[Use Case] Last Login Time for User


I have created an index which is populated with event logs from my application. I would like to attempt to do the following using logstash:

  1. Determine all user login events (using pre-defined tags in logstash configuration file) and move them to a separate index. This index should contain only unique login events for any given user (username is parsed to the field "username")
  2. For any new login event received for the same user, update the @timestamp field of the login event received for that user in the 2nd index which is storing login events only.

The purpose of this activity is to identify the last login time for a given user and hence identify dormant users. This would be a multi-document index whose data can be viewed as a saved search with key fields user name and @timestamp.

I read some topics in the forum related to this and noted that the document_id field can be used to update the existing document but this is limited to single document indices only.

Can anyone please let me know if the above requirement can be achieved ? If yes, please guide me on how to achieve the same.

Thank you.

In the 2nd index you can use the user name as the document id. It will then overwrite @timestamp every time you get a new login.

That worked. Thanks!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.