All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cisco ASA: How to display a table with information about start and end, and the total time of the user on the network?

Zhanali
Path Finder
‎04-16-2021 04:35 AM

Cisco ASA VPN monitoring:

I haven't been able to finish this case for a week now. I need to display a table with information about start and end, and the total time of the user on the network.

With the information that I collected and displayed in the table, it was like this:

 

 

 

sourcetype=cisco:asa message_id=722051 OR message_id=113019 OR message_id=722011 OR message_id=722037 OR message_id=722028 OR message_id=722010 zhanali
| eval session_info = case((message_id = "113019" OR message_id = "722011" OR message_id = "722010"), "session_end",message_id="722051", "session_start",message_id="722037" OR message_id = "722028","session_close")
| eval start = if((session_info = "session_start"),_time,"null")
| eval end = if((session_info = "session_end"),_time,"null")
| eval close = if((session_info = "session_close"),_time,"null")
| table Cisco_ASA_user session_info start end close
| convert ctime(start) ctime(end) ctime(close)

 

 

 

Zhanali_0-1618570328123.png

I need to somehow leave one line from the close lines that appear sequentially. Better to leave the first in time.

Zhanali_1-1618571514377.png

 

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Zhanali
Path Finder
‎05-10-2023 09:24 PM

Hi all! I forgot about this post. I decided with the simplest way, the start of the session is determined using the duration. Because I learned about the logs that the duration is sent when the session really was.

index="cisco_syslog" sourcetype="cisco:asa" message_id=113019 
| eval start_time =_time-duration, end_time = _time 
| sort -start_time
| table dvc group user src_ip start_time end_time duration
| eval duration = tostring(duration, "duration")
| convert timeformat="%H:%M:%S %d.%m.%Y" ctime(start_time) ctime(end_time)

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Zhanali
Path Finder
‎05-10-2023 09:24 PM

Hi all! I forgot about this post. I decided with the simplest way, the start of the session is determined using the duration. Because I learned about the logs that the duration is sent when the session really was.

index="cisco_syslog" sourcetype="cisco:asa" message_id=113019 
| eval start_time =_time-duration, end_time = _time 
| sort -start_time
| table dvc group user src_ip start_time end_time duration
| eval duration = tostring(duration, "duration")
| convert timeformat="%H:%M:%S %d.%m.%Y" ctime(start_time) ctime(end_time)

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-10-2022 11:28 PM

The events are currently separate events in the pipeline - is there anything in the data that can be used to correlate the events to determine if more than one close event is present? Or do you simply want to use _time to sequence the events?

sourcetype=cisco:asa message_id=722051 OR message_id=113019 OR message_id=722011 OR message_id=722037 OR message_id=722028 OR message_id=722010 zhanali
| eval session_info = case((message_id = "113019" OR message_id = "722011" OR message_id = "722010"), "session_end",message_id="722051", "session_start",message_id="722037" OR message_id = "722028","session_close")
| eval start = if((session_info = "session_start"),_time,"null")
| eval end = if((session_info = "session_end"),_time,"null")
| eval close = if((session_info = "session_close"),_time,"null")
| table Cisco_ASA_user session_info start end close
| sort _time
| streamstats values(session_info) as previous_session_info current=f window=2
| where previous_session_info != "session_close" OR session_info != "session_close"
| convert ctime(start) ctime(end) ctime(close)
0 Karma
Reply
Solved! Jump to solution

NitLino
New Member
‎03-08-2022 09:12 AM

Hello Zhanali, 

I am also building something similar. were you able to complete your syntax?

0 Karma
Reply
Solved! Jump to solution

Zhanali
Path Finder
‎03-10-2022 10:20 PM 
sourcetype=cisco:asa message_id=722051 OR message_id=113019 OR message_id=722011 OR message_id=722037 OR message_id=722028 OR message_id=722010 "MyUserName"
| eval session_info = case((message_id = "113019" OR message_id = "722011" OR message_id = "722010"), "session_end",message_id="722051", "session_start",(message_id="722037" OR message_id = "722028"),"session_close")
| eval start = if((session_info = "session_start"),_time,"null")
| eval end = if((session_info = "session_end"),_time,"null")
| eval close = if((session_info = "session_close"),_time,"null")
| sort - _time
| table _time Cisco_ASA_user session_info start end close duration
| eval duration = tostring(duration, "duration")
| convert ctime(start) ctime(end) ctime(close)

 

This issue was not resolved, but for this situation I found a way out.
If you look at the results of this query, it turns out that the event with duration field indicates a break of the session. This is what I used to calculate the session start time.

Zhanali_0-1646978643148.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...