Below is the query which reports whether there is any time change on a Windows system. The query below is giving output for a 1-minute time change. I need an alert when there is a time change of more than 5 minutes or less than 5 minutes.
index=* EventCode=4616 sourcetype="WinEventLog:Security" Account_Name!="LOCAL SERVICE"
host!="IN-L0*"
| eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S")
| eval m = strftime(_time, "%M")
| eval Time_change = if (m > "5","greater than 5 mins","lesser than 5 mins")
| eval oldtime = strptime(replace(Previous_Time, "\D", ""), "%Y%m%d%H%M%S%9N")
| eval t=_time
| rename t as "eventtime"
| eval diff=round(((eventtime-oldtime)/60)/60,2)
| eval Real_Time=New_Time
| eval Changed_Time=Previous_Time
| table host, Real_Time, Changed_Time
HostName Real_Time Changed_Time
xxxx 2016-12-15T18:48:00.964000000Z 2016-12-15T18:47:59.864425500Z
It seems like you are doing a lot of work here. First, note that _time is stored in Linux epoch time, where 300 = 5 minutes. Next, in the third line of your search, you are extracting the minutes from the time. So if the time is 9:07, m will be 7. I don't think that is what you want.
If you want the difference between the Previous_Time and the event time, do this:
yoursearchhere
| eval pTime = strptime(replace(Previous_Time, "\D", ""), "%Y%m%d%H%M%S%9N")
| eval diff_in_minutes = (_time - pTime)/60
| where diff_in_minutes > 5
| eval Event_Time = strftime(_time,"%x %X")
| eval Previous_Time = strftime(pTime,"%x %X")
| table host Previous_Time Event_Time
Then set the alert condition for "number of events > 0".
If you have a field called New_Time that you want to compare to the Previous_Time, you should be able to do this (assuming that New_Time and Previous_Time are in the same format):
yoursearchhere
| eval pTime = strptime(replace(Previous_Time, "\D", ""), "%Y%m%d%H%M%S%9N")
| eval nTime = strptime(replace(New_Time, "\D", ""), "%Y%m%d%H%M%S%9N")
| eval diff_in_minutes = abs((nTime - pTime)/60)
| where diff_in_minutes > 5
| eval New_Time = strftime(nTime,"%x %X")
| eval Previous_Time = strftime(pTime,"%x %X")
| table host Previous_Time New_Time
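As an added illustration (not part of the original question or answer), the same arithmetic the second search performs in SPL, written in Python over constructed 4616 events: strip non-digits from Previous_Time and New_Time, parse the 14-digit stamp plus the nanosecond fraction (the Python equivalent of the "%Y%m%d%H%M%S%9N" strptime), and report hosts where the absolute change exceeds 5 minutes, skipping LOCAL SERVICE as the question's search does. Host names, accounts and timestamps are constructed sample values, not real data.

```python
import re
from datetime import datetime, timezone

# Constructed sample events in the shape of Windows Security event 4616
# ("The system time was changed"). The first row reuses the sub-second
# adjustment shown in the question; the others are hypothetical jumps.
SAMPLE_EVENTS = [
    {"host": "ws01", "Account_Name": "SYSTEM",
     "Previous_Time": "2016-12-15T18:47:59.864425500Z",
     "New_Time": "2016-12-15T18:48:00.964000000Z"},          # ~1.1 s: clock drift
    {"host": "ws02", "Account_Name": "admin",
     "Previous_Time": "2016-12-15T10:00:00.000000000Z",
     "New_Time": "2016-12-15T10:20:30.000000000Z"},          # +20.5 min forward
    {"host": "ws03", "Account_Name": "admin",
     "Previous_Time": "2016-12-15T11:30:00.000000000Z",
     "New_Time": "2016-12-15T11:00:00.000000000Z"},          # -30 min backward
    {"host": "ws04", "Account_Name": "LOCAL SERVICE",
     "Previous_Time": "2016-12-15T12:00:00.000000000Z",
     "New_Time": "2016-12-15T14:00:00.000000000Z"},          # +120 min, but excluded account
]


def parse_event_time(value: str) -> float:
    """Mirror strptime(replace(x, "\\D", ""), "%Y%m%d%H%M%S%9N").

    Drop every non-digit, parse the leading 14 digits as an UTC timestamp and
    treat whatever digits remain as the fractional second (9 digits in 4616).
    Returns seconds since the epoch as a float, like Splunk's _time.
    """
    digits = re.sub(r"\D", "", value)
    base = datetime.strptime(digits[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    frac = digits[14:]
    fraction = int(frac) / 10 ** len(frac) if frac else 0.0
    return base.timestamp() + fraction


def time_change_minutes(event: dict) -> float:
    """Absolute size of the clock change in minutes (abs() catches backward jumps)."""
    return abs(parse_event_time(event["New_Time"]) - parse_event_time(event["Previous_Time"])) / 60


def find_large_time_changes(events, threshold_minutes=5.0, ignore_accounts=("LOCAL SERVICE",)):
    """Return (host, minutes) for every event whose change exceeds the threshold."""
    hits = []
    for ev in events:
        if ev["Account_Name"] in ignore_accounts:   # same exclusion as Account_Name!="LOCAL SERVICE"
            continue
        diff = time_change_minutes(ev)
        if diff > threshold_minutes:                 # same test as | where diff_in_minutes > 5
            hits.append((ev["host"], round(diff, 2)))
    return hits


if __name__ == "__main__":
    for host, minutes in find_large_time_changes(SAMPLE_EVENTS):
        print(f"{host}: system time changed by {minutes} minutes")
```

The question's own sample row (ws01) evaluates to roughly 0.018 minutes, which is why a correct minute-difference check does not alert on it, whereas the minute-of-hour extraction in the original search would.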
Thank you, lguinn, for your help.