How to report to see how much time a user spends o...

vpatsalos · ‎05-15-2018

I have a search that captures when a user logs in and logs out of his PC:

index=win* (EventCode=4800 OR EventCode=4801) Account_Name=Batman
The results show the below consecutive events: (from top to bottom)

EventCode=4801  The workstation was unlocked. 
EventCode=4800 The workstation was locked.

EventCode=4801  The workstation was unlocked.
EventCode=4800 The workstation was locked.

EventCode=4801  The workstation was unlocked.
EventCode=4800 The workstation was locked.

Basically, I want to run a report each day (last 24 hours) where I can subtract the _time of first, second, third pair of events (duration) and then add the duration values together so it will show how long a user has not been on the computer.

Current search I have, finds the difference of the consecutive events. In the results I see the right time difference values but it also include wrong data as well which I cannot remove.

| delta _time p=1| rename delta(_time) AS timeDeltaS | eval timeDeltaS=abs(timeDeltaS) | eval "Duration"=tostring(timeDeltaS,"duration") | table Account_Name,_time, "Duration"

somesoni2 · ‎05-15-2018

Give this a try

index=win* (EventCode=4800 OR EventCode=4801) Account_Name=Batman
| streamstats current=f window=1 values(EventCode) as prevEC values(_time) as prev_time by Account_Name
| where EventCode=4800 AND prevEC=4801
| eval Duration=tostring(prev_time-_time,"duration)
| table Account_Name _time Duration

How to report to see how much time a user spends on a PC?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation