Splunk Search

Concurrent VPN connections.

weetabixsplunk
Explorer

Hi guys,

 

I'm going crazy and I'm completely lost. I'm trying to create a query that displays concurrent connections. I understand that this has been previously asked but what seemed to be the solution or "most popular" answer didn't work for me and seemed to be too complicated.

I'm trying to create a search that finds concurrent connections and then creates a table with the time, user and when the concurrency occurred.

I know I am missing something because even though I get no errors, I see a message saying "572781 events were ignored due to missing or invalid start or duration fields."

This is my search

index=fw tag=vpn
|eval "start"=cisco_vpn_start
|eval "start"=ftnt_fgt_vpn_start
|eval "stop"=cisco_vpn_end
|eval "stop"=ftnt_fgt_vpn_end
|eval "total_time"=start-stop
| concurrency duration=total_time
| timechart span=5m max(concurrency) as concurrency
| where concurrency > 0
| table concurrency, user, _time

 

Explained, we basically have to vpns
Duration: the total time from when one session starts until it ends.
Concurrency: measures the number of events which have spans that overlap with the start of each event.

I'm using 5 minutes as a time span and I want it to display the events where there is at least one concurrent connection. My brain is fried and I can't figure out what I'm doing wrong. I've been biting my nails and I think I peeled off all my nail polish.

Any help would be greatly appreciated.

 

Labels (1)
Tags (3)
0 Karma

tscroggins
Influencer

@weetabixsplunk 

The concurrency command has no by-clause, and the concurrency field value it returns includes all observed events. In your case, all events is all VPN sessions.

Assuming both Cisco and Fortinet solutions log events at session end with minimal indexing delay, you can find which users ended multiple sessions within a five minute window using streamstats:

tag=network tag=session tag=vpn
| streamstats time_window=5m count by user
| where count>1
| table _time user count

If you expect sessions to overlap with end times more than five minutes apart, you can modify the time_window argument.

This isn't a perfect solution, but it may work well for ad hoc investigations.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...