Ad slot: top
GoSplunk SPL + dashboard repository
Log in Register

SPL

Console Lock Duration

WinEventLog:Security

Description

Submitted by SplunkNinja

The following code works only in windows 2008 and newer operating systems:
2 0 
sourcetype=WinEventLog:Security (EventCode=4800 OR EventCode=4801) | eval Date=strftime(_time, "%Y/%m/%d") | transaction host Account_Name startswith=EventCode=4800 endswith=EventCode=4801 | eval duration = duration/60 | eval duration=round(duration,2)| table host, Account_Name, duration, Date |rename duration as "Console Lock Duration in Minutes" | sort - date

Comments

0 total

Be the first to comment on this SPL.

Leave a comment

You must log in to post a comment.

Ad slot: bottom