Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Report on how log a user was logged on?

neiowe
Path Finder
‎10-08-2015 07:46 AM

I am trying to generate a report that show how long users stayed logged on. I can do a search and find the users and event codes I am interested in but is there a way of comparing event times and generating a timeframe between events? In other words, is the a way to subtract the time that event code 4624 happened from event code 4634 for Account_Name=XXXX?

Using Splunk 6.3 on Lynx getting events from Wineventlog_security.

Reply

somesoni2
Revered Legend
‎10-08-2015 12:49 PM

Try something like this

index=YourIndex source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 | transaction Account_Name startswith=EventCode=4624 endswith=EventCode=4634  maxevents=2 | table _time Account_Name duration
0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...