ai_sessions_claude
Note
The ai_sessions_claude dataset is provisioned globally and created automatically the first time a tenant emits Claude Code telemetry. Access is restricted to admins by default. It backs the session content behind Code Agents Intelligence.
Purpose
The ai_sessions_claude dataset captures the content of Claude Code sessions — the prompts developers typed, the model's answers, tool inputs, tool results, and errors. The cost and token metrics that drive the Code Agents dashboards live in the regular claude_code_* metric stream; the conversation transcript lives here. Together they let admins reconstruct per-session activity and answer "what did this spend buy us?" with concrete prompt and response evidence.
This dataset is the privacy control for prompt and response capture. Content logging on the developer side (via OTEL_LOG_USER_PROMPTS, OTEL_LOG_RAW_API_BODIES, OTEL_LOG_TOOL_CONTENT, OTEL_LOG_TOOL_DETAILS) sends the data to Coralogix; routing it into this admin-only dataset is what limits who can read it.
Schema description
Each LogRecord in the data set is one Claude Code event. The body field discriminates which event you're looking at; the attributes field carries the per-event payload. The data set is structured as native OpenTelemetry LogRecord, so any LogRecord-compatible query works against it.
Event types
Values of the LogRecord body field:
| Event | When it fires | Notable attributes |
|---|---|---|
claude_code.user_prompt | A developer enters a prompt in the Claude Code session | prompt (only when OTEL_LOG_USER_PROMPTS=1) |
claude_code.api_request | Claude Code calls the model | model, token counts, cost, latency |
claude_code.api_request_body | Claude Code sends a request to the model | body (JSON; only when OTEL_LOG_RAW_API_BODIES=1, which requires the CLAUDE_CODE_ENHANCED_TELEMETRY_BETA=1 companion flag) |
claude_code.api_response_body | The model returns a response | body (JSON; only when OTEL_LOG_RAW_API_BODIES=1, which requires the CLAUDE_CODE_ENHANCED_TELEMETRY_BETA=1 companion flag; the UI extracts the first "text" block) |
claude_code.api_error | The model call errors | status, error message |
claude_code.tool_result | A tool invocation completes | tool name, duration, outcome, tool_parameters (Bash sends bash_command, full_command, description by default; MCP and Skill tools send their parameters only when OTEL_LOG_TOOL_DETAILS=1) |
claude_code.tool_decision | The agent decides whether to invoke a tool | tool name, decision, source |
Common attributes
Present on every event, under attributes:
| Attribute | Description |
|---|---|
session.id | Claude Code session ID — primary join key across events and across the cost and token metrics |
user.id | The Anthropic user ID |
user.account_uuid | The Anthropic account UUID |
user.email | The user's email, when authenticated via OAuth |
organization.id | The Anthropic organization ID |
app.version | Claude Code version |
terminal.type | The terminal where Claude Code is running |
model | Active model identifier |
Opt-in content capture
Prompt text, raw request and response bodies, and tool-parameter content are off by default to limit log volume and exposure of sensitive strings. Four environment variables on the developer's machine turn them on:
| Variable | What it enables |
|---|---|
OTEL_LOG_USER_PROMPTS=1 | Populates the prompt attribute on claude_code.user_prompt events |
OTEL_LOG_RAW_API_BODIES=1 (Beta) | Routes claude_code.api_request_body and claude_code.api_response_body events carrying the full request and response JSON. Requires CLAUDE_CODE_ENHANCED_TELEMETRY_BETA=1 as a companion flag |
OTEL_LOG_TOOL_CONTENT=1 | Enriches claude_code.tool_result events with the content tool calls return |
OTEL_LOG_TOOL_DETAILS=1 | Adds MCP server and tool names to claude_code.tool_result events, and populates tool_parameters for MCP and Skill tool calls. Bash tool parameters (bash_command, full_command, description) ship by default — leave them off only if your developers can run Bash commands that contain secrets |
When none of these flags is set, the data set still records that each event happened, by which user, against which model — just without the body text.
Permissions
Permissions on the AI Claude Sessions data set follow Coralogix's standard data-set permissions model, scoped so that only admins have read access by default. The same gate applies in AI Center — non-admins don't see the raw session content.
If you need to grant read access to specific non-admin roles (for example, a finance analyst auditing AI spend), use the standard scope management via Dataset management: create a scope for ai.sessions.claude and bind the relevant team or role to it.
Example event
A claude_code.api_request event for a typical model call:
{
"timestamp": 1717459200000000000,
"body": "claude_code.api_request",
"attributes": {
"session.id": "01HYZABCDEFGHJKMN",
"user.account_uuid": "550e8400-e29b-41d4-a716-446655440000",
"user.email": "[email protected]",
"organization.id": "org_01ABCDEFGH",
"app.version": "2.1.42",
"terminal.type": "iTerm.app",
"model": "claude-opus-4-7",
"input_tokens": 12450,
"output_tokens": 1820,
"cache_read_tokens": 8120,
"cache_creation_tokens": 0,
"cost_usd": 0.0934,
"duration_ms": 4221
}
}
Query the dataset
Users with read access can query the dataset in DataPrime using the dataspace path:
From Explore, select ai_sessions_claude in the data-source selector to search and visualize it interactively. The dataset is archive-backed and not indexed in OpenSearch, so it doesn't appear in LiveTail or Frequent Search — queries run against the archive.
Customize access or routing
The defaults — auto-provisioned, admin-only — work for most organizations. If you need to grant access to additional roles, scope access to a subset of the data, or route a different subset of events into a separate dataset, manage the dataset through Dataset management:
- Grant access to non-admin roles. Create a scope on
ai.sessions.claudeand bind the relevant team or role to it. Useful, for example, when a finance analyst needs read access to audit AI spend. - Scope access to a subset of the data. Attach a DPXL expression to an exception rule on the access policy for this dataset. Useful for restricting a role to a single subsystem or organization.
- Route a different subset of events. Layer a TCO Optimizer policy on top of the default routing. Policies are evaluated in order; the first match wins.
Next steps
- Set up content capture: see Capture prompts and responses in the Claude Code integration guide.
- View session data in context: see Code Agents Intelligence.