user | ip address | Connected Time

5plunked · ‎10-16-2017

Hi,

I wanted to display in a form of a table the current logged in VPN users.

my search command is this

host="" user=* | stats count by user

However, i do not want it to show the count and i want to see the time logged in as well, how can i improve my search to show that?
I am new to Splunk and from what i understand, if I am using openvpn logs i should have the PF-sense app downloaded for the CIM compliant field extractions?
I have downloaded the add-on to my Splunk but have problems understanding how i should be configuring the PF-sense app to support the field extractions for openvpn logs?

Any help would be appreciated! Thank you!

this is something that i would like:

user | ip address | Connected Time

user01 | 192.168.0.80 | 02:50:51

gcusello · ‎10-17-2017

Hi 5plunked,
try something like this

index=your_index host=your_host user=* 
| stats earliest(_time) AS Connected_Time values(IP_Address) AS IP_Address by user

use always index in searches, it's quicker!

Bye.
Giuseppe

5plunked · ‎10-19-2017

Thank you, this is extremely helpful! 🙂

kunalmao · ‎10-16-2017

can you run it in verbose mode and show me the available fields if any exist for connected_time and ip_addr in that case just append your search with host="" user=* | stats count by user ip_addr connected_time

also you can try this

host="" user=* | stats count by user _time ip_addr.

Sharing the raw events will actually help in building query

How can I create a table with the currently logged in VPN users?

user | ip address | Connected Time

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?