Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Duration between Logoff and Logon

vishaltv
Path Finder
‎05-16-2019 08:12 AM

Hi team,

Please help me to figure out the issue.
I would like to create a dashboard using my Audit logs to capture my break time.
I'm trying to use time difference between Successful Logoff and Logon, That duration would be my breaktime.
I wrote a SPL, but no results obtained.

Event 1

05/16/2019 03:00:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=IN2119801W3.ey.net
TaskCategory=Logon
OpCode=Info
RecordNumber=240116
Keywords=Audit Success
Message=An account was successfully logged on.

Event 2
05/16/2019 02:30:00 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=IN2119801W3.ey.net
TaskCategory=Logoff
OpCode=Info
RecordNumber=238613
Keywords=Audit Success
Message=An account was logged off.

Splunk query
index="mymachinelogs" Keywords="Audit Success" TaskCategory=Logoff OR TaskCategory=Logon | transaction TaskCategory startswith="Logoff" endswith="Logon" maxevents=2 | table _time TaskCategory duration

No results found

Thanks in advance!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vishaltv
Path Finder
‎05-22-2019 01:03 AM

Hi Guys,
I've figured out the issue and fixed it. Now I'm getting the Break Time logs

Step 1 : Import the realtime data from our Event Viewer log of our Machine - wineventlog:security

Settings > Data Inputs> Local event log collection - Add security

Search Query :

index=" * " sourcetype="wineventlog:security" Keywords="Audit Success" (EventCode="4800" OR EventCode="4801") | transaction startswith=(EventCode="4800") endswith=(EventCode="4801") maxspan=*  | eval _timezone = "IST"  | eval
_time_IST = _time - (strptime("2000-01-01 +00:00", "%F %:z") - strptime("2000-01-01 " . strftime(_time, "%:z"), "%F %Z")) + (strptime("2000-01-01 +00:00", "%F %:z") - strptime("2000-01-01 " .
_timezone, "%F %Z"))  | eval time_in_IST = strftime(_time_IST, "%F %T " . _timezone)  | rename time_in_IST as Time | eval Duration=strftime(duration,"%H:%M:%S") | table Time Durat* | sort - Time

Event Code 4800 & 4801 - are Eventcode for Workstation Logout and Login
Took transaction time between Workstation Logoff to Login as Duration
Converted Time Zone to IST (Optional)
Made Table using Duration vs TimeStamp (IST)

Result :
Time Duration
2019-05-22 12:44:31 IST 00:27:53
2019-05-22 12:37:01 IST 00:06:09
2019-05-22 11:50:26 IST 00:01:03

alt text

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

vishaltv
Path Finder
‎05-22-2019 01:03 AM

Hi Guys,
I've figured out the issue and fixed it. Now I'm getting the Break Time logs

Step 1 : Import the realtime data from our Event Viewer log of our Machine - wineventlog:security

Settings > Data Inputs> Local event log collection - Add security

Search Query :

index=" * " sourcetype="wineventlog:security" Keywords="Audit Success" (EventCode="4800" OR EventCode="4801") | transaction startswith=(EventCode="4800") endswith=(EventCode="4801") maxspan=*  | eval _timezone = "IST"  | eval
_time_IST = _time - (strptime("2000-01-01 +00:00", "%F %:z") - strptime("2000-01-01 " . strftime(_time, "%:z"), "%F %Z")) + (strptime("2000-01-01 +00:00", "%F %:z") - strptime("2000-01-01 " .
_timezone, "%F %Z"))  | eval time_in_IST = strftime(_time_IST, "%F %T " . _timezone)  | rename time_in_IST as Time | eval Duration=strftime(duration,"%H:%M:%S") | table Time Durat* | sort - Time

Event Code 4800 & 4801 - are Eventcode for Workstation Logout and Login
Took transaction time between Workstation Logoff to Login as Duration
Converted Time Zone to IST (Optional)
Made Table using Duration vs TimeStamp (IST)

Result :
Time Duration
2019-05-22 12:44:31 IST 00:27:53
2019-05-22 12:37:01 IST 00:06:09
2019-05-22 11:50:26 IST 00:01:03

alt text

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-22-2019 05:39 AM

@vishaltv If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎05-16-2019 09:58 AM

You are using TaskCategory as the field to compare for your transaction. This means you will never get Logon and Logoff in the same transaction. You would need to use a field that will have the same value for both the Logon and the Logoff events. You can do your startswith and endswith like this:

startswith=(TaskCategory=Logoff) endswith=(TaskCategory=Logon)
Reply
Get Updates on the Splunk Community!

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting

Splunk is excited to announce new releases that empower ITOps and engineering teams to stay ahead in ever ...
Top