
I was checking out the following video on ordering events:

https://www.googlecloudcommunity.com/gc/Chronicle-Best-Practices/Getting-to-Know-Chronicle-Building-a-Multi-Event-Rule-Ordering/ta-p/677993/jump-to/first-unread-message

I am unable to understand what the difference is between the `target.user.userid` and `principal.user.userid` fields.


Similar to the message on your other thread, there's the idea in UDM of a Principal being the one acting and the Target being the one acted upon. In some instances this is clear and intuitive. However, I often find myself digging into the logs to understand how various fields have been filled in.

In this instance, the principal user for a USER_CREATION event is going to be the user creating another user, while the target will be the new user account. Going further with this example:
  • tim.smith (principal.user.userid) created a user account called alice.young (target.user.userid)
  • The account alice.young was logged into and performed some actions
  • tim.smith then deleted the account.

Does that help?


In this example, the target_user is used as a placeholder variable and a common value that exists across all 3 types of events, a creation event, a login event and a deletion event.


The userid is defined in the events section as a placeholder variable but for our aggregation, we are also using it as a match variable so all of the events that occur in a 1 hour window with the same userid value are aggregated together.


The same field that is used to join events together does not need to be the same as the one that is being aggregated against. In fact when there are multiple joins across event variables, they don't need to always be on the same field either. So depending on the data sets, you could end up having a placeholder variable that bridged the principal.user.userid of one event and the target.user.userid of another event (for example).
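The tim.smith / alice.young sequence from the earlier reply and the placeholder and match variable mechanics described above, written out as a YARA-L 2.0 rule. This is an added example, not a rule from the thread or the linked video: the rule name, the `severity` value, the `$creator` and `$deleter` placeholders and the outcome variables are assumptions, and the login and deletion events use the UDM event types `USER_LOGIN` and `USER_DELETION`.

```yaral
rule user_created_logged_in_and_deleted {
  meta:
    author = "added example"
    description = "Account created, logged into, then deleted within one hour"
    severity = "MEDIUM"

  events:
    // Creation: the acting user (principal) creates the new account (target).
    // $target_user is a placeholder variable that every event in the rule
    // must resolve to the same value.
    $create.metadata.event_type = "USER_CREATION"
    $create.target.user.userid = $target_user

    // Login: the new account is used. Which field (target.user or
    // principal.user) carries the logged-in user depends on the log source's
    // parser, so confirm it against the raw log before relying on this line.
    $login.metadata.event_type = "USER_LOGIN"
    $login.target.user.userid = $target_user

    // Deletion: the same account is removed.
    $delete.metadata.event_type = "USER_DELETION"
    $delete.target.user.userid = $target_user

    // Ordering: creation before login, login before deletion. Without these
    // comparisons the three events only need to share the match window.
    $create.metadata.event_timestamp.seconds < $login.metadata.event_timestamp.seconds
    $login.metadata.event_timestamp.seconds < $delete.metadata.event_timestamp.seconds

    // Extra placeholders (assumed names) so the detection records who acted.
    $create.principal.user.userid = $creator
    $delete.principal.user.userid = $deleter

  match:
    // $target_user is also the match variable: events with the same userid
    // inside a one hour window are aggregated into one detection.
    $target_user over 1h

  outcome:
    $created_by = array_distinct($creator)
    $deleted_by = array_distinct($deleter)

  condition:
    $create and $login and $delete
}
```

The join does not have to be on the same UDM field in every event. If the login source populates `principal.user.userid` rather than `target.user.userid`, the line for `$login` becomes `$login.principal.user.userid = $target_user`, and the placeholder then bridges the target of the creation event to the principal of the login event, which is exactly the cross-field join described above.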


Thank you!

