Splunk Search

How to put working hours from each user by day in a time chart

rens78
New Member

My search so far:

index=notimportant EventID=4624 [ inputlookup users.csv | fields TargetUserName ]  | chart eval(latest(_time) - earliest(_time)) as total by TargetUserName | fieldformat total=strftime(total, "%H:%M")

What I'm doing is:

Get the earliest event from the result and the latest event from the result (the results are Microsoft login events). Subtracting the logout time from the login time so I get the working times.

Problems:

  • I cannot display times in a time/timechart (when I remove the ":" characters the chart works).

  • When I change the type from chart --> timechart the entry's in the timechart are displayed by the long number notations (not human readable, I forgot the name of this notation).

All I want is the working hours from each user by day, thanks!

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Try this ...

index=notimportant EventID=4624 [ inputlookup users.csv | fields TargetUserName ] 
| bin _time as myday span=1d
| stats min(_time) as mintime max(_time) as maxtime by TargetUserName myday
| eval TotalHours = round((maxtime-mintime)/3600,2)
| rename mintime as _time
| timechart span=1d  sum(TotalHours) as TotalHours by TargetUserName
0 Karma

rens78
New Member

Awsome!!!!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...