
What is event_id in LastPass data?

tprz
Explorer

I'm seeing an "event_id" field in my LastPass data that appears to be a random field.

I'm getting event_id values of Event1 through Event18 across data that is otherwise identical.
Neither of the lookups enriches this data. I'm wondering if anyone knows what this field is used for?

0 Karma

lewisk03
New Member

I know this is an older thread, but is it possible to look into a fix/customization of the TA for LastPass to drop duplicate events like this? We see the same issue; for example, 253 event logs for one single event. Apparently because the event_id is different for each log, that is why there are multiple logs, but we only need to see one of these.

0 Karma


hcanivel_splunk
Splunk Employee

Hi @lewisk03 !

Feel free to PR into the project. I've cleared it internally for open-source contributions: https://github.com/splunk/TA-lastpass

Basically, the event_id isn't really an event ID at all; it's more of an event or queue item counter from the event query REST call, based on the time parameter in your query.

I struggled with this when I first designed and developed the original code, but I've never come to grips with how to best capture these events and the "meta" data while minimizing transformation of the raw data set itself. My happy compromise is to introduce critical fields I think are missing, or reformat values that may break analysis, but not to change the original, fundamental data set.

I would highly recommend you reach out to LastPass and encourage them to update their API resources (data set) to improve data quality.

I don't think these are the ideal responses you're looking for, but hopefully you can take value in what I'm sharing back. Cheers!

0 Karma

DalJeanis
SplunkTrust

Look at the input data, specifically the _raw field, and see whether the values you are ending up with in event_id are in the actual data or not. If you can give more detailed examples, without showing us anything proprietary, then we can help you more.

0 Karma

tprz
Explorer

Example event

Action: Log in
Data: whatever.com
IP_Address: 10.10.10.10
Time: 2050-12-06 18:44:72
Username: user@spaghetti.com
event_id: Event5

0 Karma

tprz
Explorer

In the raw JSON:

"event_id": "Event5"

0 Karma

hcanivel_splunk
Splunk Employee

Hello @tprz!

Unfortunately, LastPass doesn't do a great job of providing much information in their API spec doc. The event_id, from what I've surmised, is effectively a basic, iterated, sequential count-based ID generated by the reporting command API call, based on whatever parameters you've provided in the request.

The pros/cons from my perspective developing against the API, given the current restraints:

+ You can easily identify a missing event in the sequence (from 0 .. N, where N is the length of the "Data" field in the response)

+ Should be easy to identify how many events per call (once you apply some decent SPL to extract the count number)

- This Event id has no relation whatsoever to the actual payload

- Unfortunately, this event id isn't truly unique (in other data sources, this should be either a UUID or some sort of derivative hash of the event)

Take it for what it's worth, though. I didn't feel I should fix/customize for a better event ID in the event the vendor updates their event API (and my code would break). I figured I'd get the data out efficiently for those who prefer a TA option.

Hope this explanation helps!

0 Karma
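To make the two points in this thread concrete (the "EventN" key is a per-request position counter with no relation to the payload, and lewisk03's request to collapse the 253 copies of one event), here is an added example that is neither part of the TA-lastpass project nor from any poster. It assumes a reporting response shaped as a JSON object whose "data" member maps "Event1".."EventN" to records with the fields shown in the thread (Action, Data, IP_Address, Time, Username) and that the counter is 1-based as in the original post; the two overlapping responses, the gap response, and the helper names (parse_response, content_id, dedupe, missing_sequence_numbers) are all constructed for illustration.

```python
"""Added example: why event_id is only a per-call counter, and how to
de-duplicate LastPass reporting events on content instead.

Assumptions (not confirmed by the thread or the LastPass API docs): the
reporting response is {"status": "OK", "data": {"Event1": {...}, ...}},
and the counter starts at 1. All sample responses below are constructed."""
import hashlib
import json
import re

_EVENT_KEY = re.compile(r"^Event(\d+)$")
CONTENT_FIELDS = ("Time", "Username", "IP_Address", "Action", "Data")


def _record(time, user, ip, action, data):
    return {"Time": time, "Username": user, "IP_Address": ip,
            "Action": action, "Data": data}


# Constructed sample records, modelled on the event posted in the thread.
LOGIN = _record("2050-12-06 18:44:00", "user@spaghetti.com", "10.10.10.10", "Log in", "whatever.com")
NOTE = _record("2050-12-06 18:45:00", "user@spaghetti.com", "10.10.10.10", "Open secure note", "note-1")
SHARE = _record("2050-12-06 18:46:00", "user@spaghetti.com", "10.10.10.10", "Share site", "whatever.com")
LOGOUT = _record("2050-12-06 18:47:00", "user@spaghetti.com", "10.10.10.10", "Log out", "")

# Two reporting calls with overlapping time windows: the same NOTE and SHARE
# events come back under different EventN keys in each response.
RESPONSE_A = json.dumps({"status": "OK", "data": {"Event1": LOGIN, "Event2": NOTE, "Event3": SHARE}})
RESPONSE_B = json.dumps({"status": "OK", "data": {"Event1": NOTE, "Event2": SHARE, "Event3": LOGOUT}})
# A response with a hole in the sequence (Event2 absent).
RESPONSE_GAP = json.dumps({"status": "OK", "data": {"Event1": LOGIN, "Event3": SHARE}})


def parse_response(raw):
    """Mimic the TA: copy each record and stamp the dict key into event_id."""
    body = json.loads(raw)
    if body.get("status") != "OK":
        raise ValueError("reporting call failed: %r" % body.get("status"))
    events = []
    for key, rec in body.get("data", {}).items():
        m = _EVENT_KEY.match(key)
        if not m:          # skip any non-event members of "data"
            continue
        ev = dict(rec)
        ev["event_id"] = key
        ev["_seq"] = int(m.group(1))   # position within this call only
        events.append(ev)
    events.sort(key=lambda e: e["_seq"])
    return events


def missing_sequence_numbers(events):
    """Counter positions absent from a single call (assumes 1-based numbering)."""
    seen = {e["_seq"] for e in events}
    if not seen:
        return set()
    return set(range(1, max(seen) + 1)) - seen


def content_id(event):
    """Stable ID derived from the payload, independent of which call returned it."""
    canon = json.dumps([event.get(f, "") for f in CONTENT_FIELDS], separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()[:32]


def dedupe(*batches):
    """Keep the first copy of each distinct payload across any number of calls."""
    seen, unique = set(), []
    for batch in batches:
        for ev in batch:
            cid = content_id(ev)
            if cid in seen:
                continue
            seen.add(cid)
            out = {k: v for k, v in ev.items() if k != "_seq"}
            out["content_id"] = cid
            unique.append(out)
    return unique


if __name__ == "__main__":
    a, b = parse_response(RESPONSE_A), parse_response(RESPONSE_B)
    print("A:", [e["event_id"] for e in a], "B:", [e["event_id"] for e in b])
    print(len(dedupe(a, b)), "unique events out of", len(a) + len(b), "returned")
    print("gap in RESPONSE_GAP:", missing_sequence_numbers(parse_response(RESPONSE_GAP)))
```

The content hash only collapses records whose five payload fields are identical, including the second-resolution Time, which is exactly the situation described above (many copies of one event differing only in event_id). Two genuinely separate actions by the same user, from the same IP, on the same target, within the same second would also collapse to one; if that matters for your detections, key the hash on a vendor-supplied unique field instead once LastPass provides one.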