You can now check a consumer's or customer's journey on their account through Elastic. This lets you see why they can't access their account, what steps they've already taken and their recent activity.
- How to investigate log in attempts
- How to investigate password reset requests?
- How do I know if they've received a password reset email?
- Setting the time range
- What strings can I use?
- What filters can I use?
How to investigate log in attempts
To find any recent log in attempts for a particular email address, use one of the following strings, depending on which type of account is having an issue logging in:
(1) custom_email:"email@domain.co.uk" – My Rightmove account
(2) application:customer-portal AND custom_email:"email@domain.co.uk" – Rightmove Plus account
The index pattern you need to search within is access-log_*. Set the time range you want to view (you can view up to 14 days) and hit enter or refresh.
You can then add some filters to find out more specific information. You'll most likely want to use the following:
- custom_email
- userIp
- custom_LoginType
- custom_loginevent
- custom_failCount
This will give you the information you need to troubleshoot the issue. You can also add other filters, such as agent and request, to aid your investigation.
How to investigate password reset requests?
To see if the email address has requested a password reset you’ll need to search via the IP address. Use the userIp:"XXX.XXX.X.XXX" string, set your timeframe and the following filters:
- custom_email
- request
- custom_loginType
- custom_failCount
IP addresses normally change after 24 hours unless they are static, so you will likely need to narrow down your time frame to a specific period.
How do I know if they've received a password reset email?
We can find out if the email address has received our password reset email by using another index pattern called exim_log_*. Use the env_rcpt:"email@domain.co.uk" string to see a full list of emails we have sent them. Set the timeframe and use the following filters:
- exim_msg_state
- exim_msg_id
The above screenshot shows that a single email has been delivered in the last 7 days so you will likely need to dig a little deeper to confirm it was the password reset email.
To do this, use exim_msg_id:"XXXX" and replace XXXX with the exim_msg_id. For the example above it would be exim_msg_id:"1piGSr-0003cL-Fs". Set your timeframe again if you need to and use the following filters:
- exim_msg_state
- exim_msg_id
- exim_subject
This confirms that the email was a Rightmove Forgotten Password request and that it was delivered.
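The two-step check above (recipient search to get the exim_msg_id, then message ID search to confirm subject and state), as an added Python example that is not part of the original page or of any Rightmove tooling. The documents are constructed samples; the state values ("received", "delivered", "deferred"), the subject text and the example.test addresses are assumptions, and only the field names come from this page.

```python
from collections import defaultdict

# Constructed sample of exim_log_* documents (not real data). Field names are
# the ones used on this page; state values and subject text are assumed.
SAMPLE_DOCS = [
    {"exim_msg_id": "1aaaaa-000001-AA", "exim_msg_state": "received",
     "exim_subject": "Forgotten password"},
    {"exim_msg_id": "1aaaaa-000001-AA", "exim_msg_state": "delivered",
     "env_rcpt": "user@example.test"},
    {"exim_msg_id": "1bbbbb-000002-BB", "exim_msg_state": "received",
     "exim_subject": "Forgotten password"},
    {"exim_msg_id": "1bbbbb-000002-BB", "exim_msg_state": "deferred",
     "env_rcpt": "user@example.test"},
    {"exim_msg_id": "1ccccc-000003-CC", "exim_msg_state": "received",
     "exim_subject": "Your saved search"},
    {"exim_msg_id": "1ccccc-000003-CC", "exim_msg_state": "delivered",
     "env_rcpt": "other@example.test"},
]


def query_string(field, value):
    # Escape backslashes and double quotes so a pasted value stays one
    # quoted literal and cannot change the shape of the query.
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{field}:"{escaped}"'


def reset_email_status(docs, recipient, subject_hint="forgotten password"):
    """Map each reset-email exim_msg_id for recipient to True if delivered."""
    # Step 1: message IDs logged against the recipient (the env_rcpt search).
    msg_ids = {d["exim_msg_id"] for d in docs if d.get("env_rcpt") == recipient}
    # Step 2: collect every log line for those IDs (the exim_msg_id search).
    by_id = defaultdict(list)
    for d in docs:
        if d["exim_msg_id"] in msg_ids:
            by_id[d["exim_msg_id"]].append(d)
    result = {}
    for msg_id, lines in by_id.items():
        subjects = [line.get("exim_subject", "").lower() for line in lines]
        # Keep only messages whose subject matches the reset email.
        if any(subject_hint in s for s in subjects):
            states = {line.get("exim_msg_state") for line in lines}
            result[msg_id] = "delivered" in states
    return result


if __name__ == "__main__":
    print(reset_email_status(SAMPLE_DOCS, "user@example.test"))
```

A message ID that maps to False was sent as a reset email but has no delivered state in the selected time range, which is the case to look into further.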
Setting the time range
Display data within a specified time range when your index contains time-based events, and a time-field is configured for the selected index pattern. The default time range is 15 minutes, but you can customize it in Advanced Settings.
- Click the time filter icon.
- Choose one of the following:
  - Quick select to use a recent time range, then use the back and forward arrows to move through the time ranges.
  - Commonly used to use a time range from options such as Last 15 minutes, Today, and Week to date.
  - Recently used date ranges to use a previously selected date range.
  - Refresh every to specify an automatic refresh rate.
- To set start and end times, click the bar next to the time filter. In the popup, select Absolute, Relative or Now, then specify the required options.
What strings can I use?
Please be aware that all strings are case sensitive.
- custom_email:"email@domain.co.uk" – My Rightmove account
- application:customer-portal AND custom_email:"email@domain.co.uk" – Rightmove Plus account
- userIp:"XXX.XXX.X.XXX" – IP address
- env_rcpt:"email@domain.co.uk" – Check if an email is delivered
- exim_msg_id:"XXXX" – message ID
What filters can I use?
- custom_email – user’s email address
- userIp – IP address
- agent – internet browser
- custom_loginStatus – log in status
- custom_redirectToPage – page they were redirected to
- request – page they went to
- perm_user_id – a unique ID given to a RM Plus user
- custom_sso2v – verification cookie
- custom_failCount – number of failed log in attempts
- custom_failStatus – number of failed attempts out of 5
- exim_msg_state – message status
- exim_msg_id – a unique ID for the email
- exim_subject – email subject