kt events
Use kt events to inspect recent governance events and to export event evidence from the Keeptrusts control plane.
Both subcommands require API authentication. Set KEEPTRUSTS_API_TOKEN or
sign in before running them. Reading events requires events:read; exporting
them requires events:export.
kt events tail
Query recent events once, or poll for new events in follow mode.
Usage
kt events tail [OPTIONS]
Options
| Flag | Description |
|---|---|
--json | Print JSON output instead of terminal summaries. |
--since <duration|rfc3339> | Start the query at a relative duration like 10m, 2h, 7d, or an RFC3339 timestamp. |
--cursor <cursor> | Resume from a cursor returned by a previous call. |
--limit <n> | Maximum number of events to request (default: 100). |
--event-type <type> | Filter by event type such as decision. |
--gateway-id <id> | Filter by gateway identifier. |
--verdict <verdict> | Filter by allowed, blocked, redacted, or escalated. |
--follow | Poll for new events continuously. |
--follow-interval-secs <n> | Poll interval for follow mode (default: 5). |
--config <path>, --api-url <url>, --api-token <token>, --profile <name>, --region <region> | Standard connection and profile overrides. |
Examples
# Last 5 minutes of events
kt events tail --since 5m
# Blocked events in the last hour, as JSON
kt events tail --since 1h --verdict blocked --json
# Follow one gateway and print each new event as JSON
kt events tail --gateway-id gw_prod_eu --follow --json
Output modes
<event-time> decision blocked model=<model> policy=<policy>
If the queried page is empty, the command prints No events found. in plain-text mode.
Non-follow --json prints the full API response object, including the event
array and any next cursor. In follow mode, the CLI advances the cursor between
polls and prints each event as it arrives. --follow does not itself switch
the output format; add --json for one JSON object per event.
kt events export
Export event data to stdout in one of the supported formats.
Usage
kt events export --since <duration|rfc3339> --format <csv|json> [OPTIONS]
Options
| Flag | Description |
|---|---|
--since <duration|rfc3339> | Required export window start; relative values use an integer followed by m, h, d, or w. |
--format <csv|json> | Export format implemented by the Events API. |
--config <path>, --api-url <url>, --api-token <token>, --profile <name>, --region <region> | Standard connection and profile overrides. |
The command writes raw export bytes to stdout. Redirect the output to a file when you want a saved artifact.
Examples
# Export the last 7 days as CSV
kt events export --since 7d --format csv > events-7d.csv
# Export the last 24 hours as structured JSON
kt events export --since 24h --format json > events-24h.json
Next steps
- Escalations - Review and resolve escalations
- Export Evidence for a Review - Compliance workflow
- kt export-jobs - Asynchronous export jobs
- CLI Overview - Full CLI workflow