Thanks somesoni2: just figured that out as well.

Not sure if this will be helpful. We can track the logon/logoff for a user in a windows machine. The data is stored in Event Log under Security. Splunk can monitor the same. EventCode=4624 is for LOGON and EventCode=4634 for LOGOFF. Once data in indexed, you can search Splunk.

source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 | table _time Account* Logon*

adylent: thanks for your excellent response but I'm trying to track specific users within Active Directory or Windows security logs to determine when a user logged in/out.

What you provided above was great information when someone logs into splunk, but trying to use a different syntax for searching within the security logs from the DC's.

Thanks for your help!

Running version 5.0.4, build 172409

I'm the admin in splunk and have domain admin rights

You may need to audit your user role and ensure that you have access to the _internal index (I think by default most users are non-internal indexes).

Which version of splunk are you running?

When I paste the command with "johndoe" It doesn't find any record. Should I perform a search from Splunk App for Active Directory? I believe by default, it is searching for johndoe logging into Splunk.

earliest=-30d index=_internal sourcetype=splunk_web_service user="johndoe" | convert ctime(_time) as time | eval userevent=time.": ".action | stats values(userevent) as UserEvent by user

Appreciate your help! I'll award you points 🙂

Try this (verified in splunk 6):

earliest=-30d index=_internal sourcetype=splunk_web_service user="*" action=login OR action=logoff | table user status action reason message

Replace user="*" with the username you care about

Or could do something like this:

earliest=-30d index=_internal sourcetype=splunk_web_service user="*" | convert ctime(_time) as time | eval userevent=time.": ".action | stats values(userevent) as UserEvent by user