cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
nando10
Explorer
Member since: ‎11-01-2019
‎06-05-2020
Community Statistics
Posts 7
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎11-01-2019
Activity Feed
View All

Re: How to identity logoffs when there isn't alway...

by in Splunk Enterprise Security
‎11-08-2019 08:47 AM
‎11-08-2019 08:47 AM
Transaction is getting me close but now I am struggling with bucketing only "logon" and "logoff" entry together. Depending on the maxspan value, it may or may not bucket correctly. I've altered my original post with the syntax. ... View more

Re: How to identity logoffs when there isn't alway...

by in Splunk Enterprise Security
‎11-08-2019 08:45 AM
‎11-08-2019 08:45 AM
I've also added more to my original post. ... View more

Re: How to identity logoffs when there isn't alway...

by in Splunk Enterprise Security
‎11-08-2019 08:43 AM
‎11-08-2019 08:43 AM
I am using Account_Name but could use Logon_ID. As far as time, 99% of the time, users aren't logged on past 10/12 hours at a time. ... View more

Re: How to identity logoffs when there isn't alway...

by in Splunk Enterprise Security
‎11-07-2019 04:15 AM
‎11-07-2019 04:15 AM
Yes. I agree there may be better ways. What I have to work with are those two logs, unfortunately. ... View more

Re: How to identity logoffs when there isn't alway...

by in Splunk Enterprise Security
‎11-07-2019 04:13 AM
‎11-07-2019 04:13 AM
@marycordova: sessions is what we are tracking. It is not a normal network and as such, we are trying to make this work. With that people are largely not logged in more than 24 hours. In fact, that occurrence is pretty rare. ... View more

Re: How to identity logoffs when there isn't alway...

by in Splunk Enterprise Security
‎11-07-2019 04:12 AM
‎11-07-2019 04:12 AM
Thanks... I will check it out. ... View more

How to identity logoffs when there isn't always a ...

by in Splunk Enterprise Security
‎11-02-2019 05:20 AM
1 Karma
‎11-02-2019 05:20 AM
1 Karma
I've been working on a problem that has me stumped. I have a 4624 and 4633 event that I want to correspond with each other. The 4624 is used to identify logons while we are using 4663 (with a particular Object Name) as a way to signify logoffs. The problem is that there isn’t always a 4663 generated due to the user having to access an item. What I’d like to do is Identify a 4663 event and then identify the most recent 4624 to tie them together. The common thing that will be used to tie them together is the Account_Name field. The closet thing I have working is below. sourcetype = * ((Message=** AND Accesses= ReadAttributes) OR (Object_Name=)) | transaction Account_Name maxspan=12h | eval start = _time | eval End = _time + duration | eval StartTime=strftime(Start, "%m/%d/%y %H:%M:%S") | eval EndTime=strftime(End,"%m/%d/%y %H:%M:%S") | eval string_dur =tostring(round(duration), "duration") | eval formatted_dur = replace(string_dur,"(?:(\d+)\+)?0?(\d+):0?(\d+):0?(\d+)","\1d \2h \3m \4s") | eval Duration=replace(formatted_dur, "^d (0h (0m )?)?","") | table Account_Name, StartTime, EndTime, Duration ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All