All Apps and Add-ons

Cisco VPN total user duration

boss3668
Engager

i would like to total the time that each user is logged in to the VPN.

This is what one of my logs looks like.

Apr 30 00:48:25 "ip_address" Apr 30 2012 00:48:25: %ASA-4-113019: Group = "Group",
Username = "User", IP = "ip_address",
Session disconnected. Session Type: SSL, Duration: 1h:59m:24s, Bytes xmt: 86659734,
Bytes rcv: 4557700, Reason: User Requested
host="ip_address" | Group="Group" | Username="User" | Session_Type=Session Type: SSL | Duration=1h:59m:24s

After totaling the durations i would like to graph each user.
I have tried to use (eval, stats, and strptime) but cannot get any to work on this correctly.

If someone could help. What would the search string look like in order to do this?

Thank You

0 Karma
1 Solution

ziegfried
Influencer
... | rex field=Duration "((?<dur_h>\d+)h:)?(?<dur_m>\d+)m:(?<dur_s>\d+)s" | eval duration=dur_s+60*dur_m+3600*coalesce(dur_h,0) | stats sum(duration) as total_duration by Username

View solution in original post

gilbou
Explorer

In the 1st search posted, rex field=Duration

duration must have a lower case "d" for it to work

0 Karma

eegilbert
Explorer

Thank you, Sowings. That was the hint I needed. I created a field called duration with the field extractor and then made sure it was one of the selected fields.

0 Karma

eegilbert
Explorer

Hi, I'm very glad to have found this thread as I am trying to get the same information from Splunk, however I'm not getting any results past the table, which only contains the user names. I've even tried shortening the query to the table portion, however I still do not receive data.

0 Karma

sowings
Splunk Employee
Splunk Employee

The original log event looks something like this:

Apr 30 00:48:25 "ip_address" Apr 30 2012 00:48:25: %ASA-4-113019: Group = "Group", Username = "User", IP = "ip_address", Session disconnected. Session Type: SSL, Duration: 1h:59m:24s, Bytes xmt: 86659734, Bytes rcv: 4557700, Reason: User Requested

By default, Splunk will do automatic Key=Value extraction, meaning that in this case, it will only find Group, Username, and IP. You'll have to write field extraction rules to collect the other values from the log event.

0 Karma

sowings
Splunk Employee
Splunk Employee

You could also | eval dur=strptime(Duration, "%Hh:%Mm:%Ss")

0 Karma

sowings
Splunk Employee
Splunk Employee

Hmm, noted. It seems that mktime (available in convert) does the same thing. Seconds math it is!

0 Karma

ziegfried
Influencer

It's a different result, though. This will result in Today's epoch time plus the duration.

0 Karma

ziegfried
Influencer
... | rex field=Duration "((?<dur_h>\d+)h:)?(?<dur_m>\d+)m:(?<dur_s>\d+)s" | eval duration=dur_s+60*dur_m+3600*coalesce(dur_h,0) | stats sum(duration) as total_duration by Username

boss3668
Engager

I re-ran the search with just the host and your search and I did get results! now I have to figure out how to turn it back into human readable time, but it looks like the string you sent works great, I must have messed something up when I tried it before. Thank you for the great help with this.

0 Karma

ziegfried
Influencer

Can you see the field "Duration" in the field picker (on the left side)? What's the exact search you're running?

0 Karma

boss3668
Engager

No, I get no results found. Sorry if i'm missing something small, i'm very new to splunk. It doesn't return an error, but it does not return any extracted dur_* fields

0 Karma

ziegfried
Influencer

if you execute the search without the trailing stats command, can you see any extracted dur_* fields?

... | rex field=Duration "((?<dur_h>\d+)h:)?(?<dur_m>\d+)m:(?<dur_s>\d+)s" | eval duration=dur_s+60*dur_m+3600*coalesce(dur_h,0) | table dur*

boss3668
Engager

correct, "Duration" is exactly as it appears in the log statement from my initial question. That is definitely the field we are trying to get the cumulative duration of a user from It did create the total_duration field and the Usernames were listed just no data at all in the total_duration output.

0 Karma

ziegfried
Influencer

There's a field "Duration" in your results, right?

0 Karma

boss3668
Engager

The answer from ziegried does return results without error. The Username field is shown with the usernames listed but the total_duration field that is created is blank. Any ideas on why that would be?

0 Karma

gilbou
Explorer

rex field=Duration

duration must have a lower case "d" for it to work

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...