Relevance for boot time of device in a certain range

I have an analysis that reports the last boot time of a device, “boot time of operating system”. I need a relevance to tell me if the last boot time was, say, between 3:30 and 4:00 am. Once I have that, I’m going to create a report alert so I’ll be notified if any devices are rebooted outside of this time range. This is a red flag to us, as the device is supposed to be up 24/7 (except at 3:30 am). Thanks for any assistance.

I can get you part of the way there.

To get the Date/Time of the last Reboot we use …
Q: Boot time of Operating System
A: Fri, 14 Aug 2015 19:31:10 -0400

To extract the Time element from this you can use something like …
Q: tuple string items 3 of (concatenation ", " of (substrings separated by " " of (substrings after ", " of (Boot Time of Operating System as string))))
A: 19:31:10

But remember that the Time is Zulu time. You need to account for the Time Zone offset.

Thanks very much TimRice, sorry for the delayed response. So now I need to have a relevance if the reboot time is in a range, like "if (tuple string items 3 of (concatenation ", " of (substrings separated by " " of (substrings after ", " of (Boot Time of Operating System as string))))) > than “11:00:00” AND < than “12:00:00”". I know this is completely wrong, anyone know how to do this? Thanks very much.

q: boot time of operating system
A: Tue, 25 Aug 2015 14:16:20 -0500
T: 0.028 ms
I: singular time

q: local time zone
A: -0500
T: 0.025 ms
I: singular time zone

q: time (local time zone) of boot time of operating system
A: 14:16:20 -0500
T: 0.041 ms
I: singular time of day with time zone

q: time of time (local time zone) of boot time of operating system
A: 14:16:20
T: 0.039 ms
I: singular time of day

q: "14:16:20" as time_of_day
A: 14:16:20
T: 0.024 ms
I: singular time of day

q: (it > "14:00:00" as time_of_day and it < "15:00:00" as time_of_day) of time of time (local time zone) of boot time of operating system
A: True
T: 0.052 ms
I: singular boolean

q: (it > "15:00:00" as time_of_day and it < "16:00:00" as time_of_day) of time of time (local time zone) of boot time of operating system
A: False
T: 0.059 ms
I: singular boolean

Adapt the times in the last two queries to the ranges in which you’re interested.

1 Like
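
The range check from the answer above, applied to exported results instead of on the client. This is an added example, not part of the original thread: a Python script that takes "boot time of operating system" values in the format shown and lists the devices whose last boot fell outside the 3:30 to 4:00 am window from the first post. The device names, the (device, value) export shape and the inclusive window bounds are assumptions, and it goes beyond the thread by also handling windows that cross midnight.

```python
from datetime import time
from email.utils import parsedate_to_datetime

# Allowed reboot window from the original question, in each device's local time.
WINDOW_START = time(3, 30)
WINDOW_END = time(4, 0)

def in_window(t, start, end):
    """True if time-of-day t lies in [start, end]; handles windows crossing midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end

def boot_outside_window(boot_time, start=WINDOW_START, end=WINDOW_END):
    """boot_time is the string form of 'boot time of operating system'.

    The string carries the device's own UTC offset, so the parsed wall-clock
    time is device-local, like 'time (local time zone) of ...' in the thread.
    """
    local = parsedate_to_datetime(boot_time)
    return not in_window(local.time(), start, end)

def flag_devices(rows):
    """rows: iterable of (device, boot_time_string); returns devices to alert on."""
    flagged = []
    for device, boot_time in rows:
        try:
            if boot_outside_window(boot_time):
                flagged.append(device)
        except (TypeError, ValueError):
            flagged.append(device)  # unparseable value: surface it, do not hide it
    return flagged

# Constructed sample export (hypothetical device names, assumed export shape).
SAMPLE = [
    ("kiosk-01", "Tue, 25 Aug 2015 03:41:07 -0500"),  # inside the window
    ("kiosk-02", "Tue, 25 Aug 2015 14:16:20 -0500"),  # mid-afternoon reboot
    ("kiosk-03", "Tue, 25 Aug 2015 08:35:00 +0000"),  # device on UTC: local 08:35
    ("kiosk-04", "<not reported>"),                   # no usable value
]

if __name__ == "__main__":
    print(flag_devices(SAMPLE))
```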

This worked perfectly, thanks JasonWalker!

Hi Jason,

Can you please help me with my issue? I want to get information about boot time from the Windows event logs for the previous day, in a specific time range between 21:00 and 22:00.
Can you help me create the appropriate relevance? Thanks in advance!
Best regards!

You’d need to be careful in how you run that. The Event Log inspectors are expensive in terms of system resources, so you don’t want that to be part of Fixlet or Task Relevance (which is constantly evaluated by the client). You could make it an Analysis Property, provided you configure the property to evaluate no more frequently than once per day.

That said, I’m not very familiar with the Event Log inspectors. For any Inspectors with which I’m not familiar, my first place to look is at https://support.bigfix.com/inspectors/System%20Objects_Any.html#event log

1 Like