Mainly saving you the headache of handling hidden characters which made field extraction harder than it needed to be.

source="*WinEventLog:System" EventCode=6008 "unexpected"
| rex "shutdown\s+at\s+(?<time>.*)\s+on\s+[^\d]?(?<month>\d+)\/[^\d]?(?<day>\d+)\/[^\d]?(?<year>\d+)\s+was"
| eval shutdownTime = strptime(year."-".month."-".day." ".time,"%Y-%m-%d %M:%H:%S %p")
| eval downTimeDays = round((_time-shutdownTime)/86400,2)
| eval shutdownTime = strftime(shutdownTime,"%c")
| table _time, host, shutdownTime, downTimeDays