- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- I am trying to show VPN connection times with the ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to show VPN connection times with the time of day
I am trying to show how long someone has been connected to the VPN for the last X days. There is an action field with the results of "connected" or "closed". How do I show the times in between as connected time then send the connected time with the start times and days to a visualization?
index=vpn NOT user=System user=Billy juniper_sslvpn_action!=NULL juniper_sslvpn_action!=succeeded
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
index=vpn NOT user=System sslvpn_action!=NULL juniper_sslvpn_action!=succeeded
| bucket _time span=1d
| streamstats count(eval(juniper_sslvpn_action="closed")) AS sessionID BY _time user
| stats range(_time) AS duration BY sessionID user
| stats sum(duration) AS total_connected_time BY user _time
| eval total_connected_time = tostring(total_connected_time, "duration")
| fieldformat _time = strftime(_time, "%b %d")
| field - sessionID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By "times" I mean length of time connected to VPN each day.
May 20 -- JJones -- 7 hours 6 min
May 19 -- JJones -- 6 hours 54 min
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try my updatef answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There was an error in the last two lines....
Unknown search command 'field'.
Error in 'fieldformat' command: The expression is malformed. Expected ).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had a typo in the strftime but I fixed it; try again.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is closer to what I am looking for. How do I show connection times by day?
Basically a search I where I can input a userID and it will show how long they were connected to the VPN by the day.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By "times" do you mean "count" or "list of in/out pairs"?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
After your search you have to correlate events using e.g. TransactionId or user and Ip or identifying start and end transaction strings.
In this way, you'll have an additional field called "duration" that you can sum.
Something like this:
Your_search
| transaction user IP startswith="start_string" endswith="end_string"
| stats sum(duration) AS total by user
Bye.
Giuseppe
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
