topic Re: How to subtract windows time stamps? in Getting Data In

How to subtract windows time stamps?

splunk_operator — Wed, 22 Apr 2015 12:49:58 GMT

In order to detect time changes of more than 20 seconds, I want to look into the Windows event "system time change" EventCode=4616 by computing the delta of the time change, subtract new time from previous time. I do not get a result from converting (mktime, ctime) neither from using strftime or strptime. It simply does not compute or even convert properly. Can anybody help?

Previous Time: ‎2015‎-‎04‎-‎22T12:40:15.083296800Z
New Time: ‎2015‎-‎04‎-‎22T12:40:15.073000000Z

Re: How to subtract windows time stamps?

fdi01 — Wed, 22 Apr 2015 14:51:57 GMT

try like this :

  ...|eval duree=round(New Time) - round(Previous Time)|table "New Time" " Previous Time" duree | fieldformat duree=strftime(duree, "%H:%M:%S") |...

Re: How to subtract windows time stamps?

splunk_operator — Wed, 22 Apr 2015 15:08:31 GMT

round is not working here in the first place, but thanks for your effort 😉

Re: How to subtract windows time stamps?

the_wolverine — Wed, 22 Apr 2015 16:13:18 GMT

| eval ptime="PREVIOUS TIME" | eval ntime="NEW TIME" | eval diff=ntime-ptime | where diff>20

Or, you could use a transaction which automatically calculates the duration:

index=win EventCode=4616 | transaction EventCode | where duration>20

Re: How to subtract windows time stamps?

Rhin0Crash — Tue, 29 Sep 2020 16:26:10 GMT

Stumbling across this thread nearly 2 and a half years later, not sure if you got the response you needed.

System time change, event code 4616, is a Windows event. Windows being Windows, there's always a strange set of characters in there somewhere. If you run a basic search and table _raw, you'll see part of the wineventlog entry labeled "Previous_time" or "New_Time".

To extract this field normalize it, however, you have to copy the text from the _raw log into the search bar, and it'll show Window's odd little character between the things you can see.
the # symbol in this eval statement is meant to represent the odd character in question

| eval newTimestamp=strftime(round(strptime(New_Time, "#%Y#-#%m#-#%dT%H:%M:%S.%9QZ"),0), "%F - %T)

Re: How to subtract windows time stamps?

chiennylin — Wed, 30 Sep 2020 03:45:41 GMT

Hi,
I am trying to subtract the _time as well, but i don't know why my simple eval is not working.
here's my code:

| convert ctime(_time) AS time
| eval TID=if(Type=="Inbound",obj_type,corrID)
| eval inboundTime=if(Type=="Inbound",time,null())
| eval outboundTime=if(Type=="Outbound",time,null())
| eval ResponseTime=strptime(outboundTime,"%Y%m%d %H:%M:%S.%N")-strptime(inboundTime,"%Y%m%d %H:%M:%S.%N")
| stats values(inboundTime) AS starttime values(outboundTime) AS endtime values(ResponseTime) as ResponseTime by TID

I even tried a simpler approach:
| eval ResponseTime=outboundTime-inboundTime

But this is not working as well.
help!

Re: How to subtract windows time stamps?

ashajambagi — Mon, 20 Jan 2020 10:04:28 GMT

try this
| eval TID=if(Type=="Inbound",obj_type,corrID) | eval inboundTime=if(Type=="Inbound",time,null()) | eval outboundTime=if(Type=="Outbound",time,null()) | eval ResponseTime=outboundTime-inboundTime | convert ctime(_time) AS time | stats values(inboundTime) AS starttime values(outboundTime) AS endtime values(ResponseTime) as ResponseTime by TID

Re: How to subtract windows time stamps?

chiennylin — Wed, 30 Sep 2020 03:46:42 GMT

Thanks for the answer, but it's not working.
because the _time is used before hand.
i even tried this:
| eval TID=if(Type=="Inbound",obj_type,corrID)
| eval inboundTime=if(Type=="Inbound",_time,null())
| eval outboundTime=if(Type=="Outbound",_time,null())
| convert ctime(inboundTime) AS inboundTime
| convert ctime(outboundTime) AS outboundTime
| eval ResponseTime=outboundTime-inboundTime
| stats values(inboundTime) AS starttime values(outboundTime) AS endtime values(ResponseTime) as ResponseTime by TID

but its not working.
it looks like this:

TID starttime endtime ResponseTime
0b44ffc9-8e92-44a0-b487-da9acba0bc52 01/21/2020 00:12:45.168 01/21/2020 00:12:45.362

0d501b27-ad34-4481-bc16-7c029baa8bec 01/21/2020 00:10:56.951 01/21/2020 00:10:57.293

Re: How to subtract windows time stamps?

ashajambagi — Tue, 21 Jan 2020 04:55:31 GMT

try this
| eval TID=if(Type=="Inbound",obj_type,corrID) | eval inboundTime=if(Type=="Inbound",_time,null()) | eval outboundTime=if(Type=="Outbound",_time,null()) | eval ResponseTime=outboundTime-inboundTime | convert ctime(inboundTime) AS inboundTime | convert ctime(outboundTime) AS outboundTime |convert ctime(ResponseTime) as ResponseTime | stats values(inboundTime) AS starttime values(outboundTime) AS endtime values(ResponseTime) as ResponseTime by TID

Re: How to subtract windows time stamps?

hnorvik — Tue, 17 Nov 2020 23:23:59 GMT

Ended up with the same challenge as listed here and none of the suggested replies on this article helped in any way.

Here is my solution:

<my search> | rex field=New_Time mode=sed "s/[^ -~]//g"
| rex field=Previous_Time mode=sed "s/[^ -~]//g"
| eval time_drift = (strptime(New_Time, "%Y-%m-%dT%H:%M:%S.%9QZ") - strptime(Previous_Time,"%Y-%m-%dT%H:%M:%S.%9QZ"))
| table _time New_Time time_drift

Problem:
The field with the Windows timestamps includes non-printable character - I thinks it's a x80, but it doesn't really matter. I use the rex mode=sed to remove anything that is not in the printable range.

[^ -~] matches all non-printable character, and mode=sed will just remove them from the string.

After this replacement, the strptime() function works correctly.