Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do report for Windows logon and logoff per user day-by-day

Nraj87
Explorer
‎08-08-2024 08:43 AM

Is it possible to get each day first login event( EventCode=4634)  as "logon" and Last event of   (EventCode=4634) as Logoff and calculate total duration .

index=win  sourcetype="wineventlog"   EventCode=4624 OR EventCode=4634 NOT 
| eval action=case((EventCode=4624), "LOGON", (EventCode=4634), "LOGOFF", true(), "ERROR")
| bin _time span=1d
| stats count  by _time action user
Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-08-2024 09:29 AM

Try something like this

index=win  sourcetype="wineventlog"   EventCode=4624 OR EventCode=4634 
| bin _time as day span=1d
| stats count min(eval(if(EventCode=4624,_time,null()))) as first_logon max(eval(if(EventCode=4634,_time,null)))) as last_logout by day user
0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...