Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does my Event show as 2 years delayed?

Fe-atSplunk
Explorer
‎03-09-2022 01:32 AM

I am looking for “failed login for ADMIN detected” but because the time in Time is two years late it doesn’t alert.

My log sample is:

FeatSplunk_0-1646818088159.png

I also have _time 2020-02-23T23:02:20.000+01:00

My search so far is:

 

index=abc sourcetype=def "Failed login for ADMIN detected"
| rex field=_raw "(?ms)(?=[^c]*(?:cs2=|c.*cs2=))^(?:[^=\\n]*=){5}(?P<DatabaseEventDate>[^ ]+)"
| stats count by duser cs1 cs2 DatabaseEventDate

 

This gives me a new field with the correct time:

DatabaseEventDate 23.02.2022,13:11:39

 

How can I correct the timestamp without changing the props file (since the basics of the search works for another use case)?

Please help!! Thanks in advance

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-09-2022 08:36 AM

Something like this?

index=abc sourcetype=def "Failed login for ADMIN detected"
| rex field=_raw "(?ms)(?=[^c]*(?:cs2=|c.*cs2=))^(?:[^=\\n]*=){5}(?P<DatabaseEventDate>[^ ]+)"
| eval _time=strptime(DatabaseEventDate,"%d.%m.%Y,%H:%M:%S")
| where _time>relative_time(now(),"-1h")
| rename COMMENT as "Modify above line to appropriate relative_time. Also make sure your searche's timerange is big enough to get to this event"
| stats count by duser cs1 cs2 DatabaseEventDate

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-09-2022 08:36 AM

Something like this?

index=abc sourcetype=def "Failed login for ADMIN detected"
| rex field=_raw "(?ms)(?=[^c]*(?:cs2=|c.*cs2=))^(?:[^=\\n]*=){5}(?P<DatabaseEventDate>[^ ]+)"
| eval _time=strptime(DatabaseEventDate,"%d.%m.%Y,%H:%M:%S")
| where _time>relative_time(now(),"-1h")
| rename COMMENT as "Modify above line to appropriate relative_time. Also make sure your searche's timerange is big enough to get to this event"
| stats count by duser cs1 cs2 DatabaseEventDate
Reply
Solved! Jump to solution

Fe-atSplunk
Explorer
‎03-09-2022 09:05 AM

-2Y instead of -1h FYI to anybody else, other than that it worked! The timestamp is now showing up correctly. Thank you so much!!

Tags (2)
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-09-2022 08:11 AM

If you need to search, using time range, based on DatabaseEventDate values, then you'll have to update your parsing logic to use that timestamp value as _time (https://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition).

If you don't want to change your timestamp parsing, then you'll to modify search similar to this post: https://community.splunk.com/t5/Splunk-Search/How-to-filter-results-based-on-date-not-time/m-p/35317...

0 Karma
Reply
Solved! Jump to solution

Fe-atSplunk
Explorer
‎03-09-2022 08:27 AM

I'm trying something simple, so to calculate the lag and add that to the one in the timestamp

| eval time=strftime(_time, "%d/%m/%Y %H:%M")
| eval DatabaseEventDateNew=strftime(DatabaseEventDate, "%d/%m/%Y %H:%M")

doesn't work to start with. I'm happy with an eval command that works

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...