Am trying below query but its not Working:
index=* (sourcetype=WinEventLog:System OR sourcetype=WinEventLog:Security) (EventCode=1102 OR EventCode=13 OR EventCode=1100) EventType=4 dvc="MS-FR4-EXM-008" <1100> | stats max(_time) as maxtime min(_time) as mintime | eval difference=maxtime-mintime | eval difference=strftime(difference,"%d:%H:%M:%S")
First, try this part, and see if you are getting the events, and only the events, that you care about. For instance, on my system, those EventIDs do not have an EventType.
index=* (sourcetype=WinEventLog:System OR sourcetype=WinEventLog:Security) (EventCode=1102 OR EventCode=13 OR EventCode=1100) EventType=4 dvc="MS-FR4-EXM-008"
Second, you can simply use range(_time) to get the difference in seconds between the first and last events that are selected...
| stats range(_time) as duration by dvc
However, I think before you do that, you should probably make sure you are dealing with only a single most-recent instance of your event, and that the events happened in the order you care about. In my system, usually 1102 happens, then 1100. I'm not sure when EventCode 13 might occur in the scenario you are trying to detect, so adjust the code as needed...
| rename COMMENT as "1002 audit log cleared, 1000 logging shut down, 13 enrollment error" | rename COMMENT as "this section sets up individual time fields and copies them to all records for each dvc" | eval Time1100 = if(EventCode=1100,_time,null()) | eval Time1102 = if(EventCode=1102,_time,null()) | eval Time13 = if(EventCode=13,_time,null()) | eventstats max(Time1*) as maxTime1* by dvc | rename COMMENT as "this section drops any records that are not the most recent." | where ((Time1100==maxTime1100) OR (Time1102==maxTime1102) OR (Time13==maxTime13)) | rename COMMENT as "you should drop any records here that are enough out of order so as to be irrelevant." | where (isnull(Time1100) OR (Time1100<=maxTime13)) | where (isnull(Time1102) OR (Time1102<=maxTime13)) | where (isnull(Time13) OR (Time13>=maxTime1100) OR (Time13>=maxTime1102)) | rename COMMENT as "here you calculate duration in seconds then in hours for display." | stats range(_time) as duration, max(Time1*) as maxTime1* by dvc | where duration >15 | eval durationHours = round(duration/3600,2)
The section that drops records needs to be revisited based on knowing your data and your strategy for pulling data. For instance, you might want to ignore any 1100 and 1102 records that are after the last 13 record, so you'd use
eventstats to find the last 13, then filter to drop all prior 13s and all subsequent 1100s and 1102s. THEN you'd use
eventstats again to find the dates of the last 1100 and 1102 and drop all priors.
Maybe transaction command can help you
you can use startswith=EventCode=13 and endswith=EventCode=1100 arguments
also transaction command generates duration field(difference between first and last event) and you can search transactions where duration>=15
Full description of transaction command