Ah! Looks like it was fixed in 2008 R2. So now there are 2 different timestamp formats in the logs.
e.g.
Message=The system time has changed to ?2015?-?12?-?13T13:28:07.492000000Z from ?2015?-?12?-?13T13:18:04.893874600Z.
and
Message=The system time has changed to 2015-12-12T09:09:14.198Z from 2015-12-12T09:09:14.198Z.
So here is my fixed rex (only to the second - decided not to bother with milliseconds):
.*to\D+(?<StartYear>\d+)\D+(?<StartMonth>\d+)\D+(?<StartDay>\d+)T(?<StartTime>[^.]+).* from\D+(?<EndYear>\d+)\D+(?<EndMonth>\d+)\D+(?<EndDay>\d+)T(?<EndTime>[^.]+)
Here is the full search:
source="WinEventLog:System" "system time has changed"
| rex field=Message ".*to\D+(?<StartYear>\d+)\D+(?<StartMonth>\d+)\D+(?<StartDay>\d+)T(?<StartTime>[^.]+).* from\D+(?<EndYear>\d+)\D+(?<EndMonth>\d+)\D+(?<EndDay>\d+)T(?<EndTime>[^.]+)"
| strcat StartYear "-" StartMonth "-" StartDay "T" StartTime StartTime
| strcat EndYear "-" EndMonth "-" EndDay "T" EndTime EndTime
| eval StartUnix=strptime(StartTime, "%Y-%m-%dT%H:%M:%S")
| eval EndUnix=strptime(EndTime, "%Y-%m-%dT%H:%M:%S")
| eval TotalTime=EndUnix - StartUnix
| table _time host StartTime EndTime TotalTime
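The same extraction outside Splunk, as an added example that is not part of the original post: a Python parser that accepts both message formats quoted above. It goes beyond the search by keeping sub-second precision and reporting the shift as new time minus old time. The function names, the 60-second threshold and the reading of the "?" marks as rendered U+200E/U+200F direction marks are assumptions.

```python
import re
from datetime import datetime, timezone

# Assumption: the "?" in the older format is how hidden U+200E/U+200F
# direction marks were rendered; strip either form before parsing.
NOISE = re.compile("[?\u200e\u200f]")
TS = r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z"
MSG = re.compile(r"changed to\s+%s\s+from\s+%s" % (TS, TS))

# The two messages quoted in the post, used here as sample input.
SAMPLE_MESSAGES = [
    "The system time has changed to ?2015?-?12?-?13T13:28:07.492000000Z "
    "from ?2015?-?12?-?13T13:18:04.893874600Z.",
    "The system time has changed to 2015-12-12T09:09:14.198Z "
    "from 2015-12-12T09:09:14.198Z.",
]

def to_datetime(stamp, fraction):
    # The logs carry 3 to 9 fractional digits; datetime keeps 6.
    micros = int((fraction or "0")[:6].ljust(6, "0"))
    base = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=micros, tzinfo=timezone.utc)

def parse_time_change(message):
    """Return (new_time, old_time, shift_seconds), or None if no match."""
    m = MSG.search(NOISE.sub("", message))
    if not m:
        return None
    new = to_datetime(m.group(1), m.group(2))
    old = to_datetime(m.group(3), m.group(4))
    return new, old, (new - old).total_seconds()

def flag_large_shifts(messages, threshold_s=60.0):
    """Return (message, shift) pairs whose clock jump meets the threshold."""
    flagged = []
    for msg in messages:
        parsed = parse_time_change(msg)
        if parsed and abs(parsed[2]) >= threshold_s:
            flagged.append((msg, parsed[2]))
    return flagged

if __name__ == "__main__":
    for msg, shift in flag_large_shifts(SAMPLE_MESSAGES):
        print("clock moved %+.3f s: %s" % (shift, msg))
```

A positive shift means the clock was moved forward; routine NTP corrections are usually far below the threshold, so what remains is worth reviewing against other log timestamps on the host.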