Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I create a table with the currently logged in VPN users?

5plunked
Explorer
‎10-16-2017 09:13 PM

Hi,

I wanted to display in a form of a table the current logged in VPN users.

my search command is this

host="" user=* | stats count by user

However, i do not want it to show the count and i want to see the time logged in as well, how can i improve my search to show that?
I am new to Splunk and from what i understand, if I am using openvpn logs i should have the PF-sense app downloaded for the CIM compliant field extractions?
I have downloaded the add-on to my Splunk but have problems understanding how i should be configuring the PF-sense app to support the field extractions for openvpn logs?

Any help would be appreciated! Thank you!

this is something that i would like:

user | ip address | Connected Time

user01 | 192.168.0.80 | 02:50:51

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-17-2017 01:26 AM

Hi 5plunked,
try something like this

index=your_index host=your_host user=* 
| stats earliest(_time) AS Connected_Time values(IP_Address) AS IP_Address by user

use always index in searches, it's quicker!

Bye.
Giuseppe

Reply

5plunked
Explorer
‎10-19-2017 11:40 PM

Thank you, this is extremely helpful! 🙂

0 Karma
Reply

kunalmao
Communicator
‎10-16-2017 11:18 PM

can you run it in verbose mode and show me the available fields if any exist for connected_time and ip_addr in that case just append your search with host="" user=* | stats count by user ip_addr connected_time

also you can try this

host="" user=* | stats count by user _time ip_addr.

Sharing the raw events will actually help in building query

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...