Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Finding the 1st logon and logoff event times for a single user from March 2017 to present.

JPurdham
Engager
‎08-29-2017 02:04 AM

Hello,

I've been asked to find the 1st login time of a user and the time they logged out over a specific date range. (march 1st 2017 - present)

The environment is a Window's terminal services environment (Windows Server 2008 R2) and is being indexed into Splunk. The index is index= index="wineventlog"

I'd like to see something like this; (if possible)

  • username: user
  • date: 01/MAR/2017
  • Logon: 07:30:00
  • Logoff: 15:30:00

For each day from march 1st to present, I can find the events but can't order them or filter them to show just the 1st login and last logoff of that day.

Appreciate the help,
Jake

Reply

gcusello
SplunkTrust
SplunkTrust
‎08-29-2017 03:49 AM

Hi JPurdham,
it's not a problem to have the first logon (EventCode=4624) but the problem is that in Windows a logon action generates many (more than 10) logon events (4624, 4672, 4634, ...) and it's difficoult to find the real logoff because there isn't a transaction code to connect events.
You could use username, but if you have more logons of the same user on the same host in the same day you cannot distinguish them.
Anyway, you could run something like this in the time period you need:

index=wineventlog sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4634)
| eval day=strftime(_time,"%d/%m/%Y")
| stats earliest(_time) AS earliest latest(_time) AS latest by user host day
| eval earliest=strftime(earliest,"%d/%m/%Y %H.%M.%S"), latest=strftime(latest,"%d/%m/%Y %H.%M.%S")

Bye.
Giuseppe

Reply

benbabich
Explorer
‎01-16-2020 01:14 PM

This worked great for me.
After I Americanized the date format.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-16-2020 11:38 PM

Hi JPurdham,
if this answer solves your problem, please accept and/or upvote it for the other people of the Community.
Ciao and next time.
Giuseppe

0 Karma
Reply

nick405060
Motivator
‎01-17-2019 04:18 PM

Is this still true? I've been asked to do pretty much the exact same thing. Not logon and logoff times each day, but time spent on a specific server/resource

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...