Archive

Unseen character in wineventlog message

Path Finder

Hi all,

I have a problem when I tried to parse EventID=1 in wineventlog. The message look like this:
03/05/2020 09:01:58 AM
LogName=System
SourceName=Microsoft-Windows-Kernel-General
EventCode=1
EventType=4
Type=Information
ComputerName=H7Y2.nap.net
TaskCategory=5
OpCode=Info
RecordNumber=5763
Keywords=Time
Message=The system time has changed to ‎2020‎-‎03‎-‎04T23:01:58.500000000Z from ‎2020‎-‎03‎-‎03T00:38:07.829890100Z.

Change Reason: System time synchronized with the hardware clock.
Process: '' (PID 4).

When I used regex to parse the time from Message field. There is 1 unseen character before and after each number. Hence the command: | eval time_from = strptime(stime_from, "‎%Y‎-‎%m‎-‎%dT%H:%M:%S.%N") doesn't work because it doesn't have the unseen characters.

Tks
Linh

Tags (1)
0 Karma

Influencer

Hi @louismai,

If you are getting any unseen or special character in field stime_from. It is better to replace all non alphanumeric characters in the field values and then convert to epoch like below.

| eval time_from = strptime(replace(stime_from, "[\W]+", ""), "‎%Y‎‎%m‎‎%dT%H%M%S%N")

Examples:

| makeresults | eval stime_from="‎2020‎-‎03‎-‎04T‎23:01:58‎.500000000Z", time_from = strptime(replace(stime_from, "[\W]+", ""), "%Y%m%dT%H%M%S%NZ")

...

| makeresults | eval stime_from="‎2020‎-‎03‎-‎04T‎23:01:58‎.500000000", time_from = strptime(replace(stime_from, "[\W]+", ""), "%Y%m%dT%H%M%S%N")
0 Karma

Ultra Champion
| makeresults 
| eval _raw="Message=The system time has changed to ‎2020‎-‎03‎-‎04T23:01:58.500000000Z from ‎2020‎-‎03‎-‎03T00:38:07.829890100Z." 
| rex "changed to (?<stime_to>.*Z) from (?<stime_from>.*Z)\." 
| rex mode=sed field=stime_from "s/[^\w\-\:\.]//g" 
| rex mode=sed field=stime_to "s/[^\w\-\:\.]//g" 
| eval time_from = strptime(stime_from." +0000", "%Y-%m-%dT%H:%M:%S.%9QZ %z") 
| eval time_to = strptime(stime_to." +0000", "%Y-%m-%dT%H:%M:%S.%9QZ %z")

There are space-like symbols. What is it?

0 Karma

Builder

You can use the sed to replace the space. I've taken the time from above and created the below example

| makeresults
| eval t = "03/05/2020 09:01:58 AM"
| eval stime = "2020 - 03 - 04T23:01:58.500000000Z"
| eval epoch_time_t = strptime(t, "%d/%m/%Y %H:%M:%S %p")
| eval human_time_t =  strptime(epoch_time, "%d/%m/%Y %H:%M:%S %p")
| rex mode=sed field=stime "s/ //g"
| eval epoch_time_stime = strptime(stime, "%Y-%m-%dT%H:%M:%S")
| eval human_time_stime = strftime(epoch_time_stime, "%d/%m/%Y %H:%M:%S")
0 Karma