Logon and Logoff Times for Windows Users (Splunk)
A common Splunk question I am asked is what is the easiest way to determine the duration for an account logged into Windows. While there are many opportunities for erroneous data because a user may be logging into several services on different machines at the same time, a report can be generated along the following lines:
sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4634) | eval day=strftime(_time,"%m/%d/%Y") | stats earliest(_time) AS logon latest(_time) AS logoff by user host day | eval logon=strftime(logon,"%m/%d/%Y %H.
read on