I need to build a timechart of the concurrent VPN users connected to my Cisco ASA, like the one shown below:
Another timechart screenshot is here: https://drive.google.com/file/d/1dW8nyG3dz3GbPiXuiXZofuhccoHpEHSP/view?usp=sharing
In Splunk this was made possible by the great query posted here: https://community.splunk.com/t5/Splunk-Search/Concurrent-Active-VPN-Sessions-on-a-Timechart/mp/493141#M137524
If I have to use the same logic to reach the expected result, I only need your help converting the following part of the above Splunk query to KQL:
| sort 0 _time
| eval time2=_time
| bin span=20m time2
| eval time2=if(status="disconnected",NULL,time2)
| eval _time=coalesce(time2,_time)
| streamstats count(eval(status="assigned")) as session by user
| stats values(eval(if(status="assigned",round(_time),NULL))) as start values(eval(if(status="disconnected",round(_time),NULL))) as end by user session
| eval timerange=mvrange(start,end,1200)
| mvexpand timerange
| rename timerange as _time
| timechart span=20m count(user)
Expected output (from Splunk): https://drive.google.com/file/d/11F5p_zOGlgenIqVsToXiPlL2UplSIRNa/view?usp=sharing
Sample data (from Sentinel, already parsed): https://drive.google.com/file/d/1wzansi1MfCnUylNHSeUHiw8POIxzS4q_/view?usp=sharing
Yes, we had to switch from Splunk to Azure Sentinel. (Don't ask why.)
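One possible KQL rendering of the Splunk pipeline above, added here as an example and not taken from the post or the linked thread; it assumes a hypothetical parsed table VpnSessions_CL with columns TimeGenerated, user_s and status_s (values "assigned" / "disconnected"), and deliberately goes one step beyond the Splunk logic by counting sessions that have not disconnected yet up to the present.

```kql
// Added example, not from the post: KQL equivalent of the Splunk pipeline.
// Assumed (hypothetical) table and columns: VpnSessions_CL with TimeGenerated,
// user_s (VPN user name) and status_s ("assigned" when a session gets its
// address, "disconnected" when it ends). Rename to match the parsed Sentinel data.
let binSize = 20m;
VpnSessions_CL
| where TimeGenerated > ago(7d)          // assumed lookback window
| where status_s in ("assigned", "disconnected")
// Serialize, then number sessions per user: every "assigned" event starts a new
// session (equivalent of streamstats count(eval(status="assigned")) by user).
| order by user_s asc, TimeGenerated asc
| extend session = row_cumsum(iff(status_s == "assigned", 1, 0), user_s != prev(user_s))
// Session start is snapped to the 20m bin, as the Splunk bin on time2 does;
// the disconnect keeps its exact time (coalesce(time2,_time)).
| summarize start = minif(bin(TimeGenerated, binSize), status_s == "assigned"),
            end   = minif(TimeGenerated, status_s == "disconnected")
          by user_s, session
| where isnotnull(start)
// Splunk's mvrange silently drops sessions with no disconnect yet; here a still-open
// session is counted up to now(). Use `where isnotnull(end)` for the exact Splunk behaviour.
| extend end = coalesce(end, now())
// One row per 20m slot the session spans (mvrange(start,end,1200) + mvexpand).
// range() includes `end`, so the where clause restores mvrange's exclusive upper bound.
| extend slot = range(start, end, binSize)
| mv-expand slot to typeof(datetime)
| where slot < end
// count() mirrors timechart count(user); use dcount(user_s) for distinct users per slot.
| summarize concurrent = count() by bin(slot, binSize)
| render timechart
```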