@PickleRick & @ITWhisperer thank you both for the replies, I understand there are other topics in the forum but all rely as you mentioned on a login/logout field, which is not present in my raw data...
See more...
@PickleRick & @ITWhisperer thank you both for the replies, I understand there are other topics in the forum but all rely as you mentioned on a login/logout field, which is not present in my raw data, this is why I am calculating based on if there are events. Sample of raw data: Jun 24 15:01:20 10.50.8.100 1 2024-06-24T15:01:20+03:00 pafw01.company.com.sa - - - - 1,2024/06/24 15:01:19,007959000163983,TRAFFIC,end,2561,2024/06/24 15:01:19,192.168.44.43,10.130.11.2,0.0.0.0,0.0.0.0,GP-Access-Organization-Services-Applications,company\user1,,ssl,vsys1,GP-VPN,Trust,tunnel.21,ethernet1/4,splunk-forwarding,2024/06/24 15:01:19,1269402,1,61723,443,0,0,0x47a,tcp,allow,33254,13498,19756,210,2024/06/24 14:36:36,1454,White-List,,7352086992805546250,0x0,192.168.0.0-192.168.255.255,10.0.0.0-10.255.255.255,,105,105,tcp-rst-from-client,0,0,0,0,,pafw01,from-policy,,,0,,0,,N/A,0,0,0,0,09a8fe83-e848-4cbb-bdff-0d35a4ce96b2,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2024-06-24T15:01:20.681+03:00,,,encrypted-tunnel,networking,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,ssl,no,no,0