Display User Account Deletion Events in Table Format

Create a table showing deleted user accounts using the table() function

Query

#event_simpleName=UserAccountDeleted
| aid=?aid
| table([aid, UserName, UserId], limit=1000)

Introduction

The table() function can be used to display query results in a tabular format, making it easier to view and analyze specific fields of interest.

In this example, the table() function is used to create a structured view of deleted user accounts, displaying the account ID, username, and user ID.

Example incoming data might look like this:

| @timestamp | event_simpleName | aid | UserName | UserId |
|---|---|---|---|---|
| 2025-10-06 08:00:00 | UserAccountDeleted | abc123 | john.doe | UID001 |
| 2025-10-06 08:15:30 | UserAccountDeleted | def456 | jane.smith | UID002 |
| 2025-10-06 09:20:45 | UserAccountDeleted | ghi789 | bob.wilson | UID003 |
| 2025-10-06 10:05:15 | UserAccountDeleted | jkl012 | sarah.jones | UID004 |
| 2025-10-06 11:30:00 | UserAccountDeleted | mno345 | mike.brown | UID005 |

Step-by-Step

  1. Starting with the source repository events.

  2. #event_simpleName=UserAccountDeleted

    Filters events where event_simpleName equals UserAccountDeleted.

  3. aid=?aid

    Filters results based on a specific account ID using the parameter aid.

    aid= is the parameter name and ?aid is a placeholder for the actual aid value. The question mark (?) indicates a parameter placeholder that will be replaced with an actual value during execution.

  4. table([aid, UserName, UserId], limit=1000)

    Creates a table displaying the fields aid, UserName, and UserId. The table() function includes a limit parameter set to 1000 rows to prevent excessive output.

  5. Event Result set.

Summary and Results

The query is used to create a structured table view of user account deletion events, showing essential account information.

This query is useful, for example, to monitor user account deletions, audit user management activities, or investigate security incidents related to account removals.

Sample output from the incoming example data:

| aid | UserName | UserId |
|---|---|---|
| abc123 | john.doe | UID001 |
| def456 | jane.smith | UID002 |
| ghi789 | bob.wilson | UID003 |
| jkl012 | sarah.jones | UID004 |
| mno345 | mike.brown | UID005 |
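
A variant of the query for building a deletion timeline during an audit or investigation, added here as an example and not part of the original page. It assumes the same fields as the sample data; the column name deleted_at and the "*" default for the aid parameter are choices made for this example.

```logscale
// Added example: same event filter as the query on this page
#event_simpleName=UserAccountDeleted
// ?{aid="*"} gives the aid parameter a default value, so leaving it
// empty matches every aid instead of returning nothing
| aid=?{aid="*"}
// Render the event time as a readable column; deleted_at is a name
// chosen for this example, not a field in the incoming data
| deleted_at := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, timezone="UTC")
// Sort on the formatted time, oldest first, so the table reads as a timeline;
// the limit still caps the output at 1000 rows
| table([deleted_at, aid, UserName, UserId], sortby=deleted_at, order=asc, limit=1000)
```

With the sample data and the parameter left at its default, this returns the same five rows with an added deleted_at column, starting with the 08:00:00 deletion of john.doe.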