I'm looking to show the duration of logons through VDI logs. I convert _time into something better for the Start and Finish Times, but I'm unable to evaluate the difference.
I have tried to convert the Splunk duration fields back to a "human" readable format, but I have not been successful.
... | transaction UserDisplayName MachineName startswith="AGENT_CONNECTED" endswith="AGENT_ENDED"
| eval Start_Time=strftime(_time, "%H:%M:%S"), Finish_Time=strftime(_time+duration, "%H:%M:%S"), Duration=tostring(duration, "duration")
| table UserDisplayName MachineName Start_Time Finish_Time Duration

(The original query subtracted two strftime() strings, which yields nothing; transaction already computes the numeric duration field in seconds, so the times are formatted after transaction from _time and _time+duration, and tostring(duration, "duration") renders it as HH:MM:SS.)
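An added stats-based variant (not from the original post) that pairs each AGENT_CONNECTED with its following AGENT_ENDED per user and machine without the memory cost of transaction, and flags sessions that never reported an end event; the index name, sourcetype and the log field names other than those in the question are assumptions.

```spl
index=vdi sourcetype=vdi_agent EventType IN ("AGENT_CONNECTED","AGENT_ENDED")
| sort 0 UserDisplayName MachineName _time
| streamstats count(eval(EventType="AGENT_CONNECTED")) AS session_no BY UserDisplayName MachineName
| stats min(eval(if(EventType="AGENT_CONNECTED", _time, null()))) AS start_epoch
        max(eval(if(EventType="AGENT_ENDED", _time, null()))) AS end_epoch
        BY UserDisplayName MachineName session_no
| eval Duration_sec=end_epoch-start_epoch
| eval Start_Time=strftime(start_epoch, "%Y-%m-%d %H:%M:%S"),
       Finish_Time=if(isnull(end_epoch), "still connected", strftime(end_epoch, "%Y-%m-%d %H:%M:%S")),
       Duration=if(isnull(Duration_sec), "open", tostring(Duration_sec, "duration"))
| table UserDisplayName MachineName Start_Time Finish_Time Duration
```

Sessions shown as "open" are the ones worth reviewing: a logon with no matching AGENT_ENDED is either still live or the end event was never logged.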