Mainly saving you the headache of handling hidden characters which made field extraction harder than it needed to be. source=”*WinEventLog:System” EventCode=6008 “unexpected” | rex “shutdown\s+at\s+(?<time>.*)\s+on\s+[^\d]?(?<month>\d+)\/[^\d]?(?<day>\d+)\/[^\d]?(?<year>\d+)\s+was” | eval shutdownTime = strptime(year.”-“.month.”-“.day.” “.time,”%Y-%m-%d %M:%H:%S %p”) | eval downTimeDays = round((_time-shutdownTime)/86400,2) | eval shutdownTime = strftime(shutdownTime,”%c”) | table _time, host, shutdownTime, downTimeDays
