Getting Data In

How to return results only if the difference between Previous_Time and New_Time is more than 5s?

evallja
Path Finder

Hello everyone,

I have the fields below and I want the search to return results only when the difference between Previous_Time and New_Time is more than 5s:

_time: Tue Aug 15 09:35:01 2023
host: hostname
EventCode: 4616
EventCodeDescription: The system time was changed.
Name: C:\Program Files (x86)\TrueTime\WinSync\WinSync.exe
Previous_Time: ‎2023‎-‎08‎-‎15T07:35:01.152758200Z
New_Time: ‎2023‎-‎08‎-‎15T07:35:01.152000000Z

Thank you.

0 Karma

ITWhisperer
SplunkTrust

You need to parse the time strings into numeric times; then you can calculate the difference.

| eval Previous_Time=strptime(Previous_Time,"%Y-%m-%dT%T.%9N%Z")
| eval New_Time=strptime(New_Time,"%Y-%m-%dT%T.%9N%Z")
| eval diff=abs(Previous_Time - New_Time)
| where diff > 5

evallja
Path Finder

I have tried the eval command before for this case, but just like in this search, it returns blank field values for the Previous_Time and New_Time fields.

I even tried to change their names by creating totally new fields but still the same results.

0 Karma

ITWhisperer
SplunkTrust

I am not sure I understand what the issue is - this code works with the samples you have given, although perhaps the samples are not an accurate representation of your events.

Please can you share anonymised samples of your actual events, preferably in a code block </> to prevent loss of information due to formatting changes.

evallja
Path Finder

The table is copied from the results; the only field value I anonymized is the host value "hostname".

However, if it helps, I am also pasting the _raw text, changing only the sensitive info to "Anonymized":

08/15/2023 09:35:01 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4616
EventType=0
Type=Information
ComputerName=Anonymized
TaskCategory=Security State Change
OpCode=Info
RecordNumber=828401024
Keywords=Audit Success
Message=The system time was changed.

Subject:
Security ID: Anonymized\Administrator
Account Name: Administrator
Account Domain: Anonymized
Logon ID: 0x1B00AE

Process Information:
Process ID: 0x231c
Name: C:\Program Files (x86)\TrueTime\WinSync\WinSync.exe

Previous Time: ‎2023‎-‎08‎-‎15T07:35:01.152758200Z
New Time: ‎2023‎-‎08‎-‎15T07:35:01.152000000Z
0 Karma

ITWhisperer
SplunkTrust

Wow! You have some extra characters in there, no wonder the parsing didn't work! Please try this:

| eval Previous_Time=strptime(Previous_Time,"<u+200e>%Y<u+200e>-<u+200e>%m<u+200e>-<u+200e>%dT%T.%9N%Z")
| eval New_Time=strptime(New_Time,"<u+200e>%Y<u+200e>-<u+200e>%m<u+200e>-<u+200e>%dT%T.%9N%Z")
| eval diff=abs(Previous_Time - New_Time)
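Both of ITWhisperer's replies above come down to the same step: the Previous Time / New Time values carry invisible U+200E (left-to-right mark) characters around the year, month and day, and any strptime-style parse fails until they are removed. The Python below is an added example, not code from the thread or from Splunk: it strips Unicode format characters, parses the ISO-8601 value at nanosecond precision, and keeps only the events where the clock jumped by more than 5 s. The sample events are constructed; the first reproduces the values posted in the thread (marks included), the second is an invented 8.8 s jump.

```python
"""Parse Windows Event 4616 Previous/New Time values that contain hidden
U+200E marks, and keep only events where the clock jumped more than 5 s.
Added example; not from the thread or from Splunk."""
import re
import unicodedata
from datetime import datetime, timezone

# Format of the Previous Time / New Time values in the 4616 event:
# ISO-8601 UTC with up to nine fractional-second digits and a literal Z.
ISO_NS = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,9}))?Z$"
)


def strip_format_chars(s: str) -> str:
    """Drop Unicode 'format' characters (general category Cf). That category
    contains the left-to-right mark U+200E that Windows inserts around the
    date parts; it is invisible in a table yet breaks strptime-style parsing."""
    return "".join(ch for ch in s if unicodedata.category(ch) != "Cf")


def parse_utc_ns(value: str) -> int:
    """Return nanoseconds since the Unix epoch; raise ValueError on bad input.
    Integer nanoseconds avoid the precision loss of a float epoch when the two
    timestamps differ by well under a millisecond."""
    m = ISO_NS.match(strip_format_chars(value))
    if not m:
        raise ValueError(f"unparseable timestamp: {value!r}")
    y, mo, d, h, mi, s, frac = m.groups()
    whole = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s),
                     tzinfo=timezone.utc)
    secs = int(whole.timestamp())
    nanos = int((frac or "0").ljust(9, "0"))  # right-pad ".152" to ".152000000"
    return secs * 1_000_000_000 + nanos


def clock_jump_seconds(previous_time: str, new_time: str) -> float:
    """Absolute difference between the two timestamps, in seconds."""
    return abs(parse_utc_ns(new_time) - parse_utc_ns(previous_time)) / 1e9


def filter_time_changes(events, threshold_s: float = 5.0):
    """Return the events whose Previous_Time/New_Time differ by more than
    threshold_s seconds, with the computed difference added as 'diff'."""
    hits = []
    for ev in events:
        delta = clock_jump_seconds(ev["Previous_Time"], ev["New_Time"])
        if delta > threshold_s:
            hits.append({**ev, "diff": delta})
    return hits


# Constructed sample events. The first reproduces the values from the thread
# (U+200E marks included); the second is a made-up 8.8 s jump.
LRM = "\u200e"
SAMPLE_EVENTS = [
    {
        "host": "hostname",
        "EventCode": 4616,
        "Name": r"C:\Program Files (x86)\TrueTime\WinSync\WinSync.exe",
        "Previous_Time": f"{LRM}2023{LRM}-{LRM}08{LRM}-{LRM}15T07:35:01.152758200Z",
        "New_Time": f"{LRM}2023{LRM}-{LRM}08{LRM}-{LRM}15T07:35:01.152000000Z",
    },
    {
        "host": "hostname",
        "EventCode": 4616,
        "Name": r"C:\Program Files (x86)\TrueTime\WinSync\WinSync.exe",
        "Previous_Time": f"{LRM}2023{LRM}-{LRM}08{LRM}-{LRM}15T07:35:01.152758200Z",
        "New_Time": f"{LRM}2023{LRM}-{LRM}08{LRM}-{LRM}15T07:35:10.000000000Z",
    },
]

if __name__ == "__main__":
    for ev in filter_time_changes(SAMPLE_EVENTS):
        print(f"{ev['host']} {ev['Name']} jumped {ev['diff']:.3f}s")
```

Filtering on the size of the jump separates the sub-millisecond corrections a time-sync client applies continuously (the 0.76 ms change in the posted event) from the large adjustments worth reviewing. The same idea in SPL is to strip the marks from the field with a replace() before the strptime() call; which escape syntax Splunk accepts for non-printing characters in that regex should be checked on your version.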

evallja
Path Finder

Still not working... As I have already spent too much time on this search, I'm going with regex as below:

| rex field=Previous_Time "T(?P<Previous_Time>.([0-9]+(:[0-9]+)+))"

| rex field=New_Time "T(?P<New_Time>.([0-9]+(:[0-9]+)+))"

and then I will use "where" for the remaining filtering on the exact difference I want (which shall also remain anonymized).

Thank you for your replies and your time!
Best regards.

0 Karma