I'm working on creating a report to monitor VPN usage based on unique user per day. I was able to get the format I want done but I'm having trouble filtering unique users by day over 30 days. index=network sourcetype=cisco:asa device_name="*vpnfrw01" eventtype=cisco_vpn_* log_level=4 Username=* | dedup _time | rex "Duration: (?<h>\d+)h:(?<m>\d+)m:(?<s>\d+)s," | fillnull value=0 h m s | eval duration=h*(60*60)+m*60+s | eval end=_time | eval start=end-duration | eval start=strftime(start, "%x %X") | eval duration=h."h:".m."m:".s."s" | eval logon = if(group="piv_group", "PIV", "RSA") | stats count by start userIdentity logon duration userEmployeeType userDivision userNick userEmail | table start userIdentity logon duration userEmployeeType userDivision userNick userEmail | rename start as "Date" duration as "Total Session Time" userNick as "Account Name" logon as "Logon Type" userDivision as Division userEmail as Email userEmployeeType as "Employee Type" userIdentity as "User" | sort Date desc | search User=* It's output looks like this: Date User Logon Type Total Session Time Employee Type Division Account Name Email 02/14/2017 7:30 user1 PIV 0h:09m:43s Contractor IT User 1 email1@gmail.com 02/14/2017 6:04 user3 PIV 0h:35m:54s Contractor IT User 3 email3@gmail.com 02/13/2017 23:50 user2 PIV 0h:06m:24s Contractor IT User 2 email2@gmail.com I need to be able to only find unique users per day keeping this format. ... View more

I'm trying to create a simple report that shows the number of unique users logged into our Cisco ASA over the course of time. One report would be 24 hours and the other would be 30 days. tstats comes to mind when I want to create my search so my report doesn't take an hour to complete but it seems I can't get a result despite the many formats I try the command. Here is what I figured would work: |tstats dc(user) WHERE sourcetype=cisco:asa BY _time span=1h I get a simple table but the counts don't seem to show. Where am I going wrong? ... View more

I'm trying to create a report that details our VPN usage over the course of a month. I've got the base of the report completed and the last thing I'm trying to do is correlate login information with our Active Directory lookup file. The problem is depending on the method people use to log in, the Username value will differ. If they use RSA, their user ID is displayed. If they use PIV, either their common name is displayed or another link to their PIV card is displayed. Again, all of that falls under the Username field. I have all the necessary information to match the users in the lookup file, but because all the Username information falls in the same field in the event, I'm having a hell of a time trying to figure out how I would match it to the lookup for each circumstance. base search |eval logon = if(group="piv_group", "PIV", "RSA") |eval piv=if(like(Username, "%@pivcard.com"), Username, "") |lookup ad_users identity as Username, PIVAddress as piv |eval Nickname=last.", ".first |eval email=lower(email) |table start Username logon duration employeeType division Nickname email |rename duration as "Total Session Time" start as "Date" Nickname as "Account Name" logon as "Logon Type" division as Division email as Email Username as "Last Login Username" employeeType as "Employee Type" For my lookup command, if I just map idendity to Username or PIVAddress to piv , I get the correct values from the lookup. I just haven't been able to get them both simultaneously. ... View more