
How to subtract Windows timestamps?

In order to detect time changes of more than 20 seconds, I want to look into the Windows event "system time change" (EventCode=4616) by computing the delta of the time change, subtracting the new time from the previous time. I do not get a result from converting (mktime, ctime), nor from using strftime or strptime. It simply does not compute or even convert properly. Can anybody help?

Previous Time: ‎2015‎-‎04‎-‎22T12:40:15.083296800Z
New Time: ‎2015‎-‎04‎-‎22T12:40:15.073000000Z

Explorer

Ended up with the same challenge as listed here, and none of the suggested replies in this thread helped in any way.

Here is my solution: 

<my search> | rex field=New_Time mode=sed "s/[^ -~]//g" 
| rex field=Previous_Time mode=sed "s/[^ -~]//g"
| eval time_drift = (strptime(New_Time, "%Y-%m-%dT%H:%M:%S.%9QZ") - strptime(Previous_Time,"%Y-%m-%dT%H:%M:%S.%9QZ"))
| table _time New_Time time_drift


Problem:
The field with the Windows timestamps includes non-printable characters - I think it's an x80, but it doesn't really matter. I use rex mode=sed to remove anything that is not in the printable range.

[^ -~] matches all non-printable characters, and mode=sed will just remove them from the string.

After this replacement, the strptime() function works correctly.

 

0 Karma
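The same normalize-then-subtract logic as an offline Python example, added here and not part of the thread or of Splunk: it strips everything outside the printable ASCII range exactly as the `rex mode=sed "s/[^ -~]//g"` step does, parses the nine-digit fractional seconds that Python's datetime would otherwise truncate, and flags events whose clock change exceeds the 20-second threshold from the question in either direction. The two sample 4616 events are constructed (the first reuses the values pasted in the question, the second assumes a clock set back by about 25 minutes); the U+200E left-to-right marks embedded in them stand in for the "odd little character" Windows writes into the event text.

```python
import re
from datetime import datetime, timezone

# Constructed sample events (not real captures). Each embeds U+200E
# LEFT-TO-RIGHT MARK characters inside the date, the way the values in
# the question do. Event 1 mirrors the question (~10 ms of drift);
# event 2 is an assumed change where the clock was set back ~25 minutes.
SAMPLE_EVENTS = [
    ("EventCode=4616 Previous Time: \u200e2015\u200e-\u200e04\u200e-\u200e22T12:40:15.083296800Z "
     "New Time: \u200e2015\u200e-\u200e04\u200e-\u200e22T12:40:15.073000000Z"),
    ("EventCode=4616 Previous Time: \u200e2015\u200e-\u200e04\u200e-\u200e22T12:40:15.083296800Z "
     "New Time: \u200e2015\u200e-\u200e04\u200e-\u200e22T12:15:00.000000000Z"),
]

NON_PRINTABLE = re.compile(r"[^ -~]")  # same class as the rex mode=sed above
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?Z$")
FIELD_RE = re.compile(r"(Previous Time|New Time):\s*(\S+)")


def strip_nonprintable(s: str) -> str:
    """Equivalent of rex mode=sed "s/[^ -~]//g": drop every character outside
    printable ASCII, which removes the U+200E marks (and any other formatting
    character) that break strptime."""
    return NON_PRINTABLE.sub("", s)


def parse_win_timestamp_ns(raw: str) -> int:
    """Parse an ISO-8601 UTC timestamp with up to nine fractional digits into
    integer nanoseconds since the epoch. datetime keeps only microseconds, so
    the fraction is handled separately instead of being truncated."""
    cleaned = strip_nonprintable(raw)
    m = TS_RE.match(cleaned)
    if not m:
        raise ValueError(f"unparseable timestamp: {raw!r} -> {cleaned!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    frac_ns = int((m.group(2) or "").ljust(9, "0"))
    return int(base.timestamp()) * 10**9 + frac_ns


def extract_times(event: str) -> dict:
    """Pull the raw Previous Time / New Time strings out of one 4616 event line.
    U+200E is not whitespace, so \\S+ keeps it and the stripping happens later."""
    found = dict(FIELD_RE.findall(event))
    missing = {"Previous Time", "New Time"} - found.keys()
    if missing:
        raise ValueError(f"event lacks fields: {sorted(missing)}")
    return found


def time_drift_seconds(event: str) -> float:
    """New Time minus Previous Time in seconds; negative when the clock went back."""
    t = extract_times(event)
    delta_ns = parse_win_timestamp_ns(t["New Time"]) - parse_win_timestamp_ns(t["Previous Time"])
    return delta_ns / 1e9


def flag_clock_changes(events, threshold_seconds: float = 20.0):
    """Return (drift, flagged) per event. The absolute value is compared: a clock
    set backwards is the case most worth catching for log tampering, and a plain
    new-minus-previous > threshold check would never fire on it."""
    return [(d, abs(d) > threshold_seconds) for d in map(time_drift_seconds, events)]


if __name__ == "__main__":
    for drift, flagged in flag_clock_changes(SAMPLE_EVENTS):
        print(f"drift={drift:+.7f}s flagged={flagged}")
```

The drift is computed on integer nanoseconds and only divided at the end, so the 10.2968 ms difference in the question survives intact; if you only need second-level precision the SPL `strptime` with `%9Q` is enough, but the same stripping step is required either way.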

New Member

Hi,
I am trying to subtract _time as well, but I don't know why my simple eval is not working.
Here's my code:

| convert ctime(_time) AS time
| eval TID=if(Type=="Inbound",obj_type,corrID)
| eval inboundTime=if(Type=="Inbound",time,null())
| eval outboundTime=if(Type=="Outbound",time,null())
| eval ResponseTime=strptime(outboundTime,"%Y%m%d %H:%M:%S.%N")-strptime(inboundTime,"%Y%m%d %H:%M:%S.%N")
| stats values(inboundTime) AS starttime values(outboundTime) AS endtime values(ResponseTime) as ResponseTime by TID

I even tried a simpler approach:
| eval ResponseTime=outboundTime-inboundTime

But this is not working either.
Help!

0 Karma

Communicator

Try this:
| eval TID=if(Type=="Inbound",obj_type,corrID)
| eval inboundTime=if(Type=="Inbound",time,null())
| eval outboundTime=if(Type=="Outbound",time,null())
| eval ResponseTime=outboundTime-inboundTime
| convert ctime(_time) AS time
| stats values(inboundTime) AS starttime values(outboundTime) AS endtime values(ResponseTime) as ResponseTime by TID

0 Karma

New Member

Thanks for the answer, but it's not working, because the time field is used beforehand.
I even tried this:
| eval TID=if(Type=="Inbound",obj_type,corrID)
| eval inboundTime=if(Type=="Inbound",_time,null())
| eval outboundTime=if(Type=="Outbound",_time,null())
| convert ctime(inboundTime) AS inboundTime
| convert ctime(outboundTime) AS outboundTime
| eval ResponseTime=outboundTime-inboundTime
| stats values(inboundTime) AS starttime values(outboundTime) AS endtime values(ResponseTime) as ResponseTime by TID

But it's not working.
It looks like this:

TID                                   starttime                endtime                  ResponseTime
0b44ffc9-8e92-44a0-b487-da9acba0bc52  01/21/2020 00:12:45.168  01/21/2020 00:12:45.362
0d501b27-ad34-4481-bc16-7c029baa8bec  01/21/2020 00:10:56.951  01/21/2020 00:10:57.293

0 Karma

Communicator

Try this:
| eval TID=if(Type=="Inbound",obj_type,corrID)
| eval inboundTime=if(Type=="Inbound",_time,null())
| eval outboundTime=if(Type=="Outbound",_time,null())
| eval ResponseTime=outboundTime-inboundTime
| convert ctime(inboundTime) AS inboundTime
| convert ctime(outboundTime) AS outboundTime
| eval ResponseTime=round(ResponseTime,3)
| stats values(inboundTime) AS starttime values(outboundTime) AS endtime values(ResponseTime) as ResponseTime by TID

0 Karma
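The pairing the two replies above converge on, written out as an added Python example (not the thread's own code and not Splunk): keep `_time` numeric, pick the earliest Inbound and latest Outbound per TID, subtract while both sides are still epoch seconds, and only then format for display. The sample rows are constructed; the field layout (`Type`, `obj_type`, `corrID`, `_time`) is assumed from the SPL in the thread, and the TIDs and clock values are the ones shown in the stats output above.

```python
from datetime import datetime, timezone

CTIME_FMT = "%m/%d/%Y %H:%M:%S.%f"  # layout convert ctime() produced in the thread's output


def to_epoch(display: str) -> float:
    """Turn a ctime-style display string back into epoch seconds (what _time
    holds before any convert ctime runs). Used only to build the sample rows."""
    return datetime.strptime(display, CTIME_FMT).replace(tzinfo=timezone.utc).timestamp()


# Constructed rows: field layout is an assumption; TIDs and clock values come
# from the stats output shown in the thread.
SAMPLE_ROWS = [
    {"Type": "Inbound", "obj_type": "0b44ffc9-8e92-44a0-b487-da9acba0bc52", "corrID": None,
     "_time": to_epoch("01/21/2020 00:12:45.168")},
    {"Type": "Outbound", "obj_type": None, "corrID": "0b44ffc9-8e92-44a0-b487-da9acba0bc52",
     "_time": to_epoch("01/21/2020 00:12:45.362")},
    {"Type": "Inbound", "obj_type": "0d501b27-ad34-4481-bc16-7c029baa8bec", "corrID": None,
     "_time": to_epoch("01/21/2020 00:10:56.951")},
    {"Type": "Outbound", "obj_type": None, "corrID": "0d501b27-ad34-4481-bc16-7c029baa8bec",
     "_time": to_epoch("01/21/2020 00:10:57.293")},
]


def tid(row: dict) -> str:
    """Same rule as `eval TID=if(Type=="Inbound",obj_type,corrID)`."""
    return row["obj_type"] if row["Type"] == "Inbound" else row["corrID"]


def response_times(rows) -> dict:
    """Pair the earliest Inbound with the latest Outbound per TID and subtract
    while both values are still numbers. Returns {TID: seconds}; a TID that is
    missing either side is left out instead of yielding a bogus value, which is
    what subtracting a formatted string (the ctime-first ordering) produces."""
    first_in, last_out = {}, {}
    for r in rows:
        key, t = tid(r), r["_time"]
        if r["Type"] == "Inbound":
            first_in[key] = min(t, first_in.get(key, t))
        elif r["Type"] == "Outbound":
            last_out[key] = max(t, last_out.get(key, t))
    return {k: round(last_out[k] - first_in[k], 3) for k in first_in.keys() & last_out.keys()}


def as_duration(seconds: float) -> str:
    """Format only at the end, as fieldformat or tostring(x,"duration") would:
    HH:MM:SS.mmm."""
    whole = int(seconds)
    h, rem = divmod(whole, 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}.{int(round((seconds - whole) * 1000)):03d}"


if __name__ == "__main__":
    for key, secs in response_times(SAMPLE_ROWS).items():
        print(key, secs, as_duration(secs))
```

The order mirrors the corrected SPL: arithmetic first on epoch values, display conversion last. Putting `convert ctime` before the subtraction turns both operands into strings, and string minus string is null in SPL (and a TypeError here), which is exactly the empty ResponseTime column in the output above.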

Path Finder

Stumbling across this thread nearly two and a half years later, not sure if you got the response you needed.

System time change, event code 4616, is a Windows event. Windows being Windows, there's always a strange set of characters in there somewhere. If you run a basic search and table _raw, you'll see part of the wineventlog entry labeled "Previous_Time" or "New_Time".

To extract this field and normalize it, however, you have to copy the text from the _raw log into the search bar, and it'll show Windows' odd little character between the things you can see.
The # symbol in this eval statement is meant to represent the odd character in question:

| eval newTimestamp=strftime(round(strptime(New_Time, "#%Y#-#%m#-#%dT%H:%M:%S.%9QZ"),0), "%F - %T")

0 Karma

Champion

| eval ptime="PREVIOUS TIME" | eval ntime="NEW TIME" | eval diff=ntime-ptime | where diff>20

Or, you could use a transaction which automatically calculates the duration:

index=win EventCode=4616 | transaction EventCode | where duration>20
0 Karma

Motivator

Try like this:

...| eval duree=round('New Time') - round('Previous Time') | table "New Time" "Previous Time" duree | fieldformat duree=strftime(duree, "%H:%M:%S") |...
0 Karma

Round is not working here in the first place, but thanks for your effort 😉

0 Karma