It didn't work for me either but got me down the right path. Unless I was doing something wrong, I had to rename user to title to join it to the rest data. I also added the timestamp and limited it to the role I'm interested in. The results look accurate. Using Splunk 6 by the way (didn't mention it earlier)

index=_audit action="login attempt" | eval last=max(timestamp) | dedup user | rename user as title | join title [| rest /services/authentication/users] | search roles=cerner | table title roles last | sort title

Thanks for your help!!

Glad you found it useful!

This is super clever, but it doesn't work for me- I correctly get a list of logged-in users, but with the roles all incorrectly as 'user'. I modified your search slightly and it seems to work for me-

index=_audit action="login attempt" | dedup user | join user [| rest /services/authentication/users | rename title as user ] | table user, roles