I have the following two events from the same index (VPN). I've been unable to join two searches to get a table of users logged in to VPN, srcip, and sessions (if logged out, the 4911 field). I'm able to pull out this info if I search individually but unable to combine. Thanks for the help.
259 <166>1 2018-03-21T10:13:45-04:00 abc.defg.net PulseSecure: - - - 2018-03-21 10:13:45 - ive - [12.34.56.78] DHI\john(VPN)[VPN] - Login succeeded for FHI\john/VPN (session:be1c9211) from 12.34.56.78 with Open AnyConnect VPN Agent v7.08
276 <166>1 2018-03-21T11:35:39-04:00 abc.defg.net PulseSecure: - - - 2018-03-21 11:35:39 - ive - [12.34.56.78] DHI\john(VPN)[VPN] - Closed connection to TUN-VPN port 443 after 4911 seconds, with 2171883 bytes read (in 6 chunks) and 90236 bytes written (in 8 chunks)
If I interpret your events correctly, this query should do the job. The three rex commands extract the desired fields, then the stats command puts the events together by userid.
index=juniper-mag host=abc.defg.net ("Login succeeded" OR "Closed connection") | rex "\]\s(?<userid>[^\(]+)" | rex "Login succeeded.*from (?<srcip>[^\s]+)" | rex "after\s(?<duration>\d+)\sseconds" | stats earliest(_time) as sessionStart latest(_time) as sessionEnded values(duration) as duration values(srcip) as srcip by userid | fieldformat sessionStart=strftime(sessionStart,"%Y-%m-%dT%H:%M:%S%:z") | fieldformat sessionEnded=strftime(sessionEnded,"%Y-%m-%dT%H:%M:%S%:z")
If this reply helps you, Karma would be appreciated.
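The same extraction and grouping as the query above, written as a stand-alone Python script. This is an added example, not Splunk code or anything posted in the thread: the regexes mirror the three rex commands and the grouping mirrors `stats ... by userid`, except that a user with a login but no "Closed connection" event keeps sessionEnded and duration empty instead of getting latest(_time) as the end time. The two john events are the ones from the question; the alice login is constructed.

```python
import re
from datetime import datetime

# Constructed sample events in the PulseSecure format from the question; the two
# "john" lines are the ones posted, the "alice" login (no Closed event) is made up.
EVENTS = [
    r"259 <166>1 2018-03-21T10:13:45-04:00 abc.defg.net PulseSecure: - - - 2018-03-21 10:13:45 - ive - [12.34.56.78] DHI\john(VPN)[VPN] - Login succeeded for FHI\john/VPN (session:be1c9211) from 12.34.56.78 with Open AnyConnect VPN Agent v7.08",
    r"276 <166>1 2018-03-21T11:35:39-04:00 abc.defg.net PulseSecure: - - - 2018-03-21 11:35:39 - ive - [12.34.56.78] DHI\john(VPN)[VPN] - Closed connection to TUN-VPN port 443 after 4911 seconds, with 2171883 bytes read (in 6 chunks) and 90236 bytes written (in 8 chunks)",
    r"260 <166>1 2018-03-21T10:20:01-04:00 abc.defg.net PulseSecure: - - - 2018-03-21 10:20:01 - ive - [10.0.0.9] DHI\alice(VPN)[VPN] - Login succeeded for FHI\alice/VPN (session:0c0ffee1) from 10.0.0.9 with Open AnyConnect VPN Agent v7.08",
]

# Mirrors of the three rex commands, plus the syslog timestamp that becomes _time.
TIME_RE = re.compile(r"^\d+ <\d+>1 (\S+) ")
USER_RE = re.compile(r"\]\s([^\(]+)")  # first "]" closes the [srcip] block
SRCIP_RE = re.compile(r"Login succeeded.*from (\S+)")
DURATION_RE = re.compile(r"after\s(\d+)\sseconds")

def parse_event(raw):
    """Extract _time, userid, srcip and duration; fields a line lacks are None."""
    ip = SRCIP_RE.search(raw)
    dur = DURATION_RE.search(raw)
    return {
        "_time": datetime.fromisoformat(TIME_RE.match(raw).group(1)),
        "userid": USER_RE.search(raw).group(1),
        "srcip": ip.group(1) if ip else None,
        "duration": int(dur.group(1)) if dur else None,
    }

def session_table(events):
    """Group by userid. The Closed line carries no session id, so pairing is per user:
    several sessions of one user in the search window collapse into a single row."""
    rows = {}
    for raw in events:
        f = parse_event(raw)
        row = rows.setdefault(f["userid"], {"userid": f["userid"], "srcip": None,
                              "sessionStart": None, "sessionEnded": None, "duration": None})
        if f["srcip"] is not None:  # "Login succeeded" event -> earliest(_time), srcip
            row["srcip"] = f["srcip"]
            if row["sessionStart"] is None or f["_time"] < row["sessionStart"]:
                row["sessionStart"] = f["_time"]
        if f["duration"] is not None:  # "Closed connection" event -> latest(_time), duration
            row["duration"] = f["duration"]
            if row["sessionEnded"] is None or f["_time"] > row["sessionEnded"]:
                row["sessionEnded"] = f["_time"]
    return sorted(rows.values(), key=lambda r: r["userid"])

if __name__ == "__main__":
    for r in session_table(EVENTS):
        print(r["userid"], r["srcip"], r["sessionStart"], r["sessionEnded"], r["duration"])
```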
Thank you. This gave me what I was looking for. Response from kyaparla was also good. Thank you both.
Please try this.
index=juniper-mag host=abc.defg.net "Login succeeded" OR "Closed connection" | eval fields=split(_raw, " ") | eval user=mvindex(fields,14) | eval duration=mvindex(fields,23)| eval srcip=mvindex(fields, 13) | stats latest(_time) as time latest(duration) as duration by user,srcip | convert ctime(time) as time
Didn't even notice they were the same index and host. This is much better. 🙂
What are your two searches that you want to combine?
If this reply helps you, Karma would be appreciated.
Thanks for the help, Rich. The first event shows userid, the time the session started, and srcip. The second event shows the same, except the time the session ended and the session duration (4911 seconds). I want to generate a table of userid, srcip, time session started, time session ended, and duration. Here are the two searches that kind of get me what I'm looking for:
index=juniper-mag host=abc.defg.net _raw="Login succeeded" | eval fields=split(_raw, " ") | eval user=mvindex(fields,14) | eval srcip=mvindex(fields, 13) | table _time user srcip
index=juniper-mag host=abc.defg.net _raw="Closed connection" | eval fields=split(_raw, " ") | eval duration=mvindex(fields,23) | table _time user duration
Always worth reading this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... 😉
cheers, MuS
