Hi,
I am creating a search to find the users that are actually connected with VPN. In the Cisco logs, I can only see the events of connect or disconnect.
I have created a search with append to join two searches, but the results show how many times the user has connected and disconnected.
My search:
index=my_index %ASA-6-113004 | rex field=_raw ".*:\s+AAA\s+(?:[^:]+).*user\s+=\s+(?<user_connected>[^$]+)" | rename user_connected AS user | top user showperc=false | append [search index=firewall %ASA-4-113019 | rex field=_raw ".*Username\s+=\s+(?<user_disconnected>[^,]+).*,\s+(?:[^.]+)" | rename user_disconnected as user | top user showperc=false]
and the result is:
user count
test 3 (number of times is disconnected)
test 4 (number of times is connected)
How can I create a search that only shows the users actually connected?
thanks
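
One way to answer the question above, as an added example that is not part of the original post: instead of counting connects and disconnects separately, keep only each user's most recent event and list the users whose latest event is a connect. It assumes, as the post does, that %ASA-6-113004 marks a connect and %ASA-4-113019 a disconnect; the simplified `rex` patterns and the field names `state` and `last_event` are assumptions made for this example.

```spl
(index=my_index "%ASA-6-113004") OR (index=firewall "%ASA-4-113019")
| rex field=_raw "user\s+=\s+(?<user>\S+)"
| rex field=_raw "Username\s+=\s+(?<user>[^,]+)"
| eval state=case(match(_raw, "%ASA-6-113004"), "connected",
                  match(_raw, "%ASA-4-113019"), "disconnected")
| stats latest(state) AS state, latest(_time) AS last_event BY user
| where state="connected"
| eval last_event=strftime(last_event, "%Y-%m-%d %H:%M:%S")
| table user last_event
```

The time range has to reach back further than the longest expected session, otherwise a user whose connect event falls outside the window is missed. A user with several parallel sessions is reported by the latest event only.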