Find a users first logon and last logoff for the d...

szimmermanftb · ‎06-12-2014

I am able to get the users first and last logon/logoff event for a single day but I cannot figure out how to get it to work per day over 30 days. This is the search I am using now that works for a single day.

sourcetype=wineventlog:security user=| eval time=strftime(_time, "%m/%d/%y %H:%M:%S") |timechart span=1d earliest(time) as start, latest(time) as stop by user

Anyone have an idea how I can make it show this data for multiple days?

Thanks in advance!

chandan · ‎02-17-2021

Please try this below query guys the best i have got the result as expected

| `inactive_accounts(30)` | eval LastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S.%Q") | sort -_time

pradeepkumarg · ‎06-13-2014

Try using date_mday


| stats earliest(_time) as start, latest(_time) as stop by user, date_mday

szimmermanftb · ‎06-12-2014

When I set the time frame for more than 1 day it will only give me the first logon for the first day and the last logoff for the last day.

somesoni2 · ‎06-12-2014

You query looks correct to me to get logon/logoff time for the user per day. Could you ensure the search timerange is set as 'last 30 days'?

Find a users first logon and last logoff for the day over 30 days

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk