Solved: Eval Diff in Time Format issues

hartfoml · ‎12-05-2013

I have firewall logs like this:

Dec 5 14:43:14 SF3D-DC SF: [1:12345:1] "Event Name" [Impact: Currently Not Vulnerable] From "My.Server.local" at Thu Dec 5 14:43:08 2013 UTC

the first time 14:43:14 in the string is the writeTime that the event was put in the IDS database.

The second time 14:43:08 is the eventTime that is the time that the IDS sensor detected the event.

I woulds like to do this:

sourcetype=IDS | eval timeDiff=writeTime - eventTime | stats avg(timeDiff)

This looks like ti should work but I think I am hanging on the strptime. since the time is already formated in the extraction should I still need to convert it to time?

kristian_kolb · ‎03-24-2014

To expand on the explanation given by somesoni2 (assuming that the first timestamp (writeTime) is extracted into the _time field, i.e. the splunk timestamp for the event);

sourcetype=IDS | rex "at\s(?<eventTime>(\S+\s){5}\S+)$" | eval eventTime = strptime(eventTime, "%a %b %e %H:%M:%S %Y %Z") | eval timeDiff = _time - eventTime | stats avg(timeDiff) as avg_diff

This will give you the average timeDiff in seconds (avg_diff = 6). If you want to you make avg_diff "look nicer", you add this to the end;

| eval avg_diff = tostring(avg_diff, "duration")

Now, avg_diff = 00:00:06

Hope this helps,

K

View solution in original post

kristian_kolb · ‎03-24-2014

To expand on the explanation given by somesoni2 (assuming that the first timestamp (writeTime) is extracted into the _time field, i.e. the splunk timestamp for the event);

sourcetype=IDS | rex "at\s(?<eventTime>(\S+\s){5}\S+)$" | eval eventTime = strptime(eventTime, "%a %b %e %H:%M:%S %Y %Z") | eval timeDiff = _time - eventTime | stats avg(timeDiff) as avg_diff

This will give you the average timeDiff in seconds (avg_diff = 6). If you want to you make avg_diff "look nicer", you add this to the end;

| eval avg_diff = tostring(avg_diff, "duration")

Now, avg_diff = 00:00:06

Hope this helps,

K

hartfoml · ‎03-25-2014

Thanks this will work.

I ended up using the numerical value to get the chart like this

sourcetype=IDS | eval eventTime = strptime(eventTime, "%H:%M:%S") | eval writeTime = strptime(writeTime, "%H:%M:%S") | eval timeDiff = writeTime - eventTime | timechart span=15m avg(timeDiff) as avg_diff

I can use this to see trends and set alert values

Thanks again for your help

somesoni2 · ‎03-25-2014

Timechart converts values into columns hence the eval avg_diff will not work (not column name present with that name). Your can try this workaround for it.

Since the value of avg_diff will be string, you won't be able to see any chart visualization but will work for table.

hartfoml · ‎03-25-2014

Kristian, thanks so much this was the answer but if I could ask you one thing. I have extracts for the time's in the data so this is my search.
sourcetype=IDS | eval eventTime = strptime(eventTime, "%H:%M:%S") | eval writeTime = strptime(writeTime, "%H:%M:%S") | eval timeDiff = writeTime - eventTime | stats avg(timeDiff) as avg_diff | eval avg_diff = tostring(avg_diff, "duration")
My question is [I can't seem to use (timechart span=15m) in place of stats?

kristian_kolb · ‎03-24-2014

oops... just realized that this question was rather old. Well, hope that you solved your problem already, or if you didn't - that this helped a bit... 🙂

/K

somesoni2 · ‎12-05-2013

The field extraction is making writeTime and eventTime as string, so a "-" operation will not work directly. You need to convert it to epoch time for such calculations.

Eval Diff in Time Format issues

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!