topic Re: Eval Diff in Time Format issues in Splunk Search

Eval Diff in Time Format issues

hartfoml — Thu, 05 Dec 2013 18:31:08 GMT

I have firewall logs like this:

Dec 5 14:43:14 SF3D-DC SF: [1:12345:1] "Event Name" [Impact: Currently Not Vulnerable] From "My.Server.local" at Thu Dec 5 14:43:08 2013 UTC

the first time 14:43:14 in the string is the writeTime that the event was put in the IDS database.

The second time 14:43:08 is the eventTime that is the time that the IDS sensor detected the event.

I woulds like to do this:

sourcetype=IDS | eval timeDiff=writeTime - eventTime | stats avg(timeDiff)

This looks like ti should work but I think I am hanging on the strptime. since the time is already formated in the extraction should I still need to convert it to time?

Re: Eval Diff in Time Format issues

somesoni2 — Thu, 05 Dec 2013 19:17:12 GMT

The field extraction is making writeTime and eventTime as string, so a "-" operation will not work directly. You need to convert it to epoch time for such calculations.

Re: Eval Diff in Time Format issues

kristian_kolb — Mon, 28 Sep 2020 16:13:19 GMT

To expand on the explanation given by somesoni2 (assuming that the first timestamp (writeTime) is extracted into the _time field, i.e. the splunk timestamp for the event);

sourcetype=IDS | rex "at\s(?<eventTime>(\S+\s){5}\S+)$" | eval eventTime = strptime(eventTime, "%a %b %e %H:%M:%S %Y %Z") | eval timeDiff = _time - eventTime | stats avg(timeDiff) as avg_diff

This will give you the average timeDiff in seconds (avg_diff = 6). If you want to you make avg_diff "look nicer", you add this to the end;

| eval avg_diff = tostring(avg_diff, "duration")

Now, avg_diff = 00:00:06

Hope this helps,

Re: Eval Diff in Time Format issues

kristian_kolb — Tue, 25 Mar 2014 01:17:44 GMT

oops... just realized that this question was rather old. Well, hope that you solved your problem already, or if you didn't - that this helped a bit... 🙂

Re: Eval Diff in Time Format issues

hartfoml — Tue, 25 Mar 2014 12:42:18 GMT

Kristian, thanks so much this was the answer but if I could ask you one thing. I have extracts for the time's in the data so this is my search.
sourcetype=IDS | eval eventTime = strptime(eventTime, "%H:%M:%S") | eval writeTime = strptime(writeTime, "%H:%M:%S") | eval timeDiff = writeTime - eventTime | stats avg(timeDiff) as avg_diff | eval avg_diff = tostring(avg_diff, "duration")
My question is [I can't seem to use (timechart span=15m) in place of stats?

Re: Eval Diff in Time Format issues

somesoni2 — Mon, 28 Sep 2020 16:13:37 GMT

Timechart converts values into columns hence the eval avg_diff will not work (not column name present with that name). Your can try this workaround for it.

Since the value of avg_diff will be string, you won't be able to see any chart visualization but will work for table.

Re: Eval Diff in Time Format issues

hartfoml — Tue, 25 Mar 2014 17:57:00 GMT

Thanks this will work.

I ended up using the numerical value to get the chart like this

sourcetype=IDS | eval eventTime = strptime(eventTime, "%H:%M:%S") | eval writeTime = strptime(writeTime, "%H:%M:%S") | eval timeDiff = writeTime - eventTime | timechart span=15m avg(timeDiff) as avg_diff

I can use this to see trends and set alert values

Thanks again for your help