Reputation: 1
Comparing timestamp in where statement in log parser studio
I am using Log Parser Studio 2.2 for constructing the usage profile for a user on Windows workstation. To find the user's log off time I want to check if a specific event 4798, logged in Security Event logs when a user logs off, coincides with the event 506, created in the System log when system enters standby. To do this I extract the 'Timegenerated' for a 4798 event and then see if that event falls within the time frame for a 506 event (within a 10-15 seconds range).
My problem is that the >= and <= operators aren't working (tested the code) when comparing the timestamps. What am I doing wrong here..could somebody point it out please?
Following is a snippet of my code:
SELECT DISTINCT timegenerated, EventID
USING CASE EventID When 4798 THEN EXTRACT_TOKEN(Strings,8,'|') End AS FilterValue
FROM Security
WHERE EventID = 4798
AND timegenerated >=
(SELECT LowerMark Using To_date(timegenerated) AS LogDate, Sub(To_time(timegenerated),timestamp('00:00:10','hh:mm:ss')) AS Lower, To_timestamp(LogDate,Lower) AS LowerMark FROM System WHERE EventID=506 ORDER BY LowerMark DESC )
AND timegenerated <= (SELECT UpperMark Using To_date(timegenerated) AS LogDate, Add(To_time(timegenerated),timestamp('00:00:15','hh:mm:ss')) AS Upper, To_timestamp(LogDate,Upper) AS UpperMark FROM System WHERE EventID=506 ORDER BY UpperMark DESC )
ORDER BY timegenerated DESC
Upvotes: 0
Views: 469
Answers (0)
Related Questions
- Log Parser - How to query the log in multiple folders?
- Log Parser Studio: Counts of 500 errors and non-errors by month
- Log Parser not working with named column in WHERE statement
- Log Parser recursive file read
- Log Parser Case statement
- Log Parser: HAVING Wildcards
- Log Parser ORDER BY CASE statement
- Using Log Parser Studio and UrlScan Logs
- Logparser 2.2 on Sysevent.evt using strings