Hello everybody. I need your help. I do not know all the functionality of Splunk so well, but I was given the task of monitoring the VPN connection. I've been sitting on this task for a while now, and I'm almost done. But I cannot decide the last point. As in the picture below, I was able to collect some information. As in the first picture, I was able to subtract the time from the start to the end of each session. But if you run the search as "for the whole day", then there is no information about sessions that have not yet closed and that start at 23:00 and end at 2:00, for example.

Search string (the OR'ed message_id terms are grouped in parentheses, since SPL binds AND tighter than OR; the field names "secund" and "tuday" are spelled out as "seconds" and "today"):

    sourcetype=cisco:asa (message_id=722051 OR message_id=113019 OR message_id=722011) user=zhanali
    | eval session_info = if((message_id = "113019" OR message_id = "722011"), "session_end", "session_start")
    | transaction startswith=eval(session_info="session_start") endswith=eval(session_info="session_end")
    | eval end_time = _time + duration
    | eval duration1 = tostring(duration, "duration")
    | stats count as "all session number" list(_time) as "start of sessions" list(end_time) as "end of sessions" list(duration1) as "durations per session" sum(duration) as seconds by Username
    | eval "full time for today" = tostring(seconds, "duration")
    | fields - seconds
    | convert ctime("start of sessions")
    | convert ctime("end of sessions")

Result:

Here 113019 means disconnect, 722011 reconnect and 722051 session assigned. This means that after a reconnect, a syslog "session assigned" comes again. How can I get and display the previously mentioned time intervals as start 23:00 / end 00:00 and start 00:00 / end 2:00? And more about active sessions, like "session active"? Below is the information about the first and last activity:

Please, HELP ME!
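As an added illustration (not part of the post, and not Splunk code), the pairing and clipping logic the question asks for, written in Python over a constructed sample of ASA-style events: a start (722051) is paired with the next end (113019 or 722011) for the same user, a start with no end is reported as still active and clipped at "now", and every session is clipped to the reporting day so a 23:00-02:00 session shows up as 23:00-00:00 on one day and 00:00-02:00 on the next. The message-ID meanings are taken from the post; the record layout and timestamps are assumed.

```python
from datetime import datetime, timedelta

# Message-ID meaning as stated in the post: 722051 = session assigned (start);
# 113019 = disconnect and 722011 = reconnect are both treated as an end,
# because a reconnect is followed by a fresh 722051.
START_IDS = {"722051"}
END_IDS = {"113019", "722011"}

# Constructed sample, "<iso-timestamp> <message_id> <user>" (not real ASA syslog)
LOG = [
    "2023-05-01T23:00:00 722051 zhanali",   # starts the day before
    "2023-05-02T02:00:00 113019 zhanali",   # ... and ends after midnight
    "2023-05-02T09:30:00 722051 zhanali",
    "2023-05-02T10:00:00 722011 zhanali",   # reconnect = end of this session
    "2023-05-02T10:00:05 722051 zhanali",   # new session, never closed
]
NOW = "2023-05-02T12:00:00"                 # assumed time the report is run

def parse_events(lines):
    """Turn the constructed records into sorted (time, message_id, user) tuples."""
    return sorted((datetime.fromisoformat(t), m, u)
                  for t, m, u in (line.split() for line in lines))

def build_sessions(events):
    """Pair each start with the next end of the same user; an unmatched start
    is an active session and gets end=None."""
    open_start, sessions = {}, []
    for ts, mid, user in events:
        if mid in START_IDS:
            open_start[user] = ts
        elif mid in END_IDS and user in open_start:
            sessions.append((user, open_start.pop(user), ts))
    sessions.extend((user, ts, None) for user, ts in open_start.items())
    return sessions

def daily_report(day, lines=LOG, now=NOW):
    """Clip every session to [day, day+24h); an open session is clipped at
    'now' and flagged active. Sessions outside the day are dropped."""
    day_start = datetime.fromisoformat(day)
    day_end, now_ts = day_start + timedelta(days=1), datetime.fromisoformat(now)
    rows = []
    for user, start, end in build_sessions(parse_events(lines)):
        s, e = max(start, day_start), min(end or now_ts, day_end)
        if e <= s:
            continue  # session lies entirely outside the reporting day
        rows.append({"user": user, "start": s, "end": e, "active": end is None,
                     "seconds": int((e - s).total_seconds())})
    return rows
```

The same clipping works in SPL by searching a wider time range than the reporting day and then taking max(_time, day start) and min(end_time, day end) per transaction, with a null end_time meaning the session is still active.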