Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you search, by day, for the first and the last user to log in and log off in a Windows event?

yassy
Explorer
‎12-12-2018 06:07 AM

Good morning, I'm doing a search to bring users and their first log in of the day and their last log off.
I made the following query, but I can not get the first line of the 4624 and the last one of the 4636 in the same line.

alt text

Preview file
47 KB
0 Karma
Reply

renjith_nair
Legend
‎12-12-2018 07:30 PM

@yassy ,

Give this a try

    index="your index" day="your day field"
    |stats earliest(eval(if(EventCode="4624",_time,null()))) as PrimerLogin,
              last(eval(if(EventCode="4634 ",_time,null()))) as UltimoLogoff by User,day
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply

yassy
Explorer
‎12-13-2018 06:48 AM

Tks finally i resolve it with this search

index=wineventlog (EventCode="4624" ) Account_Name!=AdminSp Account_Name!=AdminCitrix
| regex Account_Name!=".*\$"
| eval Day=strftime(_time,"%d/%m/%Y")
| eval User=mvindex(Account_Name,1)
| eval Time=strftime(_time,"%d/%m/%Y %H.%M.%S")
| stats earliest(Time) as PrimerLogin by User,Day

| join User,Day
[search
index=wineventlog (EventCode="4634" ) Account_Name!=AdminSp Account_Name!=AdminCitrix
| regex Account_Name!=".*\$"
| eval Day=strftime(_time,"%d/%m/%Y")
| eval User=Account_Name
| eval Time=strftime(_time,"%d/%m/%Y %H.%M.%S")
| stats latest(Time) as UltimoLogoff by User,Day
]
| stats values(PrimerLogin) as PrimerLogin,values(UltimoLogoff) as UltimoLogoff by User,Day

0 Karma
Reply

renjith_nair
Legend
‎12-14-2018 07:29 PM

@yassy , avoid join if possible. Wasn't the earlier search provided working?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...