Hi all,
I've been working on getting the number of active VPN users from our ASA logs by a simple query to get the latest event for a user+IP and checking if it's a vpn_start event, and counting the total.
Premise being that if a start event has been last logged, the session is still currently active:
index=ciscoasa (eventtype="cisco_vpn_start" OR eventtype="cisco_vpn_end")
| dedup user, src_ip sortby -_time
| eval Active=if(eventtype="cisco_vpn_start",1,null())
| stats count(Active)
This works fine at a point in time when I run the search/refresh the dashboard etc. However, I want to be able to timechart this over a day/week to show me how many active connections I have at different intervals of the day, i.e.
at
7am - 10 active sessions
7:30am - 15 active sessions
8am - 20 active sessions
8:30am - 30 active sessions
I only want it to show the active sessions at that particular point in time, not how many sessions were started/stopped in the interval prior, so some way of "executing" the search at different times and mapping the results. Or if there's a better way.
Any thoughts or suggestions?
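One way to get the per-interval concurrency asked for above, as an added example rather than a query from the original thread or the linked answer: treat each start as +1 and each end as -1, bucket the net change per interval, and carry a running total forward. It assumes the same index and eventtypes as the query in the question.

```spl
index=ciscoasa (eventtype="cisco_vpn_start" OR eventtype="cisco_vpn_end")
``` +1 when a session opens, -1 when it closes ```
| eval delta=if(eventtype="cisco_vpn_start", 1, -1)
``` net change per 30-minute bucket; empty buckets become 0 so the total carries ```
| timechart span=30m sum(delta) as net_change
| fillnull value=0 net_change
``` running total = sessions still open at the end of each bucket ```
| streamstats sum(net_change) as active_sessions
| fields _time active_sessions
```

Sessions that began before the search window, or that never logged an end event, skew the running total, so validate a few buckets against the point-in-time dedup query from the question before trusting the chart.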
I know this is old but did you ever come up with a query that worked over time?
You should be able to easily adapt my answer from this question:
https://answers.splunk.com/answers/319585/how-to-graph-the-number-of-active-sessions-over-ti.html