Splunk Search

Report on how log a user was logged on?

neiowe
Path Finder

I am trying to generate a report that show how long users stayed logged on. I can do a search and find the users and event codes I am interested in but is there a way of comparing event times and generating a timeframe between events? In other words, is the a way to subtract the time that event code 4624 happened from event code 4634 for Account_Name=XXXX?

Using Splunk 6.3 on Lynx getting events from Wineventlog_security.

somesoni2
Revered Legend

Try something like this

index=YourIndex source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 | transaction Account_Name startswith=EventCode=4624 endswith=EventCode=4634  maxevents=2 | table _time Account_Name duration 
0 Karma
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...