Below is the query which gives if the there is any time change on a windows system. The below query is giving output for the 1-minute time change. I need an alert when there is a time change for more than 5 mins time change or less than 5 mins time change.
index=* EventCode=4616 sourcetype="WinEventLog:Security" Account_Name!="LOCAL SERVICE"
host!="IN-L0*"
| eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S")
| eval m = strftime(_time, "%M")
| eval Time_change = if (m > "5","greater than 5 mins","lesser than 5 mins")
| eval oldtime = strptime(replace(Previous_Time, "\D", ""), "%Y%m%d%H%M%S%9N")
| eval t=_time
| rename t as "eventtime"
| eval diff=round(((eventtime-oldtime)/60)/60,2)
| eval Real_Time=New_Time
| eval Changed_Time=Previous_Time
| table host, Real_Time, Changed_Time
HostName Real_Time Changed_Time
xxxx 2016-12-15T18:48:00.964000000Z 2016-12-15T18:47:59.864425500Z
... View more