Splunk Search

How to edit my search to pull the first instance of an AnyConnect VPN connection for each start and end session?

fmpa_isaac
Path Finder

I want to know if anyone can help me pull the first instance of a VPN connection for each start and end session. AnyConnect is currently set up to refresh all VPN sessions every 30 minutes. The problem I have is that it continues to alert me every time a session is refreshed, and I don't need that. Ideally, I would only like to see the first session when an employee logs in and the terminated session. But it needs to do this each time the employee connects. Please see my notes below. I will place my current search string below that.

_time           Group                  User      LANIP            IP             Message                                              My notes
4/4/2016 10:14  SharePoint_Contractor  terrence  xxx.xx.xxx.xxx   xxx.xx.x.xxx   assigned to session                                  Need
4/4/2016 10:02  SharePoint_Contractor  terrence  xxx.xx.xxx.xxx                  The user has requested to disconnect the connection  Need
4/4/2016 9:47   SharePoint_Contractor  terrence  xxx.xx.xxx.xxx   xxx.xx.x.xxx   assigned to session                                  Don't need
4/4/2016 9:44   SharePoint_Contractor  terrence  xxx.xx.xxx.xxx   xxx.xx.x.xxx   assigned to session                                  Don't need
4/4/2016 9:17   SharePoint_Contractor  terrence  xxx.xx.xxx.xxx   xxx.xx.x.xxx   assigned to session                                  Don't need
4/4/2016 9:14   SharePoint_Contractor  terrence  xxx.xx.xxx.xxx   xxx.xx.x.xxx   assigned to session                                  Don't need
4/4/2016 8:47   SharePoint_Contractor  terrence  xxx.xx.xxx.xxx   xxx.xx.x.xxx   assigned to session                                  Don't need
4/4/2016 8:44   SharePoint_Contractor  terrence  xxx.xx.xxx.xxx   xxx.xx.x.xxx   assigned to session                                  Don't need
4/4/2016 8:14   SharePoint_Contractor  terrence  xxx.xx.xxx.xxx   xxx.xx.x.xxx   assigned to session                                  Need
4/4/2016 8:14   SharePoint_Contractor  terrence  xxx.xx.xxx.xxx                  The user has requested to disconnect the connection  Need
4/4/2016 8:13   SharePoint_Contractor  terrence  xxx.xx.xxx.xxx   xxx.xx.x.xxx   assigned to session                                  Need

sourcetype="cisco:asa" host="xxx.xx.x.x" source="udp:514" (message_id=722012 OR message_id=722051) | stats values(User) as Employee | mvexpand Employee | sort Employee
0 Karma

mcronkrite
Splunk Employee
Try adding this to the end:

| stats earliest(_time) as connect_start, latest(_time) as connectstop by user, src_ip

0 Karma

fmpa_isaac
Path Finder

Thank you. I was able to include it in my search, but the date format seems to be off now. They look like this now:
Connect Start - "1459884707" and Connect Stop - "1459891908". Can you help with that?

0 Karma
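The two points raised in this thread (collapsing the 30-minute refresh events into one row per session, and turning the epoch values that earliest() and latest() return into readable timestamps) can be handled in a single search. The search below is an added example, not code from the original thread or from either participant. It assumes the field names shown in the table above (User, LANIP for the client address, IP for the assigned address) and the two message IDs from the original search; if the Cisco ASA add-on extracts these as user and src_ip, as in the reply above, substitute those names (field names are case-sensitive). The per-session counter built with streamstats goes beyond the reply above, which returns one row per user and source address rather than one row per connect/disconnect pair.

```spl
sourcetype="cisco:asa" host="xxx.xx.x.x" source="udp:514" (message_id=722051 OR message_id=722012)
| sort 0 User, LANIP, _time
| streamstats count(eval(message_id=722012)) AS disconnects BY User, LANIP
| eval session_no = if(message_id=722012, disconnects - 1, disconnects)
| stats earliest(_time) AS connect_start, latest(_time) AS connect_stop,
        values(IP) AS assigned_ip, count(eval(message_id=722012)) AS closed
        BY User, LANIP, session_no
| eval connect_start = strftime(connect_start, "%m/%d/%Y %H:%M:%S"),
       connect_stop  = strftime(connect_stop,  "%m/%d/%Y %H:%M:%S"),
       status        = if(closed > 0, "terminated", "still connected")
| fields - closed
| sort User, LANIP, session_no
```

How it works: after sorting each user's events by time, streamstats counts how many "requested to disconnect" (722012) events have been seen so far for that user and client address. Every "assigned to session" (722051) event before the first disconnect therefore gets session_no 0, the disconnect itself is pulled back onto the session it closes (disconnects - 1), the next assignment starts session_no 1, and so on. stats then keeps only the first and last timestamp per session, which drops the refreshes, and strftime renders the epoch values (the "1459884707" style numbers) in the same format as the table above. Against the sample data this yields three rows for terrence: 8:13 to 8:14, 8:14 to 10:02, and 10:14 onward with status "still connected". Two caveats for alerting on this: a session with no disconnect in the search window reports its most recent refresh as connect_stop rather than a true end time, which is why status is shown, and if the time range starts in the middle of a session, the first event seen is a refresh and will be reported as the start.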