Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I create a table with the currently logged in VPN users?

5plunked
Explorer
‎10-16-2017 09:13 PM

Hi,

I wanted to display in a form of a table the current logged in VPN users.

my search command is this

host="" user=* | stats count by user

However, i do not want it to show the count and i want to see the time logged in as well, how can i improve my search to show that?
I am new to Splunk and from what i understand, if I am using openvpn logs i should have the PF-sense app downloaded for the CIM compliant field extractions?
I have downloaded the add-on to my Splunk but have problems understanding how i should be configuring the PF-sense app to support the field extractions for openvpn logs?

Any help would be appreciated! Thank you!

this is something that i would like:

user | ip address | Connected Time

user01 | 192.168.0.80 | 02:50:51

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-17-2017 01:26 AM

Hi 5plunked,
try something like this

index=your_index host=your_host user=* 
| stats earliest(_time) AS Connected_Time values(IP_Address) AS IP_Address by user

use always index in searches, it's quicker!

Bye.
Giuseppe

Reply

5plunked
Explorer
‎10-19-2017 11:40 PM

Thank you, this is extremely helpful! 🙂

0 Karma
Reply

kunalmao
Communicator
‎10-16-2017 11:18 PM

can you run it in verbose mode and show me the available fields if any exist for connected_time and ip_addr in that case just append your search with host="" user=* | stats count by user ip_addr connected_time

also you can try this

host="" user=* | stats count by user _time ip_addr.

Sharing the raw events will actually help in building query

Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...