Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Unseen character in wineventlog message

louismai
Path Finder
‎03-05-2020 02:57 PM

Hi all,

I have a problem when I tried to parse EventID=1 in wineventlog. The message look like this:
03/05/2020 09:01:58 AM
LogName=System
SourceName=Microsoft-Windows-Kernel-General
EventCode=1
EventType=4
Type=Information
ComputerName=H7Y2.nap.net
TaskCategory=5
OpCode=Info
RecordNumber=5763
Keywords=Time
Message=The system time has changed to ‎2020‎-‎03‎-‎04T23:01:58.500000000Z from ‎2020‎-‎03‎-‎03T00:38:07.829890100Z.

Change Reason: System time synchronized with the hardware clock.
Process: '' (PID 4).

When I used regex to parse the time from Message field. There is 1 unseen character before and after each number. Hence the command: | eval time_from = strptime(stime_from, "‎%Y‎-‎%m‎-‎%dT%H:%M:%S.%N") doesn't work because it doesn't have the unseen characters.

Tks
Linh

Tags (1)
0 Karma
Reply

manjunathmeti
Champion
‎03-07-2020 11:12 PM

Hi @louismai,

If you are getting any unseen or special character in field stime_from. It is better to replace all non alphanumeric characters in the field values and then convert to epoch like below.

| eval time_from = strptime(replace(stime_from, "[\W]+", ""), "‎%Y‎‎%m‎‎%dT%H%M%S%N")

Examples:

| makeresults | eval stime_from="‎2020‎-‎03‎-‎04T‎23:01:58‎.500000000Z", time_from = strptime(replace(stime_from, "[\W]+", ""), "%Y%m%dT%H%M%S%NZ")

...

| makeresults | eval stime_from="‎2020‎-‎03‎-‎04T‎23:01:58‎.500000000", time_from = strptime(replace(stime_from, "[\W]+", ""), "%Y%m%dT%H%M%S%N")
0 Karma
Reply

to4kawa
Ultra Champion
‎03-07-2020 04:34 PM 
| makeresults 
| eval _raw="Message=The system time has changed to ‎2020‎-‎03‎-‎04T23:01:58.500000000Z from ‎2020‎-‎03‎-‎03T00:38:07.829890100Z." 
| rex "changed to (?<stime_to>.*Z) from (?<stime_from>.*Z)\." 
| rex mode=sed field=stime_from "s/[^\w\-\:\.]//g" 
| rex mode=sed field=stime_to "s/[^\w\-\:\.]//g" 
| eval time_from = strptime(stime_from." +0000", "%Y-%m-%dT%H:%M:%S.%9QZ %z") 
| eval time_to = strptime(stime_to." +0000", "%Y-%m-%dT%H:%M:%S.%9QZ %z")

There are space-like symbols. What is it?

0 Karma
Reply

anmolpatel
Builder
‎03-05-2020 04:56 PM

You can use the sed to replace the space. I've taken the time from above and created the below example

| makeresults
| eval t = "03/05/2020 09:01:58 AM"
| eval stime = "2020 - 03 - 04T23:01:58.500000000Z"
| eval epoch_time_t = strptime(t, "%d/%m/%Y %H:%M:%S %p")
| eval human_time_t =  strptime(epoch_time, "%d/%m/%Y %H:%M:%S %p")
| rex mode=sed field=stime "s/ //g"
| eval epoch_time_stime = strptime(stime, "%Y-%m-%dT%H:%M:%S")
| eval human_time_stime = strftime(epoch_time_stime, "%d/%m/%Y %H:%M:%S")
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...