https://community.splunk.com/t5/Getting-Data-In/How-do-you-alert-on-a-date-change-in-Windows-Security-Logs/m-p/380755#M68709 <P>Hello @zmmt,</P> <P>Convert your timestamps to epoch objects using <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/DateandTimeFunctions">strptime()</A>.</P> <P>Then you can easily calculate the time difference in seconds:</P> <PRE><CODE>| makeresults count=1 | fields - _time | eval Previous_Time="2018-12-26T09:36:32.959975900Z" | eval New_Time="2018-12-26T09:36:32.959000000Z" | eval Previous_Time_Epoch=strptime(Previous_Time,"%Y-%m-%dT%H:%M:%S.%9N") | eval New_Time_Epoch=strptime(New_Time,"%Y-%m-%dT%H:%M:%S.%9N") | eval diff=abs(New_Time_Epoch-Previous_Time_Epoch) </CODE></PRE> <P>The result for your sample event is:</P> <PRE><CODE> Previous_Time_Epoch New_Time_Epoch diff 1545816992.959975 1545816992.959000 0.000975 </CODE></PRE> <P>And now filter for:</P> <PRE><CODE>| search diff&gt;60 </CODE></PRE> <P>I'm not sure though what the "Z" in your timestamps stands for.</P> Wed, 26 Dec 2018 14:22:00 GMT whrg 2018-12-26T14:22:00Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-alert-on-a-date-change-in-Windows-Security-Logs/m-p/380754#M68708 <P>Hello, </P> <P>I am looking to create an alert when a date change of more than a minute in Windows Security Logs.</P> <P>in my log, I have these two elements (Previous_Time and Nex_Time) that I would like to compare, but I cannot create the filter.</P> <P>Previous Time: ‎2018‎-‎12‎-‎26T09:36:32.959975900Z <BR /> New Time: ‎2018‎-‎12‎-‎26T09:36:32.959000000Z</P> <P>I would like to compare these two variables and trigger an alert if the result is greater than one minute.</P> <P>Any ideas ?</P> Tue, 29 Sep 2020 22:32:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-alert-on-a-date-change-in-Windows-Security-Logs/m-p/380754#M68708 zmmt 2020-09-29T22:32:18Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-alert-on-a-date-change-in-Windows-Security-Logs/m-p/380755#M68709 <P>Hello @zmmt,</P> <P>Convert your timestamps to epoch objects using <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/DateandTimeFunctions">strptime()</A>.</P> <P>Then you can easily calculate the time difference in seconds:</P> <PRE><CODE>| makeresults count=1 | fields - _time | eval Previous_Time="2018-12-26T09:36:32.959975900Z" | eval New_Time="2018-12-26T09:36:32.959000000Z" | eval Previous_Time_Epoch=strptime(Previous_Time,"%Y-%m-%dT%H:%M:%S.%9N") | eval New_Time_Epoch=strptime(New_Time,"%Y-%m-%dT%H:%M:%S.%9N") | eval diff=abs(New_Time_Epoch-Previous_Time_Epoch) </CODE></PRE> <P>The result for your sample event is:</P> <PRE><CODE> Previous_Time_Epoch New_Time_Epoch diff 1545816992.959975 1545816992.959000 0.000975 </CODE></PRE> <P>And now filter for:</P> <PRE><CODE>| search diff&gt;60 </CODE></PRE> <P>I'm not sure though what the "Z" in your timestamps stands for.</P> Wed, 26 Dec 2018 14:22:00 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-alert-on-a-date-change-in-Windows-Security-Logs/m-p/380755#M68709 whrg 2018-12-26T14:22:00Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-alert-on-a-date-change-in-Windows-Security-Logs/m-p/380756#M68710 <P>hi @zmmt,</P> <P>Did you have a chance to check out WHRG's answer? If it worked, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. </P> <P>Thanks for posting!</P> Tue, 08 Jan 2019 00:05:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-alert-on-a-date-change-in-Windows-Security-Logs/m-p/380756#M68710 mstjohn_splunk 2019-01-08T00:05:02Z