Splunk Search

How to report to see how much time a user spends on a PC?

vpatsalos
New Member

I have a search that captures when a user logs in and logs out of his PC:

index=win* (EventCode=4800 OR EventCode=4801) Account_Name=Batman
The results show the below consecutive events: (from top to bottom)

EventCode=4801  The workstation was unlocked. 
EventCode=4800 The workstation was locked.

EventCode=4801  The workstation was unlocked.
EventCode=4800 The workstation was locked.

EventCode=4801  The workstation was unlocked.
EventCode=4800 The workstation was locked.

Basically, I want to run a report each day (last 24 hours) where I can subtract the _time of first, second, third pair of events (duration) and then add the duration values together so it will show how long a user has not been on the computer.

Current search I have, finds the difference of the consecutive events. In the results I see the right time difference values but it also include wrong data as well which I cannot remove.

| delta _time p=1| rename delta(_time) AS timeDeltaS | eval timeDeltaS=abs(timeDeltaS) | eval "Duration"=tostring(timeDeltaS,"duration") | table Account_Name,_time, "Duration"
0 Karma

somesoni2
Revered Legend

Give this a try

index=win* (EventCode=4800 OR EventCode=4801) Account_Name=Batman
| streamstats current=f window=1 values(EventCode) as prevEC values(_time) as prev_time by Account_Name
| where EventCode=4800 AND prevEC=4801
| eval Duration=tostring(prev_time-_time,"duration)
| table Account_Name _time Duration
0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...