Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

date fields for WMI source types

ehoward
Path Finder
‎09-21-2011 07:51 AM

I noticed that my [WinEventLog:Security] does not appear to have the same date fields (date_hour, date_min, date_wday, etc) that are available for my standard Syslog sourcetypes. Is there a way to get is this information natively or do I have to write a regex (which I really don't want to to for performance resaons).

Tags (3)
0 Karma
Reply

woodcock
Esteemed Legend
‎05-01-2015 10:04 AM

It is not a bug; these fields are actually pre-TZ-normalization side-effects from Splunk’s timestamping process. If Splunk does not (have to) parse an event to set its timestamp then the ‘date_’ fields will not exist. Windows event logs, for example, now come in via a modular input that is designed to use the pre-parsed time as it comes from the Windows event log APIs, obviating the need for Splunk to do any timestamp parsing, therefore the ‘date_’ fields are not created, do not exist, and are unavailable for our use. You probably shouldn't use them for anything important because they are not adjusted for any TZ configurations you have applied to your events (which happen after the timestamping process where the 'date_*' fields are created).

You can use this:



eval date_hour = strftime(_time, "%H") | eval date_mday = strftime(_time, "%d") | eval  date_minute = strftime(_time, "%M") | eval  date_month = strftime(_time, "%m") | eval  date_second = strftime(_time, "%S") | eval  date_wday = strftime(_time, "%A") | eval  date_year = strftime(_time, "%y") | eval  date_zone = "UTC"

See more here:
http://answers.splunk.com/answers/99451/variance-betweeen-time-and-date-fields.html
http://answers.splunk.com/answers/221233/why-are-date-fields-are-not-being-extracted-from-w.html
http://answers.splunk.com/answers/30822/date-hour-not-present-in-wineventlogs.html http://answers.splunk.com/answers/92087/default-fields-are-not-visible.html#comment-92199

Reply

Ayn
Legend
‎09-21-2011 08:04 AM

The bad news is that this seems to be a bug with at least the Windows security log. The good news is that there are workarounds for the issue (that do not involve writing regexes). See the similar question and its responses here: http://splunk-base.splunk.com/answers/30822/date_hour-not-present-in-wineventlogs

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...