
Create an event for user login to VPN and the network

aschroeder
New Member

I'm new at creating Splunk searches and events. I would like a Notable Event to alert whenever an employee login is detected on the network and the VPN at the same time. I read that this can be done with a sub-search, but I'm having trouble creating the search query. Any suggestions would be greatly appreciated.


DalJeanis
Legend

If you can post non-confidential samples of searches that return a LAN logon, and a VPN logon, we can get closer, but here's a version in pseudocode...

( index=fooLAN sourcetype=LANsource "whatever other stuff that shows LAN logons") OR
( index=fooVPN sourcetype=VPNsource "whatever other stuff that shows VPN logons")
| bin span=10m _time as mytime
| eval userid=coalesce(LANUseridField,VPNUseridField)
| eval mytype=if(sourcetype=="LANsource","LAN","VPN")
| stats range(_time) as timerange, min(_time) as startTime, max(_time) as endTime, values(mytype) as mytype by mytime userid
| where mvcount(mytype) > 1
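The same correlation logic as the pseudocode search, run over constructed sample logons so the behaviour can be checked offline. This is an added example, not code from the original post or from Splunk; the field names (LANUseridField, VPNUseridField, sourcetype values) are the answer's placeholders, and the epoch times are constructed. It also shows the caveat of fixed 10-minute bins: two logons 20 seconds apart that straddle a bin edge are missed by the binned version, so a pair-wise window check is included alongside it.

```python
"""Correlate LAN and VPN logons per user, mirroring the SPL in the answer above
(added example, not from the original post; field names are the answer's placeholders)."""
from collections import defaultdict
from itertools import product

SPAN = 600  # seconds, the answer's `span=10m`
B = 1700000400  # a 10-minute bin boundary (divisible by 600); constructed base time

# Constructed sample events, shaped like the two sourcetypes the answer OR's together.
SAMPLE_EVENTS = [
    {"_time": B,        "sourcetype": "LANsource", "LANUseridField": "alice"},
    {"_time": B + 120,  "sourcetype": "VPNsource", "VPNUseridField": "alice"},  # same bin: hit
    {"_time": B + 300,  "sourcetype": "LANsource", "LANUseridField": "bob"},
    {"_time": B + 3000, "sourcetype": "VPNsource", "VPNUseridField": "bob"},    # 45 min apart: no hit
    {"_time": B - 10,   "sourcetype": "LANsource", "LANUseridField": "carol"},
    {"_time": B + 10,   "sourcetype": "VPNsource", "VPNUseridField": "carol"},  # 20 s apart, straddles a bin edge
]

def normalize(e):
    """eval userid=coalesce(...) and eval mytype=if(sourcetype=="LANsource","LAN","VPN")."""
    userid = e.get("LANUseridField") or e.get("VPNUseridField")
    mytype = "LAN" if e["sourcetype"] == "LANsource" else "VPN"
    return e["_time"], userid, mytype

def correlate_binned(events, span=SPAN):
    """bin span=10m _time as mytime | stats ... by mytime userid | where mvcount(mytype) > 1."""
    groups = defaultdict(lambda: {"mytype": set(), "times": []})
    for t, userid, mytype in map(normalize, events):
        g = groups[(t - t % span, userid)]  # floor to the bin start, like Splunk's bin
        g["mytype"].add(mytype)
        g["times"].append(t)
    return {
        k: {"startTime": min(g["times"]), "endTime": max(g["times"]),
            "timerange": max(g["times"]) - min(g["times"])}
        for k, g in groups.items() if len(g["mytype"]) > 1
    }

def correlate_window(events, window=SPAN):
    """Pair-wise variant: any LAN/VPN pair for one user within `window` seconds,
    regardless of bin boundaries, so the straddling case (carol) is caught too."""
    by_user = defaultdict(lambda: {"LAN": [], "VPN": []})
    for t, userid, mytype in map(normalize, events):
        by_user[userid][mytype].append(t)
    hits = {}
    for userid, d in by_user.items():
        gaps = [abs(a - b) for a, b in product(d["LAN"], d["VPN"]) if abs(a - b) <= window]
        if gaps:
            hits[userid] = min(gaps)  # closest LAN/VPN pair, in seconds
    return hits
```

correlate_binned returns only alice's bin; correlate_window additionally flags carol, which is the kind of edge case worth testing before turning the search into a notable event.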