Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

track all active session (RDP) in network by user

givehchin
Path Finder
‎08-24-2019 10:22 PM

hello, I want to track all active session(RDP) in the network and see who login which server, what is the source IP address, and the sum of minutes of the active session
I use this code found in this forum with some tune but it doesn't cover all that I need, it is necessary I know how much time is session active
sry if my English not fluent

source="WinEventLog:Security" EventCode=4624 OR EventCode=4634  Account_Name=*  action=success NOT | eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))    | eval User=lower(User) | search NOT User=*$ | transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1   | stats  sum(duration) As Duration by User, ComputerName, Source_Network_Address   | eval  Duration(M)=round((Duration/60), 0)    | table  User,Source_Network_Address,Duration(M),ComputerName
0 Karma
Reply

solarboyz1
Builder
‎08-27-2019 10:35 AM

it is necessary I know how much time is session active

From the search you attached:

| eval  Duration(M)=round((Duration/60), 0)    
| table  User,Source_Network_Address,Duration(M),ComputerName

The Duration here is being is the time between the login and logoff events associated with the session.
Although I believe there may be an issues:

| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1

If a user RDPs to multiple system,s, those session could be incorrectly connected as a transaction since you are only using the username as the criteria. I would change that to:

| transaction User, ComputerName maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
0 Karma
Reply

givehchin
Path Finder
‎08-27-2019 08:46 PM

thank you, it is useful
if I want to track active session too, what should do??? I mean the user does not log off cause we want to monitor users behavior

0 Karma
Reply

solarboyz1
Builder
‎08-28-2019 06:34 AM

you would keep evicted (incomplete transactions) and find the incomplete ones with the start event

| transaction User, ComputerName  startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1 maxevents=2  keepevicted=true 
| search for closed_txn=0 AND EventCode=4624

https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Transaction

0 Karma
Reply

givehchin
Path Finder
‎09-01-2019 12:36 AM

do your self test this????

0 Karma
Reply

somesoni2
Revered Legend
‎08-27-2019 06:53 AM

What problem do you see with current search results? How many events does your search is processing (or could process)?

0 Karma
Reply

givehchin
Path Finder
‎08-30-2019 11:36 PM

I want to see active session, this search show session that disconnect and the user doesn't active anymore, I need to see active session

0 Karma
Reply

givehchin
Path Finder
‎08-27-2019 02:46 AM

no one can help me?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...