I'm trying to extract the date and time from the Winevent log when an unexpected shutdown has occurred (EventCode=6008).
The message in the event is below:
The previous system shutdown at 7:53:08 AM on 3/2/2016 was unexpected.
I created two extracted fields to capture the shutdown date and time respectively: shutdown date (3/2/2016) and shutdown time (7:53:08). The code below joins the two fields together and inputs them into the strptime function.
This function however doesn't return a value. However, if I pass a hardcoded value to strptime("3/2/2016 7:53:08 AM") it returns an epoch value. Can someone help? Thanks.
| eval combo = shutdown_date + " " + shutdown_time | eval otime = strptime(combo, "%m%d%Y%I:M:%S %p")
First, there seems to be a typo in the time format for strftime: instead of %M, it's just M. Check if that is correctly used in your search.
Second, check that the field extraction for shutdown_date and shutdown_time is not adding extra spaces to the values; they won't be visible in the table visualization in Splunk, but they will mess up your time conversion. If possible, share the regular expression used for the extraction.
I added a space after %Y and still do not get results (with a table otime statement). With a table otime combo statement the combo displays correctly "3/2/2016 7:53:08 AM" but no values are displayed for otime.
Based on what you said, I tried the following:
| eval timestamp=strptime("3/2/2016 7:53:08 AM", "%m%d%Y%I:M:%S %p")
and nothing comes back.
"3/2/2016 7:53:08 AM" doesn't seem to match the "%m%d%Y%I:M:%S %p" part.
Mind the capitalization and the spaces here ....
... base_search ... | eval combo = shutdown_date + " " + shutdown_time | eval otime = strptime(combo, "%m/%d/%Y %I:%M:%S %p") | table otime
This should do it. Maybe try a table combo to see what the field combo actually contains.
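An end-to-end search for the 6008 events, added here as an illustration and not taken from any of the replies: it extracts both fields from the event message with rex (the regex is anchored on the literal wording quoted in the question, so no stray whitespace is captured), trims them anyway as the second reply suggests, and converts with the corrected format. The index name, the field name Message, and the field names used by rex are assumptions.

```spl
index=wineventlog EventCode=6008
| rex field=Message "shutdown at (?<shutdown_time>\d{1,2}:\d{2}:\d{2} [AP]M) on (?<shutdown_date>\d{1,2}/\d{1,2}/\d{4}) was unexpected"
| eval shutdown_date = trim(shutdown_date), shutdown_time = trim(shutdown_time)
| eval combo = shutdown_date . " " . shutdown_time
| eval otime = strptime(combo, "%m/%d/%Y %I:%M:%S %p")
| eval otime_readable = strftime(otime, "%Y-%m-%d %H:%M:%S")
| eval minutes_until_logged = round((_time - otime) / 60, 1)
| table host _time shutdown_date shutdown_time combo otime otime_readable minutes_until_logged
```

The last column compares the parsed shutdown time with the time the 6008 event itself was written, which is the gap between the crash and the next boot; a blank otime next to a populated combo means the format string still does not match the value.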