Building for the Splunk Platform

Tracking how long someone has been logged into a workstation in a given day

rcastello
Explorer

Hello,

I'm attempting to figure out how long an employee has been logged into their laptop in a given day. I started with the following, with the * representing the user:

index=* source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name="*"

Then, I added a table pipe:

| table _time Account* Logon*

I get a decent chart that displays their logon activity throughout the day, but I was wondering if there was more efficient way to perform this, say showing logon and logoff activity.

Thank you.

kmorris_splunk
Splunk Employee
Splunk Employee

You could try using the transaction command with startswith and endswith params. Each transactional event will have a new field called duration. You could then do a stats command summing the duration by Account_Name to get the total for the day. People may log in and out many times during the day.

I haven't tested this, but hoping it leads you in the right direction.

index= source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=""
| transaction Account_Name startswith=eval(EventCode=4624) endswith=eval(EventCode=4634)
| stats sum(duration) by Account_Name
Get Updates on the Splunk Community!

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...