Report to monitor logon/logoff time and duration on Windows

ejwade
Contributor

I was using the following question/answer:

How can I use windows events to monitor logon sessions
https://answers.splunk.com/answers/127012/how-can-i-use-windows-events-to-monitor-logon-sessions.htm...

But I need to create a report that lists Logon time, Logoff time, and Duration by User and Computer. Do you know how to alter this search string to achieve this?

Thank you.

0 Karma

caseynordell
Explorer

I can only speak for myself: I never got this to work satisfactorily 100% of the time.
Not only did logoff times sometimes report incorrectly (as the same as logon), but also different people's logins would often overlap and mess up the calculations.
In the end, I think we went with another solution besides splunk (I'm not certain because the project was handed off to someone else).

0 Karma

sundareshr
Legend

Try this

 source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=* action=success
 | eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))
 | eval User=lower(User) | search NOT User=*$
 | transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
 | eval Logofftime=Logontime+duration
 | convert ctime(_time) as Logontime
 | convert ctime(Logofftime) as Logofftime
 | eval Duration=round((duration/60), 0)
 | table Logontime, Logofftime, Duration, User, Computer
 | sort User Computer

caseynordell
Explorer

I too cannot get this to work for me. It creates a table with the users and Logontimes, but the Logofftime is always blank and duration always equals zero. I've been tinkering with it all day but cannot get it to fully work. It seems so close though!
I feel like the way it is defining duration and Logofftime is cyclical and self-referential...

0 Karma

caseynordell
Explorer

To be specific, I need to track logon/logoff times for a specific workstation. I've installed the Splunk forwarder and configured it to forward the Security log to our index. Here is the code I am using:

index=MyIndex host="MyMachineName" sourcetype="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=*
  | eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))
  | eval User=lower(User) | search NOT (User=*$ OR User=system)
  | transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
  | eval Logofftime=Logontime+duration
  | convert timeformat="%m/%d/%y %H:%M:%S" ctime(_time) as Logontime
  | convert timeformat="%m/%d/%y %H:%M:%S" ctime(Logofftime) as Logofftime
  | eval Duration=round((duration/60), 0)
  | table Logontime, Logofftime, Duration, User, host
  | sort User host

And as a result, I'm getting a table which has:
Logontime column with a series of logon times
Logofftime column which is always blank
Duration column which is filled with zeros
User column which has a list of users (one for each logontime)
host column which has the machine name repeated (this is here because eventually I want to monitor five machines total)

It seems so close... if I could just get it to fill in the logoff and duration columns, my boss would be so happy. But I can't seem to figure it out any further than this... can anyone provide assistance? Thanks.

0 Karma

kenoski
Path Finder

The search is referencing Logontime before it is being defined.

This
| eval Logofftime=Logontime+duration

should be
| eval Logofftime=_time+duration

Hope this helps.

caseynordell
Explorer

Thanks. Changing this has filled in the "Logofftime" column, but the logon and logoff times are the same. I think this is because duration still equals zero. Getting closer...

0 Karma

kenoski
Path Finder

I saw both those that are 0 in length and others with longer times being displayed in my search.

0 Karma

dharveynswccd
Path Finder

Hi guys, did anyone get this to display the proper logoff times? I'm running into the same dilemma where the logoff time is the same as the logon time.

0 Karma

GoneSplunking
Engager

Here is what I did to get it to work properly:
index=* host=* sourcetype="WinEventLog:Security" EventCode="4624" OR EventCode=4634
| transaction user maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
| eval Logontime=if(EventCode="4624",_time,null())
| eval Logofftime=Logontime+duration
| convert ctime(Logontime) as Logontime
| convert ctime(Logofftime) as Logofftime
| table host, user, Logontime, Logofftime, duration
| sort user, host, -duration
| rename duration AS "Duration (seconds)"

0 Karma
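The searches in this thread all rely on `transaction` pairing a 4624 with the next 4634 for the same user. The zero-duration rows several people report appear whenever the same account produces a second 4624 (a network or service logon, for instance) before its 4634 arrives: the first logon is closed as a single-event transaction and the later 4634 has nothing left to match. Windows writes the same Logon ID into a 4624 and the 4634 that ends that session, so keying the pairing on that field instead of the user name avoids the collision. The following Python is an added, stand-alone illustration of that pairing logic (not Splunk SPL and not code from any poster); it replays both keying choices over constructed sample events, reproducing the thread's `mvindex`/`lower`/`NOT User=*$` handling of Account_Name and its time format. Field names, hosts, Logon ID values and timestamps are all constructed sample data.

```python
"""Pair Windows logon (4624) / logoff (4634) events into sessions.

Added example, not code from the thread. Approximates the behaviour of
`transaction <key> maxevents=2 startswith=4624 endswith=4634` in plain Python
so the effect of the chosen key (user name vs. Logon ID) can be seen directly.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

LOGON, LOGOFF = 4624, 4634
TIMEFORMAT = "%m/%d/%y %H:%M:%S"     # same format string as the thread's convert


@dataclass
class Event:
    time: int             # epoch seconds (_time)
    code: int             # EventCode
    account_names: list   # Account_Name: two values on 4624 (subject, target), one on 4634
    logon_id: str         # Logon ID, shared by a 4624 and the 4634 that ends that session
    host: str


# Constructed sample: alice gets a second logon (0x2b) while her first session
# (0x1a) is still open; the machine account WS01$ is noise that must be dropped.
SAMPLE_EVENTS = [
    Event(1000, LOGON,  ["-", "Alice"],     "0x1a", "WS01"),
    Event(1050, LOGON,  ["-", "WS01$"],     "0x9f", "WS01"),
    Event(1100, LOGON,  ["WS01$", "Alice"], "0x2b", "WS01"),
    Event(1200, LOGOFF, ["Alice"],          "0x2b", "WS01"),
    Event(1600, LOGOFF, ["Alice"],          "0x1a", "WS01"),
    Event(2000, LOGON,  ["-", "Bob"],       "0x3c", "WS01"),
    Event(2900, LOGOFF, ["Bob"],            "0x3c", "WS01"),
    Event(3000, LOGON,  ["-", "Carol"],     "0x4d", "WS01"),   # still logged on
]


def user_of(ev: Event) -> str:
    """Mirror the thread's eval: second Account_Name on 4624 (the target
    account), the only one on 4634, lower-cased."""
    names = ev.account_names
    return (names[1] if len(names) > 1 else names[0]).lower()


def pair_sessions(events, key="logon_id"):
    """Walk events in time order and pair each open 4624 with the next 4634
    for the same key. Returns (user, host, logon, logoff, duration_seconds)
    rows; an unmatched logon yields logoff=None and duration 0, which is the
    "logoff equals logon, duration zero" symptom described in the thread."""
    open_logons: dict = {}
    rows = []
    for ev in sorted(events, key=lambda e: e.time):
        user = user_of(ev)
        if user.endswith("$"):            # machine accounts (search NOT User=*$)
            continue
        k = user if key == "user" else ev.logon_id
        if ev.code == LOGON:
            # A second start for the same key closes the previous one unpaired,
            # just as maxevents=2 with startswith does.
            if k in open_logons:
                prev = open_logons.pop(k)
                rows.append((user_of(prev), prev.host, prev.time, None, 0))
            open_logons[k] = ev
        elif ev.code == LOGOFF and k in open_logons:
            start = open_logons.pop(k)
            rows.append((user_of(start), start.host, start.time, ev.time, ev.time - start.time))
        # A 4634 with no open 4624 under this key is dropped: no duration to compute.
    for start in open_logons.values():    # sessions still open at the end of the data
        rows.append((user_of(start), start.host, start.time, None, 0))
    return sorted(rows, key=lambda r: (r[0], r[1], r[2]))


def fmt(ts: Optional[int]) -> str:
    """ctime-style formatting in UTC; blank for a session with no logoff yet."""
    return "" if ts is None else datetime.fromtimestamp(ts, tz=timezone.utc).strftime(TIMEFORMAT)


def report(events, key="logon_id"):
    """Rows shaped like the thread's table: user, host, Logontime, Logofftime,
    Duration in whole minutes (round(duration/60, 0))."""
    return [(u, h, fmt(on), fmt(off), round(d / 60))
            for u, h, on, off, d in pair_sessions(events, key)]


if __name__ == "__main__":
    for key in ("user", "logon_id"):
        print(f"--- paired on {key} ---")
        for row in report(SAMPLE_EVENTS, key):
            print(row)
```

Paired on `user`, alice's first logon shows a blank logoff and a zero duration and her 1600 logoff is lost; paired on `logon_id`, both of her sessions come out with their real lengths (600 s and 100 s). In Splunk the same change means adding the Logon ID field to the `transaction` key, and the field name for it depends on how your Windows add-on extracts the event, so check the extracted fields on a 4624 and a 4634 before relying on it.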

dharvey32
New Member

@GoneSplunking: Glad to hear this is working for you. However, this doesn't work for me. Still plugging away at this. Thanks though

0 Karma

GoneSplunking
Engager

I made a slight change for readability on my part. Does any part of the query work?

0 Karma

thambisetty_bal
Path Finder

Hi,
How are you getting the logontime field that is used in line 5? This is not working.
