Splunk Search
Highlighted

How to edit my search that retrieves the start and end time of user from Active Directory logs?

Builder

Hi

How to get the start time and end time of the user from AD logs,

The result which I need is

user   "logon time"   "logofftime"  duration date
....

....

The search I tried but, it's not working as expected

index=wineventlog sourcetype="WinEventLog:Security" | eval time=_time     | stats values(min(time)) as "Logon Time", values(max(time)) as "Logoff Time" by user   | convert  timeformat="%m/%d/%y %H:%M:%S" ctime(*) 
0 Karma
Highlighted

Re: How to edit my search that retrieves the start and end time of user from Active Directory logs?

Splunk Employee
Splunk Employee

Hi Kiran,

I think you should use the earliest and latest commands instead of min and max.
Please try this search:

index=wineventlog sourcetype="WinEventLog:Security" | stats earliest(_time) as logon, latest(_time) as logoff by clientip | eval duration=tostring(logoff-logon,"duration") | eval logon = strftime(logon,"%D %T") | eval logoff = strftime(logoff,"%D %T")

Hope this helps. Thanks!
Hunter

0 Karma
Highlighted

Re: How to edit my search that retrieves the start and end time of user from Active Directory logs?

Path Finder

If u r spanning Per day wise use min(time) for first time ad authentication and max(time) for recent/last time authenticated time.

0 Karma