close up photography of smartphone icons

Finding popular CAS services with Splunk

Let’s find out what our popular CAS services are by pulling our authentication logs for the server into Splunk Enterprise. To start review my CAS+Splunk configuration from my last post.

We need to add a new field extraction for service_url like I did below.


Then I started with the following query:

index=authentication service_ticket_created|top limit=40 service_url

This worked, however, it returned duplicate entries when there was a difference after the question mark in the URL. Since this was not desired I used the following regular expression to strip the GET variables from the URL.

index=authentication service_ticket_created
|rex field=service_url "^(?<stripped_url>.+?)\?" 
|top limit=40 stripped_url

This did not work. It removed all entries that didn’t include a question mark at all. Instead of coming up with a better regular expression I simply used an eval() statement to display the original url if “stripped_url” was null.

index=authentication service_ticket_created
|rex field=service_url "^(?<stripped_url>.+?)\?" 
|eval url=if(isnull(stripped_url),service_url,stripped_url)
|top limit=40 url

This worked and gave the following graph. Because there was such a variance in our top services, I switched the graph scale to logarithmic.

Graphed Results

Finding popular CAS services using Splunk can give you useful insight into your users’ behavior and help you understand your IT landscape a little better.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: