Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Logon Duration

itsmevic
Communicator
‎01-05-2021 02:39 PM

I'd like to get the logon/logoff duration times of just one user, what would be the best SPL to go with to determine this?  Any help is greatly appreciated! 

Labels (1)
Labels
0 Karma
Reply

itsmevic
Communicator
‎01-05-2021 03:02 PM

I found the answer below and it works great.  I just need to now convert the seconds to minutes.

index=* host=* user="username" sourcetype="WinEventLog:Security" EventCode="4624" OR EventCode=4634
| transaction user maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
| eval Logontime=if(EventCode="4624",_time,null())
| eval Logofftime=Logontime+duration
| convert ctime(Logontime) as Logontime
| convert ctime(Logofftime) as Logofftime
| table host, src_nt_host, user, Logontime, Logofftime, duration
| sort user, host, -duration
| rename duration AS "Duration (seconds)"

 

Reply

bowesmana
SplunkTrust
SplunkTrust
‎01-05-2021 03:21 PM

@itsmevic 

Be aware that the transaction command may not always give you expected results, particularly if you're dealing with large data sets, as there are memory constraints. You are using maxspan=-1, which means that for every logon that has no logoff, Splunk has to keep that initial logon data in memory until it finds a logoff. It may not be an issue in this case, but worth noting. 

There are often easy alternatives to avoid using transaction that do not have the same constraints. See the 'Using stats instead of transaction' section here.

https://docs.splunk.com/Documentation/Splunk/8.1.1/Search/Abouttransactions

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-05-2021 03:13 PM
You could try eval/fieldformat duration = tostring(duration, “duration”)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎01-05-2021 02:55 PM

You need to give an example of your data, saying how time, user and logon/logoff state can be identified to get a good answer

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...