Splunk Lantern

Successful VPN logins over time

You might need to know how many successful logins to your VPN there were when doing the following:

Prerequisites 

To succeed in implementing this use case, you need the following dependencies, resources, and information.

Example

Your workforce is fully remote. To ensure network security, you want to report on how many successful logins to your VPN there were over certain time periods each day.

To optimize the search shown below, you should specify a time range. 

  1. Run the following search:
| tstats prestats=t count FROM datamodel=Authentication WHERE (index=main OR index=firewall) BY _time Authentication.action span=1h
| timechart span=1d count BY Authentication.action
| eval "Success Rate %" = round(success/(success+failure)*100,2)
| rename failure AS "Failure", success AS "Success"

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search / Explanation

| tstats prestats=t count FROM datamodel=Authentication WHERE (index=main OR index=firewall) BY _time Authentication.action span=1h

Search the main and firewall indexes for authentication actions and group the results in one-hour increments. Set prestats to true so the results can be sent to a chart.

| timechart span=1d count BY Authentication.action

Create a chart that shows the count of authentications bucketed into one-day increments.

| eval "Success Rate %" = round(success/(success+failure)*100,2)

Calculate successful logins as a percentage of all successful and failed logins, rounded to two decimals.

| rename failure AS "Failure", success AS "Success"

Rename the fields as shown for better readability.

Result

This search returns a table and chart of successful VPN logins each day over the specified time frame. Correlate this information with the results of other searches to determine what is normal or anomalous activity on your network. 
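
The daily bucketing and success-rate arithmetic of this search, reproduced in Python as an added example (not part of the original article and not Splunk's own code) so the numbers can be checked against exported events outside Splunk. The sample events, the UTC day boundary, and the flag_outliers baseline rule with its threshold are assumptions of this example.

```python
# Added example (not Splunk's code): offline model of the search's daily math.
from collections import Counter, defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample data: day -> (success count, failure count).
CONSTRUCTED_DAILY = {
    "2024-03-01": (40, 3), "2024-03-02": (42, 2), "2024-03-03": (38, 4),
    "2024-03-04": (41, 0), "2024-03-05": (39, 3), "2024-03-06": (40, 2),
    "2024-03-07": (5, 30),
}
# Expand to one (ISO 8601 timestamp, Authentication.action) tuple per event.
SAMPLE_EVENTS = [
    (f"{day}T{i % 24:02d}:00:00+00:00", action)
    for day, (ok, bad) in CONSTRUCTED_DAILY.items()
    for action, n in (("success", ok), ("failure", bad))
    for i in range(n)
]

def daily_summary(events):
    """Count events per UTC day and action, then apply the search's eval."""
    buckets = defaultdict(Counter)
    for ts, action in events:
        day = datetime.fromisoformat(ts).astimezone(timezone.utc).date()
        buckets[day][action] += 1
    rows = []
    for day in sorted(buckets):
        ok, bad = buckets[day]["success"], buckets[day]["failure"]
        total = ok + bad
        # No success or failure events that day: the rate is undefined.
        rate = round(ok / total * 100, 2) if total else None
        rows.append({"day": day.isoformat(), "Success": ok,
                     "Failure": bad, "Success Rate %": rate})
    return rows

def flag_outliers(rows, threshold=2.0):
    """Assumed rule, not from the page: flag days whose Success count lies
    more than `threshold` population standard deviations from the mean."""
    counts = [r["Success"] for r in rows]
    if len(counts) < 2 or pstdev(counts) == 0:
        return []
    mu, sigma = mean(counts), pstdev(counts)
    return [r["day"] for r in rows if abs(r["Success"] - mu) / sigma > threshold]

if __name__ == "__main__":
    summary = daily_summary(SAMPLE_EVENTS)
    for row in summary:
        print(row)
    print("Days to review:", flag_outliers(summary))
```

A day with zero failures still yields a rate (100.0), while a day with neither action yields None instead of a misleading 0.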
