Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to modify this query to set if the time is more than 5 mint then it should trigger an alert.

vkumar69
New Member
‎12-30-2016 11:43 AM

Below is the query which gives if the there is any time change on a windows system. The below query is giving output for the 1-minute time change. I need an alert when there is a time change for more than 5 mins time change or less than 5 mins time change.

index=* EventCode=4616 sourcetype="WinEventLog:Security" Account_Name!="LOCAL SERVICE" 
     host!="IN-L0*"  
| eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S") 
| eval m = strftime(_time, "%M") 
| eval Time_change = if (m > "5","greater than 5 mins","lesser than 5 mins") 
| eval oldtime = strptime(replace(Previous_Time, "\D", ""), "%Y%m%d%H%M%S%9N")
| eval t=_time 
| rename t as "eventtime" 
| eval diff=round(((eventtime-oldtime)/60)/60,2) 
| eval Real_Time=New_Time 
| eval Changed_Time=Previous_Time 
| table host, Real_Time, Changed_Time

 HostName                          Real_Time                                              Changed_Time
      xxxx                     ‎2016‎-‎12‎-‎15T18:48:00.964000000Z       ‎2016‎-‎12‎-‎15T18:47:59.864425500Z
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-01-2017 09:47 AM

It seems like you are doing a lot of work here. First, note that _time is stored in Linux epoch time, where 300 = 5 minutes. Next, in the third line of your search, you are extracting the minutes from the time. So if the time is 9:07, m will be 7. I don't think that is what you want.

If you want the difference between the Previous Time and the event time, do this

yoursearchhere
| eval pTime = strptime(replace(Previous_Time, "\D", ""), "%Y%m%d%H%M%S%9N")
| eval diff_in_minutes = (_time - pTime)/60
| where diff_in_minutes > 5
| eval Event_Time = strftime(_time,"%x %X")
| eval Previous_Time = strftime(pTime,"%x %X")
| table host Previous_Time Event_Time

Then set the alert condition for "number of events > 0".
If you have a field called New_Time that you want to compare to the Previous_Time, you should be able to do this (assuming that New_Time and Previous_Time are in the same format):

yoursearchhere
| eval pTime = strptime(replace(Previous_Time, "\D", ""), "%Y%m%d%H%M%S%9N")
| eval nTime = strptime(replace(New_Time, "\D", ""), "%Y%m%d%H%M%S%9N")
| eval diff_in_minutes = abs((nTime - pTime)/60)
| where diff_in_minutes > 5
| eval New_Time = strftime(nTime,"%x %X")
| eval Previous_Time = strftime(pTime,"%x %X")
| table host Previous_Time New_Time

View solution in original post

0 Karma
Reply
Solved! Jump to solution

vkumar69
New Member
‎01-01-2017 04:06 PM

Thank you lguinn for your help.

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-01-2017 09:47 AM

It seems like you are doing a lot of work here. First, note that _time is stored in Linux epoch time, where 300 = 5 minutes. Next, in the third line of your search, you are extracting the minutes from the time. So if the time is 9:07, m will be 7. I don't think that is what you want.

If you want the difference between the Previous Time and the event time, do this

yoursearchhere
| eval pTime = strptime(replace(Previous_Time, "\D", ""), "%Y%m%d%H%M%S%9N")
| eval diff_in_minutes = (_time - pTime)/60
| where diff_in_minutes > 5
| eval Event_Time = strftime(_time,"%x %X")
| eval Previous_Time = strftime(pTime,"%x %X")
| table host Previous_Time Event_Time

Then set the alert condition for "number of events > 0".
If you have a field called New_Time that you want to compare to the Previous_Time, you should be able to do this (assuming that New_Time and Previous_Time are in the same format):

yoursearchhere
| eval pTime = strptime(replace(Previous_Time, "\D", ""), "%Y%m%d%H%M%S%9N")
| eval nTime = strptime(replace(New_Time, "\D", ""), "%Y%m%d%H%M%S%9N")
| eval diff_in_minutes = abs((nTime - pTime)/60)
| where diff_in_minutes > 5
| eval New_Time = strftime(nTime,"%x %X")
| eval Previous_Time = strftime(pTime,"%x %X")
| table host Previous_Time New_Time
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...