Find a user's first logon and last logoff for the day over 30 days

szimmermanftb
New Member

I am able to get the user's first and last logon/logoff event for a single day, but I cannot figure out how to get it to work per day over 30 days. This is the search I am using now that works for a single day.

sourcetype=wineventlog:security user=| eval time=strftime(_time, "%m/%d/%y %H:%M:%S") |timechart span=1d earliest(time) as start, latest(time) as stop by user

Anyone have an idea how I can make it show this data for multiple days?

Thanks in advance!


chandan
Observer

Please try the query below, guys; it is the best I have got, and the result is as expected.

| `inactive_accounts(30)` | eval LastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S.%Q") | sort -_time

pradeepkumarg
Influencer

Try using date_mday
| stats earliest(_time) as start, latest(_time) as stop by user, date_mday

szimmermanftb
New Member

When I set the time frame for more than 1 day, it will only give me the first logon for the first day and the last logoff for the last day.

somesoni2
SplunkTrust

Your query looks correct to me to get logon/logoff time for the user per day. Could you ensure the search time range is set as 'last 30 days'?

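A per-day version of the search, added here as an example and not taken from any of the posts above. It puts the 30-day window into the search itself instead of relying on the time picker, bins events into one-day buckets, and then uses stats (which accepts several aggregations with a split-by field) to take the first logon and the last logoff of each user for each day. It assumes logons are EventCode 4624 and logoffs are EventCode 4634 or 4647 (the standard Windows Security event IDs, which the thread does not mention), and `<username>` is a placeholder for the account being searched.

```spl
sourcetype=wineventlog:security earliest=-30d@d latest=now user="<username>"
    (EventCode=4624 OR EventCode=4634 OR EventCode=4647)
| bin _time span=1d
| stats min(eval(if(EventCode=4624, _time, null()))) as first_logon,
        max(eval(if(EventCode=4634 OR EventCode=4647, _time, null()))) as last_logoff
        by _time, user
| eval first_logon=strftime(first_logon, "%m/%d/%y %H:%M:%S"),
       last_logoff=strftime(last_logoff, "%m/%d/%y %H:%M:%S")
| rename _time as day
| eval day=strftime(day, "%m/%d/%y")
| sort day, user
```

Drop the `user="<username>"` term to get one row per user per day; a day with a logon but no matching logoff shows an empty last_logoff, which is itself worth reviewing.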