Splunk Enterprise Security

Windows Events to Epoch

dakkmaddy
New Member

My goal was to filter out Windows Security Events Event Code 4616 for entries that were less than a second. I thought it would be a simple eval, however, the Splunk needed the time in epoch.

I struggled greatly to convert the time with strptime because the fields Previous_Time and New_Time had an unusual special character, see picture.

I ended up finding a thread on rex & sed, which allowed me to keep the normal time characters (numbers, columns and periods) and remove the result. After that, strptime worked great.

My working query is this :

sourcetype="WMI:WinEventLog:Security" EventCode=4616 | rex field=New_Time mode=sed "s/[^0-9_.:]+/ /g" | eval newer = strptime(New_Time, "%Y %m %d %H:%M:%S.%9N") | rex field=Previous_Time mode=sed "s/[^0-9_.:]+/ /g" | eval older = strptime(Previous_Time, "%Y %m %d %H:%M:%S.%9N") | eval diff=older-newer | WHERE diff > 1 OR diff < -1 | table host newer older diff

I think it is overly complicated. If you have a better way, I would love to read it.

alt text

0 Karma