Hi All,
I need help with a Splunk search that shows Windows Active Directory users' logon_time, logoff_time and duration on a single page. I used the search below, but I am not getting what I expected.
index="wineventlog" source="wineventlog:security" (EventCode=4624 OR EventCode=4634) earliest=-4h | eval Date=strftime(_time, "%Y/%m/%d") | transaction src_ip user startswith=EventCode=4624 endswith=EventCode=4634 | where duration > 60 | search NOT src_ip="::1"| eval duration = duration/60 | eval duration=round(duration,2) | table src_ip, user, duration, Date,TaskCategory | rename duration as "Session_Duration_Minutes" | sort - date
Please help me with the search.
Thanks in advance!
Field names are case sensitive, so unless it is a typo in your query above, try using Date instead of date in your final sort:
index="wineventlog" source="wineventlog:security" (EventCode=4624 OR EventCode=4634) earliest=-4h
| eval Date=strftime(_time, "%Y/%m/%d")
| transaction src_ip user startswith=EventCode=4624 endswith=EventCode=4634
| where duration > 60
| search NOT src_ip="::1"
| eval duration = duration/60
| eval duration=round(duration,2)
| table src_ip, user, duration, Date,TaskCategory
| rename duration as "Session_Duration_Minutes"
| sort - Date
Hi javiergn,
Actually, I am getting results, but I need the user's logon time and logoff time together with the duration. From my search I am getting src_ip, user, Session_Duration_Minutes, Date and TaskCategory:
src_ip    user  Session_Duration_Minutes  Date        TaskCategory
x.x.x.x   AD$   14.88                     2016/02/01  LogoffLogon
x.x.x.x   AD$   1.58                      2016/02/01  LogoffLogon
But I need something like:
src_ip    user  Session_Duration_Minutes  Logon_Time  Logoff_Time
Thanks!
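An added example, not posted by anyone in this thread: the same transaction search extended with the requested logon and logoff times. After transaction, _time is the timestamp of the first event in each group (the 4624 logon) and duration is the number of seconds to the last event (the 4634 logoff), so Logoff_Time is simply _time plus duration. Field names other than the ones already used above (Logon_Time, Logoff_Time) are chosen here and can be renamed.

```spl
index="wineventlog" source="wineventlog:security" (EventCode=4624 OR EventCode=4634) earliest=-4h
| transaction src_ip user startswith=EventCode=4624 endswith=EventCode=4634
| where duration > 60
| search NOT src_ip="::1"
| eval Logon_Time=strftime(_time, "%Y/%m/%d %H:%M:%S")
| eval Logoff_Time=strftime(_time + duration, "%Y/%m/%d %H:%M:%S")
| eval Session_Duration_Minutes=round(duration/60, 2)
| sort - _time
| table src_ip, user, Logon_Time, Logoff_Time, Session_Duration_Minutes
```

A 4634 event carries no source address, so the pairing here effectively rides on the user field alone; both 4624 and 4634 share a Logon_ID, which gives a more precise key for the transaction if duplicate users or computer accounts such as AD$ muddle the results.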