Splunk Dev

Tracking how long someone has been logged into a workstation in a given day



I'm attempting to figure out how long an employee has been logged into their laptop in a given day. I started with the following, with the * representing the user:

index=* source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name="*"

Then, I added a table pipe:

| table _time Account* Logon*

I get a decent chart that displays their logon activity throughout the day, but I was wondering if there was more efficient way to perform this, say showing logon and logoff activity.

Thank you.

Splunk Employee
Splunk Employee

You could try using the transaction command with startswith and endswith params. Each transactional event will have a new field called duration. You could then do a stats command summing the duration by Account_Name to get the total for the day. People may log in and out many times during the day.

I haven't tested this, but hoping it leads you in the right direction.

index= source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=""
| transaction Account_Name startswith=eval(EventCode=4624) endswith=eval(EventCode=4634)
| stats sum(duration) by Account_Name
Get Updates on the Splunk Community!

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...