
TroyB.17277 (Customer) asked a question.
I am using the "search system logs" card to find out user.authentication.sso for our app. This app is used highly by the company but I needed to audit the user list. With multiple entries for the same person I want to remove all the duplicate entries via username. In C# it would be something of a list.distinct. Ultimately I don't want to create a list then iterate through it to remove entries. I prefer this to happen before using the create row element card.

@TroyB.17277 (Customer) -- So something like this. The Search returned 31 results of the same user. The final card has 1 result since there is only the 1 unique user.
Something to keep in mind. You are going to need to perform this leveraging API Connector since you are likely going to have more than 200 results (Max per page) which means you will need to build out pagination to make a combined list that is then filtered. The Built-In card doesn't have a means for you to do this. Streaming on built-in cards does perform Pagination but the results are processed as a "for each" which means they cannot be passed back up to be processed in a block.
The example I provided is just to show there is a means to filter off of a unique value.
Thank you for this insight. I will have more than 220 results and was having issues using the card. I will attempt leveraging the API Connector.
@TroyB.17277 (Customer) -- So in the returned headers when the call is made with API Connector it will contain a "next" link. You will need to pull that out and use it to return the next page then rinse repeat until there are no pages and a way to break out of the loop once that completes.
You can use an API Key (Authorization: SSWS <API KEY>) or OAuth (auth code) to an OIDC Webapp that you create to gain access to the endpoints.
The following API Documentation contains the scopes for the API calls you need to make (in your instance the Syslog read one) if you go the OAuth route.
https://developer.okta.com/docs/api/
Then it is just a matter of filtering down to the user.authentication.sso event and the target.id of your app. You can build that filter out in the UI using the wizard and it should port just fine into your api call.
There are also a bunch of examples here on how to do queries.
https://developer.okta.com/docs/reference/api/system-log/
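
The pagination-then-dedupe loop described in this reply, written out as an added Python example (not part of the original thread and not Okta's code). It assumes the username is in `actor.alternateId`, that `fetch` is a hypothetical callable performing the authenticated GET, and that `example.okta.com` and the sample events are constructed placeholders.

```python
import re

# Matches one entry of an RFC 8288 Link header: <url>; rel="name"
_LINK = re.compile(r'<([^>]+)>\s*;\s*rel="([^"]+)"')

def next_link(link_header):
    """Return the rel="next" URL from a Link header value, or None."""
    for url, rel in _LINK.findall(link_header or ""):
        if rel == "next":
            return url
    return None

def fetch_all(first_url, fetch, max_pages=1000):
    """Follow "next" links and return every event as one combined list.
    fetch(url) -> (events, link_header) is a hypothetical callable that does
    the authenticated GET; it is injected so the loop can run offline."""
    events, url, seen = [], first_url, set()
    for _ in range(max_pages):               # hard cap as a last-resort exit
        if url is None or url in seen:       # no next link, or a link that loops
            break
        seen.add(url)
        page, link_header = fetch(url)
        if not page:                         # empty page: nothing left to read
            break
        events.extend(page)
        url = next_link(link_header)
    return events

def unique_users(events):
    """One entry per username, compared case-insensitively; first spelling wins."""
    seen = {}
    for e in events:
        name = (e.get("actor") or {}).get("alternateId")  # assumed username field
        if name:
            seen.setdefault(name.lower(), name)
    return list(seen.values())

# Constructed sample pages standing in for three API responses.
BASE = "https://example.okta.com/api/v1/logs?limit=2"
PAGES = {
    BASE: ([{"actor": {"alternateId": "ann@example.com"}},
            {"actor": {"alternateId": "bob@example.com"}}],
           f'<{BASE}>; rel="self", <{BASE}&after=p2>; rel="next"'),
    BASE + "&after=p2": ([{"actor": {"alternateId": "Ann@example.com"}}],
                         f'<{BASE}&after=p3>; rel="next"'),
    BASE + "&after=p3": ([], f'<{BASE}&after=p3>; rel="next"'),
}
```

The loop exits on three conditions (missing "next" link, a repeated link, or an empty page) so it terminates whether or not the last response still carries a "next" link.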
User App Access report
Use this report to view who can access applications and how the access was granted. You can also monitor their resource usage to help meet your org's audit and compliance requirements.
https://help.okta.com/en-us/content/topics/reports/access/user-app-access-report.htm
Thanks for this. At this point it would work but I am looking for a workflow because eventually it will parse the list and remove users automatically for lack of use. I will keep this for other use cases though.