Splunk Search

Concurrent VPN connections.

weetabixsplunk
Explorer

Hi guys,

 

I'm going crazy and I'm completely lost. I'm trying to create a query that displays concurrent connections. I understand that this has been previously asked but what seemed to be the solution or "most popular" answer didn't work for me and seemed to be too complicated.

I'm trying to create a search that finds concurrent connections and then creates a table with the time, user and when the concurrency occurred.

I know I am missing something because even though I get no errors, I see a message saying "572781 events were ignored due to missing or invalid start or duration fields."

This is my search

index=fw tag=vpn
|eval "start"=cisco_vpn_start
|eval "start"=ftnt_fgt_vpn_start
|eval "stop"=cisco_vpn_end
|eval "stop"=ftnt_fgt_vpn_end
|eval "total_time"=start-stop
| concurrency duration=total_time
| timechart span=5m max(concurrency) as concurrency
| where concurrency > 0
| table concurrency, user, _time

 

Explained, we basically have to vpns
Duration: the total time from when one session starts until it ends.
Concurrency: measures the number of events which have spans that overlap with the start of each event.

I'm using 5 minutes as a time span and I want it to display the events where there is at least one concurrent connection. My brain is fried and I can't figure out what I'm doing wrong. I've been biting my nails and I think I peeled off all my nail polish.

Any help would be greatly appreciated.

 

Labels (1)
Tags (3)
0 Karma

tscroggins
Influencer

@weetabixsplunk 

The concurrency command has no by-clause, and the concurrency field value it returns includes all observed events. In your case, all events is all VPN sessions.

Assuming both Cisco and Fortinet solutions log events at session end with minimal indexing delay, you can find which users ended multiple sessions within a five minute window using streamstats:

tag=network tag=session tag=vpn
| streamstats time_window=5m count by user
| where count>1
| table _time user count

If you expect sessions to overlap with end times more than five minutes apart, you can modify the time_window argument.

This isn't a perfect solution, but it may work well for ad hoc investigations.

0 Karma
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...