Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to edit my search to pull the first instance of an AnyConnect VPN connection for each start and end session?

fmpa_isaac
Path Finder
‎04-06-2016 11:55 AM

I want to know if anyone can help me pull the first instance of a VPN Connection for each start and end session. Anyconnect is currently set up to refresh all VPN session every 30 minutes. The problem I have is that it continues to alert me ever time a session is refreshed and I don't need that. Ideally, I would only like to see the first session when an employee logs in and the terminated session. But it needs to do this each time the employee connects. Please see my notes below to assist with. I will place my current search string below that.

_time Group User LANIP IP Message My notes
4/4/2016 10:14 SharePoint_Contractor terrence xxx.xx.xxx.xxx xxx.xx.x.xxx assigned to session Need
4/4/2016 10:02 SharePoint_Contractor terrence xxx.xx.xxx.xxx The user has requested to disconnect the connection Need
4/4/2016 9:47 SharePoint_Contractor terrence xxx.xx.xxx.xxx xxx.xx.x.xxx assigned to session Don't need
4/4/2016 9:44 SharePoint_Contractor terrence xxx.xx.xxx.xxx xxx.xx.x.xxx assigned to session Don't need
4/4/2016 9:17 SharePoint_Contractor terrence xxx.xx.xxx.xxx xxx.xx.x.xxx assigned to session Don't need
4/4/2016 9:14 SharePoint_Contractor terrence xxx.xx.xxx.xxx xxx.xx.x.xxx assigned to session Don't need
4/4/2016 8:47 SharePoint_Contractor terrence xxx.xx.xxx.xxx xxx.xx.x.xxx assigned to session Don't need
4/4/2016 8:44 SharePoint_Contractor terrence xxx.xx.xxx.xxx xxx.xx.x.xxx assigned to session Don't need
4/4/2016 8:14 SharePoint_Contractor terrence xxx.xx.xxx.xxx xxx.xx.x.xxx assigned to session Need
4/4/2016 8:14 SharePoint_Contractor terrence xxx.xx.xxx.xxx The user has requested to disconnect the connection Need
4/4/2016 8:13 SharePoint_Contractor terrence xxx.xx.xxx.xxx xxx.xx.x.xxx assigned to session Need

sourcetype="cisco:asa" host="xxx.xx.x.x" source="udp:514" message_id=722012 OR message_id=722051 | stats values(User) as Employee | mvexpand Employee | sort User
0 Karma
Reply

mcronkrite
Splunk Employee
Splunk Employee
‎04-06-2016 06:27 PM 
 | stats earliest(_time) as connect_start, latest(_time) as connectstop
   by user,src_ip

try adding this to end

0 Karma
Reply

fmpa_isaac
Path Finder
‎04-07-2016 06:57 AM

thank you. I was able to include it in my search but the date format seems to be off now. They look like this now.
Connect Start - "1459884707" and Connect Stop - "1459891908". Can you help with that?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...