Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Tracking active sessions over time

ajtokar
Engager
‎05-06-2021 11:05 AM

I have a query where I can see in a snapshot current active users per VPN profile (group). Having a hard time being able to plot number of active sessions on a timechart. The timecharts I make show me number of new connections, which is not what I am after. I am after seeing the total number of active connections per VPN profile (group) every 10 minutes for example. 

SPL: 

index=vpn_index message_id IN (113039 113019) group IN (ABC* XYZ* DEF* UVW*)
| transaction Username keepevicted=true startswith="113039" endswith="113019"
| eval session-status=if(closed_txn==1,"Completed","In Progress")
| search message_id="113039"
| fields src, _time, session-status, Username
| search session-status="In Progress"
| rename group as "VPN Profile"
| stats count as "Active Sessions" by "VPN Profile"

Any help is appreciated!

- Adam

Labels (4)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-06-2021 12:05 PM

If sessions start with 113039 and end with 113019, you could assign a field with 1  for 113039 events and -1 for 113019 events then sum the field over 10 minutes periods (timechart span=10m sum(field) as active). A bit crude as it doesn't take into account active sessions when the time period starts, but you might be able to do something about that if you calculate how many ends you have which didn't have starts (assuming you can identify these by username or something like that).

Reply

ajtokar
Engager
‎05-06-2021 12:10 PM

Thank you for the reply. That's very clever and took me a minute to grasp it will be a "running total" of the number of sessions, however as you stated that is somewhat compounded by the fact is is never truly 0.

 

Thanks,

Adam

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...