> > Nothing that follows every service access -- I think that will require some
> > unusual joins.
I got a working query that wasn't too bad:

    index=mwcas sourcetype=mwcas-audit
    | rex "(?<tgt>TGT-[A-Za-z0-9_-]+)"
    | rex "(?<service>https://[A-Za-z0-9._/-]+)"
    | transaction tgt maxspan=10h keepevicted=true
    | regex principal="[A-Za-z0-9_.-]+@.*"
    | chart count by service

The key was to create on-demand field extractions using rex to look anywhere in the audit entry for the correlating TGT.

FWIW, the purpose of the query is to identify what services our guest users (identified by email addresses) are accessing.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
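The same correlation as the Splunk query above, rewritten in Python so the grouping and counting semantics can be checked offline; this is an added example, not code from the poster or from the CAS project, and the audit records it runs on are constructed, simplified single-line entries (an ISO timestamp, a `principal=` field, the TGT and, for service tickets, the service URL) rather than real CAS audit output.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Field extractions mirroring the rex/regex patterns in the posted query.
TGT_RE = re.compile(r"(?P<tgt>TGT-[A-Za-z0-9_-]+)")
SERVICE_RE = re.compile(r"(?P<service>https://[A-Za-z0-9._/-]+)")
PRINCIPAL_RE = re.compile(r"principal=(?P<principal>\S+)")
GUEST_RE = re.compile(r"[A-Za-z0-9_.-]+@.*")  # guests are identified by an e-mail address

# Constructed, simplified audit records (not real CAS output), one per line.
SAMPLE_AUDIT = """\
2023-05-01T08:00:00 principal=guest@example.org TGT-1-abcDEF TICKET_GRANTING_TICKET_CREATED
2023-05-01T08:01:00 principal=guest@example.org ST-1-aaa for https://wiki.example.edu/login TGT-1-abcDEF SERVICE_TICKET_CREATED
2023-05-01T09:30:00 principal=guest@example.org ST-2-bbb for https://lms.example.edu/cas TGT-1-abcDEF SERVICE_TICKET_CREATED
2023-05-01T08:06:00 principal=jsmith ST-3-ccc for https://wiki.example.edu/login TGT-2-ghiJKL SERVICE_TICKET_CREATED
2023-05-01T10:00:00 principal=visitor@partner.com TGT-3-mnoPQR TICKET_GRANTING_TICKET_CREATED
2023-05-01T10:05:00 principal=visitor@partner.com ST-4-ddd for https://wiki.example.edu/login TGT-3-mnoPQR SERVICE_TICKET_CREATED
2023-05-02T02:00:00 principal=visitor@partner.com ST-5-eee for https://wiki.example.edu/login TGT-3-mnoPQR SERVICE_TICKET_CREATED
"""

def build_transactions(lines, maxspan_hours=10):
    """Group records by TGT like `transaction tgt maxspan=10h keepevicted=true`."""
    maxspan = timedelta(hours=maxspan_hours)
    current, transactions = {}, []
    for line in sorted(lines):                      # ISO timestamps sort chronologically
        tgt_match = TGT_RE.search(line)
        if not tgt_match:
            continue                                # no TGT anywhere in the record: cannot correlate
        tgt = tgt_match.group("tgt")
        ts = datetime.fromisoformat(line.split(" ", 1)[0])
        txn = current.get(tgt)
        # A record more than maxspan after the group's first record starts a new group;
        # the evicted older group is kept (keepevicted=true) instead of being dropped.
        if txn is None or ts - txn["start"] > maxspan:
            txn = {"tgt": tgt, "start": ts, "principals": set(), "services": set()}
            current[tgt] = txn
            transactions.append(txn)
        for pattern, key in ((PRINCIPAL_RE, "principals"), (SERVICE_RE, "services")):
            m = pattern.search(line)
            if m:
                txn[key].add(m.group(1))
    return transactions

def guest_service_counts(audit_text, maxspan_hours=10):
    """Per service, count the guest (e-mail principal) sessions that reached it."""
    counts = Counter()
    for txn in build_transactions(audit_text.splitlines(), maxspan_hours):
        if any(GUEST_RE.fullmatch(p) for p in txn["principals"]):
            counts.update(txn["services"])          # one count per service per session
    return counts
```

Note that `maxspan` changes the numbers: the visitor session above is split at the 10-hour boundary, so the wiki service is counted once for each half, which is also how Splunk's `chart count by service` behaves over the split transactions.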
