Greg Vedders
  • About
  • Tags
  • Posts

Logon and Logoff Times for Windows Users (Splunk)

Use Splunk to find the logon and logoff times for Windows Users

posts
December 6, 2020 • 1 min read • 112 words

A common Splunk question I am asked is what is the easiest way to determine the duration for an account logged into Windows. While there are many opportunities for erroneous data because a user may be logging into several services on different machines at the same time, a report can be generated along the following lines:

sourcetype=WinEventLog:Security
(EventCode=4624 OR EventCode=4634)
| eval day=strftime(_time,"%m/%d/%Y")
| stats earliest(_time) AS logon latest(_time) AS logoff by user host day
| eval logon=strftime(logon,"%m/%d/%Y %H.%M.%S"),
       logoff=strftime(logoff,"%m/%d/%Y %H.%M.%S")

To limit the results to a particular machine, you can either adjust the search to include the particular machine you are looking for or conversely exclude common machines from the report.

Share this post
Newer → How to Post to Twitter From PHP

About

Greg Vedders writes about information security, troubleshooting, photography, and the occasional unexpected fix.

Recent Posts

  • Automating CatPosters.us With a Gemini and WordPress Bot
  • Teaching Git: What I Covered in Class
  • Introducing Signage Suite — Self-Hosted Wall Displays in PHP
  • Rebuilding gregvedders.com Without a Hugo Theme
  • Hardening a Public Honeypot Server

Tags

Splunk Microsoft
© Greg Vedders 2026