Splunk Search

How to modify this query so that it triggers an alert if the time change is more than 5 min.

vkumar69
New Member

Below is the query which shows if there is any time change on a Windows system. The query below is giving output for a 1-minute time change. I need an alert when there is a time change of more than 5 mins or less than 5 mins.

index=* EventCode=4616 sourcetype="WinEventLog:Security" Account_Name!="LOCAL SERVICE" 
     host!="IN-L0*"  
| eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S") 
| eval m = strftime(_time, "%M") 
| eval Time_change = if (m > "5","greater than 5 mins","lesser than 5 mins") 
| eval oldtime = strptime(replace(Previous_Time, "\D", ""), "%Y%m%d%H%M%S%9N")
| eval t=_time 
| rename t as "eventtime" 
| eval diff=round(((eventtime-oldtime)/60)/60,2) 
| eval Real_Time=New_Time 
| eval Changed_Time=Previous_Time 
| table host, Real_Time, Changed_Time

HostName    Real_Time                         Changed_Time
xxxx        2016-12-15T18:48:00.964000000Z    2016-12-15T18:47:59.864425500Z
1 Solution

lguinn2
Legend

It seems like you are doing a lot of work here. First, note that _time is stored in Linux epoch time, where 300 = 5 minutes. Next, in the third line of your search, you are extracting the minutes from the time. So if the time is 9:07, m will be 7. I don't think that is what you want.

If you want the difference between the Previous Time and the event time, do this:

yoursearchhere
| eval pTime = strptime(replace(Previous_Time, "\D", ""), "%Y%m%d%H%M%S%9N")
| eval diff_in_minutes = (_time - pTime)/60
| where diff_in_minutes > 5
| eval Event_Time = strftime(_time,"%x %X")
| eval Previous_Time = strftime(pTime,"%x %X")
| table host Previous_Time Event_Time

Then set the alert condition for "number of events > 0".
If you have a field called New_Time that you want to compare to the Previous_Time, you should be able to do this (assuming that New_Time and Previous_Time are in the same format):

yoursearchhere
| eval pTime = strptime(replace(Previous_Time, "\D", ""), "%Y%m%d%H%M%S%9N")
| eval nTime = strptime(replace(New_Time, "\D", ""), "%Y%m%d%H%M%S%9N")
| eval diff_in_minutes = abs((nTime - pTime)/60)
| where diff_in_minutes > 5
| eval New_Time = strftime(nTime,"%x %X")
| eval Previous_Time = strftime(pTime,"%x %X")
| table host Previous_Time New_Time

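As an added illustration (not code from the question or the answer, and not Splunk itself), this Python reproduces the eval logic of the accepted answer offline on constructed 4616 events, so the two approaches can be compared side by side: the answer's absolute difference in minutes against the question's minute-of-hour extraction. Host names and timestamps are made up; New_Time stands in for the event's _time.

```python
import re
from datetime import datetime, timezone

# Constructed sample 4616 events modelled on the table in the question (not real data):
# Previous_Time/New_Time in Windows ISO-8601 form with 9 fractional digits; New_Time stands in for _time.
SAMPLE_EVENTS = [
    {"host": "ws01", "Previous_Time": "2016-12-15T18:47:59.864425500Z",
     "New_Time": "2016-12-15T18:48:00.964000000Z"},   # about one second: benign slew
    {"host": "ws02", "Previous_Time": "2016-12-15T18:03:10.000000000Z",
     "New_Time": "2016-12-15T17:40:10.000000000Z"},   # clock set back 23 minutes
    {"host": "ws03", "Previous_Time": "2016-12-15T09:59:00.000000000Z",
     "New_Time": "2016-12-15T10:06:00.000000000Z"},   # clock moved forward 7 minutes
    {"host": "ws04", "Previous_Time": "not a timestamp",
     "New_Time": "2016-12-15T10:06:00.000000000Z"},   # broken field extraction
]

def win_time_to_epoch(value):
    """Mirror of strptime(replace(X, "\\D", ""), "%Y%m%d%H%M%S%9N"): drop non-digits, read 14
    digits of date/time, up to 9 more as nanoseconds. None if unparseable (Splunk: null field)."""
    digits = re.sub(r"\D", "", value)
    if len(digits) < 14:
        return None
    base = datetime.strptime(digits[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return base.timestamp() + int(digits[14:23].ljust(9, "0")) / 1e9

def diff_in_minutes(event):
    """abs((nTime - pTime)/60) from the accepted answer; None if either side fails to parse."""
    p = win_time_to_epoch(event["Previous_Time"])
    n = win_time_to_epoch(event["New_Time"])
    if p is None or n is None:
        return None
    return abs(n - p) / 60

def minute_of_hour(event):
    """What the question's strftime(_time, "%M") really yields: the minute of the hour the
    event fell in (48 for 18:48), which says nothing about how far the clock moved."""
    ts = win_time_to_epoch(event["New_Time"])
    return int(datetime.fromtimestamp(ts, timezone.utc).strftime("%M"))

def hosts_to_alert(events, threshold_minutes=5):
    """Hosts whose clock moved more than the threshold either way, plus hosts whose
    timestamps did not parse, so a broken extraction is not silently dropped."""
    alerts, unparsed = [], []
    for ev in events:
        d = diff_in_minutes(ev)
        if d is None:
            unparsed.append(ev["host"])
        elif d > threshold_minutes:
            alerts.append((ev["host"], round(d, 2)))
    return alerts, unparsed
```

Running hosts_to_alert(SAMPLE_EVENTS) flags ws02 and ws03 and reports ws04 as unparsed, while ws01 (minute 48 of the hour, but only about a second of drift) is left alone.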

vkumar69
New Member

Thank you lguinn for your help.

