Query Actor Data

The following sections provide some examples of querying the actor data.

Query Token Usage
Query
flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 0[/Filter/] 1{{Aggregate}} result{{Result Set}} repo --> 0 0 --> 1 1 --> result

Search Repository: humio-audit

logscale
actor.type = /token/i
| groupBy([actor.user.username,actor.tokenName,actor.type,type],function={
    max(@timestamp)})
| latest_usage_timestamp := formatTime("%Y/%m/%d %H:%M:%S", field=_max)
Introduction

To search for the last usage of any of the supported LogScale tokens within the system and show who used it last, you can do this by searching the actor.type field and looking for a token, rather than user, entry.

Step-by-Step
  1. Starting with the source repository events.

  2. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 0[/Filter/] 1{{Aggregate}} result{{Result Set}} repo --> 0 0 --> 1 1 --> result style 0 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    actor.type = /token/i

    Search for the text token within the actor.type field using a case-insensitive regular expression. This will search for all entries that contain a reference to the use of a token, regardless of the type.

  3. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 0[/Filter/] 1{{Aggregate}} result{{Result Set}} repo --> 0 0 --> 1 1 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    | groupBy([actor.user.username,actor.tokenName,actor.type,type],function={
        max(@timestamp)})
    | latest_usage_timestamp := formatTime("%Y/%m/%d %H:%M:%S", field=_max)

    Group the resulting list of entries to provide the user name, the name of the token and the token type. The aggregate function uses the maximum value of the last latest_usage_timestamp which will be the last time the token was used.

  4. Event Result set.

Summary and Results

This query shows how to use the humio-audit to check the usage by looking at the tokens being used. The sample output provides information on the last usage for each token:

_maxactor.tokenNameactor.typelatest_usage_timestamptype
1709099191104datareadviewPermissionToken2024/02/28 05:46:31dataspace.query
1709106083071sysmanagementsystemPermissionToken2024/02/28 07:41:23role.create