Tracking how long someone has been logged into a w...

rcastello · ‎12-03-2018

Hello,

I'm attempting to figure out how long an employee has been logged into their laptop in a given day. I started with the following, with the * representing the user:

index=* source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name="*"

Then, I added a table pipe:

| table _time Account* Logon*

I get a decent chart that displays their logon activity throughout the day, but I was wondering if there was more efficient way to perform this, say showing logon and logoff activity.

Thank you.

kmorris_splunk · ‎12-03-2018

You could try using the transaction command with startswith and endswith params. Each transactional event will have a new field called duration. You could then do a stats command summing the duration by Account_Name to get the total for the day. People may log in and out many times during the day.

I haven't tested this, but hoping it leads you in the right direction.

index= source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=""
| transaction Account_Name startswith=eval(EventCode=4624) endswith=eval(EventCode=4634)
| stats sum(duration) by Account_Name

Tracking how long someone has been logged into a workstation in a given day

Splunk Observability Cloud | Customer Survey!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

Starting With Observability: OpenTelemetry Best Practices