Skip to main content
Registration for .conf24 is open! Join us June 11-14 in Las Vegas.
Splunk Lantern

Successful VPN logins over time


Your workforce is fully remote. To ensure network security, you want to report on how many successful logins to your VPN there were over certain time periods each day. 

Required data

Authentication data, normalized to the Authentication data Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.


Run the following search. You can optimize it by specifying a time range​​​​​​​.

| tstats prestats=t count FROM datamodel=Authentication WHERE index=main OR index=firewall BY _time Authentication.action span=1h
| timechart span=1d count BY Authentication.action
| eval "Success Rate %" = round(success/(success+failure)*100,2)
| rename failure AS "Failure", success AS "Success"

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
| tstats prestats=t count FROM datamodel=Authentication WHERE (index=main OR index=firewall) BY _time Authentication.action span=1h

Search the main and firewall indexes for authentication actions and group the results in one-hour increments. Set prestats to true so the results can be sent to a chart.

| timechart span=1d count BY Authentication.action Create a chart that shows the count of authentications bucketed into one day increments.
| eval "Success Rate %" = round(success/(success+failure)*100,2) Calculate the percentage of total successful logins, rounded to two decimals.
| rename failure AS "Failure", success AS "Success" Rename the fields as shown for better readability.

Next steps

This search returns a table and chart of successful VPN logins each day over the specified time frame. Correlate this information with the results of other searches to determine what is normal or anomalous activity on your network. 

Finally, you might be interested in other processes associated with the Securing a work-from-home organization use case.