Skip to main content
 
Splunk Lantern

Number of active VPN sessions

 

Your workforce is fully remote. To ensure network security, you want to report on how many active VPN sessions there are on your network at certain times of the day.  

Required data

VPN data, normalized to the Network Sessions data Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.

Procedure

Run the following search. You can optimize it by specifying a time range.

| tstats count(All_Sessions.user) FROM datamodel=Network_Sessions WHERE `rw_vpn_indexes` nodename=All_Sessions.VPN

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
| tstats count(All_Sessions.user) FROM datamodel=Network_Sessions WHERE `rw_vpn_indexes` nodename=All_Sessions.VPN

Search the All_sessions data set for users in a VPN network session event.

Next steps

This search returns a simple count of all active VPN sessions during the time you specify. Correlate this information with the results of other searches to determine what is normal or anomalous activity on your network. 

Finally, you might be interested in other processes associated with the Securing a work-from-home organization use case.