Hi
How to search for user logon duration in a day, starting with the first 4624 event and ending with the last 4634 event in the day?
Try this
index=foo sourcetype=bar (eventcode=4624 OR eventcode=4634) accountname=* | stats earliest(eval(if(eventcode=4624, _time, null()))) as logon latest(eval(if(eventcode=4634, _time, null()))) as logoff by accountname | eval duration=logoff-logon
If there is more than one login per day, try this
index=foo sourcetype=bar (eventcode=4624 OR eventcode=4634) accountname=* | reverse | streamstats count by accountname eventcode | stats earliest(eval(if(eventcode=4624, _time, null()))) as logon latest(eval(if(eventcode=4634, _time, null()))) as logoff by accountname count | eval duration=logoff-logon
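The same two calculations, written out in Python as an added illustration (not part of the answer above) over a constructed set of 4624/4634 events, so you can see what each query computes: the first pairs the earliest logon with the latest logoff per account and day, the second pairs the nth logon with the nth logoff (what the streamstats count does). It assumes events carry a timestamp, an event code and an account name, and adds the per-day grouping the question asks for; like the queries above it does not filter on logon type.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real logs: (timestamp, event code, account name)
EVENTS = [
    ("2024-03-04 08:02:10", 4624, "alice"),
    ("2024-03-04 12:15:00", 4634, "alice"),
    ("2024-03-04 13:00:00", 4624, "alice"),
    ("2024-03-04 17:30:00", 4634, "alice"),
    ("2024-03-04 09:00:00", 4624, "bob"),
    ("2024-03-04 09:45:00", 4634, "bob"),
    ("2024-03-05 08:00:00", 4624, "bob"),   # logon with no matching logoff that day
]

def _key(ts, acct):
    """Group by account and calendar day (the per-day split the question wants)."""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return t, (acct, t.date().isoformat())

def first_last_duration(events):
    """First query: earliest 4624 to latest 4634 per account and day, in seconds.
    Returns None when either end is missing (e.g. user never logged off that day)."""
    bounds = defaultdict(lambda: [None, None])
    for ts, code, acct in events:
        t, key = _key(ts, acct)
        if code == 4624 and (bounds[key][0] is None or t < bounds[key][0]):
            bounds[key][0] = t
        elif code == 4634 and (bounds[key][1] is None or t > bounds[key][1]):
            bounds[key][1] = t
    return {k: (b[1] - b[0]).total_seconds() if b[0] and b[1] else None
            for k, b in bounds.items()}

def session_durations(events):
    """Second query: sort chronologically (the `reverse`), number logons and logoffs
    separately per account and day (the `streamstats count`), pair the nth with the nth.
    A logon with no nth logoff yields None; surplus logoffs are left unpaired."""
    logons, logoffs = defaultdict(list), defaultdict(list)
    for ts, code, acct in sorted(events, key=lambda e: e[0]):
        t, key = _key(ts, acct)
        (logons if code == 4624 else logoffs)[key].append(t)
    out = {}
    for key, ons in logons.items():
        offs = logoffs.get(key, [])
        out[key] = [(offs[i] - on).total_seconds() if i < len(offs) else None
                    for i, on in enumerate(ons)]
    return out
```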