Here is my contribution to this topic, since it is now almost 2024.

index="wineventlog" source="WinEventLog:Security" ((EventCode=4624 AND Logon_Type=2) OR EventCode=4647) Account_Name=* action=success ComputerName=* earliest=-1d@d latest=@d
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))
| eval User=lower(User)
| search NOT User IN (*$, system)
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4647" maxspan=-1
| eval Logontime=_time
| eval Logofftime=Logontime+duration
| eval Duration=round(duration/60/60, 2)
| convert ctime(Logontime) as Logontime
| convert ctime(Logofftime) as Logofftime
| table User ComputerName Logontime Logofftime Duration EventCode Logon_Type
| sort User, ComputerName, -Duration
| rename Duration AS "Duration (hours)"

For my use case I was looking for interactive sessions or sessions initiated by the user. The logoff event is 4647. The previous day's events are being collected using the earliest and latest settings. I converted my time to hours with two decimal places. Lastly, I excluded the system account. Thanks to all those who contributed to the previous solutions; they were really helpful.
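The pairing that the transaction command performs in the query above, re-implemented in Python so the logic can be checked outside Splunk. This is an added example, not code from the original post: the event records, host names and account names are constructed, and the names SAMPLE_EVENTS, build_sessions and normalise_user are this example's own. It keeps the same choices as the query (second Account_Name value on 4624 is the target user, machine accounts and SYSTEM are dropped, duration reported in hours to two decimals) and additionally reports a logon that never received a 4647 as an open session instead of dropping it. Note that 4647 is the user-initiated logoff; a session ended by the generic 4634 logoff event will show up here as open.

```python
"""Pair Windows interactive logons (4624, Logon_Type 2) with user-initiated
logoffs (4647) into per-user sessions with a duration in hours.

Added example mirroring the Splunk query in the post; not the poster's code.
The events below are constructed, in the field layout the Splunk Windows
add-on produces (Account_Name on 4624 is multivalued: subject account first,
target account second; 4647 carries a single account).
"""
from datetime import datetime, timezone

SAMPLE_EVENTS = [  # constructed sample data: one UTC day of events
    {"_time": "2023-12-01T08:00:00Z", "EventCode": 4624, "Logon_Type": 2,
     "Account_Name": ["WKS01$", "Alice"], "ComputerName": "wks01.corp.example"},
    {"_time": "2023-12-01T08:05:00Z", "EventCode": 4624, "Logon_Type": 3,  # network logon, not interactive
     "Account_Name": ["-", "bob"], "ComputerName": "fs01.corp.example"},
    {"_time": "2023-12-01T09:30:00Z", "EventCode": 4624, "Logon_Type": 2,  # SYSTEM, excluded like the query
     "Account_Name": ["-", "SYSTEM"], "ComputerName": "wks01.corp.example"},
    {"_time": "2023-12-01T12:15:00Z", "EventCode": 4647, "Logon_Type": None,  # logoff has one account value
     "Account_Name": ["Alice"], "ComputerName": "wks01.corp.example"},
    {"_time": "2023-12-01T13:00:00Z", "EventCode": 4624, "Logon_Type": 2,  # bob never logs off: open session
     "Account_Name": ["WKS02$", "bob"], "ComputerName": "wks02.corp.example"},
]


def epoch(ts):
    """Parse the constructed ISO-8601 UTC timestamp into epoch seconds (Splunk's _time)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def ctime(seconds):
    """Render epoch seconds the way the query's convert ctime() does (MM/DD/YYYY HH:MM:SS)."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def normalise_user(account_name):
    """Mirror the query's mvindex() choice: the target account (second value) when two are present."""
    name = account_name[1] if len(account_name) > 1 else account_name[0]
    return name.lower()


def is_excluded(user):
    """Drop machine accounts (trailing $) and the local SYSTEM account, like 'NOT User IN (*$, system)'."""
    return user.endswith("$") or user == "system"


def session(user, logon, logoff):
    """Build one session row; logoff is None for a logon that was never matched."""
    start = epoch(logon["_time"])
    duration = None if logoff is None else epoch(logoff["_time"]) - start
    return {
        "User": user,
        "ComputerName": logon["ComputerName"],
        "Logontime": ctime(start),
        "Logofftime": None if duration is None else ctime(start + duration),
        "Duration (hours)": None if duration is None else round(duration / 3600, 2),
        "closed": logoff is not None,
    }


def build_sessions(events):
    """Pair each interactive logon with the next 4647 for the same user, oldest first.
    A logon with no matching logoff is reported as an open session rather than silently lost."""
    sessions, open_logons = [], {}
    for ev in sorted(events, key=lambda e: epoch(e["_time"])):
        user = normalise_user(ev["Account_Name"])
        if is_excluded(user):
            continue
        if ev["EventCode"] == 4624 and ev["Logon_Type"] == 2:
            if user in open_logons:  # a second logon before any logoff: report the first as open
                sessions.append(session(user, open_logons[user], None))
            open_logons[user] = ev
        elif ev["EventCode"] == 4647 and user in open_logons:
            sessions.append(session(user, open_logons.pop(user), ev))
    for user, ev in open_logons.items():
        sessions.append(session(user, ev, None))
    # same ordering as the query: by user, then host, longest session first
    return sorted(sessions, key=lambda s: (s["User"], s["ComputerName"], -(s["Duration (hours)"] or 0)))


if __name__ == "__main__":
    for row in build_sessions(SAMPLE_EVENTS):
        print(row)
```

Run as-is, it prints two rows: a closed 4.25-hour session for alice on wks01 and an open session for bob on wks02. The network logon (type 3) and the SYSTEM logon are filtered exactly as the query's Logon_Type and NOT IN clauses would filter them.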