How do I edit my search to display Windows Active ...

kpavan · ‎02-01-2016

Hi All,

Need help on a Splunk search for Windows Active Directory users logon_time, logoff_time and duration in a single page. I used this search below, but not getting what expected.

index="wineventlog" source="wineventlog:security" (EventCode=4624 OR EventCode=4634) earliest=-4h | eval Date=strftime(_time, "%Y/%m/%d") | transaction src_ip user startswith=EventCode=4624 endswith=EventCode=4634 | where duration > 60  | search NOT src_ip="::1"| eval duration = duration/60 | eval duration=round(duration,2) | table  src_ip, user, duration, Date,TaskCategory | rename  duration as "Session_Duration_Minutes"  | sort  - date

Please help me on the search.

Thanks in advance!

javiergn · ‎02-01-2016

Field names are case sensitive so unless it is a typo in your query above try using Date instead of date with your final sort:

index="wineventlog" source="wineventlog:security" (EventCode=4624 OR EventCode=4634) earliest=-4h 
| eval Date=strftime(_time, "%Y/%m/%d") 
| transaction src_ip user startswith=EventCode=4624 endswith=EventCode=4634 
| where duration > 60 
| search NOT src_ip="::1"
| eval duration = duration/60 
| eval duration=round(duration,2) 
| table src_ip, user, duration, Date,TaskCategory 
| rename duration as "Session_Duration_Minutes" 
| sort - Date

kpavan · ‎02-01-2016

Hi javiergn,

Actually am getting the result, but i need like user logon time and logoff time with duration, but from my search am getting as src_ip user, Session_Duration_Minutes,Date,TaskCategory

src_ip user Session_Duration_Minutes Date TaskCategory
x.x.x.x AD$ 14.88 2016/02/01 LogoffLogon
x.x.x.x AD$ 1.58 2016/02/01 LogoffLogon

But I need like
src_ip user Session_Duration_Minutes Logon_Time Logoff_time

Thanks!

How do I edit my search to display Windows Active Directory users' logon_time, logoff_time, and duration in a single page?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life