Splunk Search

How to modify this query so that if the time change is more than 5 minutes it triggers an alert.

vkumar69
New Member

Below is the query which gives output if there is any time change on a Windows system. The query below is giving output for the 1-minute time change. I need an alert when there is a time change of more than 5 mins or less than 5 mins.

index=* EventCode=4616 sourcetype="WinEventLog:Security" Account_Name!="LOCAL SERVICE" 
     host!="IN-L0*"  
| eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S") 
| eval m = strftime(_time, "%M") 
| eval Time_change = if (m > "5","greater than 5 mins","lesser than 5 mins") 
| eval oldtime = strptime(replace(Previous_Time, "\D", ""), "%Y%m%d%H%M%S%9N")
| eval t=_time 
| rename t as "eventtime" 
| eval diff=round(((eventtime-oldtime)/60)/60,2) 
| eval Real_Time=New_Time 
| eval Changed_Time=Previous_Time 
| table host, Real_Time, Changed_Time

HostName    Real_Time                         Changed_Time
xxxx        2016-12-15T18:48:00.964000000Z    2016-12-15T18:47:59.864425500Z
1 Solution

lguinn2
Legend

It seems like you are doing a lot of work here. First, note that _time is stored in Linux epoch time, where 300 = 5 minutes. Next, in the third line of your search, you are extracting the minutes from the time. So if the time is 9:07, m will be 7. I don't think that is what you want.

If you want the difference between the Previous Time and the event time, do this:

yoursearchhere
| eval pTime = strptime(replace(Previous_Time, "\D", ""), "%Y%m%d%H%M%S%9N")
| eval diff_in_minutes = (_time - pTime)/60
| where diff_in_minutes > 5
| eval Event_Time = strftime(_time,"%x %X")
| eval Previous_Time = strftime(pTime,"%x %X")
| table host Previous_Time Event_Time

Then set the alert condition for "number of events > 0".
If you have a field called New_Time that you want to compare to the Previous_Time, you should be able to do this (assuming that New_Time and Previous_Time are in the same format):

yoursearchhere
| eval pTime = strptime(replace(Previous_Time, "\D", ""), "%Y%m%d%H%M%S%9N")
| eval nTime = strptime(replace(New_Time, "\D", ""), "%Y%m%d%H%M%S%9N")
| eval diff_in_minutes = abs((nTime - pTime)/60)
| where diff_in_minutes > 5
| eval New_Time = strftime(nTime,"%x %X")
| eval Previous_Time = strftime(pTime,"%x %X")
| table host Previous_Time New_Time

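Added worked example (not part of the original thread, and in Python rather than SPL so it can be run offline): it mirrors the answer's parsing of the 4616 Previous_Time/New_Time strings over three constructed events, flags the ones whose difference exceeds 5 minutes, and shows why the original query's minute-of-hour field m cannot express that difference. The event values and host names are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample 4616 events, with the timestamps in the layout Windows emits
# (ISO 8601, nine sub-second digits, trailing Z). Not real log data.
SAMPLE_EVENTS = [
    {"host": "ws01", "Previous_Time": "2016-12-15T18:47:59.864425500Z",
     "New_Time": "2016-12-15T18:48:00.964000000Z"},   # ~1 s adjustment: ignore
    {"host": "ws02", "Previous_Time": "2016-12-15T09:07:10.000000000Z",
     "New_Time": "2016-12-15T09:19:30.000000000Z"},   # +12 min 20 s: alert
    {"host": "ws03", "Previous_Time": "2016-12-15T23:59:00.000000000Z",
     "New_Time": "2016-12-15T23:52:00.000000000Z"},   # clock set back 7 min: alert
]


def to_epoch(ts: str) -> float:
    """Mirror the SPL: strip every non-digit, then read %Y%m%d%H%M%S followed by %9N."""
    digits = re.sub(r"\D", "", ts)
    if len(digits) != 23:  # 14 date/time digits + 9 sub-second digits
        raise ValueError(f"unexpected timestamp layout: {ts!r}")
    base = datetime.strptime(digits[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    nanos = int(digits[14:])  # Python datetime stops at microseconds, so add these by hand
    return base.timestamp() + nanos / 1e9


def diff_in_minutes(event: dict) -> float:
    """abs((nTime - pTime)/60) from the second query: direction of the change does not matter."""
    return abs(to_epoch(event["New_Time"]) - to_epoch(event["Previous_Time"])) / 60


def clock_change_alerts(events, threshold_minutes: float = 5.0):
    """Equivalent of '| where diff_in_minutes > 5': (host, rounded minutes) for each alerting event."""
    return [(e["host"], round(diff_in_minutes(e), 2))
            for e in events if diff_in_minutes(e) > threshold_minutes]


def minute_of_hour(ts: str) -> int:
    """What the original query's m = strftime(_time, "%M") actually yields: the minute digits."""
    return int(re.sub(r"\D", "", ts)[10:12])


if __name__ == "__main__":
    print(clock_change_alerts(SAMPLE_EVENTS))
    # ws01 changed by about one second, yet its minute-of-hour is 48, so m > "5" labels it
    # "greater than 5 mins" in the original query.
    print(minute_of_hour(SAMPLE_EVENTS[0]["New_Time"]))
```

The sample strings end in Z, so the example parses them as UTC; Splunk's strptime with no timezone directive interprets the string in the search's timezone, which is one more reason to prefer comparing nTime with pTime (as in the second query) over comparing pTime with _time.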

vkumar69
New Member

Thank you lguinn for your help.

