Splunk Search

How do I calculate the duration between Login and Logout of user?

jtabilas
Loves-to-Learn Everything

Hi guys! I want to see the avg duration of activity of a user on Splunk, but I didn't find the field for logout.

0 Karma

dural_yyz
Communicator

To find login and logout sessions here is the search you want.

index=_audit sourcetype=audittrail action IN ("login attempt" logout)

For some reason the field extractions for action only work on my DMC and not on my search heads, so be cautious and edit the search where needed. This tracks by user, which is really easy.

 

However, since most users will not actually log out, and rather the behavior is to close the browser window, the session will time out. You can map the login session, which is a field in the above login action. The session timeout does not map a username value though.

index=_audit sourcetype=audittrail action=expired_session_token info=expired

There will be one log for each search head in your cluster.  So if you have a 5 search head cluster you will see a single login action but then 5 session timeout values. 

gcusello
SplunkTrust

Hi @jtabilas ,

To my knowledge, Splunk records only the login and failed login events.

Ciao.

Giuseppe

0 Karma

jtabilas
Loves-to-Learn Everything

Can I monitor the session of a user?

0 Karma

gcusello
SplunkTrust

Hi @jtabilas ,

You could look at the _audit logs and consider a session closed when there's an inactivity period greater than, e.g., 5 minutes or the session timeout you configured.

Then you can consider the last event in _audit as the logout.

Ciao.

Giuseppe

0 Karma
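Putting the two suggestions together (dural_yyz's login events from _audit and Giuseppe's inactivity-gap rule), here is an added example search, not from the original thread, that reconstructs per-user sessions from audittrail events and computes each session's duration plus the per-user average. It assumes a 30-minute timeout (the 1800 in the gap test; change it to match your configured session timeout) and relies on the user field of _audit events, skipping the events Splunk attributes to user n/a.

```spl
index=_audit sourcetype=audittrail user=* user!="n/a"
| sort 0 user _time
| streamstats current=f last(_time) as prev_time by user
| eval gap=_time-prev_time
| eval new_session=if(isnull(gap) OR gap>1800, 1, 0)
| streamstats sum(new_session) as session_id by user
| stats min(_time) as login max(_time) as last_activity count as events by user session_id
| eval duration_sec=last_activity-login
| eventstats avg(duration_sec) as avg_duration_sec by user
| eval login=strftime(login, "%Y-%m-%d %H:%M:%S"), last_activity=strftime(last_activity, "%Y-%m-%d %H:%M:%S")
| table user session_id login last_activity events duration_sec avg_duration_sec
```

Because the expired_session_token events carry no username, they are not needed here: the last event seen for the user before a gap longer than the timeout is treated as the logout, exactly as Giuseppe describes, and a true action=logout event simply becomes that last event.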