Sneaky Query... how did this happen?

Does this mean the only action taken during that login session was to disable? That doesn't sound like me at all. Is that even possible?

Only certain actions require the token (disable, enable, settings page actions, etc). Try grepping for part of the timestamp:

cat /var/log/lighttpd/access.log | grep 15022968

I take full responsibility for the site crashing for a couple minutes, I'm the problem child today. :wink:

edit: My apologies, you asked for a different command. I grepped that specific epoch second, here is your request:

edit2: if you have any control over the matter, it would be very helpful to have the timestamp already translated in the access log.

edit3: what does it mean when it has a URL in the access log instead of the Pi-hole's IP? I'm looking at grep 1502296 and there are several others.


(my yellow highlight)

That log shows that someone logged in to the web interface (the POST to /index.php?login) and 10 seconds later disabled the Pi-hole for 30 seconds.

The domains show that it was answering a redirected ad request. The URL is the original ad request URL and the domain is its domain.
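An added example, not part of the thread: a small shell helper that translates the epoch timestamps and flags a disable request that follows a web-interface login, the pattern described above. It assumes a pipe-delimited access log of the form `epoch|host|request|status|bytes` and GNU `date`; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Assumed log format (not shown in the thread): epoch|host|request|status|bytes
# The sample lines below are constructed; the third one shows an ad domain in
# the host field, as happens for a redirected ad request.
sample_log() {
cat <<'EOF'
1502296800|pi.hole|POST /admin/index.php?login HTTP/1.1|200|14164
1502296810|pi.hole|GET /admin/api.php?disable=30&token=REDACTED HTTP/1.1|200|21
1502296815|ads.example.com|GET /banner.js HTTP/1.1|200|0
1502296900|pi.hole|GET /admin/api.php?disable=300&token=REDACTED HTTP/1.1|200|21
EOF
}

# Replace the leading epoch field with a UTC timestamp (requires GNU date).
translate_times() {
    while IFS='|' read -r ts rest; do
        printf '%s|%s\n' "$(date -u -d "@$ts" '+%Y-%m-%dT%H:%M:%SZ')" "$rest"
    done
}

# Print each disable request seen within $1 seconds (default 60) of the most
# recent login POST. Output columns: login_epoch disable_epoch seconds_apart
disable_after_login() {
    awk -F'|' -v window="${1:-60}" '
        $3 ~ /^POST [^ ]*index\.php\?login/ { login = $1; next }
        $3 ~ /api\.php\?disable/ && login != "" && $1 - login <= window {
            print login, $1, $1 - login
        }'
}

# Stand-alone run over the constructed sample.
sample_log | translate_times
sample_log | disable_after_login 60
```

On a real system, replace `sample_log` with `cat /var/log/lighttpd/access.log` after confirming the field order matches the assumed format.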