Splunk Search

Trend of latest value per user

macd0170
New Member

I apologize if this has been asked and answered. I tried searching the forum but couldn't find the answer (it might have been that I don't know what to search for).

We are logging VPN logins and I have a requirement to track the client version over time as we upgrade it. I have a log message that has both user and version and am trying to plot a daily chart that shows the number of users whose last login was with each version of software. So far I have:

| stats first(Version) AS version by User

Which looks like it gives me a table of the last version that each user logged in with but first of all, it doesn't seem super efficient.

I am also lost on how to:

- Turn it into count of the number of entries for each version
- Chart this for past values


soutamo
SplunkTrust

Hi

Could you give an anonymized sample so the community could better help you?

r. Ismo


macd0170
New Member

A sample of the logs? Or something else?


soutamo
SplunkTrust

Yes, at least a sample of logs and maybe your query.

r. Ismo


macd0170
New Member

Thanks for getting back to me. I have attached a few rows of our logs and extracted fields in CSV format.

We are in the process of upgrading our software (AnyConnectVersion) from 4.x.x to 4.y.y. Management is asking for a graphic to show how many users (ACVersionUsername) are on each version on a daily basis.

The only way I can think of to get this is to check AnyConnectVersion for each user on their last connection.

The search '| stats first(ACVersion) AS version by ACVersionUsername' seems to give me a table with each user's last version for today, but I can't seem to figure out how to:

  • Get the count of each version
  • Get the count of each version in the past
  • Plot these on a chart including the results for the past X number of days.

Any help you could give would be appreciated. I'm trying to learn Splunk, but since it's not my primary duty, I can't put as much time into learning it as I would like.


soutamo
SplunkTrust

Hi

Based on your examples (I just took some of the lines and changed them a little):

index=_internal
| head 1
| eval _raw ="time,src,ASA_Version, GP, User, dst, CT
Aug 31 2020 12:10:37, x.x.x.x, %ASA-6-722055:, Group <Default>, User <user1>, IP <x.x.x.x>, Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x
Aug 31 2020 12:10:36, x.x.x.x, %ASA-6-722055:, Group <Default>, User <user2>, IP <x.x.x.x>, Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x
Aug 30 2020 12:10:27, x.x.x.x, %ASA-6-722055:, Group <Default>, User <user4>, IP <x.x.x.x>, Client Type: Cisco AnyConnect VPN Agent for Windows 4.y.y
Aug 31 2020 12:10:14, x.x.x.x, %ASA-6-722055:, Group <Default>, User <user6>, IP <x.x.x.x>, Client Type: Cisco AnyConnect VPN Agent for Windows 4.y.y"
| multikv forceheader=1
| rex field=CT "Windows (?<CT_Version>\d+\.\w+\.\w+)"
| eval _time = strptime(time, "%b %d %Y %T")
| rename COMMENT as "Above prepare sample, below creates result"
| timechart span=1d count by CT_Version

r. Ismo

ITWhisperer
Ultra Champion

Another stats clause would get you the counts by version:

...
| stats count by version

You could set up a summary index, adding to it on a daily basis, then build your chart based on the values in this index.
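A complete search for the daily "users by version of their most recent login" requirement, added here as an example; it is not taken from either answer above. It assumes the `user` and `AnyConnectVersion` fields are extracted as in the poster's CSV and that the events sit in index `network` with sourcetype `cisco:asa`; the per-user carry-forward across days (`filldown`) is the step that turns per-day login counts into "which version is each user currently on".

```spl
index=network sourcetype="cisco:asa" message_id=722055 earliest=-30d@d latest=@d
| timechart span=1d latest(AnyConnectVersion) BY user limit=0 useother=f usenull=f
| filldown
| untable _time user version
| where isnotnull(version)
| stats dc(user) AS users BY _time version
| xyseries _time version users
```

Each result row is one day and each column one version, holding the number of users whose most recent login up to that day used it. A user whose last login predates the search window is not counted at all, so widen `earliest` or feed a summary index daily, as suggested above, if 30 days is too short for your user base.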