Logon and Logoff Times for Windows Users (Splunk)
By Greg Vedders
A common Splunk question I am asked is what the easiest way is to determine how long an account was logged into Windows. Because a user may be logging into several services on different machines at the same time, there are many opportunities for erroneous data, but a report can be generated along the following lines (EventCode 4624 is a successful logon and 4634 a logoff):
sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4634)
| eval day=strftime(_time,"%m/%d/%Y")
| stats earliest(_time) AS logon latest(_time) AS logoff by user host day
| eval logon=strftime(logon,"%m/%d/%Y %H.%M.%S"),
       logoff=strftime(logoff,"%m/%d/%Y %H.%M.%S")
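Two views of the same data, as an added Python example that is not part of the post: daily_report reproduces the search's earliest/latest-per-day logic over constructed sample events, and session_report goes a step beyond the post by pairing each 4624 with the 4634 that carries the same Logon ID on the same host and keeping only interactive logon types, which is one way to avoid the overlap noise the post warns about. The sample records and their field names (user, host, Logon_ID, Logon_Type) are assumptions modelled on the Splunk Windows add-on, not real Splunk output. One caveat worth seeing in the first function: stats earliest()/latest() takes the earliest and latest event of either code, so a day holding only a 4634 still produces a "logon" time.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records standing in for WinEventLog:Security events.
# Field names (user, host, Logon_ID, Logon_Type) are assumptions modelled on
# the classic Splunk Windows add-on field names, not real Splunk output.
SAMPLE_EVENTS = [
    {"_time": "2024-03-04 08:01:10", "EventCode": 4624, "user": "alice", "host": "WS01", "Logon_ID": "0x1A2B", "Logon_Type": 2},
    {"_time": "2024-03-04 09:15:00", "EventCode": 4624, "user": "alice", "host": "WS01", "Logon_ID": "0x3C4D", "Logon_Type": 3},   # network logon to a share
    {"_time": "2024-03-04 09:15:05", "EventCode": 4634, "user": "alice", "host": "WS01", "Logon_ID": "0x3C4D", "Logon_Type": 3},
    {"_time": "2024-03-04 12:00:00", "EventCode": 4624, "user": "bob", "host": "SRV02", "Logon_ID": "0x5E6F", "Logon_Type": 10},  # RDP
    {"_time": "2024-03-04 12:45:00", "EventCode": 4634, "user": "bob", "host": "SRV02", "Logon_ID": "0x5E6F", "Logon_Type": 10},
    {"_time": "2024-03-04 17:30:00", "EventCode": 4634, "user": "alice", "host": "WS01", "Logon_ID": "0x1A2B", "Logon_Type": 2},
    {"_time": "2024-03-05 08:00:00", "EventCode": 4624, "user": "alice", "host": "WS01", "Logon_ID": "0x7A8B", "Logon_Type": 2},   # still logged on
]

DAY_FMT = "%m/%d/%Y"
OUT_FMT = "%m/%d/%Y %H.%M.%S"   # same output format the search uses


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def daily_report(events):
    """Mirror of the search: earliest and latest 4624/4634 event per user, host and day.
    Like stats earliest()/latest(), it does not check which event code came first."""
    buckets = defaultdict(list)
    for e in events:
        if e["EventCode"] not in (4624, 4634):
            continue
        t = parse_time(e["_time"])
        buckets[(e["user"], e["host"], t.strftime(DAY_FMT))].append(t)
    report = {}
    for key, times in buckets.items():
        logon, logoff = min(times), max(times)
        report[key] = {
            "logon": logon.strftime(OUT_FMT),
            "logoff": logoff.strftime(OUT_FMT),
            "duration_s": int((logoff - logon).total_seconds()),
        }
    return report


def session_report(events, logon_types=(2, 10, 11)):
    """Pair each 4624 with the 4634 carrying the same Logon ID on the same host.
    Only interactive logon types (2 console, 10 RDP, 11 cached) are kept by default,
    so short-lived network logons to shares and services do not distort the result."""
    open_sessions = {}   # (host, Logon_ID) -> (user, logon time)
    sessions = []
    for e in sorted(events, key=lambda ev: parse_time(ev["_time"])):
        key = (e["host"], e["Logon_ID"])
        t = parse_time(e["_time"])
        if e["EventCode"] == 4624 and e["Logon_Type"] in logon_types:
            open_sessions[key] = (e["user"], t)
        elif e["EventCode"] == 4634 and key in open_sessions:
            user, start = open_sessions.pop(key)
            sessions.append({"user": user, "host": e["host"],
                             "logon": start.strftime(OUT_FMT),
                             "logoff": t.strftime(OUT_FMT),
                             "duration_s": int((t - start).total_seconds())})
    # Logons with no matching 4634 yet are reported as still open.
    for (host, _), (user, start) in open_sessions.items():
        sessions.append({"user": user, "host": host, "logon": start.strftime(OUT_FMT),
                         "logoff": None, "duration_s": None})
    return sessions


if __name__ == "__main__":
    for key, row in daily_report(SAMPLE_EVENTS).items():
        print("daily  ", key, row)
    for s in session_report(SAMPLE_EVENTS):
        print("session", s)
```

On the sample data both views agree on the two real interactive sessions, but only the Logon ID pairing flags the 03/05 console logon as still open rather than reporting a zero-length day, and passing logon_types=(2, 3, 10, 11) shows how the five-second network logon would otherwise appear as a third session.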
To limit the results to a particular machine, you can either adjust the search to include the particular machine you are looking for or conversely exclude common machines from the report.