Splunk Lantern

Time elapsed between two related events

The time elapsed between two events on a network or device can be useful when working on the following use cases:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

A command line process executed on your network might have exposed the network to a virus. You want to know how much time has passed between the potential exposure and now.

To optimize the search shown below, you should specify an index and a time range.

  1. Run the following search:
sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" CommandLine=* 
| table _time host CommandLine
| eval cl_length=len(CommandLine)
| eval daydiff=round((now()-_time) / 86400, 0)

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" 

Search only Sysmon operational data.

CommandLine=* 

Return logs with a value in the command line field.

| table _time host CommandLine 

Display the results in a table with columns in the order shown.

| eval cl_length=len(CommandLine)

Create a new field called cl_length that shows the length of each command line string the search returns.

| eval daydiff=round((now()-_time) / 86400, 0)

Create a new field called daydiff: the number of days between now and when the command line executed, rounded to the nearest whole day.

now() - _time is a difference in epoch seconds. Dividing by 86,400 (the number of seconds in a day) converts it to days, and round(..., 0) then rounds that result to the nearest integer.
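The same two eval steps, reproduced outside Splunk so the arithmetic can be checked on known input. This is an added example, not part of the Lantern article: the Sysmon Event ID 1 records, hostnames and the fixed "now" are constructed samples, and spl_round assumes SPL's round() rounds ties away from zero (Python's built-in round() uses banker's rounding, which would give a different answer on an exact half-day). span_by_host goes slightly beyond the search and computes the elapsed time between the first and last command-line event per host, the same idea as `| stats range(_time) by host`.

```python
"""Compute cl_length and daydiff from Sysmon process-creation events outside
Splunk, mirroring the eval steps in the Lantern search.  Added example; the XML
events, hostnames and NOW below are constructed samples."""
import math
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SECONDS_PER_DAY = 86400

# Fixed "now" so results are reproducible (Splunk's now() reads the wall clock).
NOW = datetime(2024, 3, 11, 20, 15, 30, tzinfo=timezone.utc).timestamp()

# Constructed Sysmon Event ID 1 records, trimmed to the fields the search uses.
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><Computer>ws01.example.local</Computer></System>
  <EventData>
    <Data Name="UtcTime">2024-03-01 08:15:30.000</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
  </EventData>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><Computer>ws01.example.local</Computer></System>
  <EventData>
    <Data Name="UtcTime">2024-03-09 20:15:30.000</Data>
    <Data Name="CommandLine">net user</Data>
  </EventData>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><Computer>srv02.example.local</Computer></System>
  <EventData>
    <Data Name="UtcTime">2024-03-11 19:45:30.000</Data>
    <Data Name="CommandLine">ipconfig.exe /all</Data>
  </EventData>
</Event>""",
]


def parse_event(xml_text):
    """Extract _time (epoch seconds, UTC), host and CommandLine from one event."""
    root = ET.fromstring(xml_text)
    host = root.find("e:System/e:Computer", NS).text
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    utc = datetime.strptime(data["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return {
        "_time": utc.replace(tzinfo=timezone.utc).timestamp(),
        "host": host,
        "CommandLine": data.get("CommandLine", ""),
    }


def spl_round(x):
    """Round half away from zero (assumed behaviour of SPL round(X, 0)).
    Python's round(10.5) returns 10 (banker's rounding); this returns 11."""
    return int(math.copysign(math.floor(abs(x) + 0.5), x))


def summarize(events, now=NOW):
    """Equivalent of `| table _time host CommandLine | eval cl_length=... | eval daydiff=...`.
    Events with an empty CommandLine are skipped, as CommandLine=* would drop them."""
    rows = []
    for ev in events:
        if not ev["CommandLine"]:
            continue
        rows.append({
            "_time": ev["_time"],
            "host": ev["host"],
            "CommandLine": ev["CommandLine"],
            "cl_length": len(ev["CommandLine"]),
            "daydiff": spl_round((now - ev["_time"]) / SECONDS_PER_DAY),
        })
    return rows


def span_by_host(events):
    """Seconds between the earliest and latest command-line event per host,
    the same idea as `| stats range(_time) by host`."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev["_time"])
    return {host: max(ts) - min(ts) for host, ts in by_host.items()}


if __name__ == "__main__":
    evs = [parse_event(x) for x in SAMPLE_EVENTS]
    for row in summarize(evs):
        print(row["host"], row["cl_length"], row["daydiff"], row["CommandLine"])
    print(span_by_host(evs))
```

The first sample event sits exactly 10.5 days before NOW, which is why the half-up rounding matters: spl_round gives 11 days where Python's round() would report 10. When comparing a Splunk result against an external calculation, confirm which tie-breaking rule each side uses before treating a one-day discrepancy as a data problem.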

Result

The difference in time can help you determine what other machines and files on your network have been exposed to the virus if they were connected to the network during the same time. You might also need this time difference for reporting purposes. 
