Splunk Search

Trend of latest value per user

macd0170
New Member

I apologize if this has been asked and answered.  I tried searching the forum but couldn't find the answer (it might have been that I don't know what to search for).

We are logging VPN logins and I have a requirement to track the client version over time as we upgrade it.  I have a log message that has both user and version and am trying to plot a daily chart that shows the number of users whose last login was with each version of the software.  So far I have:

| stats first(Version) AS version by User

Which looks like it gives me a table of the last version that each user logged in with but first of all, it doesn't seem super efficient.

I am also lost on how to:

- Turn it into count of the number of entries for each version
- Chart this for past values

0 Karma

isoutamo
SplunkTrust

Hi

could you give an anonymized sample so the community could better help you?

r. Ismo

0 Karma

macd0170
New Member

Sample of the logs?  or something else?

0 Karma

isoutamo
SplunkTrust

Yes, at least a sample of logs and maybe your query.

r. Ismo

0 Karma

macd0170
New Member

Thanks for getting back to me.  I have attached a few rows of our logs and extracted fields in csv format.

We are in the process of upgrading our software (AnyConnectVersion) from 4.x.x to 4.y.y.  Management is asking for a graphic to show how many users (ACVersionUsername) are on each version on a daily basis.

The only way that I can think of how to get this is to check AnyConnectVersion for each user on their last connection.

The search ‘| stats first(ACVersion) AS version by ACVersionUsername’ seems to give me a table with each user's last version for today but I can’t seem to figure out how to:

  • Get the count of each version
  • Get the count of each version in the past
  • Plot these on a chart including the results for the past X number of days.

Any help you could give would be appreciated.  I’m trying to learn Splunk but since it’s not my primary duty, I can’t put as much time into learning it as I would like.

ACVersion,ACVersionIPAddress,ACVersionUsername,AnyConnectVersion,"Cisco_ASA_action","Cisco_ASA_message_id","Cisco_ASA_user",GroupPolicy,"_raw","_time",action,app,bytes,"change_class","change_description","change_type","date_hour","date_mday","date_minute","date_month","date_second","date_wday","date_year","date_zone",description,dest,"dest_dns",duration,dvc,eventtype,group,host,"ids_type",index,linecount,"log_level","message_id",msg,object,"object_type",product,punct,rule,"severity_level",source,sourcetype,"splunk_server","splunk_server_group",src,"src_dns","src_ip",tag,"tag::eventtype",timeendpos,timestartpos,transport,user,vendor,"vendor_class","vendor_definition"
"Windows 4.x.x","x.x.x.x",user1,"4.x.x",,722055,user1,"Default","Aug 31 12:10:37 x.x.x.x %ASA-6-722055: Group <Default> User <user1> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x","2020-08-31T08:10:37.000-0400",,AAA,,,,,12,31,10,august,37,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user1> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user1,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user2,"4.x.x",,722055,user2,"Default","Aug 31 12:10:36 x.x.x.x %ASA-6-722055: Group <Default> User <user2> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x","2020-08-31T08:10:36.000-0400",,AAA,,,,,12,31,10,august,36,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user2> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user2,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user3,"4.x.x",,722055,user3,"Default","Aug 31 12:10:30 x.x.x.x %ASA-6-722055: Group <Default> User <user3> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x","2020-08-31T08:10:30.000-0400",,AAA,,,,,12,31,10,august,30,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user3> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user3,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user4,"4.y.y",,722055,user4,"Default","Aug 31 12:10:27 x.x.x.x %ASA-6-722055: Group <Default> User <user4> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.y.y","2020-08-31T08:10:27.000-0400",,AAA,,,,,12,31,10,august,27,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user4> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.y.y",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user4,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user5,"4.x.x",,722055,user5,"Default","Aug 31 12:10:17 x.x.x.x %ASA-6-722055: Group <Default> User <user5> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x","2020-08-31T08:10:17.000-0400",,AAA,,,,,12,31,10,august,17,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user5> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user5,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user6,"4.y.y",,722055,user6,"Default","Aug 31 12:10:14 x.x.x.x %ASA-6-722055: Group <Default> User <user6> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.y.y","2020-08-31T08:10:14.000-0400",,AAA,,,,,12,31,10,august,14,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user6> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.y.y",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user6,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user7,"4.x.x",,722055,user7,"Default","Aug 31 12:10:11 x.x.x.x %ASA-6-722055: Group <Default> User <user7> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x","2020-08-31T08:10:11.000-0400",,AAA,,,,,12,31,10,august,11,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user7> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user7,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user8,"4.x.x",,722055,user8,"Default","Aug 31 12:10:03 x.x.x.x %ASA-6-722055: Group <Default> User <user8> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x","2020-08-31T08:10:03.000-0400",,AAA,,,,,12,31,10,august,3,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user8> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user8,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user9,"4.x.x",,722055,user9,"Default","Aug 31 12:10:01 x.x.x.x %ASA-6-722055: Group <Default> User <user9> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x","2020-08-31T08:10:01.000-0400",,AAA,,,,,12,31,10,august,1,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user9> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user9,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user10,"4.x.x",,722055,user10,"Default","Aug 31 12:10:00 x.x.x.x %ASA-6-722055: Group <Default> User <user10> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x","2020-08-31T08:10:00.000-0400",,AAA,,,,,12,31,10,august,0,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user10> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user10,Cisco,svc,"SSL VPN Client"

0 Karma

isoutamo
SplunkTrust

Hi

based on your examples (I just took some of the lines and changed them a little).

index=_internal
| head 1
| eval _raw ="time,src,ASA_Version, GP, User, dst, CT
Aug 31 2020 12:10:37, x.x.x.x, %ASA-6-722055:, Group <Default>, User <user1>, IP <x.x.x.x>, Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x
Aug 31 2020 12:10:36, x.x.x.x, %ASA-6-722055:, Group <Default>, User <user2>, IP <x.x.x.x>, Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x
Aug 30 2020 12:10:27, x.x.x.x, %ASA-6-722055:, Group <Default>, User <user4>, IP <x.x.x.x>, Client Type: Cisco AnyConnect VPN Agent for Windows 4.y.y
Aug 31 2020 12:10:14, x.x.x.x, %ASA-6-722055:, Group <Default>, User <user6>, IP <x.x.x.x>, Client Type: Cisco AnyConnect VPN Agent for Windows 4.y.y"
| multikv forceheader=1
| rex field=CT "Windows (?<CT_Version>\d+\.\w+\.\w+)"
| eval _time = strptime(time, "%b %d %Y %T")
| rename COMMENT as "Above prepare sample, below creates result"
| timechart span=1d count by CT_Version

r. Ismo 

0 Karma

ITWhisperer
SplunkTrust

Another stats clause would get you the counts by version

...
| stats count by version

You could set up a summary index adding to it on a daily basis, then build your chart based on the values in this index 

0 Karma
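To make the requested computation concrete, here is an added example (not code from the thread or from Splunk): for each calendar day it takes every user's most recent AnyConnect version up to and including that day, carrying forward users who did not log in that day, and then counts users per version. The log lines are constructed in the %ASA-6-722055 shape quoted above; the `year` argument is an assumption, because ASA syslog timestamps carry no year.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in the %ASA-6-722055 shape quoted in the thread (not real data).
SAMPLE_LOGS = [
    "Aug 29 09:00:00 x.x.x.x %ASA-6-722055: Group <Default> User <user1> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",
    "Aug 29 09:05:00 x.x.x.x %ASA-6-722055: Group <Default> User <user2> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",
    "Aug 30 10:00:00 x.x.x.x %ASA-6-722055: Group <Default> User <user1> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.y.y",
    "Aug 31 12:10:14 x.x.x.x %ASA-6-722055: Group <Default> User <user3> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.y.y",
    "Aug 31 12:10:37 x.x.x.x %ASA-6-722055: Group <Default> User <user2> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",
    "Aug 31 12:11:00 x.x.x.x %ASA-6-113005: AAA user authentication Rejected",  # unrelated message, must be ignored
]

# Same version pattern as the thread's rex; the timestamp has no year (ASA syslog format).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-722055: .*"
    r"User <(?P<user>[^>]+)> .*for Windows (?P<version>\d+\.\w+\.\w+)$"
)

def parse_logins(lines, year=2020):
    """Return (timestamp, user, version) tuples sorted by time; year is assumed since the log lacks it."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # skip anything that is not a 722055 client-type message
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["version"]))
    return sorted(events)

def daily_version_counts(lines, year=2020):
    """For each day in range: number of users whose most recent login up to that day used each version.
    Users who did not log in on a given day keep the version of their last earlier login."""
    events = parse_logins(lines, year)
    if not events:
        return {}
    latest = {}   # user -> version of the most recent login seen so far
    result = {}   # 'YYYY-MM-DD' -> {version: user count}
    day, last_day, i = events[0][0].date(), events[-1][0].date(), 0
    while day <= last_day:
        while i < len(events) and events[i][0].date() <= day:
            latest[events[i][1]] = events[i][2]   # a later login overwrites the earlier one
            i += 1
        result[day.isoformat()] = dict(Counter(latest.values()))
        day += timedelta(days=1)
    return result

if __name__ == "__main__":
    for day, counts in daily_version_counts(SAMPLE_LOGS).items():
        print(day, counts)
```

The per-day table this produces is exactly what a daily summary-index row would hold; charting it by version gives the upgrade trend the question asks for.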