Query Actor Data
The following sections provide some examples of querying the actor data.
Query Token Usage
Querying the last usage of any LogScale token
Query
Search Repository: humio-audit
actor.type = /token/i
| groupBy([actor.user.username,actor.tokenName,actor.type,type],function={
max(@timestamp)})
| latest_usage_timestamp := formatTime("%Y/%m/%d %H:%M:%S", field=_max)
Introduction
To search for the last usage of any of the supported LogScale tokens within the system and show who used it last, you can do this by searching the actor.type field and looking for a token, rather than user, entry.
Step-by-Step
Starting with the source repository events.
actor.type = /token/i
Search for the text token within the actor.type field using a case-insensitive regular expression. This will match all entries that record the use of a token, regardless of the token type.
| groupBy([actor.user.username,actor.tokenName,actor.type,type],function={ max(@timestamp)}) | latest_usage_timestamp := formatTime("%Y/%m/%d %H:%M:%S", field=_max)
Group the resulting entries by the user name, the name of the token, the token type and the audit event type. The aggregate function takes the maximum @timestamp for each group (stored in the _max field), which is the last time that token was used; formatTime() then renders that value as latest_usage_timestamp.
Event Result set.
Summary and Results
This query shows how to use the humio-audit repository to check token usage by looking at the tokens being used. The sample output provides the last usage for each token:
_max | actor.tokenName | actor.type | latest_usage_timestamp | type |
---|---|---|---|---|
1709099191104 | dataread | viewPermissionToken | 2024/02/28 05:46:31 | dataspace.query |
1709106083071 | sysmanagement | systemPermissionToken | 2024/02/28 07:41:23 | role.create |
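The same filter, groupBy and formatTime pipeline as the query above, carried out over a handful of constructed humio-audit-style events so the behaviour can be checked offline (added example, not LogScale's own code). It assumes @timestamp is epoch milliseconds, that timestamps are rendered in UTC (consistent with the _max and latest_usage_timestamp columns in the sample output), and uses made-up usernames and an extra older event per token to show that max() keeps only the latest use.

```python
import re
from datetime import datetime, timezone

# Constructed sample events shaped like humio-audit entries (not real data).
SAMPLE_EVENTS = [
    {"@timestamp": 1709090000000, "type": "dataspace.query",
     "actor.type": "viewPermissionToken", "actor.tokenName": "dataread",
     "actor.user.username": "alice"},          # earlier use, dropped by max()
    {"@timestamp": 1709099191104, "type": "dataspace.query",
     "actor.type": "viewPermissionToken", "actor.tokenName": "dataread",
     "actor.user.username": "alice"},
    {"@timestamp": 1709106083071, "type": "role.create",
     "actor.type": "systemPermissionToken", "actor.tokenName": "sysmanagement",
     "actor.user.username": "admin"},
    {"@timestamp": 1709106090000, "type": "role.create",
     "actor.type": "user", "actor.user.username": "bob"},  # interactive user, filtered out
]

TOKEN_RE = re.compile(r"token", re.IGNORECASE)      # actor.type = /token/i
GROUP_FIELDS = ("actor.user.username", "actor.tokenName", "actor.type", "type")


def format_time(epoch_ms: int) -> str:
    """Equivalent of formatTime("%Y/%m/%d %H:%M:%S", field=_max), assuming UTC."""
    ts = datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc)
    return ts.strftime("%Y/%m/%d %H:%M:%S")


def latest_token_usage(events):
    """Filter token actors, groupBy(GROUP_FIELDS, max(@timestamp)), then format."""
    latest = {}
    for ev in events:
        if not TOKEN_RE.search(ev.get("actor.type", "")):
            continue                                 # keep only token-based actors
        key = tuple(ev.get(f) for f in GROUP_FIELDS)
        latest[key] = max(latest.get(key, 0), ev["@timestamp"])
    rows = []
    for key, ts in latest.items():
        row = dict(zip(GROUP_FIELDS, key))
        row["_max"] = ts                             # as in the query's _max column
        row["latest_usage_timestamp"] = format_time(ts)
        rows.append(row)
    return sorted(rows, key=lambda r: r["_max"])     # oldest last-use first


if __name__ == "__main__":
    for row in latest_token_usage(SAMPLE_EVENTS):
        print(row)
```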