Finding popular CAS services with Splunk

Let’s find out what services are using our CAS server for authentication using Splunk Enterprise. To start review my CAS+Splunk configuration from my last post.

We need to add a new field extraction for service_url like I did below.

service_url

Then I started with the following query:

index=authentication service_ticket_created|top limit=40 service_url

This worked, however, it returned duplicate entries when there was a difference after the question mark in the URL. Since this was not desired I used the following regular expression to strip the GET variables from the URL.

index=authentication service_ticket_created
|rex field=service_url "^(?<stripped_url>.+?)\?" 
|top limit=40 stripped_url

This did not work. It removed all entries that didn’t include a question mark at all. Instead of coming up with a better regular expression I simply used an eval() statement to display the original url if “stripped_url” was null.

index=authentication service_ticket_created
|rex field=service_url "^(?<stripped_url>.+?)\?" 
|eval url=if(isnull(stripped_url),service_url,stripped_url)
|top limit=40 url

This worked and gave the following graph. Because there was such a variance in our top services, I switched the graph scale to logarithmic.

Graphed Results

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.