Hi all,
I have a problem when I try to parse EventID=1 in wineventlog. The message looks like this:
03/05/2020 09:01:58 AM
LogName=System
SourceName=Microsoft-Windows-Kernel-General
EventCode=1
EventType=4
Type=Information
ComputerName=H7Y2.nap.net
TaskCategory=5
OpCode=Info
RecordNumber=5763
Keywords=Time
Message=The system time has changed to 2020-03-04T23:01:58.500000000Z from 2020-03-03T00:38:07.829890100Z.
Change Reason: System time synchronized with the hardware clock.
Process: '' (PID 4).
When I use a regex to parse the time from the Message field, there is 1 unseen character before and after each number. Hence the command: | eval time_from = strptime(stime_from, "%Y-%m-%dT%H:%M:%S.%N") doesn't work, because the format doesn't have the unseen characters.
Tks
Linh
Hi @louismai,
If you are getting any unseen or special characters in the field stime_from, it is better to replace all non-alphanumeric characters in the field values and then convert to epoch, like below.
| eval time_from = strptime(replace(stime_from, "[\W]+", ""), "%Y%m%dT%H%M%S%N")
Examples:
| makeresults | eval stime_from="2020-03-04T23:01:58.500000000Z", time_from = strptime(replace(stime_from, "[\W]+", ""), "%Y%m%dT%H%M%S%NZ")
...
| makeresults | eval stime_from="2020-03-04T23:01:58.500000000", time_from = strptime(replace(stime_from, "[\W]+", ""), "%Y%m%dT%H%M%S%N")
| makeresults
| eval _raw="Message=The system time has changed to 2020-03-04T23:01:58.500000000Z from 2020-03-03T00:38:07.829890100Z."
| rex "changed to (?<stime_to>.*Z) from (?<stime_from>.*Z)\."
| rex mode=sed field=stime_from "s/[^\w\-\:\.]//g"
| rex mode=sed field=stime_to "s/[^\w\-\:\.]//g"
| eval time_from = strptime(stime_from." +0000", "%Y-%m-%dT%H:%M:%S.%9QZ %z")
| eval time_to = strptime(stime_to." +0000", "%Y-%m-%dT%H:%M:%S.%9QZ %z")
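The same approach outside Splunk, as an added example that is not part of this thread: identify the "unseen" characters by their Unicode category, strip only format characters (so the "-", ":" and "." that strptime needs survive, as the sed in the answer above does), then parse the 9-digit subsecond timestamps. The sample message is constructed; it assumes the invisible characters are U+200E left-to-right marks, which the thread itself never identifies.

```python
"""Parse the Kernel-General EventCode=1 'system time has changed' message
when its dates are wrapped in invisible Unicode format characters."""
import re
import unicodedata
from datetime import datetime, timezone

# Constructed sample: the message from the question with U+200E (LEFT-TO-RIGHT
# MARK) placed before and after each date component.  That the unseen
# characters are U+200E is an assumption for this example only.
LRM = "\u200e"
SAMPLE = (
    "Message=The system time has changed to "
    f"{LRM}2020{LRM}-{LRM}03{LRM}-{LRM}04T23:01:58.500000000Z from "
    f"{LRM}2020{LRM}-{LRM}03{LRM}-{LRM}03T00:38:07.829890100Z."
)


def invisible_chars(text):
    """List the distinct non-ASCII code points in text with their Unicode
    category and name, so a 'space-like' character can be identified."""
    found = {
        (f"U+{ord(c):04X}", unicodedata.category(c), unicodedata.name(c, "?"))
        for c in text
        if ord(c) > 0x7F
    }
    return sorted(found)


def strip_format_chars(text):
    """Drop Unicode 'Cf' (format) characters such as U+200E, U+200F, U+FEFF.
    Unlike deleting every non-word character, this keeps '-', ':' and '.'."""
    return "".join(c for c in text if unicodedata.category(c) != "Cf")


TS_RE = re.compile(r"changed to (?P<to>\S+Z) from (?P<from>\S+Z)\.")
ISO_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.(\d{1,9})Z$")


def iso_to_epoch(ts):
    """Parse 'YYYY-MM-DDTHH:MM:SS.nnnnnnnnnZ' to (epoch_seconds, nanoseconds).
    Python's %f accepts at most six digits, so the fraction is parsed apart."""
    m = ISO_RE.match(ts)
    if not m:
        raise ValueError(f"unexpected timestamp format: {ts!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    base = base.replace(tzinfo=timezone.utc)          # the trailing Z means UTC
    nanos = int(m.group(2).ljust(9, "0"))             # right-pad to 9 digits
    return int(base.timestamp()), nanos


def parse_time_change(message):
    """Extract both timestamps from the message and convert them to epoch."""
    clean = strip_format_chars(message)
    m = TS_RE.search(clean)
    if not m:
        raise ValueError("no time-change timestamps found in message")
    return {
        "time_to": iso_to_epoch(m.group("to")),
        "time_from": iso_to_epoch(m.group("from")),
    }


if __name__ == "__main__":
    print(invisible_chars(SAMPLE))
    print(parse_time_change(SAMPLE))
```

Running the script first prints the offending code point(s) with their category, which is the quick way to answer "what is it?" for a field that looks clean in the UI; a category of Cf means the character is a format control, exactly the kind that a `[\W]` or `[^\w\-\:\.]` class removes but a plain `%Y-%m-%d...` format never matches.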
There are space-like symbols. What are they?
You can use sed to replace the spaces. I've taken the time from above and created the example below:
| makeresults
| eval t = "03/05/2020 09:01:58 AM"
| eval stime = "2020 - 03 - 04T23:01:58.500000000Z"
| eval epoch_time_t = strptime(t, "%m/%d/%Y %I:%M:%S %p")
| eval human_time_t = strftime(epoch_time_t, "%d/%m/%Y %H:%M:%S")
| rex mode=sed field=stime "s/ //g"
| eval epoch_time_stime = strptime(stime, "%Y-%m-%dT%H:%M:%S")
| eval human_time_stime = strftime(epoch_time_stime, "%d/%m/%Y %H:%M:%S")