Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

date fields for WMI source types

ehoward
Path Finder
‎09-21-2011 07:51 AM

I noticed that my [WinEventLog:Security] does not appear to have the same date fields (date_hour, date_min, date_wday, etc) that are available for my standard Syslog sourcetypes. Is there a way to get is this information natively or do I have to write a regex (which I really don't want to to for performance resaons).

Tags (3)
0 Karma
Reply

woodcock
Esteemed Legend
‎05-01-2015 10:04 AM

It is not a bug; these fields are actually pre-TZ-normalization side-effects from Splunk’s timestamping process. If Splunk does not (have to) parse an event to set its timestamp then the ‘date_’ fields will not exist. Windows event logs, for example, now come in via a modular input that is designed to use the pre-parsed time as it comes from the Windows event log APIs, obviating the need for Splunk to do any timestamp parsing, therefore the ‘date_’ fields are not created, do not exist, and are unavailable for our use. You probably shouldn't use them for anything important because they are not adjusted for any TZ configurations you have applied to your events (which happen after the timestamping process where the 'date_*' fields are created).

You can use this:



eval date_hour = strftime(_time, "%H") | eval date_mday = strftime(_time, "%d") | eval  date_minute = strftime(_time, "%M") | eval  date_month = strftime(_time, "%m") | eval  date_second = strftime(_time, "%S") | eval  date_wday = strftime(_time, "%A") | eval  date_year = strftime(_time, "%y") | eval  date_zone = "UTC"

See more here:
http://answers.splunk.com/answers/99451/variance-betweeen-time-and-date-fields.html
http://answers.splunk.com/answers/221233/why-are-date-fields-are-not-being-extracted-from-w.html
http://answers.splunk.com/answers/30822/date-hour-not-present-in-wineventlogs.html http://answers.splunk.com/answers/92087/default-fields-are-not-visible.html#comment-92199

Reply

Ayn
Legend
‎09-21-2011 08:04 AM

The bad news is that this seems to be a bug with at least the Windows security log. The good news is that there are workarounds for the issue (that do not involve writing regexes). See the similar question and its responses here: http://splunk-base.splunk.com/answers/30822/date_hour-not-present-in-wineventlogs

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...