Splunk Search

Duration between Logoff and Logon

vishaltv
Path Finder

Hi team,

Please help me to figure out the issue.
I would like to create a dashboard using my Audit logs to capture my break time.
I'm trying to use the time difference between a successful Logoff and Logon; that duration would be my break time.
I wrote an SPL query, but no results were obtained.

Event 1

05/16/2019 03:00:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=IN2119801W3.ey.net
TaskCategory=Logon
OpCode=Info
RecordNumber=240116
Keywords=Audit Success
Message=An account was successfully logged on.

Event 2
05/16/2019 02:30:00 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=IN2119801W3.ey.net
TaskCategory=Logoff
OpCode=Info
RecordNumber=238613
Keywords=Audit Success
Message=An account was logged off.

Splunk query
index="mymachinelogs" Keywords="Audit Success" TaskCategory=Logoff OR TaskCategory=Logon | transaction TaskCategory startswith="Logoff" endswith="Logon" maxevents=2 | table _time TaskCategory duration

No results found

Thanks in advance!

1 Solution

vishaltv
Path Finder

Hi Guys,
I've figured out the issue and fixed it. Now I'm getting the Break Time logs.

Step 1: Import the real-time data from the Event Viewer log of our machine - wineventlog:security

Settings > Data Inputs > Local event log collection - Add Security

Search Query :

index="*" sourcetype="wineventlog:security" Keywords="Audit Success" (EventCode="4800" OR EventCode="4801")
| transaction startswith=(EventCode="4800") endswith=(EventCode="4801") maxspan=*
| eval _timezone = "IST"
| eval _time_IST = _time - (strptime("2000-01-01 +00:00", "%F %:z") - strptime("2000-01-01 " . strftime(_time, "%:z"), "%F %Z")) + (strptime("2000-01-01 +00:00", "%F %:z") - strptime("2000-01-01 " . _timezone, "%F %Z"))
| eval time_in_IST = strftime(_time_IST, "%F %T " . _timezone)
| rename time_in_IST as Time
| eval Duration=strftime(duration,"%H:%M:%S")
| table Time Durat*
| sort - Time

Event Codes 4800 & 4801 are the EventCodes for Workstation Logout and Login
Took the transaction time between Workstation Logoff and Login as Duration
Converted the time zone to IST (optional)
Made a table of Duration vs. TimeStamp (IST)

Result :
Time Duration
2019-05-22 12:44:31 IST 00:27:53
2019-05-22 12:37:01 IST 00:06:09
2019-05-22 11:50:26 IST 00:01:03





richgalloway
SplunkTrust

@vishaltv If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.

kmorris_splunk
Splunk Employee

You are using TaskCategory as the field to compare for your transaction. This means you will never get Logon and Logoff in the same transaction. You would need to use a field that will have the same value for both the Logon and the Logoff events. You can do your startswith and endswith like this:

startswith=(TaskCategory=Logoff) endswith=(TaskCategory=Logon)
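As an added illustration (not code from this thread), here is the pairing that the transaction command performs in the accepted solution and in the answer above, done offline in Python so the Splunk result can be cross-checked: events are grouped on ComputerName, a field both events share, each 4634 or 4800 start is paired with the next 4624 or 4801 end on that host, and the gap is formatted like the solution's Duration column. The sample events are constructed in the key=value layout quoted in the question; the 4800/4801 pair and its times are invented.

```python
from collections import defaultdict
from datetime import datetime

# Constructed input in the layout of the question's events; the 4634/4624 pair reuses
# the question's timestamps, the 4800/4801 (lock/unlock) pair and its times are invented.
SAMPLE_EVENTS = """\
05/16/2019 02:30:00 PM
EventCode=4634
ComputerName=IN2119801W3.ey.net
TaskCategory=Logoff

05/16/2019 03:00:05 PM
EventCode=4624
ComputerName=IN2119801W3.ey.net
TaskCategory=Logon

05/16/2019 04:10:00 PM
EventCode=4800
ComputerName=IN2119801W3.ey.net

05/16/2019 04:37:53 PM
EventCode=4801
ComputerName=IN2119801W3.ey.net
"""
PAIRS = {"4634": "4624", "4800": "4801"}  # start code -> matching end code
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"         # timestamp line at the top of each event

def parse_events(text):
    # Each blank-line separated block is one event: timestamp line, then key=value lines.
    events = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        ev = dict(line.split("=", 1) for line in lines[1:] if "=" in line)
        ev["_time"] = datetime.strptime(lines[0].strip(), TIME_FMT)
        events.append(ev)
    return events

def break_durations(events):
    # Group on ComputerName, which both events share; grouping on TaskCategory never
    # pairs them because Logoff and Logon carry different values there.
    pending = defaultdict(dict)  # host -> {expected end code: start time}
    results = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        host, code = ev["ComputerName"], ev["EventCode"]
        if code in PAIRS:
            pending[host][PAIRS[code]] = ev["_time"]  # a newer start replaces an open one
        elif code in pending[host]:
            secs = int((ev["_time"] - pending[host].pop(code)).total_seconds())
            results.append({"Time": ev["_time"].strftime("%Y-%m-%d %H:%M:%S"),
                            "Duration": "%02d:%02d:%02d" % (secs // 3600, secs % 3600 // 60, secs % 60)})
    return results
```

An end event with no open start on its host (for example a 4624 arriving first) is simply skipped, which mirrors a transaction that never finds its startswith event.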