Splunk Enterprise Security

Windows Events to Epoch

dakkmaddy
Engager

My goal was to filter out Windows Security Event Code 4616 entries that were less than a second. I thought it would be a simple eval; however, Splunk needed the time in epoch.

I struggled greatly to convert the time with strptime because the fields Previous_Time and New_Time contained an unusual special character (see picture).

I ended up finding a thread on rex & sed, which allowed me to keep the normal time characters (numbers, colons and periods) and remove the rest. After that, strptime worked great.

My working query is this:

sourcetype="WMI:WinEventLog:Security" EventCode=4616
| rex field=New_Time mode=sed "s/[^0-9_.:]+/ /g"
| eval newer = strptime(New_Time, "%Y %m %d %H:%M:%S.%9N")
| rex field=Previous_Time mode=sed "s/[^0-9_.:]+/ /g"
| eval older = strptime(Previous_Time, "%Y %m %d %H:%M:%S.%9N")
| eval diff=older-newer
| where diff > 1 OR diff < -1
| table host newer older diff

I think it is overly complicated. If you have a better way, I would love to read it.

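The cleaning-and-diff logic of the query above, reproduced outside Splunk so the sed substitution and the one-second threshold can be checked against known inputs. This is an added example, not code from the original post or from Splunk. It assumes the "unusual special character" in the rendered 4616 fields is U+200E LEFT-TO-RIGHT MARK (the mark Windows places around date parts when it renders a timestamp in a message); the sample events, the `windows_rendered()` helper that fabricates them, and all function names are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Assumption: the special character in the rendered Previous_Time/New_Time
# fields is U+200E LEFT-TO-RIGHT MARK. The sample values below are constructed
# and reproduce those marks so the cleaning step has something to remove.
LRM = "\u200e"


def windows_rendered(iso_utc: str) -> str:
    """Constructed helper: turn an ISO 8601 UTC string into a Windows-style
    rendered timestamp with LRM marks around the year/month/day parts."""
    date, rest = iso_utc.split("T", 1)
    y, m, d = date.split("-")
    return f"{LRM}{y}{LRM}-{LRM}{m}{LRM}-{LRM}{d}T{rest}"


# Constructed 4616 events (host, Previous_Time, New_Time).
SAMPLE_EVENTS = [
    # NTP-style nudge of half a second: should be filtered out.
    {"host": "dc01",
     "Previous_Time": windows_rendered("2024-05-20T10:20:30.1234567Z"),
     "New_Time":      windows_rendered("2024-05-20T10:20:30.6234567Z")},
    # Clock set back by 1h05m30s: should be kept (+3930 s).
    {"host": "ws02",
     "Previous_Time": windows_rendered("2024-05-20T10:20:30.0000000Z"),
     "New_Time":      windows_rendered("2024-05-20T09:15:00.0000000Z")},
    # Clock moved forward by exactly 2 s across a year boundary: kept (-2 s).
    {"host": "srv03",
     "Previous_Time": windows_rendered("2023-12-31T23:59:59.5000000Z"),
     "New_Time":      windows_rendered("2024-01-01T00:00:01.5000000Z")},
]


def clean_time_field(value: str) -> str:
    """Same substitution as the post's rex mode=sed "s/[^0-9_.:]+/ /g":
    every run of characters that is not a digit, underscore, period or colon
    becomes one space. That removes the invisible marks, the '-' date
    separators, the 'T' and the trailing 'Z' in a single pass."""
    return re.sub(r"[^0-9_.:]+", " ", value).strip()


_CLEANED = re.compile(
    r"(\d{4}) (\d{2}) (\d{2}) (\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?")


def to_epoch(value: str) -> float:
    """Convert a rendered Previous_Time/New_Time value to Unix epoch seconds,
    matching strptime(..., "%Y %m %d %H:%M:%S.%9N") after the cleanup.
    Python's strptime %f accepts at most 6 fractional digits while Windows
    writes 7 (100 ns units), so the fraction is added by hand."""
    m = _CLEANED.fullmatch(clean_time_field(value))
    if m is None:
        raise ValueError(f"unparseable time field: {value!r}")
    y, mo, d, h, mi, s, frac = m.groups()
    whole = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s),
                     tzinfo=timezone.utc).timestamp()
    return whole + (int(frac) / 10 ** len(frac) if frac else 0.0)


def time_change_seconds(event: dict) -> float:
    """older - newer, as in the post's eval diff=older-newer: positive when
    the clock was set backwards, negative when it was moved forward."""
    return to_epoch(event["Previous_Time"]) - to_epoch(event["New_Time"])


def significant_changes(events, threshold: float = 1.0):
    """Mirror of `where diff > 1 OR diff < -1`: drop sub-threshold nudges
    and return (host, diff) for the changes worth looking at."""
    rows = []
    for e in events:
        diff = time_change_seconds(e)
        if diff > threshold or diff < -threshold:
            rows.append((e["host"], diff))
    return rows


if __name__ == "__main__":
    raw = SAMPLE_EVENTS[0]["New_Time"]
    print("raw field repr :", repr(raw))       # the \u200e marks become visible
    print("cleaned        :", clean_time_field(raw))
    for host, diff in significant_changes(SAMPLE_EVENTS):
        print(f"{host}: clock changed by {diff:+.3f} s")
```

Running it prints the raw field with `repr()` so the invisible marks show up as `\u200e`, which is the quickest way to confirm what strptime was choking on. The fraction is carried at full 100 ns precision, so the half-second NTP nudge on dc01 is dropped while the 3930 s rollback on ws02 and the 2 s jump on srv03 survive the threshold.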
