I have users.csv as a lookup file with almost 20K users. I'm writing a query for authentication events for a specific time range for all these users. CSV file has only one column with the email address of each user and the column header is email.
1) Get the user email from the lookup user.csv file
2) pass user email in the search
3) Authentication counts per day for specific time range.
I don't have email as a field in the authentication event, but I can get USER-EMAIL from the authentication event using this formula:
index="IndexName" eventType="user.authentication.sso"
| fields _time, eventType, "target{}.alternateId", "target{}.type"
| rename "target{}.alternateId" AS targetId, "target{}.type" AS targetType
| eval Application=mvindex(targetId, mvfind(targetType, "AppInstance"))
| eval "USER-EMAIL"=mvindex(targetId, mvfind(targetType, "AppUser"))
Authentication event:
{"actor": {"id": "00u1p2k8w5CVuKgeq4h7", "type": "User", "alternateId": "USER-EMAIL", "displayName": "USER-NAME", "detailEntry": null},
 "device": null,
 "authenticationContext": {"authenticationProvider": null, "credentialProvider": null, "credentialType": null, "issuer": null, "interface": null, "authenticationStep": 0},
 "displayMessage": "User single sign on to app",
 "eventType": "user.authentication.sso",
 "outcome": {"result": "SUCCESS", "reason": null},
 "published": "2024-02-20T22:25:18.552Z",
 "signOnMode": "OpenID Connect",
 "target": [
   {"id": "XXXXXXX", "type": "AppInstance", "alternateId": "APPLICATION-NAME", "displayName": "OpenID Connect Client", "detailEntry": {"signOnModeType": "OPENID_CONNECT"}},
   {"id": "YYYYYY", "type": "AppUser", "alternateId": "USER-EMAIL", "displayName": "USER-NAME", "detailEntry": null}
 ]}
Index="indexName" "eventType" = "user.authentication.sso" [|inputlookup "users.csv"]
is not working.
Any help is appreciated.
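A query that covers the three steps (read the emails from the lookup, restrict the SSO events to those users, count per day) without a subsearch. This is an added example, not part of the original post; `IndexName` and `users.csv` are the names from the question, while `email`, `in_scope` and `authentications` are placeholder field names chosen here. Set the time range with the time picker or with `earliest`/`latest` on the first line.

```spl
index="IndexName" eventType="user.authentication.sso"
| fields _time, "target{}.alternateId", "target{}.type"
| rename "target{}.alternateId" AS targetId, "target{}.type" AS targetType
| eval email=mvindex(targetId, mvfind(targetType, "^AppUser$"))
| eval Application=mvindex(targetId, mvfind(targetType, "^AppInstance$"))
| where isnotnull(email)
| lookup users.csv email OUTPUT email AS in_scope
| where isnotnull(in_scope)
| bin _time span=1d
| stats count AS authentications BY _time, email
| sort 0 _time, email
```

Why the original `[| inputlookup "users.csv"]` form does not work: a subsearch is expanded into `(email="a@example.com" OR email="b@example.com" OR ...)` and pasted into the outer search, but the raw events carry no field named `email` (the address only appears as `target{}.alternateId`), so nothing matches. Even with the field names lined up, a 20K-row subsearch runs past the default subsearch result limit (10,000 rows in limits.conf) and is silently truncated. The `lookup` command above avoids both problems: it is evaluated per event after the email has been derived, and it scales to the full CSV. The `OUTPUT email AS in_scope` trick copies the matched CSV value into a new field, so `where isnotnull(in_scope)` keeps only users present in the file. Two caveats to check on your data: CSV lookup matching is case-sensitive by default, so either normalise both sides with `lower()` or define a lookup definition with case-sensitive matching disabled; and `timechart count BY email` would collapse most of 20K users into OTHER, which is why the example uses `bin` plus `stats`. Note also that in the sample event the same address is present as `actor.alternateId`, which can be used directly if that field is extracted in your index.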