Splunk Search

Can the transaction command be used to search the duration a user has been logged in to a PC?

sbattista09
Contributor

I want to see the duration that a user has been logged in to the PC for. Would the transaction command work the best in this situation?

Here is my base search that I am going to go off of:

index=A host=Domain-controller  Account_Name=UserA TaskCategory=Logoff OR TaskCategory=Logon | eval k8targetaccount=mvindex(Account_Name, 1) | rename k8targetaccount as Account_Names  | table  _time Account_Names Source_Network_Address TaskCategory
0 Karma
1 Solution

sundareshr
Legend

Yes, the transaction command will work. You could do something like this

.... | transaction Account_Names startswith="login" endswith="logout" |  table Account_Names  duration

Having said that, this may or may not not be the most efficient commands for this purpose. For example

... | stats earliest(_time) as login latest(_time) as logout by Account_Names | eval duration = if(logout=login, now()-login, logout-login) | ...

may be faster, but that depends on your data. How many times could a user login/logout in a day etc. To handle multiple login/logout, you could use streamstats or eventstats commands. To give the best solution, we will need to see some data

View solution in original post

sundareshr
Legend

Yes, the transaction command will work. You could do something like this

.... | transaction Account_Names startswith="login" endswith="logout" |  table Account_Names  duration

Having said that, this may or may not not be the most efficient commands for this purpose. For example

... | stats earliest(_time) as login latest(_time) as logout by Account_Names | eval duration = if(logout=login, now()-login, logout-login) | ...

may be faster, but that depends on your data. How many times could a user login/logout in a day etc. To handle multiple login/logout, you could use streamstats or eventstats commands. To give the best solution, we will need to see some data

sbattista09
Contributor

the type of data i am dealing whit are AD logs.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...