Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

date fields for WMI source types

ehoward
Path Finder
‎09-21-2011 07:51 AM

I noticed that my [WinEventLog:Security] does not appear to have the same date fields (date_hour, date_min, date_wday, etc) that are available for my standard Syslog sourcetypes. Is there a way to get is this information natively or do I have to write a regex (which I really don't want to to for performance resaons).

Tags (3)
0 Karma
Reply

woodcock
Esteemed Legend
‎05-01-2015 10:04 AM

It is not a bug; these fields are actually pre-TZ-normalization side-effects from Splunk’s timestamping process. If Splunk does not (have to) parse an event to set its timestamp then the ‘date_’ fields will not exist. Windows event logs, for example, now come in via a modular input that is designed to use the pre-parsed time as it comes from the Windows event log APIs, obviating the need for Splunk to do any timestamp parsing, therefore the ‘date_’ fields are not created, do not exist, and are unavailable for our use. You probably shouldn't use them for anything important because they are not adjusted for any TZ configurations you have applied to your events (which happen after the timestamping process where the 'date_*' fields are created).

You can use this:



eval date_hour = strftime(_time, "%H") | eval date_mday = strftime(_time, "%d") | eval  date_minute = strftime(_time, "%M") | eval  date_month = strftime(_time, "%m") | eval  date_second = strftime(_time, "%S") | eval  date_wday = strftime(_time, "%A") | eval  date_year = strftime(_time, "%y") | eval  date_zone = "UTC"

See more here:
http://answers.splunk.com/answers/99451/variance-betweeen-time-and-date-fields.html
http://answers.splunk.com/answers/221233/why-are-date-fields-are-not-being-extracted-from-w.html
http://answers.splunk.com/answers/30822/date-hour-not-present-in-wineventlogs.html http://answers.splunk.com/answers/92087/default-fields-are-not-visible.html#comment-92199

Reply

Ayn
Legend
‎09-21-2011 08:04 AM

The bad news is that this seems to be a bug with at least the Windows security log. The good news is that there are workarounds for the issue (that do not involve writing regexes). See the similar question and its responses here: http://splunk-base.splunk.com/answers/30822/date_hour-not-present-in-wineventlogs

Reply
Get Updates on the Splunk Community!

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...