context. Validation errors land at details.fields as a per-field map.

object

key

additional properties

any

Example

{
  "error": {
    "code": "permission_denied",
    "message": "caller lacks required scope",
    "request_id": "7f3a9c2e"
  }
}

404

Resource not found in the caller’s org

application/json

object

error

required

object

code

required

Closed-enum slug (e.g. permission_denied, validation_error, workspace_not_found)

string

message

required

Human-readable summary

string

request_id

required

Server-generated request id for correlating logs

string

details

Optional structured context. Validation errors land at details.fields as a per-field map.

object

key

additional properties

any

Example

{
  "error": {
    "code": "permission_denied",
    "message": "caller lacks required scope",
    "request_id": "7f3a9c2e"
  }
}

PromQL-shaped aggregation over a single workspace's audit log

Authorizations

Parameters

Path Parameters

Query Parameters

Responses

200

Example generated

400

Example

404

Example

Example ^generated