
Looking for a search that will provide the duration of time a VPN user was seen online

bluemarvel
Path Finder

The search should provide the time period in which the user was logged through VPN and possibly when the IP lease is up.

0 Karma

anthonymelita
Contributor

Take a look at the transaction command. You select one or more fields to key on and your search merges the matching events into a single transaction and auto-calculates duration. There are a handful of optional arguments for tuning as well to do stuff like limit or capture gaps in events.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction

0 Karma
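A self-contained sketch of the transaction approach described in the answer above, added here as an example and not taken from any poster's search. It runs on constructed events built with makeresults; the field names user, virtual_ip and action are assumptions, because the thread shows no sample of the VPN log.

```spl
| makeresults count=5
| eval sample_note = "constructed events; user, virtual_ip and action are assumed field names"
| streamstats count AS n
| eval _time = relative_time(now(), "@d") + case(n=1, 28800, n=2, 30600, n=3, 43200, n=4, 36000, n=5, 61200)
| eval user = case(n=1 OR n=3, "alice", n=2 OR n=4, "bob", n=5, "carol")
| eval virtual_ip = case(user="alice", "10.8.0.11", user="bob", "10.8.0.12", user="carol", "10.8.0.13")
| eval action = case(n=1 OR n=2 OR n=5, "connect", true(), "disconnect")
| sort 0 -_time
| transaction user virtual_ip startswith=eval(action="connect") endswith=eval(action="disconnect") maxspan=24h keepevicted=true
| eval session_start = strftime(_time, "%F %T")
| eval session_end = if(closed_txn=1, strftime(_time + duration, "%F %T"), "no disconnect seen")
| eval online_for = if(closed_txn=1, tostring(duration, "duration"), "open")
| table user virtual_ip session_start session_end online_for
```

Against real data, replace everything up to the sort with the base search and its field extractions. Sessions that have a connect but no matching disconnect are kept by keepevicted=true and reported as open instead of being dropped.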

niketn
Legend

@bluemarvel, community members will be able to assist you with your query if you provide more details of what your VPN data looks like in case user logs in or logs out (this should include timestamp, unique ID for logged in user and field indicating Login and Logout).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

nickhills
Ultra Champion

Can you give us some sample logs, or at least a clue as to what the VPN solution is?

If my comment helps, please give it a thumbs up!
0 Karma

bluemarvel
Path Finder

Below is the query:

index=enterprise sourcetype="callzone:vpn" source="/var/log/vpn.log" "virtual IP" | streamstats current=f global=f window=1 last(_time) as last_ts | eval time_since_last = _time - last_ts | fieldformat time_since_last = tostring(time_since_last, "duration")

I would like to gauge the duration of how long the user-VPN IP was online; this query is not working to the extent I would like.

0 Karma