Finding popular CAS services with Splunk
August 14, 2014 - Splunk
Let’s find out what our popular CAS services are by pulling the server’s authentication logs into Splunk Enterprise. To start, review my CAS+Splunk configuration from my last post.
We need to add a new field extraction for service_url, as I did below.
Then I started with the following query:
index=authentication service_ticket_created|top limit=40 service_url
This worked; however, it returned duplicate entries whenever the URLs differed only after the question mark. Since this was not desired, I used the following regular expression to strip the GET variables from the URL.
index=authentication service_ticket_created |rex field=service_url "^(?<stripped_url>.+?)\?" |top limit=40 stripped_url
This did not work. It removed all entries that didn’t include a question mark at all. Instead of coming up with a better regular expression I simply used an eval() statement to display the original url if “stripped_url” was null.
index=authentication service_ticket_created |rex field=service_url "^(?<stripped_url>.+?)\?" |eval url=if(isnull(stripped_url),service_url,stripped_url) |top limit=40 url
This worked and gave the following graph. Because there was such a variance in our top services, I switched the graph scale to logarithmic.
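The same three steps (extract service_url, strip the GET parameters, count the top services) reproduced in Python over constructed CAS-style log lines, as an added example that is not from the original post. The log format and the service_url extraction pattern are assumptions; real CAS audit logs and field extractions are site-specific. It also shows which events the first rex attempt silently dropped and a single-regex alternative that needs no null check.

```python
import re
from collections import Counter

# Constructed sample lines in a simplified CAS audit format (assumption:
# the real log layout and the service_url field extraction differ per site).
SAMPLE_LOG = """\
2014-08-14T10:00:01 ACTION: service_ticket_created WHAT: ST-1 for https://wiki.example.edu/login?next=/Home
2014-08-14T10:00:02 ACTION: service_ticket_created WHAT: ST-2 for https://wiki.example.edu/login?next=/Docs
2014-08-14T10:00:03 ACTION: service_ticket_created WHAT: ST-3 for https://mail.example.edu/
2014-08-14T10:00:04 ACTION: service_ticket_created WHAT: ST-4 for https://wiki.example.edu/login
2014-08-14T10:00:05 ACTION: ticket_granting_ticket_created WHAT: TGT-1 for user alice
2014-08-14T10:00:06 ACTION: service_ticket_created WHAT: ST-5 for https://mail.example.edu/?folder=inbox
"""

# Stand-in for the service_url field extraction (hypothetical pattern).
SERVICE_URL = re.compile(r"service_ticket_created .* for (?P<service_url>\S+)")
# The post's rex pattern: only matches when a '?' is present.
STRIP_POST = re.compile(r"^(?P<stripped_url>.+?)\?")
# Single-regex alternative: stop at the first '?' whether or not one exists.
STRIP_SINGLE = re.compile(r"^(?P<stripped_url>[^?]+)")

def service_urls(log: str) -> list[str]:
    """Field-extraction step: service_url for every service_ticket_created event."""
    return [m.group("service_url") for line in log.splitlines()
            if (m := SERVICE_URL.search(line))]

def strip_query_with_fallback(url: str) -> str:
    """rex + eval from the post: use the stripped URL, else fall back to the original."""
    m = STRIP_POST.match(url)
    stripped = m.group("stripped_url") if m else None  # rex leaves the field null on no match
    return url if stripped is None else stripped       # eval url=if(isnull(stripped_url),...)

def strip_query_single(url: str) -> str:
    """Same result with one regex, so no isnull() check is needed."""
    return STRIP_SINGLE.match(url).group("stripped_url")

def top_services(log: str, limit: int = 40) -> list[tuple[str, int]]:
    """| top limit=N url : most frequent services after stripping GET parameters."""
    return Counter(strip_query_with_fallback(u) for u in service_urls(log)).most_common(limit)

def dropped_by_rex_alone(log: str) -> list[str]:
    """Events the post's second query lost: service URLs without any '?'."""
    return [u for u in service_urls(log) if STRIP_POST.match(u) is None]

if __name__ == "__main__":
    for url, count in top_services(SAMPLE_LOG):
        print(f"{count:4d}  {url}")
```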
Finding popular CAS services using Splunk can give you useful insight into your users’ behavior and help you understand your IT landscape a little better.