https://community.splunk.com/t5/Alerting/change-format-of-token-job-earliesttime/m-p/449200#M7909 <P>ctime isnt working ..error is-&gt;"Error in 'convert' command: The conversion specifier is invalid. It must be convert_type(key).". please help</P> Thu, 27 Jun 2019 05:14:34 GMT ajitshukla61116 2019-06-27T05:14:34Z https://community.splunk.com/t5/Alerting/change-format-of-token-job-earliesttime/m-p/449195#M7904 <P>Hi,<BR /> I have an alert query which runs after every 30 minutes and has a relative time range of last 30 minutes. There is a mail action triggered on this search in which i have send $job.earliesttime$ and $ job.latesttime$ which gives me the time period of this search but i need to change the format of this time period to utc .<BR /> How can i do it.<BR /> Please help</P> Wed, 26 Jun 2019 05:55:16 GMT https://community.splunk.com/t5/Alerting/change-format-of-token-job-earliesttime/m-p/449195#M7904 ajitshukla61116 2019-06-26T05:55:16Z https://community.splunk.com/t5/Alerting/change-format-of-token-job-earliesttime/m-p/449196#M7905 <P>| convert ctime($job.earliesttime$) ctime($ job.latesttime$)</P> <P>This should work.</P> Wed, 26 Jun 2019 14:41:41 GMT https://community.splunk.com/t5/Alerting/change-format-of-token-job-earliesttime/m-p/449196#M7905 sandeepmakkena 2019-06-26T14:41:41Z https://community.splunk.com/t5/Alerting/change-format-of-token-job-earliesttime/m-p/449197#M7906 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170986">@ajitshukla61116</a> You can pipe the <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addinfo" target="_blank">addinfo</A> command to your existing search for alert and get info_min_time and info_max_time as earliest and latest time as epoch. Then you can use <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/DateandTimeFunctions#strftime.28X.2CY.29" target="_blank">strftime()</A> to convert epoch time to your expected string time.</P> Wed, 30 Sep 2020 01:03:50 GMT https://community.splunk.com/t5/Alerting/change-format-of-token-job-earliesttime/m-p/449197#M7906 niketn 2020-09-30T01:03:50Z https://community.splunk.com/t5/Alerting/change-format-of-token-job-earliesttime/m-p/449198#M7907 <P>Convert ctime is not working.Error is -&gt;"Error in 'convert' command: The conversion specifier is invalid. It must be convert_type(key)."</P> Thu, 27 Jun 2019 04:45:30 GMT https://community.splunk.com/t5/Alerting/change-format-of-token-job-earliesttime/m-p/449198#M7907 ajitshukla61116 2019-06-27T04:45:30Z https://community.splunk.com/t5/Alerting/change-format-of-token-job-earliesttime/m-p/449199#M7908 <P>can you please help me how to do it</P> Thu, 27 Jun 2019 05:08:08 GMT https://community.splunk.com/t5/Alerting/change-format-of-token-job-earliesttime/m-p/449199#M7908 ajitshukla61116 2019-06-27T05:08:08Z https://community.splunk.com/t5/Alerting/change-format-of-token-job-earliesttime/m-p/449200#M7909 <P>ctime isnt working ..error is-&gt;"Error in 'convert' command: The conversion specifier is invalid. It must be convert_type(key).". please help</P> Thu, 27 Jun 2019 05:14:34 GMT https://community.splunk.com/t5/Alerting/change-format-of-token-job-earliesttime/m-p/449200#M7909 ajitshukla61116 2019-06-27T05:14:34Z https://community.splunk.com/t5/Alerting/change-format-of-token-job-earliesttime/m-p/449201#M7910 <P>As @niketnilay mentioned, <BR /> 1. You can use <CODE>addinfo</CODE> command to get '<EM>Job search time</EM>'. <BR /> 2. Format the timestamp using <CODE>strftime</CODE> as below.</P> <PRE><CODE>| makeresults | eval message="My Email Message" | addinfo | eval job_search_time=strftime(info_search_time,"%d-%m-%Y") | table message,job_search_time </CODE></PRE> <P>--</P> <P>And, you can include the custom field in your email subject/body using <CODE>$result.job_search_time$</CODE> field.</P> Thu, 05 Sep 2019 01:02:26 GMT https://community.splunk.com/t5/Alerting/change-format-of-token-job-earliesttime/m-p/449201#M7910 jawaharas 2019-09-05T01:02:26Z