
How do I edit my search to get this field into my chart?


Dear All,

I am using the Splunk App for Windows and I am trying to get a chart out looking something like:

ComputerName, User_Logon_Name, Duration(s)
PC1, Corp\Jim, 300
PC1, Corp\Jane, 248
PC2, Home\Admin, 9988
PC3, Corp\Graham, 474

I have almost gotten there with this search:

source="WinEventLog:Security" (EventCode=4778 OR EventCode=4779 OR EventCode=4624 OR EventCode=4634)  (Logon_Type="2" OR Logon_Type="10" OR Logon_Type="7" OR Logon_Type="11") | eval User_Logon_Name=Account_Domain."\\".Account_Name | transaction ComputerName Logon_ID Account_Domain Account_Name startswith=(TaskCategory=Logon) endswith=(TaskCategory=Logoff) | chart sum(duration) over ComputerName

But I cannot get the User_Logon_Name into the chart command.

Does anyone know how I can do this? It seems a simple operation, but it is foxing me.

Thanks in advance,

BlueSocket


SplunkTrust

Try this

 source="WinEventLog:Security" (EventCode=4778 OR EventCode=4779 OR EventCode=4624 OR EventCode=4634)  (Logon_Type="2" OR Logon_Type="10" OR Logon_Type="7" OR Logon_Type="11") | eval User_Logon_Name=Account_Domain."\\".Account_Name | transaction ComputerName Logon_ID User_Logon_Name startswith=(TaskCategory=Logon) endswith=(TaskCategory=Logoff)  | stats sum(duration) as Duration by ComputerName,User_Logon_Name

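Added example, not code from the original thread: a small Python emulation of what the answer's `transaction ... | stats sum(duration) by ComputerName,User_Logon_Name` pipeline computes, run over constructed Windows Security events. The field names follow the search; the event values and Logon_IDs are made up. It also shows how a logon that never sees a logoff, a logoff with no preceding logon, and a non-interactive logon type affect the totals.

```python
from collections import defaultdict

# Constructed sample events shaped like the WinEventLog:Security fields used in the
# search (_time in epoch seconds). These are not real log records.
FIELDS = ("_time", "EventCode", "TaskCategory", "ComputerName", "Logon_ID",
          "Account_Domain", "Account_Name", "Logon_Type")
RAW = [
    (1000,  4624, "Logon",  "PC1", "0x1a", "Corp", "Jim",    "2"),
    (1300,  4634, "Logoff", "PC1", "0x1a", "Corp", "Jim",    "2"),
    (1100,  4624, "Logon",  "PC1", "0x2b", "Corp", "Jane",   "10"),
    (1348,  4634, "Logoff", "PC1", "0x2b", "Corp", "Jane",   "10"),
    (2000,  4624, "Logon",  "PC2", "0x3c", "Home", "Admin",  "2"),
    (11988, 4634, "Logoff", "PC2", "0x3c", "Home", "Admin",  "2"),
    (3000,  4624, "Logon",  "PC3", "0x4d", "Corp", "Graham", "7"),
    (3474,  4634, "Logoff", "PC3", "0x4d", "Corp", "Graham", "7"),
    (4000,  4624, "Logon",  "PC3", "0x5e", "Corp", "Jim",    "3"),  # network logon: filtered out
    (5000,  4624, "Logon",  "PC3", "0x6f", "Corp", "Jim",    "2"),  # never logs off: adds 0
    (5100,  4634, "Logoff", "PC1", "0x70", "Corp", "Jane",   "2"),  # no logon seen: ignored
]
EVENTS = [dict(zip(FIELDS, row)) for row in RAW]

# The Logon_Type filter from the search (interactive, unlock, remote, cached).
INTERACTIVE_LOGON_TYPES = {"2", "7", "10", "11"}


def session_durations(events):
    """Return {(ComputerName, User_Logon_Name): total seconds}, pairing each Logon with the
    next Logoff that shares ComputerName, Logon_ID and User_Logon_Name, as the transaction
    command does when given startswith=(TaskCategory=Logon) endswith=(TaskCategory=Logoff)."""
    open_sessions = {}           # (ComputerName, Logon_ID, User_Logon_Name) -> logon time
    totals = defaultdict(int)    # the stats sum(duration) by ComputerName,User_Logon_Name
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev["Logon_Type"] not in INTERACTIVE_LOGON_TYPES:
            continue
        # Same as: eval User_Logon_Name=Account_Domain."\\".Account_Name
        user = ev["Account_Domain"] + "\\" + ev["Account_Name"]
        key = (ev["ComputerName"], ev["Logon_ID"], user)
        if ev["TaskCategory"] == "Logon":
            open_sessions[key] = ev["_time"]
        elif ev["TaskCategory"] == "Logoff" and key in open_sessions:
            totals[(ev["ComputerName"], user)] += ev["_time"] - open_sessions.pop(key)
    # Anything still in open_sessions has no logoff and contributes nothing to the sum.
    return dict(totals)


if __name__ == "__main__":
    print("ComputerName, User_Logon_Name, Duration(s)")
    for (computer, user), secs in sorted(session_durations(EVENTS).items()):
        print(f"{computer}, {user}, {secs}")
```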
