Hi all,
I've been working on getting the number of active VPN users from our ASA logs with a simple query that gets the latest event for a user+IP, checks if it's a vpn_start event, and counts the total. The premise being that if a start event was the last one logged, the session is still currently active:
index=ciscoasa (eventtype="cisco_vpn_start" OR eventtype="cisco_vpn_end")
| dedup user, src_ip sortby -_time
| eval Active=if(eventtype="cisco_vpn_start",1,null())
| stats count(Active)
This works fine at a point in time when I run the search/refresh the dashboard etc. However, I want to be able to timechart this over a day/week to show me how many active connections I have at different intervals of the day, i.e.:
7am - 10 active sessions
7:30am - 15 active sessions
8am - 20 active sessions
8:30am - 30 active sessions
I only want it to show the active sessions at that particular point in time, not how many sessions were started/stopped in the interval prior, so some way of "executing" the search at different times and mapping the results. Or if there's a better way.
Any thoughts or suggestions?
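The premise in the post (a user+IP pair is active if its latest event is a start), evaluated at every interval boundary instead of only at search time. This is an added example, not part of the original post and not Splunk code; the events are constructed, and the function name and 30-minute step are assumptions.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
# Constructed sample events (not real ASA logs): (time, user, src_ip, eventtype)
EVENTS = [
    ("2024-01-08 06:50", "alice", "198.51.100.10", "cisco_vpn_start"),
    ("2024-01-08 07:10", "bob", "198.51.100.20", "cisco_vpn_start"),
    ("2024-01-08 07:20", "alice", "198.51.100.10", "cisco_vpn_end"),
    ("2024-01-08 07:25", "bob", "198.51.100.20", "cisco_vpn_start"),  # repeated start
    ("2024-01-08 07:40", "carol", "203.0.113.5", "cisco_vpn_start"),
    ("2024-01-08 08:05", "bob", "198.51.100.20", "cisco_vpn_end"),
    ("2024-01-08 08:10", "alice", "203.0.113.77", "cisco_vpn_start"),
]


def active_sessions(events, first, last, step_minutes=30):
    """Return [(HH:MM, count)]: pairs whose latest event at that time is a start."""
    ordered = sorted((datetime.strptime(t, FMT), u, ip, e) for t, u, ip, e in events)
    state = {}  # (user, src_ip) -> True when the latest event seen is a start
    active = 0
    i = 0
    samples = []
    t = datetime.strptime(first, FMT)
    end = datetime.strptime(last, FMT)
    while t <= end:
        # Apply every event logged at or before this sample time.
        while i < len(ordered) and ordered[i][0] <= t:
            _, user, ip, etype = ordered[i]
            is_start = etype == "cisco_vpn_start"
            was_active = state.get((user, ip), False)
            # A repeated start or a stray end leaves the count unchanged.
            active += int(is_start) - int(was_active)
            state[(user, ip)] = is_start
            i += 1
        samples.append((t.strftime("%H:%M"), active))
        t += timedelta(minutes=step_minutes)
    return samples


if __name__ == "__main__":
    for label, count in active_sessions(EVENTS, "2024-01-08 07:00", "2024-01-08 08:30"):
        print(label, count)
```

The 07:00 sample only counts alice because her 06:50 start is in the input: the events fed in have to reach back further than the first charted interval, or sessions already open at that point are missed.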