How to subtract windows time stamps?

splunk_operator
Engager

In order to detect time changes of more than 20 seconds, I want to look into the Windows event "system time change" EventCode=4616 by computing the delta of the time change, i.e. subtracting the new time from the previous time. I do not get a result from converting (mktime, ctime), nor from using strftime or strptime. It simply does not compute or even convert properly. Can anybody help?

Previous Time: ‎2015‎-‎04‎-‎22T12:40:15.083296800Z
New Time: ‎2015‎-‎04‎-‎22T12:40:15.073000000Z

hnorvik
Explorer

Ended up with the same challenge as listed here and none of the suggested replies on this article helped in any way. 

Here is my solution: 

<my search> | rex field=New_Time mode=sed "s/[^ -~]//g" 
| rex field=Previous_Time mode=sed "s/[^ -~]//g"
| eval time_drift = (strptime(New_Time, "%Y-%m-%dT%H:%M:%S.%9QZ") - strptime(Previous_Time,"%Y-%m-%dT%H:%M:%S.%9QZ"))
| table _time New_Time time_drift


Problem:
The field with the Windows timestamps includes non-printable characters - I think it's a 0x80, but it doesn't really matter. I use the rex mode=sed to remove anything that is not in the printable range.

[^ -~] matches all non-printable characters, and mode=sed will just remove them from the string.

After this replacement, the strptime() function works correctly. 

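The cleanup and subtraction hnorvik describes, worked through in Python as an added example (this is not code from any poster in this thread and not Splunk's own). The sample events are constructed to mimic the two timestamps in the question, with U+200E marks standing in for the invisible characters; the regex is the Python equivalent of the rex mode=sed "s/[^ -~]//g" step, and because datetime only carries microseconds the 9-digit fraction is truncated to 6 digits. Function names and the 20-second threshold helper are my own assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample events modelled on the Previous Time / New Time fields of a
# Windows 4616 event. The \u200e (LEFT-TO-RIGHT MARK) characters are assumed
# stand-ins for the invisible characters the thread describes; any non-printable
# byte is handled the same way.
SAMPLE_EVENTS = [
    {"Previous_Time": "\u200e2015\u200e-\u200e04\u200e-\u200e22T12:40:15.083296800Z",
     "New_Time":      "\u200e2015\u200e-\u200e04\u200e-\u200e22T12:40:15.073000000Z"},
    {"Previous_Time": "\u200e2015\u200e-\u200e04\u200e-\u200e22T12:40:15.000000000Z",
     "New_Time":      "\u200e2015\u200e-\u200e04\u200e-\u200e22T12:41:20.500000000Z"},
]

# Same idea as rex mode=sed "s/[^ -~]//g": drop everything outside printable ASCII.
NON_PRINTABLE = re.compile(r"[^ -~]")

# ISO-8601 with 1..9 fractional digits and a literal Z, as emitted by the 4616 event.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.(\d{1,9})Z$")


def clean(value: str) -> str:
    """Remove the invisible characters so strptime-style parsing can succeed."""
    return NON_PRINTABLE.sub("", value)


def parse_win_timestamp(value: str) -> datetime:
    """Parse a cleaned 4616 timestamp into an aware UTC datetime.

    datetime stores microseconds only, so the 9-digit fraction is
    zero-padded and then truncated to its first 6 digits.
    """
    m = TS_RE.match(clean(value))
    if not m:
        raise ValueError(f"unparseable timestamp: {value!r}")
    base, frac = m.groups()
    micros = int(frac.ljust(9, "0")[:6])
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micros, tzinfo=timezone.utc)


def time_drift_seconds(event: dict) -> float:
    """New_Time minus Previous_Time in seconds (negative when the clock went back)."""
    new = parse_win_timestamp(event["New_Time"])
    prev = parse_win_timestamp(event["Previous_Time"])
    return (new - prev).total_seconds()


def large_drifts(events, threshold: float = 20.0) -> list:
    """Return the drifts whose magnitude exceeds the threshold (the question's 20 s)."""
    return [d for d in (time_drift_seconds(e) for e in events) if abs(d) > threshold]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{clean(e['Previous_Time'])} -> {clean(e['New_Time'])}: {time_drift_seconds(e):+.6f}s")
    print("drifts over 20s:", large_drifts(SAMPLE_EVENTS))
```

The first constructed event is the one from the question and yields a drift of about -0.01 s, well under the threshold; the second, a 65.5 s jump, is the kind of change worth alerting on. The same clean-then-parse order matters in SPL: strptime() only succeeds once the marks are gone.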
chiennylin
New Member

Hi,
I am trying to subtract the _time as well, but I don't know why my simple eval is not working.
Here's my code:

| convert ctime(_time) AS time
| eval TID=if(Type=="Inbound",obj_type,corrID)
| eval inboundTime=if(Type=="Inbound",time,null())
| eval outboundTime=if(Type=="Outbound",time,null())
| eval ResponseTime=strptime(outboundTime,"%Y%m%d %H:%M:%S.%N")-strptime(inboundTime,"%Y%m%d %H:%M:%S.%N")
| stats values(inboundTime) AS starttime values(outboundTime) AS endtime values(ResponseTime) as ResponseTime by TID

I even tried a simpler approach:
| eval ResponseTime=outboundTime-inboundTime

But this is not working either.
Help!

ashajambagi
Communicator

try this
| eval TID=if(Type=="Inbound",obj_type,corrID)
| eval inboundTime=if(Type=="Inbound",time,null())
| eval outboundTime=if(Type=="Outbound",time,null())
| eval ResponseTime=outboundTime-inboundTime
| convert ctime(_time) AS time
| stats values(inboundTime) AS starttime values(outboundTime) AS endtime values(ResponseTime) as ResponseTime by TID

chiennylin
New Member

Thanks for the answer, but it's not working,
because the _time is used beforehand.
I even tried this:
| eval TID=if(Type=="Inbound",obj_type,corrID)
| eval inboundTime=if(Type=="Inbound",_time,null())
| eval outboundTime=if(Type=="Outbound",_time,null())
| convert ctime(inboundTime) AS inboundTime
| convert ctime(outboundTime) AS outboundTime
| eval ResponseTime=outboundTime-inboundTime
| stats values(inboundTime) AS starttime values(outboundTime) AS endtime values(ResponseTime) as ResponseTime by TID

But it's not working.
It looks like this:

TID starttime endtime ResponseTime
0b44ffc9-8e92-44a0-b487-da9acba0bc52 01/21/2020 00:12:45.168 01/21/2020 00:12:45.362

0d501b27-ad34-4481-bc16-7c029baa8bec 01/21/2020 00:10:56.951 01/21/2020 00:10:57.293

ashajambagi
Communicator

try this
| eval TID=if(Type=="Inbound",obj_type,corrID)
| eval inboundTime=if(Type=="Inbound",_time,null())
| eval outboundTime=if(Type=="Outbound",_time,null())
| eval ResponseTime=outboundTime-inboundTime
| convert ctime(inboundTime) AS inboundTime
| convert ctime(outboundTime) AS outboundTime
| convert ctime(ResponseTime) AS ResponseTime
| stats values(inboundTime) AS starttime values(outboundTime) AS endtime values(ResponseTime) as ResponseTime by TID

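The Inbound/Outbound pairing from chiennylin's and ashajambagi's exchange, worked through in Python as an added example (not code from either poster and not Splunk's). The events are constructed to reproduce the two TIDs and timestamps shown above with _time as epoch seconds; the pairing key (obj_type for Inbound, corrID for Outbound) follows the posted eval. It subtracts the epoch values before any string formatting, which is the fix the thread converges on, and keeps the result as a duration in seconds. Function names and the slow-request threshold are my own assumptions.

```python
from datetime import datetime, timezone

# Constructed events modelled on the thread's output table. _time is epoch
# seconds (UTC); the inbound/outbound pairing key mirrors
# eval TID=if(Type=="Inbound",obj_type,corrID). The last event is an
# inbound request with no matching outbound, to show the unmatched case.
SAMPLE_EVENTS = [
    {"_time": 1579565565.168, "Type": "Inbound",  "obj_type": "0b44ffc9-8e92-44a0-b487-da9acba0bc52"},
    {"_time": 1579565565.362, "Type": "Outbound", "corrID":   "0b44ffc9-8e92-44a0-b487-da9acba0bc52"},
    {"_time": 1579565456.951, "Type": "Inbound",  "obj_type": "0d501b27-ad34-4481-bc16-7c029baa8bec"},
    {"_time": 1579565457.293, "Type": "Outbound", "corrID":   "0d501b27-ad34-4481-bc16-7c029baa8bec"},
    {"_time": 1579565460.000, "Type": "Inbound",  "obj_type": "orphan-no-response"},
]


def as_ctime(epoch: float) -> str:
    """Render epoch seconds like the thread's convert ctime output (m/d/Y H:M:S.ms, UTC)."""
    dt = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return dt.strftime("%m/%d/%Y %H:%M:%S.") + f"{dt.microsecond // 1000:03d}"


def pair_key(event: dict) -> str:
    """TID: obj_type for inbound events, corrID for outbound events."""
    return event["obj_type"] if event["Type"] == "Inbound" else event["corrID"]


def response_times(events) -> dict:
    """Group by TID and subtract epoch values *before* formatting them as strings.

    Subtracting two already-formatted strings (the thread's second attempt)
    yields nothing; subtracting the numeric _time values gives seconds.
    """
    inbound, outbound = {}, {}
    for e in events:
        (inbound if e["Type"] == "Inbound" else outbound)[pair_key(e)] = e["_time"]
    rows = {}
    for tid, start in inbound.items():
        end = outbound.get(tid)
        rows[tid] = {
            "starttime": as_ctime(start),
            "endtime": as_ctime(end) if end is not None else None,
            # Rounded to milliseconds, the precision of the source timestamps.
            "ResponseTime": round(end - start, 3) if end is not None else None,
        }
    return rows


def slow_requests(rows: dict, threshold: float = 0.3) -> list:
    """TIDs whose response time exceeds the threshold (in seconds); unmatched ones are skipped."""
    return sorted(tid for tid, r in rows.items()
                  if r["ResponseTime"] is not None and r["ResponseTime"] > threshold)


if __name__ == "__main__":
    table = response_times(SAMPLE_EVENTS)
    for tid, r in table.items():
        print(tid, r["starttime"], r["endtime"], r["ResponseTime"])
    print("slow:", slow_requests(table))
    # Feeding a duration to a date formatter silently yields 01/01/1970.
    print("duration rendered as ctime:", as_ctime(0.194))
```

ResponseTime is left as a number of seconds rather than run through a date formatter: as_ctime(0.194) renders as 01/01/1970 00:00:00.194, because ctime treats its input as an epoch timestamp, not a duration. If a human-readable duration is wanted in SPL, fieldformat or tostring(x, "duration") is the tool for that, applied after the subtraction.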
Rhin0Crash
Path Finder

Stumbling across this thread nearly 2 and a half years later, not sure if you got the response you needed.

System time change, event code 4616, is a Windows event. Windows being Windows, there's always a strange set of characters in there somewhere. If you run a basic search and table _raw, you'll see part of the wineventlog entry labeled "Previous_time" or "New_Time".

To extract this field and normalize it, however, you have to copy the text from the _raw log into the search bar, and it'll show Windows' odd little character between the things you can see.
The # symbol in this eval statement is meant to represent the odd character in question:

| eval newTimestamp=strftime(round(strptime(New_Time, "#%Y#-#%m#-#%dT%H:%M:%S.%9QZ"),0), "%F - %T")

the_wolverine
Champion

| eval ptime="PREVIOUS TIME" | eval ntime="NEW TIME" | eval diff=ntime-ptime | where diff>20

Or, you could use a transaction which automatically calculates the duration:

index=win EventCode=4616 | transaction EventCode | where duration>20
fdi01
Motivator

Try like this:

...| eval duree=round('New Time') - round('Previous Time') | table "New Time" "Previous Time" duree | fieldformat duree=strftime(duree, "%H:%M:%S") |...
splunk_operator
Engager

round is not working here in the first place, but thanks for your effort 😉
