topic Re: How to find concurrent VPN users per hour? in Splunk Search

How to find concurrent VPN users per hour?

jwalzerpitt — Wed, 30 Sep 2020 04:38:41 GMT

We are using pulse secure as our VPN solution and I'm looking to build a search that tracks concurrent users per hour. Using my account as a test, I see the first event starts with, "Primary authentication successful for*" and ends with "Closed connection*" so based on that I created the following search:

index=foo 
| transaction startswith="Primary authentication successful for*" endswith="Closed connection*"
| eval count=1 
| timechart per_hour(eval(count)) as "Concurrent Users"

Is this a valid search for concurrent users?

Thx

Re: How to find concurrent VPN users per hour?

jpolvino — Mon, 16 Mar 2020 16:30:46 GMT

One solution is to use the concurrency command. You'll need to calculate your duration.

(your search)
| eval duration=(VPN session duration in minutes)
| eval new_start = _time - duration
| concurrency start=new_start duration=duration output=overlap
| timechart span=1h max(overlap)

You can change your timechart span to fit your need.

Here is the concurrency man page: https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Concurrency

Re: How to find concurrent VPN users per hour?

jwalzerpitt — Mon, 16 Mar 2020 18:05:56 GMT

Thx for the reply and info. The transaction command automatically created the duration field with values so I tried the following search:

index=foo 
| transaction startswith="Primary authentication successful for*" endswith="Closed connection*" 
| eval new_start = _time - duration 
| concurrency start=new_start duration=duration output=overlap 
| timechart span=1h max(overlap)

but the number of concurrent users is too low and not lining up

Thx

Re: How to find concurrent VPN users per hour?

jpolvino — Mon, 16 Mar 2020 18:57:57 GMT

The transaction command is not good for large volumes, and I have had issues with it. Some people will recommend using the stats command like this, assuming you have a unique identifier to group by:

(your search here)
| eval StartTime=if(match(_raw, "start_pattern"), _time, null())
| eval EndTime=if(match(_raw, "end_pattern"), _time, null())
| stats earliest(StartTime) as StartTime latest(EndTime) as EndTime by vpnID
| eval elapsed=EndTime-StartTime

At this point, you should be able to get a nice tabular view that can help with verifying your data, prior to moving on with concurrency.

Re: How to find concurrent VPN users per hour?

cnmccown — Thu, 19 Mar 2020 16:36:28 GMT

Did you get a good query working for your Pulse Secure VPN? I'm working on this as well. Everything I try gives me lower numbers than what the appliance shows in the concurrent users.

Re: How to find concurrent VPN users per hour?

jwalzerpitt — Thu, 19 Mar 2020 19:00:18 GMT

@cnmccown - I did not as I get lower numbers as well

Re: How to find concurrent VPN users per hour?

cnmccown — Thu, 19 Mar 2020 19:02:08 GMT

Alright - thanks for the response. I'll let you know if I get a query worked out.

Re: How to find concurrent VPN users per hour?

jwalzerpitt — Thu, 19 Mar 2020 19:42:06 GMT

Would greatly appreciate it.

Re: How to find concurrent VPN users per hour?

cnmccown — Wed, 30 Sep 2020 04:41:55 GMT

So I actually found a pretty simple solution for this.
You can enable "Event" logs from the VPN appliance to by syslogged (or Universal Forwarded) to your Splunk instance. Part of the Event logs are that every hour on the hour, it will generate a log entry for number of concurrent users and number of NCP connections. Now, I can just look for the log entry every hour and plot the concurrent users. The Pulse Secure App for Splunk automatically field extracted this information for me.

Very simple query for a line chart:
index=XXX concurrent_users="*" | table _time, concurrent_users

Re: How to find concurrent VPN users per hour?

jwalzerpitt — Wed, 25 Mar 2020 11:54:25 GMT

Awesome - thx so much!