The following Splunk query will display successful windows logins and overlay an average on visualizations. source=”WinEventLog:Security” (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624) | timechart count(EventCode) as count | eventstats avg(count) as Average | eval average=round(average,0) | rename count as “Successful Logons”
Average Duration of a Session within an IIS Web Environment
This query will report back the average duration of a session within an IIS web environment. The time format will be HH:MM:SS sourcetype=”iis” | stats range(_time) as duration by JSESSIONID | stats avg(duration) as AVG | fieldformat AVG=tostring(AVG,”duration”) | eval AVG=round(AVG, 0)