I apologize if this has been asked and answered. I tried searching the forum but couldn't find the answer (it might have been that I don't know what to search for).
We are logging VPN logins and I have a requirement to track the client version over time as we upgrade it. I have a log message that has both user and version and am trying to plot a daily chart that shows the number of users whose last login was with each version of the software. So far I have:
| stats first(Version) AS version by User
Which looks like it gives me a table of the last version that each user logged in with, but first of all, it doesn't seem super efficient.
I am also lost on how to:
- Turn it into count of the number of entries for each version
- Chart this for past values
Hi
could you give an anonymized sample so the community could better help you?
r. Ismo
Sample of the logs? or something else?
Yes, at least a sample of the logs and maybe your query.
r. Ismo
Thanks for getting back to me. I have attached a few rows of our logs and extracted fields in csv format.
We are in the process of upgrading our software (AnyConnectVersion) from 4.x.x to 4.y.y. Management is asking for a graphic to show how many users (ACVersionUsername) are on each version on a daily basis.
The only way that I can think of how to get this is to check AnyConnectVersion for each user on their last connection.
The search ‘| stats first(ACVersion) AS version by ACVersionUsername’ seems to give me a table with each user's last version for today, but I can't seem to figure out how to:
Any help you could give would be appreciated. I'm trying to learn Splunk but since it's not my primary duty, I can't put as much time into learning it as I would like.
ACVersion,ACVersionIPAddress,ACVersionUsername,AnyConnectVersion,"Cisco_ASA_action","Cisco_ASA_message_id","Cisco_ASA_user",GroupPolicy,"_raw","_time",action,app,bytes,"change_class","change_description","change_type","date_hour","date_mday","date_minute","date_month","date_second","date_wday","date_year","date_zone",description,dest,"dest_dns",duration,dvc,eventtype,group,host,"ids_type",index,linecount,"log_level","message_id",msg,object,"object_type",product,punct,rule,"severity_level",source,sourcetype,"splunk_server","splunk_server_group",src,"src_dns","src_ip",tag,"tag::eventtype",timeendpos,timestartpos,transport,user,vendor,"vendor_class","vendor_definition"
"Windows 4.x.x","x.x.x.x",user1,"4.x.x",,722055,user1,"Default","Aug 31 12:10:37 x.x.x.x %ASA-6-722055: Group <Default> User <user1> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x","2020-08-31T08:10:37.000-0400",,AAA,,,,,12,31,10,august,37,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user1> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user1,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user2,"4.x.x",,722055,user2,"Default","Aug 31 12:10:36 x.x.x.x %ASA-6-722055: Group <Default> User <user2> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x","2020-08-31T08:10:36.000-0400",,AAA,,,,,12,31,10,august,36,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user2> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user2,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user3,"4.x.x",,722055,user3,"Default","Aug 31 12:10:30 x.x.x.x %ASA-6-722055: Group <Default> User <user3> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x","2020-08-31T08:10:30.000-0400",,AAA,,,,,12,31,10,august,30,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user3> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user3,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user4,"4.y.y",,722055,user4,"Default","Aug 31 12:10:27 x.x.x.x %ASA-6-722055: Group <Default> User <user4> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.y.y","2020-08-31T08:10:27.000-0400",,AAA,,,,,12,31,10,august,27,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user4> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.y.y",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user4,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user5,"4.x.x",,722055,user5,"Default","Aug 31 12:10:17 x.x.x.x %ASA-6-722055: Group <Default> User <user5> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x","2020-08-31T08:10:17.000-0400",,AAA,,,,,12,31,10,august,17,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user5> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user5,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user6,"4.y.y",,722055,user6,"Default","Aug 31 12:10:14 x.x.x.x %ASA-6-722055: Group <Default> User <user6> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.y.y","2020-08-31T08:10:14.000-0400",,AAA,,,,,12,31,10,august,14,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user6> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.y.y",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user6,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user7,"4.x.x",,722055,user7,"Default","Aug 31 12:10:11 x.x.x.x %ASA-6-722055: Group <Default> User <user7> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x","2020-08-31T08:10:11.000-0400",,AAA,,,,,12,31,10,august,11,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user7> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user7,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user8,"4.x.x",,722055,user8,"Default","Aug 31 12:10:03 x.x.x.x %ASA-6-722055: Group <Default> User <user8> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x","2020-08-31T08:10:03.000-0400",,AAA,,,,,12,31,10,august,3,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user8> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user8,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user9,"4.x.x",,722055,user9,"Default","Aug 31 12:10:01 x.x.x.x %ASA-6-722055: Group <Default> User <user9> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x","2020-08-31T08:10:01.000-0400",,AAA,,,,,12,31,10,august,1,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user9> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user9,Cisco,svc,"SSL VPN Client"
"Windows 4.x.x","x.x.x.x",user10,"4.x.x",,722055,user10,"Default","Aug 31 12:10:00 x.x.x.x %ASA-6-722055: Group <Default> User <user10> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x","2020-08-31T08:10:00.000-0400",,AAA,,,,,12,31,10,august,0,monday,2020,0,"Informational messages only",,,,"x.x.x.x","cisco_vpn",,"x.x.x.x",network,network,1,6,722055,"Group <Default> User <user10> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x",,,ASA,"__::_..._%--:__<>__<>__<...>__:_______..",,informational,"/data/splunk/SSD/logs/network/x.x.x.x/2020-08-31-network.log","cisco:asa","splunk-host2",,"x.x.x.x",,"x.x.x.x","network
session
vpn","network
session
vpn",15,0,,user10,Cisco,svc,"SSL VPN Client"
Hi
based on your examples (I just took some of the lines and changed them a little).
index=_internal
| head 1
| eval _raw ="time,src,ASA_Version, GP, User, dst, CT
Aug 31 2020 12:10:37, x.x.x.x, %ASA-6-722055:, Group <Default>, User <user1>, IP <x.x.x.x>, Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x
Aug 31 2020 12:10:36, x.x.x.x, %ASA-6-722055:, Group <Default>, User <user2>, IP <x.x.x.x>, Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x
Aug 30 2020 12:10:27, x.x.x.x, %ASA-6-722055:, Group <Default>, User <user4>, IP <x.x.x.x>, Client Type: Cisco AnyConnect VPN Agent for Windows 4.y.y
Aug 31 2020 12:10:14, x.x.x.x, %ASA-6-722055:, Group <Default>, User <user6>, IP <x.x.x.x>, Client Type: Cisco AnyConnect VPN Agent for Windows 4.y.y"
| multikv forceheader=1
| rex field=CT "Windows (?<CT_Version>\d+\.\w+\.\w+)"
| eval _time = strptime(time, "%b %d %Y %T")
| rename COMMENT as "Above prepare sample, below creates result"
| timechart span=1d count by CT_Version
r. Ismo
Another stats clause would get you the counts by version:
...
| stats count by version
You could set up a summary index, adding to it on a daily basis, then build your chart based on the values in this index.
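As an added example (not code from the thread), here is the asker's requirement worked in Python over constructed %ASA-6-722055 lines: it contrasts counting logins per version per day, which is what the timechart above reports, with counting users by the version of their last login, which needs per-user state carried forward across days (the summary-index suggestion above is the SPL route for that). The year in the timestamp and the parsing regex are assumptions modelled on Ismo's sample.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the %ASA-6-722055 shape from the thread (year added, as in
# Ismo's version); this is not the thread's attachment.
SAMPLE_LOGS = """\
Aug 30 2020 09:01:10 x.x.x.x %ASA-6-722055: Group <Default> User <user1> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x
Aug 30 2020 09:05:42 x.x.x.x %ASA-6-722055: Group <Default> User <user2> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x
Aug 30 2020 17:30:00 x.x.x.x %ASA-6-722055: Group <Default> User <user1> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.y.y
Aug 31 2020 12:10:14 x.x.x.x %ASA-6-722055: Group <Default> User <user2> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.y.y
Aug 31 2020 12:10:37 x.x.x.x %ASA-6-722055: Group <Default> User <user3> IP <x.x.x.x> Client Type: Cisco AnyConnect VPN Agent for Windows 4.x.x
"""

# Same capture as the thread's rex: the version is the "d.w.w" token after "Windows".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d) \S+ %ASA-6-722055: Group <[^>]*> "
    r"User <(?P<user>[^>]+)> IP <[^>]*> Client Type: .*Windows (?P<version>\d+\.\w+\.\w+)$"
)


def parse_logins(text):
    """Return (timestamp, user, version) tuples in time order; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
            events.append((ts, m["user"], m["version"]))
    return sorted(events)


def logins_per_version_per_day(events):
    """Login counts per day and version, i.e. what '| timechart span=1d count by CT_Version'
    reports: a user who reconnects is counted once per login, not once per user."""
    out = defaultdict(Counter)
    for ts, _, version in events:
        out[ts.date().isoformat()][version] += 1
    return {day: dict(c) for day, c in out.items()}


def users_by_last_version(events):
    """Per day, the number of users whose most recent login up to that day used each
    version; users who did not connect that day keep their last-seen version."""
    last_version, result, i = {}, {}, 0
    for day in sorted({ts.date() for ts, _, _ in events}):
        while i < len(events) and events[i][0].date() <= day:
            _, user, version = events[i]
            last_version[user] = version
            i += 1
        result[day.isoformat()] = dict(Counter(last_version.values()))
    return result
```

On the sample, 30 Aug shows two 4.x.x logins but only one user still on 4.x.x, because user1 upgraded the same afternoon.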