Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to subtract windows time stamps?

splunk_operator
Engager
‎04-22-2015 05:49 AM

In order to detect time changes of more than 20 seconds, I want to look into the Windows event "system time change" EventCode=4616 by computing the delta of the time change, subtract new time from previous time. I do not get a result from converting (mktime, ctime) neither from using strftime or strptime. It simply does not compute or even convert properly. Can anybody help?

Previous Time: ‎2015‎-‎04‎-‎22T12:40:15.083296800Z
New Time: ‎2015‎-‎04‎-‎22T12:40:15.073000000Z

Reply

hnorvik
Explorer
‎11-17-2020 03:23 PM

Ended up with the same challenge as listed here and none of the suggested replies on this article helped in any way. 

Here is my solution: 

<my search> | rex field=New_Time mode=sed "s/[^ -~]//g" 
| rex field=Previous_Time mode=sed "s/[^ -~]//g"
| eval time_drift = (strptime(New_Time, "%Y-%m-%dT%H:%M:%S.%9QZ") - strptime(Previous_Time,"%Y-%m-%dT%H:%M:%S.%9QZ"))
| table _time New_Time time_drift


Problem:
The field with the Windows timestamps includes non-printable character - I thinks it's a x80, but it doesn't really matter.  I use the rex mode=sed to remove anything that is not in the printable range.

[^ -~] matches all non-printable character, and mode=sed will just remove them from the string.

After this replacement, the strptime() function works correctly. 

 

0 Karma
Reply

chiennylin
New Member
‎01-19-2020 06:59 PM

Hi,
I am trying to subtract the _time as well, but i don't know why my simple eval is not working.
here's my code:

| convert ctime(_time) AS time
| eval TID=if(Type=="Inbound",obj_type,corrID)
| eval inboundTime=if(Type=="Inbound",time,null())
| eval outboundTime=if(Type=="Outbound",time,null())
| eval ResponseTime=strptime(outboundTime,"%Y%m%d %H:%M:%S.%N")-strptime(inboundTime,"%Y%m%d %H:%M:%S.%N")
| stats values(inboundTime) AS starttime values(outboundTime) AS endtime values(ResponseTime) as ResponseTime by TID

I even tried a simpler approach:
| eval ResponseTime=outboundTime-inboundTime

But this is not working as well.
help!

0 Karma
Reply

ashajambagi
Communicator
‎01-20-2020 02:04 AM

try this
| eval TID=if(Type=="Inbound",obj_type,corrID)
| eval inboundTime=if(Type=="Inbound",time,null())
| eval outboundTime=if(Type=="Outbound",time,null())
| eval ResponseTime=outboundTime-inboundTime
| convert ctime(_time) AS time
| stats values(inboundTime) AS starttime values(outboundTime) AS endtime values(ResponseTime) as ResponseTime by TID

0 Karma
Reply

chiennylin
New Member
‎01-20-2020 04:27 PM

Thanks for the answer, but it's not working.
because the _time is used before hand.
i even tried this:
| eval TID=if(Type=="Inbound",obj_type,corrID)
| eval inboundTime=if(Type=="Inbound",_time,null())
| eval outboundTime=if(Type=="Outbound",_time,null())
| convert ctime(inboundTime) AS inboundTime
| convert ctime(outboundTime) AS outboundTime
| eval ResponseTime=outboundTime-inboundTime
| stats values(inboundTime) AS starttime values(outboundTime) AS endtime values(ResponseTime) as ResponseTime by TID

but its not working.
it looks like this:

TID starttime endtime ResponseTime
0b44ffc9-8e92-44a0-b487-da9acba0bc52 01/21/2020 00:12:45.168 01/21/2020 00:12:45.362

0d501b27-ad34-4481-bc16-7c029baa8bec 01/21/2020 00:10:56.951 01/21/2020 00:10:57.293

0 Karma
Reply

ashajambagi
Communicator
‎01-20-2020 08:55 PM

try this
| eval TID=if(Type=="Inbound",obj_type,corrID)
| eval inboundTime=if(Type=="Inbound",_time,null())
| eval outboundTime=if(Type=="Outbound",_time,null())
| eval ResponseTime=outboundTime-inboundTime
| convert ctime(inboundTime) AS inboundTime
| convert ctime(outboundTime) AS outboundTime
|convert ctime(ResponseTime) as ResponseTime
| stats values(inboundTime) AS starttime values(outboundTime) AS endtime values(ResponseTime) as ResponseTime by TID

0 Karma
Reply

Rhin0Crash
Path Finder
‎10-27-2017 08:36 AM

Stumbling across this thread nearly 2 and a half years later, not sure if you got the response you needed.

System time change, event code 4616, is a Windows event. Windows being Windows, there's always a strange set of characters in there somewhere. If you run a basic search and table _raw, you'll see part of the wineventlog entry labeled "Previous_time" or "New_Time".

To extract this field normalize it, however, you have to copy the text from the _raw log into the search bar, and it'll show Window's odd little character between the things you can see.
the # symbol in this eval statement is meant to represent the odd character in question

| eval newTimestamp=strftime(round(strptime(New_Time, "#%Y#-#%m#-#%dT%H:%M:%S.%9QZ"),0), "%F - %T)

0 Karma
Reply

the_wolverine
Champion
‎04-22-2015 09:13 AM 
| eval ptime="PREVIOUS TIME" | eval ntime="NEW TIME" | eval diff=ntime-ptime | where diff>20

Or, you could use a transaction which automatically calculates the duration:

index=win EventCode=4616 | transaction EventCode | where duration>20
0 Karma
Reply

fdi01
Motivator
‎04-22-2015 07:51 AM

try like this :

  ...|eval duree=round(New Time) - round(Previous Time)|table "New Time" " Previous Time" duree | fieldformat duree=strftime(duree, "%H:%M:%S") |...
0 Karma
Reply

splunk_operator
Engager
‎04-22-2015 08:08 AM

round is not working here in the first place, but thanks for your effort 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...