I am trying to show how long someone has been connected to the VPN for the last X days. There is an action field with the results of "connected" or "closed". How do I show the times in between as connected time then send the connected time with the start times and days to a visualization?
index=vpn NOT user=System user=Billy juniper_sslvpn_action!=NULL juniper_sslvpn_action!=succeeded
index=vpn NOT user=System juniper_sslvpn_action!=NULL juniper_sslvpn_action!=succeeded
| bin _time span=1d AS day
| streamstats count(eval(juniper_sslvpn_action="closed")) AS sessionID BY day user
| stats range(_time) AS duration BY sessionID user day
| stats sum(duration) AS total_connected_time BY user day
| eval total_connected_time = tostring(total_connected_time, "duration")
| fieldformat day = strftime(day, "%b %d")
| fields - sessionID
This is closer to what I am looking for. How do I show connection times by day?
Basically a search where I can input a userID and it will show how long they were connected to the VPN by the day.
After your search you have to correlate events, e.g. using a TransactionId, or user and IP, or by identifying start and end transaction strings.
In this way, you'll have an additional field called "duration" that you can sum.
Something like this:
| transaction user IP startswith="start_string" endswith="end_string"
| stats sum(duration) AS total by user
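One way to get the per-day view the question asks for, as an added example rather than either poster's search: it pairs each connected event with its closed event using transaction, keeps only sessions that actually closed, buckets each session by its start day and sums the durations. It assumes the events carry a user field and a source-address field named src_ip, and that juniper_sslvpn_action holds the literal values connected and closed.

```spl
index=vpn user=Billy NOT user=System juniper_sslvpn_action IN ("connected", "closed")
| transaction user src_ip startswith=eval(juniper_sslvpn_action="connected") endswith=eval(juniper_sslvpn_action="closed")
| search closed_txn=1
| bin _time span=1d AS day
| stats sum(duration) AS connected_seconds BY user day
| eval connected_time = tostring(connected_seconds, "duration")
| fieldformat day = strftime(day, "%b %d")
| sort user day
```

closed_txn=1 drops sessions that have a connected event but no closed event yet, so a user who is still online at search time shows only their finished sessions. A session that runs past midnight is charged in full to the day it started, which is what makes the daily totals add up to the per-session durations.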