Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

date fields for WMI source types

ehoward
Path Finder
‎09-21-2011 07:51 AM

I noticed that my [WinEventLog:Security] does not appear to have the same date fields (date_hour, date_min, date_wday, etc) that are available for my standard Syslog sourcetypes. Is there a way to get is this information natively or do I have to write a regex (which I really don't want to to for performance resaons).

Tags (3)
0 Karma
Reply

woodcock
Esteemed Legend
‎05-01-2015 10:04 AM

It is not a bug; these fields are actually pre-TZ-normalization side-effects from Splunk’s timestamping process. If Splunk does not (have to) parse an event to set its timestamp then the ‘date_’ fields will not exist. Windows event logs, for example, now come in via a modular input that is designed to use the pre-parsed time as it comes from the Windows event log APIs, obviating the need for Splunk to do any timestamp parsing, therefore the ‘date_’ fields are not created, do not exist, and are unavailable for our use. You probably shouldn't use them for anything important because they are not adjusted for any TZ configurations you have applied to your events (which happen after the timestamping process where the 'date_*' fields are created).

You can use this:



eval date_hour = strftime(_time, "%H") | eval date_mday = strftime(_time, "%d") | eval  date_minute = strftime(_time, "%M") | eval  date_month = strftime(_time, "%m") | eval  date_second = strftime(_time, "%S") | eval  date_wday = strftime(_time, "%A") | eval  date_year = strftime(_time, "%y") | eval  date_zone = "UTC"

See more here:
http://answers.splunk.com/answers/99451/variance-betweeen-time-and-date-fields.html
http://answers.splunk.com/answers/221233/why-are-date-fields-are-not-being-extracted-from-w.html
http://answers.splunk.com/answers/30822/date-hour-not-present-in-wineventlogs.html http://answers.splunk.com/answers/92087/default-fields-are-not-visible.html#comment-92199

Reply

Ayn
Legend
‎09-21-2011 08:04 AM

The bad news is that this seems to be a bug with at least the Windows security log. The good news is that there are workarounds for the issue (that do not involve writing regexes). See the similar question and its responses here: http://splunk-base.splunk.com/answers/30822/date_hour-not-present-in-wineventlogs

Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...