I want to see the duration that a user has been logged in to the PC for. Would the transaction command work the best in this situation?
Here is my base search that I am going to go off of:
index=A host=Domain-controller Account_Name=UserA (TaskCategory=Logoff OR TaskCategory=Logon) | eval k8targetaccount=mvindex(Account_Name, 1) | rename k8targetaccount as Account_Names | table _time Account_Names Source_Network_Address TaskCategory
Yes, the transaction command will work. You could do something like this:
.... | transaction Account_Names startswith=(TaskCategory="Logon") endswith=(TaskCategory="Logoff") | table Account_Names duration
Having said that, this may or may not be the most efficient command for this purpose. For example,
... | stats earliest(_time) as login latest(_time) as logout by Account_Names | eval duration = if(logout=login, now()-login, logout-login) | ...
may be faster, but that depends on your data: how many times could a user login/logout in a day, etc. To handle multiple login/logout, you could use the streamstats or eventstats commands. To give the best solution, we will need to see some data.
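As an added example, not part of the original answer, here is the streamstats approach mentioned above for the case where a user logs on and off several times a day. It pairs each Logoff with the most recent preceding Logon for the same account and computes one duration per session. It assumes the field names and values from the base search in the question (index=A, host=Domain-controller, TaskCategory with values Logon/Logoff, and Account_Name as a multivalue field whose target account sits at index 1); adjust those if your extraction differs.

```spl
index=A host=Domain-controller (TaskCategory=Logon OR TaskCategory=Logoff)
| eval Account_Names=mvindex(Account_Name, 1)
``` sort ascending so each Logoff is processed after its Logon; 0 = no row limit ```
| sort 0 Account_Names _time
``` with current=f, last() returns the previous event for this account ```
| streamstats current=f last(_time) as logon_time last(TaskCategory) as prev_event by Account_Names
``` keep only Logoff events whose immediately preceding event was a Logon ```
| where TaskCategory="Logoff" AND prev_event="Logon"
| eval duration=_time - logon_time
| eval logon_time=strftime(logon_time, "%Y-%m-%d %H:%M:%S"), logoff_time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| table Account_Names logon_time logoff_time duration
```

A Logon with no matching Logoff (the session that is still open) produces no row here; the stats version in the answer covers that case with now()-login. Also note that on a domain controller the Logon category includes network and service logons as well as interactive ones, so you will usually want to restrict by Logon_Type before trusting the durations as "time at the PC".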
The type of data I am dealing with is AD logs.