Skip to main content


Splunk Lantern

Number of active VPN sessions

You might need to know how many active VPN sessions there are on your network when doing the following:


To succeed in implementing this use case, you need the following dependencies, resources, and information.


Your workforce is fully remote. To ensure network security, you want to report on how many active VPN sessions there are on your network at certain times of the day.

To optimize the search shown below, you should specify a time range. 

  1. Run the following search:
| tstats count(All_Sessions.user) FROM datamodel=Network_Sessions WHERE `rw_vpn_indexes` nodename=All_Sessions.VPN

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
| tstats count(All_Sessions.user) FROM datamodel=Network_Sessions WHERE `rw_vpn_indexes` nodename=All_Sessions.VPN

Search the All_sessions data set for users in a VPN network session event.


This search returns a simple count of all active VPN sessions during the time you specify. Correlate this information with the results of other searches to determine what is normal or anomalous activity on your network. 

  • Was this article helpful?