My search so far:
index=notimportant EventID=4624 [ inputlookup users.csv | fields TargetUserName ] | chart eval(latest(_time) - earliest(_time)) as total by TargetUserName | fieldformat total=strftime(total, "%H:%M")
What I'm doing is:
I get the earliest event and the latest event from the result (the results are Microsoft login events), then subtract the logout time from the login time so I get the working times.
Problems:
I cannot display times in a time/timechart (when I remove the ":" characters the chart works).
When I change the type from chart --> timechart, the entries in the timechart are displayed in the long number notation (not human readable; I forgot the name of this notation).
All I want is the working hours from each user by day, thanks!
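An added example, not part of the original post: one way to get the span between the first and last 4624 event per user per day, reusing the post's index, lookup and TargetUserName field. The span stays numeric (`hours`) so it can be charted, and `tostring(..., "duration")` renders it for tables, since `strftime` interprets its input as an epoch timestamp rather than a length of time. The field names `day`, `first_logon`, `last_logon`, `worked_secs`, `hours` and `worked` are assumptions.

```spl
index=notimportant EventID=4624 [ inputlookup users.csv | fields TargetUserName ]
| eval day=strftime(_time, "%Y-%m-%d")
| stats min(_time) as first_logon max(_time) as last_logon by day TargetUserName
| eval worked_secs=last_logon - first_logon
| eval hours=round(worked_secs / 3600, 2)
| eval worked=tostring(worked_secs, "duration")
| table day TargetUserName hours worked
```

To plot it, replace the final `table` with `chart max(hours) over day by TargetUserName`. Because the search only matches EventID 4624 (logon), the span runs from the first to the last logon of the day, not from logon to logoff.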