Eval Epoch Duration Time into Human Readable Format

Engager

I am using the following query to show the duration of an account's logon and logoff. The results come back in epoch time, and if I make changes to time using eval strftime, it negates the duration.

index=indexhere (EventCode=4624 OR EventCode=4634) AccountName="*"
| stats earliest(eval(if(EventCode=4624, _time, null()))) as Logon latest(eval(if(EventCode=4634, _time, null()))) as Logoff by AccountName
| eval duration=Logoff-Logon

If I add

index=indexhere (EventCode=4624 OR EventCode=4634) AccountName="*"
| eval time=strftime(_time,"%x %r")
| stats earliest(eval(if(EventCode=4624, time, null()))) as Logon latest(eval(if(EventCode=4634, time, null()))) as Logoff by AccountName
| eval duration=Logoff-Logon

it converts the Logon and Logoff, but the duration field comes up blank. I am assuming it's due to duration not being able to compute the modified time format.

1 Solution

Esteemed Legend

Like this:

index="indexhere" AND (EventCode="4624" OR EventCode="4634") AND AccountName="*"
| stats min(_time) AS Logon max(_time) AS Logoff range(_time) AS duration BY AccountName
| fieldformat Logon = strftime(Logon, "%x %r")
| fieldformat Logoff = strftime(Logoff, "%x %r")
| fieldformat duration = tostring(duration, "duration")


SplunkTrust

@migullmills

Yes, _time gives numeric values (epoch time) in Logon and Logoff, so you can do a mathematical operation like | eval duration=Logoff-Logon.

| eval time=strftime(_time,"%x %r")

strftime gives you a human-readable string, so a mathematical operation will return null here.

So here I suggest you use the first search:

index=indexhere (EventCode=4624 OR EventCode=4634) AccountName="*"
| stats earliest(eval(if(EventCode=4624, _time, null()))) as Logon latest(eval(if(EventCode=4634, _time, null()))) as Logoff by AccountName
| eval duration=Logoff-Logon

If you want the duration field in human-readable format, try adding the search block below.

| eval myduration=tostring(duration,"duration")

Thanks

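A self-contained search that combines the two answers above, added here as an example and not taken from this thread. It builds a few constructed 4624/4634 events with makeresults (the account names and epoch timestamps are placeholders), keeps _time numeric through stats the way the question's earliest/latest approach does, and applies the accepted answer's fieldformat step only at display time, so the subtraction still works. The bob row has no 4634 event, so its Logoff and duration stay null instead of being computed from the wrong event type.

```spl
| makeresults
| eval events="alice,4624,1700000000;alice,4634,1700003900;bob,4624,1700001000"
| makemv delim=";" events
| mvexpand events
| eval parts=split(events, ",")
| eval AccountName=mvindex(parts, 0), EventCode=mvindex(parts, 1), _time=tonumber(mvindex(parts, 2))
| fields AccountName EventCode _time
| stats earliest(eval(if(EventCode="4624", _time, null()))) AS Logon latest(eval(if(EventCode="4634", _time, null()))) AS Logoff BY AccountName
| eval duration=Logoff-Logon
| fieldformat Logon=strftime(Logon, "%x %r")
| fieldformat Logoff=strftime(Logoff, "%x %r")
| fieldformat duration=tostring(duration, "duration")
```

Paste it into any search bar with no index needed: alice shows a duration of 01:05:00 while the underlying field still holds 3900 for further math, and bob comes back with empty Logoff and duration.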