Building for the Splunk Platform

Tracking how long someone has been logged into a workstation in a given day



I'm attempting to figure out how long an employee has been logged into their laptop in a given day. I started with the following, with the * representing the user:

index=* source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name="*"

Then, I added a table pipe:

| table _time Account* Logon*

I get a decent chart that displays their logon activity throughout the day, but I was wondering if there was more efficient way to perform this, say showing logon and logoff activity.

Thank you.

Splunk Employee
Splunk Employee

You could try using the transaction command with startswith and endswith params. Each transactional event will have a new field called duration. You could then do a stats command summing the duration by Account_Name to get the total for the day. People may log in and out many times during the day.

I haven't tested this, but hoping it leads you in the right direction.

index= source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=""
| transaction Account_Name startswith=eval(EventCode=4624) endswith=eval(EventCode=4634)
| stats sum(duration) by Account_Name
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Starting With Observability: OpenTelemetry Best Practices

Tech Talk Starting With Observability: OpenTelemetry Best Practices Tuesday, October 17, 2023   |  11AM PST / ...