How to report to see how much time a user spends o...

vpatsalos · ‎05-15-2018

I have a search that captures when a user logs in and logs out of his PC:

index=win* (EventCode=4800 OR EventCode=4801) Account_Name=Batman
The results show the below consecutive events: (from top to bottom)

EventCode=4801  The workstation was unlocked. 
EventCode=4800 The workstation was locked.

EventCode=4801  The workstation was unlocked.
EventCode=4800 The workstation was locked.

EventCode=4801  The workstation was unlocked.
EventCode=4800 The workstation was locked.

Basically, I want to run a report each day (last 24 hours) where I can subtract the _time of first, second, third pair of events (duration) and then add the duration values together so it will show how long a user has not been on the computer.

Current search I have, finds the difference of the consecutive events. In the results I see the right time difference values but it also include wrong data as well which I cannot remove.

| delta _time p=1| rename delta(_time) AS timeDeltaS | eval timeDeltaS=abs(timeDeltaS) | eval "Duration"=tostring(timeDeltaS,"duration") | table Account_Name,_time, "Duration"

somesoni2 · ‎05-15-2018

Give this a try

index=win* (EventCode=4800 OR EventCode=4801) Account_Name=Batman
| streamstats current=f window=1 values(EventCode) as prevEC values(_time) as prev_time by Account_Name
| where EventCode=4800 AND prevEC=4801
| eval Duration=tostring(prev_time-_time,"duration)
| table Account_Name _time Duration

How to report to see how much time a user spends on a PC?

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!

Are you a member of the Splunk Community?

How to report to see how much time a user spends on a PC?

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!