Splunk Search

Track User Login/Logout exclude first 2 hours of the day (midnight-2am)

wingfieldj
Explorer

index=endpoint_ms_winevents sourcetype=XmlWinEventLog user=TESTER (EventID=4624 OR EventID=4634)
| stats earliest_time(_time) AS Login, latest_time(_time) AS Shutdown by user src_ip
| convert ctime(Login) ctime(Shutdown)
| table Login Shutdown src_ip user
| sort Login

1) Having to run this one day at a time... with DATE and Time Range set 02:00:00
using earliest=@d+2h always calculates for today...
Not able to use earliest set over a range of days...

2) Windows Event Logs are chatty for login/logout; searches over 3m events a day. Any other filtering you suggest?

Output needed is user, Login, Logout and src_ip... (on VPN or at office)


wingfieldj
Explorer

Appreciate the quick assistance.
Adding the Where statement and changing the Date to Date Range has no results, in Fast mode or Verbose.


richgalloway
SplunkTrust

Have you confirmed the date_hour field is present in the events and that it has values 0-23?  If it is not present or doesn't have the expected values then it will have to be extracted manually, like this:

index=endpoint_ms_winevents sourcetype=XmlWinEventLog user=TESTER (EventID=4624 OR EventID=4634) earliest=-7d@d latest=now
| eval date_hour=strftime(_time, "%H")
| where date_hour >= 2
| stats earliest_time(_time) AS Login, latest_time(_time) AS Shutdown by user src_ip
| convert ctime(Login) ctime(Shutdown)
| table Login Shutdown src_ip user
| sort Login

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

1) Assuming the date_hour field is automatically extracted from the event (it usually is), you should be able to use that to filter out events occurring between midnight and 2am.

index=endpoint_ms_winevents sourcetype=XmlWinEventLog user=TESTER (EventID=4624 OR EventID=4634) earliest=-7d@d latest=now
| where date_hour >= 2
| stats earliest_time(_time) AS Login, latest_time(_time) AS Shutdown by user src_ip
| convert ctime(Login) ctime(Shutdown)
| table Login Shutdown src_ip user
| sort Login

2) Filter out events where the username ends with '$'. Those are computer processes signing in rather than individuals.

---
If this reply helps you, Karma would be appreciated.

PickleRick
SplunkTrust

I don't rely on date_hour. This field may not be present. It can contain a value you would not expect (even more so if your environment works across time zones).
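Added example (not from any reply above) that combines the points made so far and also covers the multi-day part of the original question: the replies' searches return one Login/Logout pair per user and src_ip for the whole 7-day window, so this version groups by calendar day as well, derives the hour from _time with strftime (which renders in the searching user's time zone, so it does not depend on the indexed date_hour field) and drops computer accounts ending in `$` with like(). Treating EventID 4624 as the login and 4634 as the logout when picking the earliest/latest time is a refinement assumed here, not something the thread spelled out; index, sourcetype and field names are the ones from the question.

```spl
index=endpoint_ms_winevents sourcetype=XmlWinEventLog user=TESTER (EventID=4624 OR EventID=4634) earliest=-7d@d latest=now
| where NOT like(user, "%$")
| eval hour=tonumber(strftime(_time, "%H"))
| where hour >= 2
| eval day=strftime(_time, "%Y-%m-%d")
| eval login_time=if(EventID=4624, _time, null()), logout_time=if(EventID=4634, _time, null())
| stats min(login_time) AS Login, max(logout_time) AS Logout by day user src_ip
| convert ctime(Login) ctime(Logout)
| table day user src_ip Login Logout
| sort day Login
```

Rows where Logout is empty mean no 4634 was seen for that user/src_ip on that day after 02:00, which is worth keeping visible rather than filling from the last 4624.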

wingfieldj
Explorer

The eval was definitely the magic... thanks to both.

| eval date_hour=strftime(_time, "%H")

richgalloway
SplunkTrust

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.