Reporting

How to calculate the total vpn connection time per user?

jfeitosa_real
Path Finder

Hi All!

Can anyone help with these questions below?
How to calculate the total vpn connection time per user?
The Duration field is of type string.

"Jul 10 07:14:17 xxx.xxx.xxx.xx %ASA-4-113019: Group = XYZ-SSL, Username = zya3, IP = xxx.xxx.xxx.xx, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:41m:42s, Bytes xmt: 27921408, Bytes rcv: 4612882, Reason: User Requested

Jul 9 23:55:49 xxx.xxx.xxx.xx %ASA-4-113019: Group = XYZ-SSL, Username = zya3, IP = xxx.xxx.xxx.xx, Session disconnected. Session Type: SSL, Duration: 0h:11m:46s, Bytes xmt: 13452434, Bytes rcv: 5072740, Reason: User Requested

Jul 9 21:36:12 xxx.xxx.xxx.xx %ASA-4-113019: Group = XYZ-SSL, Username = zzw2, IP = xxx.xxx.xxx.xx, Session disconnected. Session Type: SSL, Duration: 14h:38m:38s, Bytes xmt: 487160561, Bytes rcv: 39385026, Reason: User Requested"

- Through the eval command you can concatenate the corresponding fields of the numeric type.

| transaction user endswith="duration:" keepevicted=true| eval full_duration = duration_hour.":".duration_minute.":".duration_second

@woodcock you are the man

Thanks


to4kawa
Ultra Champion

| makeresults
| eval _raw="Jul 10 07:14:17 xxx.xxx.xxx.xx %ASA-4-113019: Group = XYZ-SSL, Username = zya3, IP = xxx.xxx.xxx.xx, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:41m:42s, Bytes xmt: 27921408, Bytes rcv: 4612882, Reason: User Requested

Jul 9 23:55:49 xxx.xxx.xxx.xx %ASA-4-113019: Group = XYZ-SSL, Username = zya3, IP = xxx.xxx.xxx.xx, Session disconnected. Session Type: SSL, Duration: 0h:11m:46s, Bytes xmt: 13452434, Bytes rcv: 5072740, Reason: User Requested

Jul 9 21:36:12 xxx.xxx.xxx.xx %ASA-4-113019: Group = XYZ-SSL, Username = zzw2, IP = xxx.xxx.xxx.xx, Session disconnected. Session Type: SSL, Duration: 14h:38m:38s, Bytes xmt: 487160561, Bytes rcv: 39385026, Reason: User Requested"
| multikv noheader=t
| table _raw
| kv
| rex "(?<date>\w+ \d+ \S+)"
| rex "(?<status>Session \w+)\. Session Type: (?<type>\S+), Duration: (?<duration>\S+),"
| rex field=duration "(?<hours>\d*)h:(?<minutes>\d*)m:(?<seconds>\d*)s"
| eval _time=strptime(date,"%b %d %T")
| eval duration_sec=hours * 60 * 60 + minutes * 60 + seconds
| eventstats sum(duration_sec) as total_duration by Username
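The same extraction and per-user sum as to4kawa's search, written as a stand-alone Python script (an added example, not code from the thread). It assumes sessions longer than a day carry a "Nd " prefix on the Duration (the duration_day field used in the later searches); the fourth sample line is constructed to exercise that case, and the conversion also answers the follow-up question about adding 0h:47m:42s and 0h:18m:46s.

```python
import re
from collections import defaultdict

# Three ASA-4-113019 lines from the thread plus one constructed line with a day
# component ("1d " prefix, an assumed format matching the thread's duration_day field).
SAMPLE_LOG = """\
Jul 10 07:14:17 xxx.xxx.xxx.xx %ASA-4-113019: Group = XYZ-SSL, Username = zya3, IP = xxx.xxx.xxx.xx, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:41m:42s, Bytes xmt: 27921408, Bytes rcv: 4612882, Reason: User Requested
Jul 9 23:55:49 xxx.xxx.xxx.xx %ASA-4-113019: Group = XYZ-SSL, Username = zya3, IP = xxx.xxx.xxx.xx, Session disconnected. Session Type: SSL, Duration: 0h:11m:46s, Bytes xmt: 13452434, Bytes rcv: 5072740, Reason: User Requested
Jul 9 21:36:12 xxx.xxx.xxx.xx %ASA-4-113019: Group = XYZ-SSL, Username = zzw2, IP = xxx.xxx.xxx.xx, Session disconnected. Session Type: SSL, Duration: 14h:38m:38s, Bytes xmt: 487160561, Bytes rcv: 39385026, Reason: User Requested
Jul 9 20:00:00 xxx.xxx.xxx.xx %ASA-4-113019: Group = XYZ-SSL, Username = abc1, IP = xxx.xxx.xxx.xx, Session disconnected. Session Type: SSL, Duration: 1d 2h:03m:04s, Bytes xmt: 1, Bytes rcv: 1, Reason: Idle Timeout
"""

# Same fields the thread's rex pulls out: Username, session type and the Duration string.
END_RE = re.compile(
    r"%ASA-4-113019: .*?Username = (?P<user>[^,]+), .*?Session disconnected\. "
    r"Session Type: (?P<type>\S+), Duration: (?P<duration>[^,]+),"
)
# Duration is "Hh:Mm:Ss", optionally preceded by "Dd " (day part is an assumption).
DURATION_RE = re.compile(r"^(?:(?P<d>\d+)d\s+)?(?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s$")


def duration_to_seconds(text: str) -> int:
    """Convert an ASA Duration string such as '0h:41m:42s' or '1d 2h:03m:04s' to seconds."""
    m = DURATION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Duration value: {text!r}")
    days = int(m.group("d") or 0)
    return days * 86400 + int(m.group("h")) * 3600 + int(m.group("m")) * 60 + int(m.group("s"))


def seconds_to_duration(total: int) -> str:
    """Format seconds back in ASA style, e.g. 3988 -> '1h:06m:28s'."""
    days, rem = divmod(total, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    body = f"{hours}h:{minutes:02d}m:{seconds:02d}s"
    return f"{days}d {body}" if days else body


def total_per_user(log_text: str) -> dict:
    """Sum connected seconds per Username over all disconnect lines; other lines are skipped."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = END_RE.search(line)
        if not m:
            continue  # connect or unrelated messages carry no Duration field
        totals[m.group("user")] += duration_to_seconds(m.group("duration"))
    return dict(totals)


if __name__ == "__main__":
    for user, secs in sorted(total_per_user(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{user:8} {secs:>7d}s  {seconds_to_duration(secs)}")
```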

marshalb
New Member

A VPN just moves all your traffic through an encrypted tunnel to a different network...

to4kawa
Ultra Champion

I see, that's VPN.

jfeitosa_real
Path Finder

Hello @to4kawa,

I decided to do it just by calculating the total in seconds.

index=vpn eventtype=cisco_vpn_end Username=* Group="*"
| fillnull value=0 duration_day
| multikv noheader=t
| eval total_duration=duration_day * (86400) + duration_hour * 60 * 60 + duration_minute * 60 + duration_second
| stats sum(total_duration) as Total_duration by Username Group
| eventstats sum(total_duration) as Total_duration by Username duration_day duration_hour duration_minute duration_second
| sort - Total_duration

So I did another search, with more details of the navigation, producing a statistic by time and user.

index=vpn (eventtype=cisco_vpn_start OR eventtype=cisco_vpn_end) user=*
| transaction user endswith="duration:" keepevicted=true
| fillnull value=0 duration_day
| eval full_duration = duration_day."d-" .duration_hour.":" .duration_minute.":".duration_second
| eval bytesMB=round(((bytes/1024)/1024),2), bytes_inMB=round(((bytes_in/1024)/1024),2), bytes_outMB=round(((bytes_out/1024)/1024),2)
| eval Start_time=strftime(_time,"%Y/%m/%d %H:%M:%S"), End_time=(strftime(_time + duration,"%Y/%m/%d %H:%M:%S")), Total_time=if(isnull(full_duration), Start_time." --> current session",Start_time." --> ".End_time)
| mvexpand src
| iplocation src
| eval LocationIP=City.", ".Country
| stats values(Total_time) as "Session Time" values(src) as "PublicIP" values(LocationIP) as LocationIP values(IP) as "Assigned IP" values(reason) as "Termination Reason" values(bytesMB) as bytesMB values(bytes_inMB) as bytes_inMB values(bytes_outMB) as bytes_outMB values(full_duration) as Duration by _time, user
| sort -_time
| search PublicIP=*

Thank you so much for your help, it was awesome.

James \o/

jfeitosa_real
Path Finder

Hi, @to4kawa, thanks for your response.

But how do I calculate the total time per user from the Duration field, since it is a string type? For example, if in two events for the same user the Duration field has the values (0h:47m:42s and 0h:18m:46s), the total time would be (01h:06m:28s). Would that be possible?

Thx.

to4kawa
Ultra Champion

Try the following rex.
