Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I create a table with the currently logged in VPN users?

5plunked
Explorer
‎10-16-2017 09:13 PM

Hi,

I wanted to display in a form of a table the current logged in VPN users.

my search command is this

host="" user=* | stats count by user

However, i do not want it to show the count and i want to see the time logged in as well, how can i improve my search to show that?
I am new to Splunk and from what i understand, if I am using openvpn logs i should have the PF-sense app downloaded for the CIM compliant field extractions?
I have downloaded the add-on to my Splunk but have problems understanding how i should be configuring the PF-sense app to support the field extractions for openvpn logs?

Any help would be appreciated! Thank you!

this is something that i would like:

user | ip address | Connected Time

user01 | 192.168.0.80 | 02:50:51

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-17-2017 01:26 AM

Hi 5plunked,
try something like this

index=your_index host=your_host user=* 
| stats earliest(_time) AS Connected_Time values(IP_Address) AS IP_Address by user

use always index in searches, it's quicker!

Bye.
Giuseppe

Reply

5plunked
Explorer
‎10-19-2017 11:40 PM

Thank you, this is extremely helpful! 🙂

0 Karma
Reply

kunalmao
Communicator
‎10-16-2017 11:18 PM

can you run it in verbose mode and show me the available fields if any exist for connected_time and ip_addr in that case just append your search with host="" user=* | stats count by user ip_addr connected_time

also you can try this

host="" user=* | stats count by user _time ip_addr.

Sharing the raw events will actually help in building query

Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...