Splunk

[jlangy]

Reporting

We are using splunk as a reporting tool for our rh-sso instance.

Querying

You can search through our sso logs with sql using the | es sql="..." syntax. Make sure that your sql query limits the number of results as much as possible before piping into other splunk commands. SQL is limited to 1,000,000 events and will drop any over that amount, as well as run much more quickly. e.g use group by in your sql if possible instead of aggregating in a plunk chart.

Our data

The returned value from our sso-logs can include the following fields:

• client.ip
• container.id
• container.labels.namespace
• container.labels.pod
• container.name
• event.category
• event.created
• event.dataset
• event.id
• event.ingested
• event.module
• event.original
• event.outcome
• host.id
• host.name
• labels.audit_client_auth_method
• labels.audit_client_id
• labels.audit_code_id
• labels.audit_grant_type
• labels.audit_message
• labels.audit_realm_id
• labels.audit_refresh_token_id
• labels.audit_refresh_token_type
• labels.audit_scope
• labels.audit_token_id
• labels.audit_type
• labels.pipeline
• labels.relay_id
• log.level
• log.logger
• log.syslog.application
• log.syslog.facility.code
• log.syslog.severity.code
• organization.id
• user.id
• Time
• _time