I'm working on creating a report to monitor VPN usage based on unique user per day. I was able to get the format I want done but I'm having trouble filtering unique users by day over 30 days.
index=network sourcetype=cisco:asa device_name="*vpnfrw01" eventtype=cisco_vpn_* log_level=4 Username=*
| dedup _time
| rex "Duration: (?<h>\d+)h:(?<m>\d+)m:(?<s>\d+)s,"
| fillnull value=0 h m s
| eval duration=h*(60*60)+m*60+s
| eval end=_time
| eval start=end-duration
| eval start=strftime(start, "%x %X")
| eval duration=h."h:".m."m:".s."s"
| eval logon = if(group="piv_group", "PIV", "RSA")
| stats count by start userIdentity logon duration userEmployeeType userDivision userNick userEmail
| table start userIdentity logon duration userEmployeeType userDivision userNick userEmail
| rename start as "Date" duration as "Total Session Time" userNick as "Account Name" logon as "Logon Type" userDivision as Division userEmail as Email userEmployeeType as "Employee Type" userIdentity as "User"
| sort Date desc
| search User=*
It's output looks like this:
Date User Logon Type Total Session Time Employee Type Division Account Name Email
02/14/2017 7:30 user1 PIV 0h:09m:43s Contractor IT User 1 firstname.lastname@example.org
02/14/2017 6:04 user3 PIV 0h:35m:54s Contractor IT User 3 email@example.com
02/13/2017 23:50 user2 PIV 0h:06m:24s Contractor IT User 2 firstname.lastname@example.org
I need to be able to only find unique users per day keeping this format.