Getting Data In
Highlighted

Create an event for user login to VPN and the network

New Member

I'm new at creating Splunk searches and events. I would like a Notable Event to alert whenever an employee login is detected on the network and the VPN at the same time. I read that this can be done with a sub-search, but I'm having trouble creating the search query. Any suggestions would be greatly appreciated.

Tags (4)
0 Karma
Highlighted

Re: Create an event for user login to VPN and the network

SplunkTrust
SplunkTrust

If you can post non-confidential samples of searches that return a LAN logon, and a VPN logon, we can get closer, but here's a version in pseudocode...

( index=fooLAN sourcetype=LANsource "whatever other stuff that shows LAN logons") OR
( index=fooVPN sourcetype=VPNsource "whatever other stuff that shows VPN logons")
| bin _time as mytime span=10m
| eval userid=coalesce(LANUseridField,VPNUseridField)
| eval mytype=if(sourcetype=LANsource,"LAN","VPN")
| stats  range(_time) as timerange, min(_time) as startTime, max(_time) as endTime values(mytype) as mytype by mytime userid
| where (mvcount(mytype) >1)
0 Karma