Hello! I need to build a Splunk query that displays the earliest logon and latest logoff times for a user in the same table / chart over the span of 60 days - and let's use Event ID 4624 for logons and Event ID 4634 for logoffs. So here is an example: let's say user John Doe first logged in today at 8am and last logged off at 5pm. I would want the following to be displayed:
(Day) (Earliest Logon Time) (Computer Name for Earliest Logon) (Latest Log Off Time) (Computer Name for Latest Log Off)
09/17 8am WindowsPC-25 5pm WindowsPC-25
09/18 8:30am Laptop-25 6pm Laptop-25
09/19
etc...
etc...
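One way to produce the table described above, as an added example that is not part of the original post. The index name, the user value, and the field names `user` and `ComputerName` are assumptions that depend on how the Windows Security log is onboarded and extracted in a given environment:

```spl
index=YOUR_WINDOWS_INDEX (EventCode=4624 OR EventCode=4634) user="PLACEHOLDER_USER" earliest=-60d@d latest=now
| eval day=strftime(_time, "%Y-%m-%d")
| eval logon_time=if(EventCode==4624, _time, null()), logon_host=if(EventCode==4624, ComputerName, null())
| eval logoff_time=if(EventCode==4634, _time, null()), logoff_host=if(EventCode==4634, ComputerName, null())
| stats min(logon_time) as first_logon, earliest(logon_host) as first_logon_host, max(logoff_time) as last_logoff, latest(logoff_host) as last_logoff_host by day
| sort 0 day
| eval Day=strftime(strptime(day, "%Y-%m-%d"), "%m/%d")
| eval "Earliest Logon Time"=strftime(first_logon, "%I:%M %p"), "Latest Log Off Time"=strftime(last_logoff, "%I:%M %p")
| rename first_logon_host as "Computer Name for Earliest Logon", last_logoff_host as "Computer Name for Latest Log Off"
| table Day, "Earliest Logon Time", "Computer Name for Earliest Logon", "Latest Log Off Time", "Computer Name for Latest Log Off"
```

The day key is computed with `strftime` rather than `bin _time` so that `earliest()` and `latest()` still see the original event timestamps when picking the computer name. Days with no matching events produce no row, and 4624 also fires for network and service logons, so the earliest logon on a day is not necessarily an interactive one.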