date fields for WMI source types

ehoward
Path Finder

I noticed that my [WinEventLog:Security] does not appear to have the same date fields (date_hour, date_min, date_wday, etc.) that are available for my standard Syslog sourcetypes. Is there a way to get this information natively, or do I have to write a regex (which I really don't want to do for performance reasons)?


woodcock
Esteemed Legend

It is not a bug; these fields are actually pre-TZ-normalization side-effects from Splunk’s timestamping process. If Splunk does not (have to) parse an event to set its timestamp then the ‘date_’ fields will not exist. Windows event logs, for example, now come in via a modular input that is designed to use the pre-parsed time as it comes from the Windows event log APIs, obviating the need for Splunk to do any timestamp parsing, therefore the ‘date_’ fields are not created, do not exist, and are unavailable for our use. You probably shouldn't use them for anything important because they are not adjusted for any TZ configurations you have applied to your events (which happen after the timestamping process where the 'date_*' fields are created).

You can use this:


| eval date_hour = strftime(_time, "%H")
| eval date_mday = strftime(_time, "%d")
| eval date_minute = strftime(_time, "%M")
| eval date_month = strftime(_time, "%m")
| eval date_second = strftime(_time, "%S")
| eval date_wday = strftime(_time, "%A")
| eval date_year = strftime(_time, "%y")
| eval date_zone = "UTC"

See more here:
http://answers.splunk.com/answers/99451/variance-betweeen-time-and-date-fields.html
http://answers.splunk.com/answers/221233/why-are-date-fields-are-not-being-extracted-from-w.html
http://answers.splunk.com/answers/30822/date-hour-not-present-in-wineventlogs.html
http://answers.splunk.com/answers/92087/default-fields-are-not-visible.html#comment-92199
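The two points in the answer above (native date_* fields come from the timestamp text before TZ normalization and are absent when there is no text to parse; fields derived from _time with strftime are always available and honour the zone you choose) can be seen side by side in a small Python model. This is an added example, not code from the thread or from Splunk: the sample syslog line, the sample Windows Security record, the UTC-4 sender zone and the date_zone-as-minutes-offset convention are all constructed for illustration, and date_year uses a four-digit %Y rather than the %y in the eval chain.

```python
"""Splunk-style date_* fields: raw (pre-TZ) text fields vs fields derived from _time."""
import re
from datetime import datetime, timedelta, timezone

# strftime codes mirroring the eval chain in the answer above; date_year uses a
# four-digit %Y here, matching the width of the native date_year field.
DATE_FORMATS = {
    "date_hour": "%H",
    "date_mday": "%d",
    "date_minute": "%M",
    "date_month": "%m",
    "date_second": "%S",
    "date_wday": "%A",
    "date_year": "%Y",
}

MONTHS = {m: f"{i:02d}" for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# Syslog-style prefix: "Apr 12 23:15:07 host1 ..."
SYSLOG_TS = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}) ")


def date_fields_from_time(epoch, tz=timezone.utc):
    """Normalized fields derived from _time in a chosen display zone. This is what the
    `eval date_hour = strftime(_time, "%H") | ...` chain does, and it works for every
    sourcetype because _time always exists."""
    dt = datetime.fromtimestamp(epoch, tz)
    fields = {name: dt.strftime(fmt) for name, fmt in DATE_FORMATS.items()}
    # Assumption for this example: date_zone expressed as the UTC offset in minutes.
    fields["date_zone"] = str(int(dt.utcoffset().total_seconds() // 60))
    return fields


def raw_date_fields(raw_event):
    """Pre-normalization fields lifted from the timestamp text inside the event, with no
    TZ adjustment, which is how Splunk's native date_* fields arise. Returns {} when the
    event carries no timestamp text to parse, mirroring the Windows modular-input case
    where the time arrives pre-parsed and the fields are never created."""
    m = SYSLOG_TS.match(raw_event)
    if not m:
        return {}
    return {
        "date_hour": m["h"],
        "date_mday": f"{int(m['day']):02d}",
        "date_minute": m["m"],
        "date_month": MONTHS[m["mon"]],
        "date_second": m["s"],
    }


# Constructed sample data (not from the thread): a syslog line stamped in the sender's
# local zone (UTC-4), with _time normalized to the correct absolute instant.
SENDER_TZ = timezone(timedelta(hours=-4))
SAMPLE_SYSLOG = "Apr 12 23:15:07 host1 sshd[1234]: Accepted publickey for admin"
SAMPLE_TIME = datetime(2024, 4, 12, 23, 15, 7, tzinfo=SENDER_TZ).timestamp()

# Constructed Windows Security event as a modular input delivers it: the time is already
# an epoch value and there is no timestamp text in _raw for Splunk to parse.
SAMPLE_WINEVENT = {
    "_time": SAMPLE_TIME,
    "_raw": "LogName=Security EventCode=4624 Message=An account was successfully logged on.",
}


def compare(raw_event, epoch, display_tz=timezone.utc):
    """Side by side: raw text-derived fields vs fields computed from _time."""
    return {"raw": raw_date_fields(raw_event),
            "normalized": date_fields_from_time(epoch, display_tz)}


if __name__ == "__main__":
    # Syslog: raw date_hour is "23" (the sender's clock) while the UTC-normalized hour
    # is "03" on the next day; this is the TZ mismatch the answer warns about.
    print(compare(SAMPLE_SYSLOG, SAMPLE_TIME))
    # Windows: no raw fields at all, but the _time-derived fields are still available.
    print(compare(SAMPLE_WINEVENT["_raw"], SAMPLE_WINEVENT["_time"]))
```

Passing SENDER_TZ instead of timezone.utc to compare() makes the normalized hour agree with the raw one again, which is the practical reason to derive these fields from _time: you pick the zone explicitly rather than inheriting whatever was in the event text.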

Ayn
Legend

The bad news is that this seems to be a bug with at least the Windows security log. The good news is that there are workarounds for the issue (that do not involve writing regexes). See the similar question and its responses here: http://splunk-base.splunk.com/answers/30822/date_hour-not-present-in-wineventlogs
