Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Find a users first logon and last logoff for the day over 30 days

szimmermanftb
New Member
‎06-12-2014 06:22 AM

I am able to get the users first and last logon/logoff event for a single day but I cannot figure out how to get it to work per day over 30 days. This is the search I am using now that works for a single day.

sourcetype=wineventlog:security user=| eval time=strftime(_time, "%m/%d/%y %H:%M:%S") |timechart span=1d earliest(time) as start, latest(time) as stop by user

Anyone have an idea how I can make it show this data for multiple days?

Thanks in advance!

Tags (1)
0 Karma
Reply

chandan
Observer
‎02-17-2021 02:35 AM

Please try this below query guys the best i have got the result as expected

 

| `inactive_accounts(30)` | eval LastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S.%Q") | sort -_time

 

 

0 Karma
Reply

pradeepkumarg
Influencer
‎06-13-2014 11:09 AM

Try using date_mday


| stats earliest(_time) as start, latest(_time) as stop by user, date_mday
0 Karma
Reply

szimmermanftb
New Member
‎06-12-2014 06:37 AM

When I set the time frame for more than 1 day it will only give me the first logon for the first day and the last logoff for the last day.

0 Karma
Reply

somesoni2
Revered Legend
‎06-12-2014 06:34 AM

You query looks correct to me to get logon/logoff time for the user per day. Could you ensure the search timerange is set as 'last 30 days'?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...