How to search number of active VPN users over time

trajedy · ‎03-30-2020

Hi all,

I've been working on getting the number of active VPN users from our ASA logs by a simple query to get the latest event for a user+IP and checking if its a vpn_start event, and counting the total.
Premise being that if a start event has been last logged, the session is still currently active:

index=ciscoasa (eventtype="cisco_vpn_start" OR eventtype="cisco_vpn_end")
| dedup user, src_ip sortby -_time
| eval Active=if(eventtype="cisco_vpn_start",1,null)
| stats count(Active)

This works fine at a point in time when i run the search/refresh dashboard etc. however i want to be able to timechart this over a day/week to show me how many active connections i have at different intervals of the day. i.e.
at
7am - 10 active sessions
7:30am - 15 active sessions
8am - 20 active sessions
8:30am - 30 active sessions

I only want it to show the active sessions at that particular point in time, not how many sessions were started/stopped in the interval prior, so some way of "executing" the search at different times and mapping the results. Or if there's a better way.

Any thoughts or suggestions?

sb01splunk · ‎03-18-2022

I know this is old but did you ever come up with a query that worked over time?

woodcock · ‎03-31-2020

You should be able to easily adapt my answer from this question:
https://answers.splunk.com/answers/319585/how-to-graph-the-number-of-active-sessions-over-ti.html

How to search number of active VPN users over time

timechart

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases