/audit now supports three filters working together:
- **From / To dates** — calendar pickers, day-inclusive end. Filter to a quarter, a fiscal year, an incident window.
- **Event types** — toggle the type chips you care about (the same toggles that have always been there).
- **Actor** — substring match across joined user emails, raw actor IDs, and actor kinds. "alice@firm.com" finds her events; "agent" finds all agent activity; "system:dlp-scanner" finds DLP auto-escalations.
All three filters compose. Once you've narrowed, click **Export CSV ↓** to download an RFC 4180 file (up to 50,000 rows; payload as JSON in the last column). When the cap is hit, the file's first line is a "# truncated:" comment so the receiving auditor sees the warning rather than silently working with an incomplete export.
**JSONL export** (D185) — sister format alongside the CSV link. One JSON object per line; the payload jsonb is preserved as a real nested object instead of being CSV-stringified, so SIEM ingestion scripts (Splunk HEC, Datadog Logs, Sumo Logic) consume it directly without an inner JSON.parse on the payload field. Same 50,000-row cap; when hit, a synthetic `{ "_truncated": true, "_maxRows": 50000, "_note": "..." }` line at the head signals partial export. The response is served as `Content-Type: application/x-ndjson`, with an `X-Kodori-Truncated` response header for scripted exports.
Both formats use the same filter URL state — tighten filters once, export to whichever format your downstream tooling consumes. URL state preservation means you can bookmark a specific filter combo (or wire it into a scheduled export job) and return to it directly.
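An ingestion-side check for the truncation markers described above, for both the CSV and JSONL exports. This is an added example, not Kodori's own code. It assumes the CSV has a header row, and the field names (`type`, `actor`, `payload`) and sample records are constructed for illustration.

```python
import csv
import io
import json

# Constructed sample exports; field names other than the _truncated marker are assumed.
SAMPLE_JSONL = (
    '{"_truncated": true, "_maxRows": 50000, "_note": "constructed note"}\n'
    '{"type": "dlp.escalation", "actor": "system:dlp-scanner", "payload": {"file": "q4.xlsx"}}\n'
    '{"type": "login", "actor": "alice@firm.com", "payload": {"ip": "192.0.2.10"}}\n'
)
SAMPLE_CSV = (
    '# truncated: constructed warning text\r\n'
    'type,actor,payload\r\n'
    'login,alice@firm.com,"{""ip"": ""192.0.2.10""}"\r\n'
)

def parse_jsonl_export(text):
    """Return (events, truncated); the synthetic head line is never counted as an event."""
    events, truncated, first = [], False, True
    for line in text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if first and obj.get("_truncated") is True:
            truncated = True  # partial export: flag it instead of ingesting the marker
        else:
            events.append(obj)
        first = False
    return events, truncated

def parse_csv_export(text):
    """Return (rows, truncated); the last column (payload) is decoded from JSON."""
    truncated = text.startswith("# truncated:")
    if truncated:
        # Drop the comment line so the CSV reader sees the header row first.
        text = text.split("\n", 1)[1] if "\n" in text else ""
    reader = csv.reader(io.StringIO(text, newline=""))
    header = next(reader, None)  # assumption: the export carries a header row
    rows = []
    for rec in reader:
        row = dict(zip(header[:-1], rec[:-1]))
        row[header[-1]] = json.loads(rec[-1])
        rows.append(row)
    return rows, truncated
```

A scheduled export job can treat `truncated == True` as a signal to narrow the date window and re-export rather than archive a partial file.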