topic Re: Logon Duration in Splunk Enterprise

Logon Duration

itsmevic — Tue, 05 Jan 2021 22:39:11 GMT

I'd like to get the logon/logoff duration times of just one user, what would be the best SPL to go with to determine this? Any help is greatly appreciated!

Re: Logon Duration

bowesmana — Tue, 05 Jan 2021 22:55:33 GMT

You need to give an example of your data, saying how time, user and logon/logoff state can be identified to get a good answer

Re: Logon Duration

itsmevic — Tue, 05 Jan 2021 23:02:09 GMT

I found the answer below and it works great. I just need to now convert the seconds to minutes.

index=* host=* user="username" sourcetype="WinEventLog:Security" EventCode="4624" OR EventCode=4634 | transaction user maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1 | eval Logontime=if(EventCode="4624",_time,null()) | eval Logofftime=Logontime+duration | convert ctime(Logontime) as Logontime | convert ctime(Logofftime) as Logofftime | table host, src_nt_host, user, Logontime, Logofftime, duration | sort user, host, -duration | rename duration AS "Duration (seconds)"

Re: Logon Duration

isoutamo — Tue, 05 Jan 2021 23:13:44 GMT

You could try eval/fieldformat duration = tostring(duration, “duration”)

Re: Logon Duration

bowesmana — Tue, 05 Jan 2021 23:21:12 GMT

@itsmevic

Be aware that the transaction command may not always give you expected results, particularly if you're dealing with large data sets, as there are memory constraints. You are using maxspan=-1, which means that for every logon that has no logoff, Splunk has to keep that initial logon data in memory until it finds a logoff. It may not be an issue in this case, but worth noting.

There are often easy alternatives to avoid using transaction that do not have the same constraints. See the 'Using stats instead of transaction' section here.

https://docs.splunk.com/Documentation/Splunk/8.1.1/Search/Abouttransactions