it would be something like : source=WinEventLog:Security EventCode=4624 (Logon_Type=2 OR Logon_Type=10) , I dont need to log in the service user , at the moment I have 6 machines connected to splunk and I want an alert to be sent when a user is logged in more than 12 hours . 

Security , system and application 

Can you provide some sample events please?

01/13/2022 02:12:37 PM LogName=Security EventCode=4624 EventType=0 ComputerName=GWD58EF SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=51488031 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: GWD58EF\admin Account Name: admin Account Domain: GWD58EF Logon ID: 0x1FF978045 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: XTHD09A Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Can you split this up into separated events, perhaps putting each in a code block </>

01/14/2022 09:47:17 AM
LogName=Security
EventCode=4624
EventType=0
ComputerName=2R4EHQA
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=166686450
Keywords=Audit Success
TaskCategory=Logon
OpCode=Info
Message=An account was successfully logged on.

Subject:
	Security ID:		NT AUTHORITY\SYSTEM
	Account Name:		2R4EHQA$
	Account Domain:		WGG25TJD3
	Logon ID:		0x3E7

Logon Information:
	Logon Type:		10
	Restricted Admin Mode:	No
	Virtual Account:		No
	Elevated Token:		No

Impersonation Level:		Impersonation

New Logon:
	Security ID:		2R4EHQA\admin
	Account Name:		admin
	Account Domain:		2R4EHQA
	Logon ID:		0x10B4B3F587
	Linked Logon ID:		0x10B4B3F54B
	Network Account Name:	-
	Network Account Domain:	-
	Logon GUID:		{00000000-0000-0000-0000-000000000000}

Process Information:
	Process ID:		0x914
	Process Name:		C:\Windows\System32\svchost.exe

Network Information:
	Workstation Name:	SV00001-2R4EHQA
	Source Network Address:	192.168.2.11
	Source Port:		0

Detailed Authentication Information:
	Logon Process:		User32 
	Authentication Package:	Negotiate
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

this is a result of search query : source=WinEventLog:Security EventCode=4624 (Logon_Type=2 OR Logon_Type=10)

And which event tells you they have logged off or disconnected?

thats the thing they didnt logoff , they are still connected . so now -12h 

But presumably you want to ignore those who have logged off? So, how do you find which those are?

I think that this is the hardest part of this case. Maybe this helps you https://superuser.com/questions/1614690/how-to-find-when-a-user-is-started-and-ended-a-session-on-co...

r. Ismo

Not sure , I just started with splunk and have little knowledge . that s why I was asking for help .

Finding things that don't exist is not one of Splunk's strong suits - Splunk is merely a tool to help you analyse your data - knowledge of your data is by far the most important thing to grasp. Having said that, in order to find what is missing, e.g. a log off event, you need to find the log on events and remove all the log on events which do have corresponding log off events, so that you are left with log on events which don't have log off events, bearing in mind that you might well have disconnect events in your data, which might effectively serve the same purpose as log off events (it depends what you have in your data!).

thats the thing . there is no log off event , the user logs on and we can find out that by the query i shared . The question is how to calculate the time of logging +12 hours thats where I needed help . but I think I found some queries in https://gosplunk.com/ that will help me find out a way , thank you 

Try something like this

| eval plus12h=relative_time(_time,"+12h")

I will , Thank you