Hi,
I wanted to display in a form of a table the current logged in VPN users.
My search command is this:
host="" user=* | stats count by user
However, I do not want it to show the count and I want to see the time logged in as well. How can I improve my search to show that?
I am new to Splunk and from what I understand, if I am using OpenVPN logs I should have the pfSense app downloaded for the CIM-compliant field extractions?
I have downloaded the add-on to my Splunk but have problems understanding how I should be configuring the pfSense app to support the field extractions for OpenVPN logs.
Any help would be appreciated! Thank you!
This is something that I would like:
user01 | 192.168.0.80 | 02:50:51
Hi 5plunked,
try something like this:
index=your_index host=your_host user=*
| stats earliest(_time) AS Connected_Time values(IP_Address) AS IP_Address by user
Always use index in searches, it's quicker!
Bye.
Giuseppe
Thank you, this is extremely helpful! 🙂
Can you run it in verbose mode and show me the available fields, if any exist, for connected_time and ip_addr? In that case just append your search with:
host="" user=* | stats count by user ip_addr connected_time
Also you can try this:
host="" user=* | stats count by user _time ip_addr
Sharing the raw events will actually help in building query
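To make it concrete what Giuseppe's `stats earliest(_time) ... values(IP_Address) by user` search (and the `stats count by user ip_addr ...` variant above) actually computes, here is an added Python example that is not from either answer and not part of Splunk or the pfSense add-on. It emulates the two steps the search depends on: field extraction of `user` and a client IP from each raw event, then the per-user aggregation. The log lines are constructed in a simplified OpenVPN syslog style; the field names `Connected_Time` and `IP_Address` are the aliases from the answer, not fields the pfSense add-on is known to extract, and on real data the extraction regex would be replaced by the add-on's CIM extractions.

```python
"""Emulate: ... user=* | stats earliest(_time) AS Connected_Time values(IP_Address) AS IP_Address by user
over constructed OpenVPN-style events (sample data, not real logs)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events. Format is a simplified syslog-style line:
# "<timestamp> openvpn[pid]: <user>/<client_ip>:<port> <message>".
# The last line deliberately carries no user/IP so it is dropped, the way
# the user=* filter drops events without a user field.
SAMPLE_EVENTS = """\
2024-05-01 02:50:51 openvpn[1203]: user01/192.168.0.80:51234 Peer Connection Initiated
2024-05-01 02:55:10 openvpn[1203]: user02/192.168.0.91:40012 Peer Connection Initiated
2024-05-01 03:02:33 openvpn[1203]: user01/192.168.0.80:51234 TLS: soft reset
2024-05-01 03:10:05 openvpn[1203]: user01/10.8.0.6:51240 Peer Connection Initiated
2024-05-01 03:11:00 openvpn[1203]: TLS Error: cannot locate HMAC
"""

# Assumed field extraction (hypothetical, stands in for the add-on's own).
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<user>[^/\s]+)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ "
)


def parse_events(text):
    """Return (_time, user, IP_Address) tuples for every line that yields a user field."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # no user field extracted: excluded by user=*
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def stats_by_user(events):
    """stats earliest(_time) AS Connected_Time values(IP_Address) AS IP_Address by user."""
    earliest = {}
    ips = defaultdict(set)
    for ts, user, ip in events:
        # earliest(): keep the smallest timestamp seen for this user
        if user not in earliest or ts < earliest[user]:
            earliest[user] = ts
        # values(): distinct set of addresses seen for this user
        ips[user].add(ip)
    return {
        user: {"Connected_Time": earliest[user], "IP_Address": sorted(ips[user])}
        for user in earliest
    }


def render_table(rows):
    """Render rows as 'user | ip(s) | HH:MM:SS', the layout the question asked for."""
    lines = []
    for user in sorted(rows):
        r = rows[user]
        lines.append(f"{user} | {', '.join(r['IP_Address'])} | {r['Connected_Time']:%H:%M:%S}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(stats_by_user(parse_events(SAMPLE_EVENTS))))
```

Note that `earliest(_time)` gives the first event seen for the user in the search window, which is only the login time if the window starts before the session did; `values()` lists every address the user appeared from, so a user reconnecting from a second address shows both, as `user01` does here.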