Splunk Search

How to edit my search that looks over the last 7 days but displays each day?

Sarmbrister
Path Finder

I have been asked by Legal to get login/logoff times for colleagues within certain time frames, usually very specific weeks at a time. I have developed the below search to pull what I want, but my issue is that I want to be able to search the last 7 days and show the login and logout per day. So I want a table to show, for example, that on Monday the user logged in at 8:03 AM and logged out at 4:15 PM, then in the next row I want it to show the login/logout time for Tuesday, and so on throughout the week.

Search:

index=wineventlog user=user sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4634) action=success 
|convert ctime(_time) AS time 
|stats earliest(eval(if(EventCode=4624, time, null()))) AS Logon ,latest(eval(if(EventCode=4634, time, null()))) AS Logoff by user 

How I want it to look

User            Logon                 Logoff
User account    07/28/2017 08:04:48 07/28/2017 15:59:30
User account    07/27/2017 08:04:48 07/27/2017 15:59:30
User account    07/26/2017 08:04:48 07/26/2017 15:59:30
User account    07/25/2017 08:04:48 07/25/2017 15:59:30
User account    07/24/2017 08:04:48 07/24/2017 15:59:30
User account    07/23/2017 08:04:48 07/23/2017 15:59:30

somesoni2
Revered Legend

Try like this

index=wineventlog user=user sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4634) action=success 
| eval time=_time
| eval Logon=if(EventCode=4624, time, null())
| eval Logoff=if(EventCode=4634, time, null())
| bucket span=1d _time
| stats min(Logon) as Logon max(Logoff) as Logoff by _time user | table user Logon Logoff 
| convert ctime(Logon) ctime(Logoff)


Sarmbrister
Path Finder

This is great thank you! I just added in an eval in there to get the duration but thank you for the help.

DalJeanis
Legend

@sarmbrister - if your problem is solved, please accept the answer so that the question will show as closed.

DalJeanis
Legend

@Sarmbrister - @somesoni2's search is great for what you asked.

I've found that real user login/logout times are not usually so clean. Something more like this will get your Legal the full picture...

index=wineventlog user=user sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4634) action=success 
| sort 0 user _time 
| eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")
| eval Logon=if(EventCode=4624, time, null())
| eval Logoff=if(EventCode=4634, time, null())
| eval timeShort=strftime(_time,"%H:%M:%S")
| eval LogonShort=if(EventCode=4624, timeShort, null())
| eval LogoffShort=if(EventCode=4634, timeShort, null())
| bucket span=1d _time
| stats min(Logon) as firstLogon, max(Logoff) as lastLogoff,
       list(LogonShort) as allLogons, list(LogoffShort) as allLogoffs by user _time 
| table user _time firstLogon lastLogoff allLogons allLogoffs

Of course, even this doesn't account for time zones, shift work, or anything else like that. If you find you need to add that kind of analysis, please post a new question.
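The two searches above (somesoni2's first-logon/last-logoff per day and DalJeanis's version that also lists every logon and logoff) do the same thing: drop non-success events, bucket each event into a local calendar day, then aggregate per user and day. The following is an added example, not code from this thread or from Splunk, that reproduces that aggregation in Python over a handful of constructed 4624/4634 records so you can see exactly which rows the per-day bucketing produces, including the duration column Sarmbrister mentioned adding and the edge cases DalJeanis warns about (a day with a logoff but no logon, a day with no logoff, an extra failed 4625 that must be filtered out). The user names, timestamps and the fixed UTC-5 site time zone are assumptions made for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: the site's local time zone. Splunk's `bucket span=1d` aligns buckets to
# local midnight, so the same zone has to be applied here to get the same day boundaries.
LOCAL_TZ = timezone(timedelta(hours=-5))


def ts(local_str):
    """Epoch seconds for a constructed local timestamp, mirroring Splunk's _time."""
    return datetime.strptime(local_str, "%Y-%m-%d %H:%M:%S").replace(tzinfo=LOCAL_TZ).timestamp()


# Constructed sample events standing in for WinEventLog:Security records.
# Field names match the ones used in the searches on this page.
SAMPLE_EVENTS = [
    {"_time": ts("2017-07-24 08:04:48"), "EventCode": 4624, "user": "jdoe", "action": "success"},
    {"_time": ts("2017-07-24 12:01:10"), "EventCode": 4634, "user": "jdoe", "action": "success"},
    {"_time": ts("2017-07-24 12:45:02"), "EventCode": 4624, "user": "jdoe", "action": "success"},
    {"_time": ts("2017-07-24 15:59:30"), "EventCode": 4634, "user": "jdoe", "action": "success"},
    {"_time": ts("2017-07-25 08:10:00"), "EventCode": 4624, "user": "jdoe", "action": "success"},
    {"_time": ts("2017-07-25 23:58:00"), "EventCode": 4634, "user": "jdoe", "action": "success"},
    # A logoff two minutes after midnight lands in the NEXT day's bucket, exactly as span=1d does.
    {"_time": ts("2017-07-26 00:02:00"), "EventCode": 4634, "user": "jdoe", "action": "success"},
    {"_time": ts("2017-07-24 09:00:00"), "EventCode": 4624, "user": "asmith", "action": "success"},
    # A failed logon (4625) must not be counted; the search filters on action=success.
    {"_time": ts("2017-07-24 10:00:00"), "EventCode": 4625, "user": "asmith", "action": "failure"},
]


def daily_sessions(events, user=None, tz=LOCAL_TZ):
    """Python equivalent of `bucket span=1d _time | stats ... by user _time`.

    Returns one row per (user, local day) with the first logon, last logoff,
    every logon/logoff time in that day, and the logon-to-logoff duration.
    """
    buckets = defaultdict(lambda: {"logons": [], "logoffs": []})
    for ev in events:
        # Same filter as the search: only successful 4624/4634, optionally one user.
        if ev["EventCode"] not in (4624, 4634) or ev["action"] != "success":
            continue
        if user is not None and ev["user"] != user:
            continue
        local = datetime.fromtimestamp(ev["_time"], tz)
        day = local.date().isoformat()            # the 1d bucket key
        kind = "logons" if ev["EventCode"] == 4624 else "logoffs"
        buckets[(ev["user"], day)][kind].append(local)

    rows = []
    for u, day in sorted(buckets):
        b = buckets[(u, day)]
        first = min(b["logons"]) if b["logons"] else None     # min(Logon)
        last = max(b["logoffs"]) if b["logoffs"] else None    # max(Logoff)
        fmt = lambda d: d.strftime("%H:%M:%S")
        rows.append({
            "user": u,
            "day": day,
            "firstLogon": fmt(first) if first else None,
            "lastLogoff": fmt(last) if last else None,
            "allLogons": [fmt(d) for d in sorted(b["logons"])],
            "allLogoffs": [fmt(d) for d in sorted(b["logoffs"])],
            # Duration only makes sense when both ends exist in the same day bucket.
            "duration_s": (last - first).total_seconds() if first and last else None,
        })
    return rows


if __name__ == "__main__":
    for r in daily_sessions(SAMPLE_EVENTS):
        print(f"{r['user']:<8} {r['day']} {str(r['firstLogon']):>8} {str(r['lastLogoff']):>8} "
              f"{r['allLogons']} {r['allLogoffs']} {r['duration_s']}")
```

Running it prints a row with a null firstLogon for jdoe on 2017-07-26 (the post-midnight logoff) and a null lastLogoff for asmith on 2017-07-24, which is the kind of partial row Legal will see in the Splunk output too; a shift that crosses midnight needs a session-stitching approach (e.g. `transaction` or pairing by Logon ID) rather than a per-day bucket.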
