I have about 250 Admin users and I would like to know when was the last time each of them logged in. Is there a query that I can use?
This search will look at all the login attempts, but does not contain role information.
To get the role/user mapping you need a REST call search.
Remarks:
- remember that there may be more than one role per user
- understand that if a role inherits from the admin role, you will not see it in the list.
index=_audit "action=login attempt" | stats first(_time) AS last_login first(info) AS last_detail by host user | convert ctime(last_login)
So you can add a join afterwards to get the list of roles for each user.
index=_audit "action=login attempt" | stats first(_time) AS last_login first(info) AS last_detail by host user | convert ctime(last_login)
| join user [ |rest /services/authentication/users | fields title roles |rename title AS user ]
If you want to filter ahead of time for members of the admin role only, you can try this prefilter condition as a subsearch on the base search (the subsearch must end with `fields user` so that it hands back only `user=...` terms to the outer search):
index=_audit "action=login attempt"
    [ |rest /services/authentication/users | fields title roles | rename title AS user | mvexpand roles | rename roles AS role | where role="admin" | fields user ]
| stats first(_time) AS last_login first(info) AS last_detail by host user
| convert ctime(last_login)
| join user [ |rest /services/authentication/users | fields title roles |rename title AS user ]
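As an added example (not part of the answer above), here is the same data turned around so that the list of admin users drives the search instead of the login events: every account holding the admin role is listed, including accounts with no login event at all, which is exactly what you want when hunting for dormant admin accounts. It uses the same REST endpoint and field names the answer uses; the 90-day window, the `type=left` join and the output field names are my own choices.

```spl
| rest /services/authentication/users
| fields title roles
| rename title AS user
| mvexpand roles
| rename roles AS role
| where role="admin"
| fields user
| join type=left user
    [ search index=_audit "action=login attempt" earliest=-90d
      | stats max(_time) AS last_login latest(info) AS last_detail BY user ]
| eval last_login_human=if(isnull(last_login), "no login in last 90 days", strftime(last_login, "%Y-%m-%d %H:%M:%S"))
| sort last_login
| table user last_login_human last_detail
```

Because the join is a left join, admin users without a matching audit event keep a null `last_login` and are sorted to the top of the table. The same caveat as in the answer applies: roles that merely inherit from admin are not matched by `where role="admin"`, and the `| rest` call only returns the users visible to the account running the search. Also keep in mind that the subsearch inside `join` is subject to the usual subsearch result limits, so on a very busy `_audit` index narrow the window rather than widening it.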