Skip to main content

 

Splunk Lantern

Number of active VPN sessions

You might need to know how many active VPN sessions there are on your network when doing the following:

Prerequisites 

To succeed in implementing this use case, you need the following dependencies, resources, and information.

Example

Your workforce is fully remote. To ensure network security, you want to report on how many active VPN sessions there are on your network at certain times of the day.

To optimize the search shown below, you should specify a time range. 

  1. Run the following search:
| tstats count(All_Sessions.user) FROM datamodel=Network_Sessions WHERE `rw_vpn_indexes` nodename=All_Sessions.VPN

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
| tstats count(All_Sessions.user) FROM datamodel=Network_Sessions WHERE `rw_vpn_indexes` nodename=All_Sessions.VPN

Search the All_sessions data set for users in a VPN network session event.

Result

This search returns a simple count of all active VPN sessions during the time you specify. Correlate this information with the results of other searches to determine what is normal or anomalous activity on your network. 

  • Was this article helpful?