I am new to Elastic and Kibana. I want to get the currently active users of a web application using audit logs stored in an Elastic index. We capture the login and logout events of users in the audit log and store them as documents in the Elastic index.
Below is the sample document:
For logout event:
timestamp: Jan 23, 2021 @ 17:35:44.893
For login event:
timestamp: Jan 23, 2021 @ 17:35:26.465
Now, here the field principal is the user name, action is the action performed by the user, and result is either success or failure.
The logic here is that we need to check the last action (LOGIN/LOGOUT/other) performed by the user. If the last (latest) performed action is not equal to LOGOUT, then consider the user an active user.
- Get the count of users whose name (the principal field is the user name in the Elastic index) starts with CC*, MM*, or VC* and whose latest (last) action is not equal to LOGOUT.
Help will be greatly appreciated.
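One way to express the rule above as an Elasticsearch query plus a small post-processing step, added here as an example and not part of the original question: a `terms` aggregation on the user name gives one bucket per principal, a `top_hits` sub-aggregation sorted by timestamp descending keeps only that user's most recent event, and the caller counts the buckets whose latest `action` is not `LOGOUT`. The field names `principal`, `action`, `result` and `timestamp` come from the question; the `.keyword` sub-field, the ISO-8601 timestamp format and the sample events are assumptions, and `simulate_response` only fakes the aggregation response so the logic can be run offline.

```python
"""Count currently active users from login/logout audit events.

Added example, not code from the original post. Field names `principal`,
`action`, `result` and `timestamp` are taken from the question; the
`principal.keyword` sub-field (assumed to exist as an unanalysed keyword
mapping) and the sample events are assumptions.
"""


def build_active_users_query(prefixes=("CC", "MM", "VC"), max_users=10000):
    """Elasticsearch query: restrict to principals with one of the given
    prefixes, then one bucket per user holding only that user's latest event."""
    return {
        "size": 0,  # we only need the aggregation, not the matching documents
        "query": {
            "bool": {
                "should": [{"prefix": {"principal.keyword": p}} for p in prefixes],
                "minimum_should_match": 1,
            }
        },
        "aggs": {
            "by_user": {
                # size must be at least the number of distinct users, otherwise
                # users are silently dropped; use a composite agg for very large sets
                "terms": {"field": "principal.keyword", "size": max_users},
                "aggs": {
                    "latest": {
                        "top_hits": {
                            "size": 1,
                            "sort": [{"timestamp": {"order": "desc"}}],
                            "_source": ["principal", "action", "result", "timestamp"],
                        }
                    }
                },
            }
        },
    }


def active_users_from_response(response):
    """Apply the rule from the question: a user is active when the action of
    their most recent event is anything other than LOGOUT."""
    active = []
    for bucket in response["aggregations"]["by_user"]["buckets"]:
        hits = bucket["latest"]["hits"]["hits"]
        if not hits:  # defensive: a bucket should always carry one hit
            continue
        latest = hits[0]["_source"]
        if latest["action"] != "LOGOUT":
            active.append(bucket["key"])
    return sorted(active)


def simulate_response(events, prefixes=("CC", "MM", "VC")):
    """Build the aggregation response the query above would return for a list
    of in-memory events (constructed stand-in for a real Elasticsearch call)."""
    latest_by_user = {}
    counts = {}
    for ev in events:
        if not ev["principal"].startswith(prefixes):
            continue
        counts[ev["principal"]] = counts.get(ev["principal"], 0) + 1
        cur = latest_by_user.get(ev["principal"])
        # ISO-8601 strings of equal format compare correctly as text
        if cur is None or ev["timestamp"] > cur["timestamp"]:
            latest_by_user[ev["principal"]] = ev
    buckets = [
        {"key": user, "doc_count": counts[user],
         "latest": {"hits": {"hits": [{"_source": ev}]}}}
        for user, ev in latest_by_user.items()
    ]
    return {"aggregations": {"by_user": {"buckets": buckets}}}


# Constructed sample audit events (not from the question's index).
SAMPLE_EVENTS = [
    {"principal": "CC_alice", "action": "LOGIN", "result": "success", "timestamp": "2021-01-23T17:35:26.465Z"},
    {"principal": "CC_alice", "action": "LOGOUT", "result": "success", "timestamp": "2021-01-23T17:35:44.893Z"},
    {"principal": "MM_bob", "action": "LOGIN", "result": "success", "timestamp": "2021-01-23T17:40:00.000Z"},
    {"principal": "VC_carol", "action": "LOGIN", "result": "success", "timestamp": "2021-01-23T17:41:00.000Z"},
    {"principal": "VC_carol", "action": "VIEW_REPORT", "result": "success", "timestamp": "2021-01-23T17:45:00.000Z"},
    {"principal": "MM_erin", "action": "LOGOUT", "result": "success", "timestamp": "2021-01-23T17:30:00.000Z"},
    {"principal": "MM_erin", "action": "LOGIN", "result": "success", "timestamp": "2021-01-23T17:50:00.000Z"},
    {"principal": "ZZ_dave", "action": "LOGIN", "result": "success", "timestamp": "2021-01-23T17:55:00.000Z"},
]


def count_active_users(events=SAMPLE_EVENTS):
    """Run the offline pipeline and return (count, sorted user names)."""
    active = active_users_from_response(simulate_response(events))
    return len(active), active


if __name__ == "__main__":
    print(build_active_users_query())
    print(count_active_users())  # (3, ['MM_bob', 'MM_erin', 'VC_carol'])
```

Against a live cluster, send `build_active_users_query()` as the body of a search on the audit index and pass the JSON response to `active_users_from_response`. Two things to check before trusting the number: the `terms` aggregation's `size` must exceed the number of distinct principals, or users are dropped without any error, and the rule as stated treats a failed LOGIN or any non-LOGOUT action as "active", so the `result` field is kept in `_source` in case the count should be tightened to successful logins only.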