Dear All,
I am using the Splunk App for Windows and I am trying to get a chart out looking something like:
ComputerName, User_Logon_Name, Duration(s)
PC1, Corp\Jim, 300
PC1, Corp\Jane, 248
PC2, Home\Admin, 9988
PC3, Corp\Graham, 474
I have almost gotten there with this search:
source="WinEventLog:Security" (EventCode=4778 OR EventCode=4779 OR EventCode=4624 OR EventCode=4634) (Logon_Type="2" OR Logon_Type="10" OR Logon_Type="7" OR Logon_Type="11") | eval User_Logon_Name=Account_Domain."\\".Account_Name | transaction ComputerName Logon_ID Account_Domain Account_Name startswith=(TaskCategory=Logon) endswith=(TaskCategory=Logoff) | chart sum(duration) over ComputerName
But I cannot get the User_Logon_Name into the chart command.
Does anyone know how I can do this? It seems a simple operation, but it is foxing me.
Thanks in advance,
BlueSocket
Try this
source="WinEventLog:Security" (EventCode=4778 OR EventCode=4779 OR EventCode=4624 OR EventCode=4634) (Logon_Type="2" OR Logon_Type="10" OR Logon_Type="7" OR Logon_Type="11") | eval User_Logon_Name=Account_Domain."\\".Account_Name | transaction ComputerName Logon_ID User_Logon_Name startswith=(TaskCategory=Logon) endswith=(TaskCategory=Logoff) | stats sum(duration) as Duration by ComputerName,User_Logon_Name
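The pairing that the transaction command performs in the answer above, written out as an added Python example (not from the original post and not Splunk code): constructed 4624/4634 sample events are filtered to interactive logon types, each logon is paired with the next logoff sharing ComputerName, Logon_ID and user, durations are summed per computer and user, and a session with no matching logoff is kept out of the totals.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the original post), one dict per Windows
# Security event with the fields the Splunk search uses. Only 4624/4634 are
# shown: 4778/4779 (RDP reconnect/disconnect) carry no Logon_Type field, so a
# Logon_Type filter silently drops them.
EVENTS = [
    {"_time": "2013-05-01T08:00:00", "ComputerName": "PC1", "EventCode": 4624,
     "Logon_Type": "2", "Logon_ID": "0x1a2b", "Account_Domain": "Corp", "Account_Name": "Jim"},
    {"_time": "2013-05-01T08:05:00", "ComputerName": "PC1", "EventCode": 4634,
     "Logon_Type": "2", "Logon_ID": "0x1a2b", "Account_Domain": "Corp", "Account_Name": "Jim"},
    {"_time": "2013-05-01T09:00:00", "ComputerName": "PC1", "EventCode": 4624,
     "Logon_Type": "10", "Logon_ID": "0x3c4d", "Account_Domain": "Corp", "Account_Name": "Jane"},
    {"_time": "2013-05-01T09:04:08", "ComputerName": "PC1", "EventCode": 4634,
     "Logon_Type": "10", "Logon_ID": "0x3c4d", "Account_Domain": "Corp", "Account_Name": "Jane"},
    # Logon with no matching logoff yet: stays open and contributes no duration.
    {"_time": "2013-05-01T10:00:00", "ComputerName": "PC2", "EventCode": 4624,
     "Logon_Type": "2", "Logon_ID": "0x5e6f", "Account_Domain": "Home", "Account_Name": "Admin"},
    # Network logon (type 3) is excluded by the Logon_Type filter, as in the search.
    {"_time": "2013-05-01T10:01:00", "ComputerName": "PC2", "EventCode": 4624,
     "Logon_Type": "3", "Logon_ID": "0x7777", "Account_Domain": "Corp", "Account_Name": "svc"},
]

INTERACTIVE_TYPES = {"2", "7", "10", "11"}   # interactive, unlock, RDP, cached
LOGON_CODES = {4624, 4778}
LOGOFF_CODES = {4634, 4779}


def session_durations(events):
    """Pair each logon with the next logoff that shares ComputerName, Logon_ID
    and User_Logon_Name, then sum durations in seconds per (ComputerName, user).
    Returns (totals, open_sessions); open_sessions holds unterminated logons."""
    totals = defaultdict(float)
    open_sessions = {}
    for ev in sorted(events, key=lambda e: e["_time"]):   # ISO timestamps sort as text
        if ev.get("Logon_Type") not in INTERACTIVE_TYPES:
            continue
        user = ev["Account_Domain"] + "\\" + ev["Account_Name"]   # Corp\Jim
        key = (ev["ComputerName"], ev["Logon_ID"], user)
        t = datetime.fromisoformat(ev["_time"])
        if ev["EventCode"] in LOGON_CODES:
            open_sessions[key] = t            # startswith=(TaskCategory=Logon)
        elif ev["EventCode"] in LOGOFF_CODES and key in open_sessions:
            started = open_sessions.pop(key)  # endswith=(TaskCategory=Logoff)
            totals[(ev["ComputerName"], user)] += (t - started).total_seconds()
    return dict(totals), open_sessions
```

On the sample data this yields 300 s for PC1 / Corp\Jim and 248 s for PC1 / Corp\Jane, while the PC2 Home\Admin logon is reported as still open rather than counted with a bogus duration.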