Splunk Search

Joining Searches for Authentication Times

dsmeerkat
Explorer

So I have two searches, one for the client_vpn_asa and one for the nac; they both require regex:

index=client_vpn_asa "ASA-4-722051" | rex field=_raw ".*?ASA-4-722051: Group \<(?<Group>.*?)\> User \<(?<username>.*?)\> IP \<(?<Source_IP>\\d+.\\d+.\\d+.\\d+)\> Address \<(?<Framed_IP>\\d+.\\d+.\\d+.\\d+)\> assigned to session" | fields + _time, host, Group, username, Source_IP, Framed_IP | fields - "_cd","_indextime","_kv","_raw","_serial","_si","_sourcetype"

and

index=nac | rex field=_raw "(?P<Source_IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | rex field=_raw "(?P<username>\w{1,30}\\\.\S+)" | rex field=_raw "(?P<email_addr>\S+@\S+)" | eval analysis=if(isnull(username),0,1) | eval user=case(analysis=="0", email_addr, analysis=="1", username)

I tried "join username [search index=nac......]", but it didn't work right.

What I want to do is see how long it takes a user to hit the ASA, get authenticated and then be authorized by the NAC... what is the total time of that transaction, by user?


somesoni2
Revered Legend

Try something like this:

index=client_vpn_asa "ASA-4-722051" | rex field=_raw ".*?ASA-4-722051: Group \<(?<Group>.*?)\> User \<(?<username>.*?)\> IP \<(?<Source_IP>\\d+.\\d+.\\d+.\\d+)\> Address \<(?<Framed_IP>\\d+.\\d+.\\d+.\\d+)\> assigned to session" | fields + _time, host, Group, username, Source_IP, Framed_IP | fields - "_cd","_indextime","_kv","_raw","_serial","_si","_sourcetype"
|append [search index=nac | rex field=_raw "(?P<Source_IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | rex field=_raw "(?P<username>\w{1,30}\\\.\S+)" | rex field=_raw "(?P<email_addr>\S+@\S+)" | eval analysis=if(isnull(username),0,1) | eval user=case(analysis=="0", email_addr, analysis=="1", username)] 
|transaction username maxevents=2 | table _time , username, duration
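The append-then-transaction pairing suggested above, reproduced as an added Python example (not from the thread or from Splunk) over constructed ASA and NAC log lines, using the posted regexes and the same e-mail fallback for the NAC user. It assumes the NAC logs the same username string the ASA does (here CORP\jdoe) and, unlike `transaction username maxevents=2`, only counts a NAC record that comes after the ASA session assignment.

```python
import re
from datetime import datetime

# Regexes follow the ones posted in the thread, written as Python raw strings.
ASA_RE = re.compile(
    r"ASA-4-722051: Group <(?P<Group>.*?)> User <(?P<username>.*?)> "
    r"IP <(?P<Source_IP>\d+\.\d+\.\d+\.\d+)> Address <(?P<Framed_IP>\d+\.\d+\.\d+\.\d+)> "
    r"assigned to session")
NAC_IP_RE = re.compile(r"(?P<Source_IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
NAC_USER_RE = re.compile(r"(?P<username>\w{1,30}\\\S+)")  # DOMAIN\user form
NAC_EMAIL_RE = re.compile(r"(?P<email_addr>\S+@\S+)")

def parse_ts(line):
    # Constructed log lines start with an ISO-8601 timestamp (assumption of this example).
    return datetime.fromisoformat(line.split(" ", 1)[0])

def parse_asa(line):
    m = ASA_RE.search(line)
    return {"_time": parse_ts(line), **m.groupdict()} if m else None

def parse_nac(line):
    ip, user, email = NAC_IP_RE.search(line), NAC_USER_RE.search(line), NAC_EMAIL_RE.search(line)
    if not ip or not (user or email):
        return None
    # Same rule as the posted eval: use the e-mail address only when no DOMAIN\user is present.
    return {"_time": parse_ts(line), "Source_IP": ip.group(1),
            "user": user.group(1) if user else email.group(1)}

def asa_to_nac_durations(asa_lines, nac_lines):
    """Seconds from a user's first ASA session assignment to the first NAC record after it."""
    first_asa = {}
    for ev in sorted(filter(None, map(parse_asa, asa_lines)), key=lambda e: e["_time"]):
        first_asa.setdefault(ev["username"], ev)
    durations = {}
    for ev in sorted(filter(None, map(parse_nac, nac_lines)), key=lambda e: e["_time"]):
        start = first_asa.get(ev["user"])
        # A NAC record older than the ASA event belongs to an earlier session: ignore it.
        if start and ev["user"] not in durations and ev["_time"] >= start["_time"]:
            durations[ev["user"]] = (ev["_time"] - start["_time"]).total_seconds()
    return durations

# Constructed sample events (not real logs): jdoe pairs up, asmith does not because the NAC
# only logged an e-mail address, which differs from the ASA username string.
ASA_SAMPLE = [
    "2024-05-01T08:00:00 asa1 %ASA-4-722051: Group <VPN-Users> User <CORP\\jdoe> IP <203.0.113.10> Address <10.10.0.5> assigned to session",
    "2024-05-01T08:00:30 asa1 %ASA-4-722051: Group <VPN-Users> User <CORP\\asmith> IP <203.0.113.11> Address <10.10.0.6> assigned to session",
]
NAC_SAMPLE = [
    "2024-05-01T07:59:50 nac1 rejected 10.10.0.5 CORP\\jdoe posture check failed",
    "2024-05-01T08:00:12 nac1 authorized 10.10.0.5 CORP\\jdoe",
    "2024-05-01T08:01:00 nac1 authorized 10.10.0.6 asmith@example.com",
]
```

If the ASA logs a bare user while the NAC logs DOMAIN\user or an e-mail address, normalize the field before pairing; otherwise the transaction never closes and the duration is silently missing for that user.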

somesoni2
Revered Legend

Yes and yes.

dsmeerkat
Explorer

Very nice indeed, so this is the duration between the ASA and NAC, right? Duration here is in seconds?


dsmeerkat
Explorer

So what I want to do is have a username, with an entry from the ASA first, then an entry from the NAC, so I can calculate the time from first seen on the ASA to successful authentication on the NAC.
