Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Trend of latest value per user

macd0170
New Member
‎08-30-2020 07:23 AM

I appologize if this has been asked and answered.  I tried searching the forum but couldn't find the answer (if might have been that I don't know what to search for).

We are logging VPN logins and I have a requirement to track the client version overtime as we upgrade it.  I have a log message that has both user and version and am trying to plot a daily chart that shows how the number of users who's last login was with each version of software.  So far I have:

| stats first(Version) AS version by User

Which looks like it gives me a table of the last version that each user logged in with but first of all, it doesn't seem super efficient.

I am also lost on how to:

- Turn it into count of the number of entries for each version
- Chart this for past values

Labels (2)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-30-2020 07:26 AM

Hi

could you give a anonymizes sample so community could better help you?

r. Ismo

0 Karma
Reply

macd0170
New Member
‎08-30-2020 07:39 AM

Sample of the logs?  or something else?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-30-2020 09:55 AM

Yes at least sample of logs and maybe your query.

r. Ismo

0 Karma
Reply

macd0170
New Member
‎08-31-2020 05:42 AM

Thanks for getting back to me.  I have attached a few rows of our logs and extracted fields in csv format.

We are in the process of upgrading our software (AnyConnectVersion) from 4.x.x to 4.y.y.  Management is asking for graphic to show how many users (ACVersionUsername) are on the each version on a daily basis.

The only way that I can think of how to get this is to check AnyConnectVersion for each user on their last connection.

The search ‘| stats first(ACVersion) AS version by ACVersionUsername’ seems to give me a table with each users last version for today but I can’t seem to figure out how to:

  • Get the count of each version
  • Get the count of each version in the past
  • Plot these on a chart including the results for the past X number of days.

Any help you could give would be appreciated.  I’m trying to learn splunk but since it’s not my primary duty, I can’t put as much time into learning is as I would like.

ACVersion,ACVersionIPAddress,ACVersionUsername,AnyConnectVersion,"Cisco_ASA_action","Cisco_ASA_message_id","Cisco_ASA_user",GroupPolicy,"_raw","_time",action,app,bytes,"change_class","change_description","change_type","date_hour","date_mday","date_minute","date_month","date_second","date_wday","date_year","date_zone",description,dest,"dest_dns",duration,dvc,eventtype,group,host,"ids_type",index,linecount,"log_level","message_id",msg,object,"object_type",product,punct,rule,"severity_level",source,sourcetype,"splunk_server","splunk_server_group",src,"src_dns","src_ip",tag,"tag::eventtype",timeendpos,timestartpos,transport,user,vendor,"vendor_class","vendor_definition"
"Windows 4.x.x","x.x.x.x",user1,"4.x.x",,722055,user1,"Default","Aug 31 12:10:37 x.x.x.x %ASA-6-722055: Group <Default> User <user1> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x","2020-08-31T08:10:37.000-0400",,AAA,,,,,12,31,10,august,37,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user1> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user1,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user2,"4.x.x",,722055,user2,"Default","Aug 31 12:10:36 x.x.x.x %ASA-6-722055: Group <Default> User <user2> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x","2020-08-31T08:10:36.000-0400",,AAA,,,,,12,31,10,august,36,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user2> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user2,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user3,"4.x.x",,722055,user3,"Default","Aug 31 12:10:30 x.x.x.x %ASA-6-722055: Group <Default> User <user3> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x","2020-08-31T08:10:30.000-0400",,AAA,,,,,12,31,10,august,30,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user3> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user3,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user4,"4.y.y",,722055,user4,"Default","Aug 31 12:10:27 x.x.x.x %ASA-6-722055: Group <Default> User <user4> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.y.y","2020-08-31T08:10:27.000-0400",,AAA,,,,,12,31,10,august,27,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user4> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.y.y",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user4,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user5,"4.x.x",,722055,user5,"Default","Aug 31 12:10:17 x.x.x.x %ASA-6-722055: Group <Default> User <user5> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x","2020-08-31T08:10:17.000-0400",,AAA,,,,,12,31,10,august,17,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user5> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user5,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user6,"4.y.y",,722055,user6,"Default","Aug 31 12:10:14 x.x.x.x %ASA-6-722055: Group <Default> User <user6> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.y.y","2020-08-31T08:10:14.000-0400",,AAA,,,,,12,31,10,august,14,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user6> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.y.y",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user6,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user7,"4.x.x",,722055,user7,"Default","Aug 31 12:10:11 x.x.x.x %ASA-6-722055: Group <Default> User <user7> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x","2020-08-31T08:10:11.000-0400",,AAA,,,,,12,31,10,august,11,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user7> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user7,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user8,"4.x.x",,722055,user8,"Default","Aug 31 12:10:03 x.x.x.x %ASA-6-722055: Group <Default> User <user8> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x","2020-08-31T08:10:03.000-0400",,AAA,,,,,12,31,10,august,3,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user8> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user8,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user9,"4.x.x",,722055,user9,"Default","Aug 31 12:10:01 x.x.x.x %ASA-6-722055: Group <Default> User <user9> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x","2020-08-31T08:10:01.000-0400",,AAA,,,,,12,31,10,august,1,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user9> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user9,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user10,"4.x.x",,722055,user10,"Default","Aug 31 12:10:00 x.x.x.x %ASA-6-722055: Group <Default> User <user10> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x","2020-08-31T08:10:00.000-0400",,AAA,,,,,12,31,10,august,0,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user10> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user10,Cisco,svc,"SSL VPN Client"

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-31-2020 06:56 AM

Hi

based on your examples (I just take some of lines and changed those little).

index=_internal
| head 1
| eval _raw ="time,src,ASA_Version, GP, User, dst, CT
Aug 31 2020 12:10:37, x.x.x.x, %ASA-6-722055:, Group <Default>, User <user1>, IP <x.x.x.x>, Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x
Aug 31 2020 12:10:36, x.x.x.x, %ASA-6-722055:, Group <Default>, User <user2>, IP <x.x.x.x>, Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x
Aug 30 2020 12:10:27, x.x.x.x, %ASA-6-722055:, Group <Default>, User <user4>, IP <x.x.x.x>, Client Type: Cisco AnyConnect VPN Agent for Windows 4.y.y
Aug 31 2020 12:10:14, x.x.x.x, %ASA-6-722055:, Group <Default>, User <user6>, IP <x.x.x.x>, Client Type: Cisco AnyConnect VPN Agent for Windows 4.y.y"
| multikv forceheader=1
| rex field=CT "Windows (?<CT_Version>\d+\.\w+\.\w+)"
| eval _time = strptime(time, "%b %d %Y %T")
| rename COMMENT as "Above prepare sample, below creates result"
| timechart span=1d count by CT_Version

r. Ismo 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-31-2020 06:39 AM

Another stats clause would get you the counts by version

...
| stats count by version

You could set up a summary index adding to it on a daily basis, then build your chart based on the values in this index 

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...