Hi all,
Windows reports everything in really long seconds uptime fields. I want to convert that to days, hours, minutes. Trying to get syntax provided in another post to work (and think I'm close) but now receiving "eval" command: Regex unmatched closing parens message that I can't seem to find.
Here's my search:
index=windows sourcetype=WinEventLog* host!="*.xx.com" EventCode=6013 | rex "(?<secs>\d+)\ seconds.$" | convert rmunit(secs) as numSecs | eval stringSec=tostring(numSecs,"duration") | eval stringSecs=replace(stringSecs,"(\d+)\:(\d+)\(\d+)","\1h \2min \3s") | stats avg(duration) AS "Windows AVG Uptime"
Here's a sample of data:
10/9/17
12:01:44.000 PM
10/09/2017 12:01:44 PM
LogName=System
SourceName=EventLog
EventCode=6013
EventType=4
Type=Information
ComputerName=TORBSIVWD01.xx.com
TaskCategory=The operation completed successfully.
OpCode=None
RecordNumber=885007
Keywords=Classic
Message=The system uptime is 2132870 seconds.
All help MUCH appreciated!
Barry
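One way to get the result the post above asks for, as an added example that is not part of the original post: average the numeric seconds first, then format the average with plain arithmetic so that no replace() regex is needed. The field names secs, avgSecs, days, hours and mins are assumptions chosen here; the index, sourcetype, host filter and EventCode come from the search in the post, and the rex pattern is written against the sample Message line.

```spl
index=windows sourcetype=WinEventLog* host!="*.xx.com" EventCode=6013
| rex "uptime is (?<secs>\d+) seconds"
| stats avg(secs) AS avgSecs
| eval avgSecs=round(avgSecs)
| eval days=floor(avgSecs/86400), hours=floor((avgSecs%86400)/3600), mins=floor((avgSecs%3600)/60)
| eval "Windows AVG Uptime"=days."d ".hours."h ".mins."min"
| fields "Windows AVG Uptime"
```

For the sample event alone (2132870 seconds) this yields 24d 16h 27min.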