Hi all,
I am new to Elastic and Kibana. I want to get the current active users in a web application using audit logs stored in an Elastic index. We capture the login and logout events of users in the audit log and store them as documents in the Elastic index.
Below is the sample document:
For logout event:
Jan 23, 2021 @ 17:35:44.893
id: c384f67e-de6a-4161-bcbe-ca434bb62453
entityType:idmauditlogentity
userId:8ac8953561c2db8c0161dbef14c21519
principal:M31XX
managedSysId:-
timestamp:Jan 23, 2021 @ 17:35:44.893
source:https://myhostname.com/service/menu/MYINFO
clientIP:100.34.100.25
nodeIP:myhostname
action:LOGOUT
result:SUCCESS
hash:d5f0d34add6dyedil04e5a38ddmange546bcb630a5470more83bb25db2c317c698a
For login event:
id:07b5ebc6-82ba-4113-a93d-09b6b47278d0
entityType:idmauditlogentity
userId:8ac8953561c2db8c0161dbef14c21519
principal:M31XXX
managedSysId:0
timestamp:Jan 23, 2021 @ 17:35:26.465
source:-
clientIP:100.34.100.25
nodeIP:myhostname
action:LOGIN
result:SUCCESS
hash:facdf7e925670c8f491192ca055c105a47042e122f2b327712c809b0f2d94257
Now here the field principal is the user name, action is the action performed by the user, and result is either success or failure.
The logic is that we need to check the last action (LOGIN/LOGOUT/others) performed by the user. If the last (latest) performed action is not equal to LOGOUT, then consider the user an active user.
Query:
- Get the count of users whose name (the principal field is the user name in the Elastic index) starts with either CC*|MM*|VC* and whose latest (last) action is not equal to LOGOUT.
Help will be greatly appreciated.
Thanks.
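One way to implement the rule described in the post ("latest event per principal is not LOGOUT"), as an added example that is not part of the original post or of any Elastic product code. It builds the Elasticsearch query body that fetches the latest audit event per user for names starting with CC, MM or VC (a `terms` aggregation on `principal` with a `top_hits` sub-aggregation sorted by `timestamp` descending), and applies the same rule in plain Python so the logic can be checked against constructed sample events before it is run against a real index. The field names (`principal`, `action`, `timestamp`) come from the sample documents; the index name `auditlog`, the ISO 8601 timestamps, the assumption that `principal` is mapped as `keyword`, and all sample events are assumptions made for this example.

```python
"""Count active users from LOGIN/LOGOUT audit events (added example, not from the post)."""
import json
from datetime import datetime

# Name prefixes from the question: CC*, MM*, VC*
PREFIXES = ("CC", "MM", "VC")

# Assumption: index is called "auditlog" and `principal` is mapped as keyword.
# If the index uses the default dynamic mapping, `principal` is text with a
# `principal.keyword` subfield; use that subfield for the prefix query and the
# terms aggregation instead.
INDEX = "auditlog"


def build_query(prefixes=PREFIXES, max_users=10000):
    """Query body for GET /auditlog/_search: one bucket per matching principal,
    each holding only that user's latest event (sorted by timestamp desc)."""
    return {
        "size": 0,  # we only need the aggregation, not raw hits
        "query": {
            "bool": {
                "should": [{"prefix": {"principal": p}} for p in prefixes],
                "minimum_should_match": 1,
            }
        },
        "aggs": {
            "by_user": {
                "terms": {"field": "principal", "size": max_users},
                "aggs": {
                    "latest": {
                        "top_hits": {
                            "size": 1,
                            "sort": [{"timestamp": {"order": "desc"}}],
                            "_source": ["principal", "action", "timestamp"],
                        }
                    }
                },
            }
        },
    }


def active_users(events, prefixes=PREFIXES):
    """Apply the post's rule to a flat list of event dicts (any order):
    keep the latest event per principal; the user is active if it is not LOGOUT."""
    latest = {}  # principal -> (timestamp, action)
    for ev in events:
        name = ev["principal"]
        if not name.startswith(prefixes):
            continue
        ts = datetime.fromisoformat(ev["timestamp"])
        if name not in latest or ts > latest[name][0]:
            latest[name] = (ts, ev["action"])
    return sorted(name for name, (_, action) in latest.items() if action != "LOGOUT")


def active_user_count(events, prefixes=PREFIXES):
    return len(active_users(events, prefixes))


def active_users_from_response(resp):
    """Same rule applied to the aggregation response of build_query().
    The count cannot be done inside Elasticsearch with a pipeline aggregation,
    because top_hits fields are not available to bucket_selector, so the
    per-bucket check is done client-side."""
    active = []
    for bucket in resp["aggregations"]["by_user"]["buckets"]:
        hit = bucket["latest"]["hits"]["hits"][0]["_source"]
        if hit["action"] != "LOGOUT":
            active.append(bucket["key"])
    return sorted(active)


# Constructed sample events (not real audit data). VC3003's LOGOUT is listed
# after its LOGIN but carries an earlier timestamp, to show ordering is by time.
SAMPLE_EVENTS = [
    {"principal": "CC1001", "action": "LOGIN", "timestamp": "2021-01-23T17:35:26.465"},
    {"principal": "CC1001", "action": "LOGOUT", "timestamp": "2021-01-23T17:35:44.893"},
    {"principal": "MM2002", "action": "LOGIN", "timestamp": "2021-01-23T17:40:00.000"},
    {"principal": "MM2002", "action": "VIEW", "timestamp": "2021-01-23T17:41:10.000"},
    {"principal": "VC3003", "action": "LOGIN", "timestamp": "2021-01-23T17:50:00.000"},
    {"principal": "VC3003", "action": "LOGOUT", "timestamp": "2021-01-23T09:00:00.000"},
    {"principal": "M31XXX", "action": "LOGIN", "timestamp": "2021-01-23T17:35:26.465"},
]

if __name__ == "__main__":
    print(json.dumps(build_query(), indent=2))
    print("active:", active_users(SAMPLE_EVENTS), "count:", active_user_count(SAMPLE_EVENTS))
```

On the sample data CC1001 is inactive (last event LOGOUT), MM2002 is active (last event VIEW, which is "not LOGOUT" under the post's rule), VC3003 is active because its LOGIN is the later event even though the LOGOUT document was indexed afterwards, and M31XXX is ignored because it does not match the prefixes. Two practical points when running this against a real index: the `terms` aggregation `size` must be at least the number of distinct users or some will be dropped silently, and if failed logins should not count as activity, add `{"term": {"result": "SUCCESS"}}` to a `filter` clause of the `bool` query.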