Query Actor Data

The following sections provide some examples of querying the actor data.

Query Token Usage

Querying the last usage of any LogScale token

Query
[Query flow: Events -> Filter -> Aggregate -> Result Set]

Search Repository: humio-audit

logscale
actor.type = /token/i
| groupBy([actor.user.username,actor.tokenName,actor.type,type],function={
    max(@timestamp)})
| latest_usage_timestamp := formatTime("%Y/%m/%d %H:%M:%S", field=_max)

Introduction

To find the last usage of any of the supported LogScale tokens and show who used each one last, search the actor.type field for entries whose actor is a token rather than a user.

Step-by-Step
  1. Starting with the source repository events.

  2. Filter stage (Events -> [Filter] -> Aggregate -> Result Set):
    logscale
    actor.type = /token/i

    Search for the text token within the actor.type field using a case-insensitive regular expression. This will search for all entries that contain a reference to the use of a token, regardless of the type.

  3. Aggregate stage (Events -> Filter -> [Aggregate] -> Result Set):
    logscale
    | groupBy([actor.user.username,actor.tokenName,actor.type,type],function={
        max(@timestamp)})
    | latest_usage_timestamp := formatTime("%Y/%m/%d %H:%M:%S", field=_max)

    Group the resulting entries by user name, token name, token type and audit event type. The max(@timestamp) aggregate returns the newest event time in each group as the _max field, which is the last time that token was used; formatTime() then renders _max as the readable latest_usage_timestamp field.

  4. Event Result set.
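As an added example, not part of the LogScale documentation, the Python below replicates the three stages of the query above (case-insensitive filter on actor.type, groupBy with max(@timestamp), formatTime of _max) over a constructed set of humio-audit-style events, so the grouping and formatting can be checked offline. The sample events, the excluded User actor and the stale_tokens() check are assumptions for illustration, not real audit output; stale_tokens() goes beyond the page by flagging tokens whose last recorded use is older than a chosen number of days.

```python
import re
from datetime import datetime, timezone

# Constructed sample of humio-audit-style events (not real audit output).
# @timestamp is epoch milliseconds; field names follow the page's query.
SAMPLE_EVENTS = [
    {"@timestamp": 1709095000000, "actor.type": "viewPermissionToken",
     "actor.tokenName": "dataread", "type": "dataspace.query"},
    {"@timestamp": 1709099191104, "actor.type": "viewPermissionToken",
     "actor.tokenName": "dataread", "type": "dataspace.query"},
    {"@timestamp": 1709106083071, "actor.type": "systemPermissionToken",
     "actor.tokenName": "sysmanagement", "type": "role.create"},
    # A user (not token) actor: assumed value, must be dropped by the /token/i filter.
    {"@timestamp": 1709106100000, "actor.type": "User",
     "actor.user.username": "alice", "type": "role.create"},
]

# Mirrors the filter stage: actor.type = /token/i (unanchored, case-insensitive).
TOKEN_ACTOR = re.compile(r"token", re.IGNORECASE)
# Mirrors the groupBy() field list.
GROUP_FIELDS = ("actor.user.username", "actor.tokenName", "actor.type", "type")


def format_time(epoch_ms):
    """Mirror formatTime("%Y/%m/%d %H:%M:%S", field=_max) for a UTC rendering."""
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc).strftime("%Y/%m/%d %H:%M:%S")


def last_token_usage(events):
    """Filter to token actors, group on GROUP_FIELDS, keep the newest @timestamp per group.

    Events lacking a group field are keyed with None here; that is a simplification of
    this example, not a statement about LogScale's own groupBy() semantics.
    """
    latest = {}
    for ev in events:
        if not TOKEN_ACTOR.search(ev.get("actor.type", "")):
            continue  # user (non-token) actors never reach the aggregate
        key = tuple(ev.get(f) for f in GROUP_FIELDS)
        ts = ev["@timestamp"]
        if ts > latest.get(key, -1):
            latest[key] = ts  # equivalent of max(@timestamp) -> _max
    rows = []
    for key, ts in sorted(latest.items(), key=lambda kv: kv[1]):
        row = dict(zip(GROUP_FIELDS, key))
        row["_max"] = ts
        row["latest_usage_timestamp"] = format_time(ts)
        rows.append(row)
    return rows


def stale_tokens(rows, now_ms, max_idle_days):
    """Extension beyond the page: rows whose last use is older than max_idle_days."""
    idle_ms = max_idle_days * 86_400_000
    return [r for r in rows if now_ms - r["_max"] > idle_ms]


if __name__ == "__main__":
    for r in last_token_usage(SAMPLE_EVENTS):
        print(r["_max"], r["actor.tokenName"], r["actor.type"],
              r["latest_usage_timestamp"], r["type"])
```

The two rows this produces carry the same _max values and rendered times as the sample result set in the Summary below; running stale_tokens() against the result with a "now" taken from your own audit window is the check to add when the goal is to find tokens that should be revoked rather than just last used.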

Summary and Results

This query shows how to use the humio-audit repository to audit token usage by looking at which tokens have been used. The sample output shows the last use of each token:

_max           actor.tokenName  actor.type             latest_usage_timestamp  type
1709099191104  dataread         viewPermissionToken    2024/02/28 05:46:31     dataspace.query
1709106083071  sysmanagement    systemPermissionToken  2024/02/28 07:41:23     role.create