How to put working hours from each user by day in ...

rens78 · ‎08-10-2017

My search so far:

index=notimportant EventID=4624 [ inputlookup users.csv | fields TargetUserName ]  | chart eval(latest(_time) - earliest(_time)) as total by TargetUserName | fieldformat total=strftime(total, "%H:%M")

What I'm doing is:

Get the earliest event from the result and the latest event from the result (the results are Microsoft login events). Subtracting the logout time from the login time so I get the working times.

Problems:

I cannot display times in a time/timechart (when I remove the ":" characters the chart works).
When I change the type from chart --> timechart the entry's in the timechart are displayed by the long number notations (not human readable, I forgot the name of this notation).

All I want is the working hours from each user by day, thanks!

DalJeanis · ‎08-10-2017

Try this ...

index=notimportant EventID=4624 [ inputlookup users.csv | fields TargetUserName ] 
| bin _time as myday span=1d
| stats min(_time) as mintime max(_time) as maxtime by TargetUserName myday
| eval TotalHours = round((maxtime-mintime)/3600,2)
| rename mintime as _time
| timechart span=1d  sum(TotalHours) as TotalHours by TargetUserName

rens78 · ‎08-14-2017

Awsome!!!!

How to put working hours from each user by day in a time chart

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?

How to put working hours from each user by day in a time chart

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I