Splunk Search

How can I create a table with the currently logged in VPN users?

5plunked
Explorer

Hi,

I wanted to display the currently logged in VPN users in the form of a table.

My search command is this:

host="" user=* | stats count by user

However, I do not want it to show the count, and I want to see the time logged in as well. How can I improve my search to show that?
I am new to Splunk, and from what I understand, if I am using OpenVPN logs I should have the pfSense app downloaded for the CIM-compliant field extractions?
I have downloaded the add-on to my Splunk but have problems understanding how I should configure the pfSense app to support the field extractions for OpenVPN logs.

Any help would be appreciated! Thank you!

This is something like what I would like:

user | ip address | Connected Time

user01 | 192.168.0.80 | 02:50:51


gcusello
SplunkTrust

Hi 5plunked,
try something like this:

index=your_index host=your_host user=* 
| stats earliest(_time) AS Connected_Time values(IP_Address) AS IP_Address by user

Always use index in searches; it's quicker!

Bye.
Giuseppe
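An added example (not from this thread or from any Splunk add-on) that builds on the search above: it keeps only users whose most recent event is a connect rather than a disconnect, takes the time of that latest connect as the session start, and renders the elapsed time in the HH:MM:SS form the question asks for. It assumes the raw OpenVPN events contain the words "connect" / "disconnect" and that the client address is extracted as src_ip; both are assumptions to adapt to the fields the add-on actually extracts.

```spl
index=your_index host=your_host sourcetype=openvpn user=*
| eval action=case(like(_raw, "%disconnect%"), "disconnect", like(_raw, "%connect%"), "connect")
| where isnotnull(action)
| stats latest(action) AS last_action
        max(eval(if(action="connect", _time, null()))) AS session_start
        values(src_ip) AS ip_address
        by user
| where last_action="connect"
| eval Connected_Time=tostring(now() - session_start, "duration")
| table user ip_address Connected_Time
```

Because the disconnect check runs first in the case(), a "disconnected" message is not misclassified as a connect; a user with no disconnect after their last connect is reported as still logged in.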

5plunked
Explorer

Thank you, this is extremely helpful! 🙂


kunalmao
Communicator

Can you run it in verbose mode and show me the available fields? If any exist for connected_time and ip_addr, in that case just append your search like this:

host="" user=* | stats count by user ip_addr connected_time

Also, you can try this:

host="" user=* | stats count by user _time ip_addr

Sharing the raw events will actually help in building the query.
