cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
bschaefer
Splunk Employee
Member since: ‎11-14-2012
‎07-31-2020
Community Statistics
Posts 2
Solutions 1
Karma Given 1
Karma Received 3
Member Since ‎11-14-2012
Topics I've Started
No posts to display.
View All

Re: How to exclude one or more cluster peers from ...

by Splunk Employee in Getting Data In
‎10-30-2015 07:35 AM
‎10-30-2015 07:35 AM
I have a few requests for being able to have site 1 replicate to site 2 while site 2 replicates nothing ("cold" DR). ... View more

Re: How can I use windows events to monitor logon ...

by Splunk Employee in Monitoring Splunk
‎03-13-2014 11:23 AM
3 Karma
‎03-13-2014 11:23 AM
3 Karma
There are a few reasons why tracking session logon time in this manner is not accurate. For one, users typically don't physically log out, they lock their workstation, or allow the screen saver to lock it (which doesn't actually lock the workstation until someone wakes the computer back up). Also, someone trying to evade time detection can just hit the power button on the machine, assuming they have physical access to the box. That being said, the following search should get you started in the right direction: source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=* action=success | eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0)) |eval User=lower(User)| search NOT User=*$ | transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1 |stats sum(duration) As Duration by User, ComputerName |eval Duration(M)=round((Duration/60), 0) |table User,Duration(M),ComputerName ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎07-31-2020 02:06 PM
Karma from
Karma given to
View All