Splunk Search

Concurrent VPN connections.

weetabixsplunk
Explorer

Hi guys,

 

I'm going crazy and I'm completely lost. I'm trying to create a query that displays concurrent connections. I understand that this has been previously asked but what seemed to be the solution or "most popular" answer didn't work for me and seemed to be too complicated.

I'm trying to create a search that finds concurrent connections and then creates a table with the time, user and when the concurrency occurred.

I know I am missing something because even though I get no errors, I see a message saying "572781 events were ignored due to missing or invalid start or duration fields."

This is my search

index=fw tag=vpn
|eval "start"=cisco_vpn_start
|eval "start"=ftnt_fgt_vpn_start
|eval "stop"=cisco_vpn_end
|eval "stop"=ftnt_fgt_vpn_end
|eval "total_time"=start-stop
| concurrency duration=total_time
| timechart span=5m max(concurrency) as concurrency
| where concurrency > 0
| table concurrency, user, _time

 

Explained, we basically have to vpns
Duration: the total time from when one session starts until it ends.
Concurrency: measures the number of events which have spans that overlap with the start of each event.

I'm using 5 minutes as a time span and I want it to display the events where there is at least one concurrent connection. My brain is fried and I can't figure out what I'm doing wrong. I've been biting my nails and I think I peeled off all my nail polish.

Any help would be greatly appreciated.

 

Labels (1)
Tags (3)
0 Karma

tscroggins
Influencer

@weetabixsplunk 

The concurrency command has no by-clause, and the concurrency field value it returns includes all observed events. In your case, all events is all VPN sessions.

Assuming both Cisco and Fortinet solutions log events at session end with minimal indexing delay, you can find which users ended multiple sessions within a five minute window using streamstats:

tag=network tag=session tag=vpn
| streamstats time_window=5m count by user
| where count>1
| table _time user count

If you expect sessions to overlap with end times more than five minutes apart, you can modify the time_window argument.

This isn't a perfect solution, but it may work well for ad hoc investigations.

0 Karma
Get Updates on the Splunk Community!

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! 🎉 ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...