Building for the Splunk Platform

Tracking how long someone has been logged into a workstation in a given day



I'm attempting to figure out how long an employee has been logged into their laptop in a given day. I started with the following, with the * representing the user:

index=* source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name="*"

Then, I added a table pipe:

| table _time Account* Logon*

I get a decent chart that displays their logon activity throughout the day, but I was wondering if there was more efficient way to perform this, say showing logon and logoff activity.

Thank you.

Splunk Employee
Splunk Employee

You could try using the transaction command with startswith and endswith params. Each transactional event will have a new field called duration. You could then do a stats command summing the duration by Account_Name to get the total for the day. People may log in and out many times during the day.

I haven't tested this, but hoping it leads you in the right direction.

index= source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=""
| transaction Account_Name startswith=eval(EventCode=4624) endswith=eval(EventCode=4634)
| stats sum(duration) by Account_Name
Get Updates on the Splunk Community!

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...