topic Re: Cisco VPN total user duration in All Apps and Add-ons

Cisco VPN total user duration

boss3668 — Mon, 28 Sep 2020 11:45:35 GMT

i would like to total the time that each user is logged in to the VPN.

This is what one of my logs looks like.

Apr 30 00:48:25 "ip_address" Apr 30 2012 00:48:25: %ASA-4-113019: Group = "Group",
Username = "User", IP = "ip_address",
Session disconnected. Session Type: SSL, Duration: 1h:59m:24s, Bytes xmt: 86659734,
Bytes rcv: 4557700, Reason: User Requested
host="ip_address" | Group="Group" | Username="User" | Session_Type=Session Type: SSL | Duration=1h:59m:24s

After totaling the durations i would like to graph each user.
I have tried to use (eval, stats, and strptime) but cannot get any to work on this correctly.

If someone could help. What would the search string look like in order to do this?

Thank You

Re: Cisco VPN total user duration

ziegfried — Mon, 30 Apr 2012 17:55:40 GMT

... | rex field=Duration "((?<dur_h>\d+)h:)?(?<dur_m>\d+)m:(?<dur_s>\d+)s" | eval duration=dur_s+60*dur_m+3600*coalesce(dur_h,0) | stats sum(duration) as total_duration by Username

Re: Cisco VPN total user duration

sowings — Mon, 30 Apr 2012 18:19:19 GMT

You could also | eval dur=strptime(Duration, "%Hh:%Mm:%Ss")

Re: Cisco VPN total user duration

ziegfried — Mon, 30 Apr 2012 18:23:53 GMT

It's a different result, though. This will result in Today's epoch time plus the duration.

Re: Cisco VPN total user duration

boss3668 — Mon, 30 Apr 2012 18:36:55 GMT

The answer from ziegried does return results without error. The Username field is shown with the usernames listed but the total_duration field that is created is blank. Any ideas on why that would be?

Re: Cisco VPN total user duration

ziegfried — Mon, 30 Apr 2012 18:39:38 GMT

There's a field "Duration" in your results, right?

Re: Cisco VPN total user duration

sowings — Mon, 30 Apr 2012 18:50:59 GMT

Hmm, noted. It seems that mktime (available in convert) does the same thing. Seconds math it is!

Re: Cisco VPN total user duration

boss3668 — Mon, 28 Sep 2020 11:45:38 GMT

correct, "Duration" is exactly as it appears in the log statement from my initial question. That is definitely the field we are trying to get the cumulative duration of a user from It did create the total_duration field and the Usernames were listed just no data at all in the total_duration output.

Re: Cisco VPN total user duration

ziegfried — Mon, 30 Apr 2012 20:57:30 GMT

if you execute the search without the trailing stats command, can you see any extracted dur_* fields?

... | rex field=Duration "((?<dur_h>\d+)h:)?(?<dur_m>\d+)m:(?<dur_s>\d+)s" | eval duration=dur_s+60*dur_m+3600*coalesce(dur_h,0) | table dur*

Re: Cisco VPN total user duration

boss3668 — Tue, 01 May 2012 12:33:57 GMT

No, I get no results found. Sorry if i'm missing something small, i'm very new to splunk. It doesn't return an error, but it does not return any extracted dur_* fields

Re: Cisco VPN total user duration

ziegfried — Wed, 02 May 2012 08:31:12 GMT

Can you see the field "Duration" in the field picker (on the left side)? What's the exact search you're running?

Re: Cisco VPN total user duration

boss3668 — Wed, 02 May 2012 13:54:55 GMT

I re-ran the search with just the host and your search and I did get results! now I have to figure out how to turn it back into human readable time, but it looks like the string you sent works great, I must have messed something up when I tried it before. Thank you for the great help with this.

Re: Cisco VPN total user duration

eegilbert — Wed, 30 May 2012 20:42:55 GMT

Hi, I'm very glad to have found this thread as I am trying to get the same information from Splunk, however I'm not getting any results past the table, which only contains the user names. I've even tried shortening the query to the table portion, however I still do not receive data.

Re: Cisco VPN total user duration

sowings — Mon, 28 Sep 2020 11:53:22 GMT

The original log event looks something like this:

Apr 30 00:48:25 "ip_address" Apr 30 2012 00:48:25: %ASA-4-113019: Group = "Group", Username = "User", IP = "ip_address", Session disconnected. Session Type: SSL, Duration: 1h:59m:24s, Bytes xmt: 86659734, Bytes rcv: 4557700, Reason: User Requested

By default, Splunk will do automatic Key=Value extraction, meaning that in this case, it will only find Group, Username, and IP. You'll have to write field extraction rules to collect the other values from the log event.

Re: Cisco VPN total user duration

eegilbert — Thu, 31 May 2012 17:16:29 GMT

Thank you, Sowings. That was the hint I needed. I created a field called duration with the field extractor and then made sure it was one of the selected fields.

Re: Cisco VPN total user duration

gilbou — Thu, 12 Feb 2015 11:00:01 GMT

rex field=Duration

duration must have a lower case "d" for it to work

Re: Cisco VPN total user duration

gilbou — Thu, 12 Feb 2015 11:01:33 GMT

In the 1st search posted, rex field=Duration

duration must have a lower case "d" for it to work