Greetings fellow Splunkers,
I was wondering if anyone has figured out what seems the most accurate metric to track when a user logs into windows. not the boot up/Startup time but the time between when a user puts in their password and they are able to interact with the desktop. I am not able to see a particular event. Waiting for GPO to complete is not viable since we stream them in the background. Comparing events between local and AD events might prove useful but we have a significant amount of users that are WFH and they use cached creds until they get on the VPN. Comparing the login between them getting on the VPN would be simpler to get but if they do anything else before they log into the VPN that will throw it off as well.. Appreciate anything thoughts or ideas you fine folks might have.
Thank you!
You can probably get more help from https://community.splunk.com/t5/Splunk-IT-Service-Intelligence/bd-p/it-it-service-intelligence as more people have knowledge about platform- and application-specific datasets there.
I will do that. Thank you!