https://community.splunk.com/t5/Splunk-Search/fieldformat-command-giving-error/m-p/59361#M14619 <P>For some reason, I didn't get an email for this comment. I tried | eval start_time=_time|fieldformat start_time = strftime(start_time,"%m/%d/%Y %k:%M") but this didn't work either. Its giving the same error. Thanks a lot. </P> <P>I can use "sort" to order the results but that will do it one time. I wanted to let the user sort the results using up/down arrows provided by the simpleResultsTable.</P> Mon, 28 Sep 2020 09:50:09 GMT sscandoit 2020-09-28T09:50:09Z https://community.splunk.com/t5/Splunk-Search/fieldformat-command-giving-error/m-p/59357#M14615 <P>Hi,</P> <P>I am using Splunk 4.1.2. I am trying to use fieldformat to format the _time to avoid converting it to string. Following is my search string:</P> <PRE><CODE>index="someindex" sourcetype="log" | fieldformat mytime=strftime(_time,"%m/%d/%Y %k:%M") | table mytime, account_id </CODE></PRE> <P>However I am getting the following error:</P> <BLOCKQUOTE> <P>Search operation 'fieldformat' is<BR /> unknown. You might not have permission<BR /> to run this operation.</P> </BLOCKQUOTE> <P>I think I am missing something here. Appreciate all the help I have got on this forum.</P> <P>Thanks,<BR /> Suvelee</P> Wed, 17 Aug 2011 15:48:50 GMT https://community.splunk.com/t5/Splunk-Search/fieldformat-command-giving-error/m-p/59357#M14615 sscandoit 2011-08-17T15:48:50Z https://community.splunk.com/t5/Splunk-Search/fieldformat-command-giving-error/m-p/59358#M14616 <P>use "convert", try this:</P> <PRE><CODE>index="someindex" sourcetype="log" | convert timeformat="%m/%d/%Y %k:%M" ctime(_time) AS mytime |table mytime, account_id </CODE></PRE> <P>the function "ctime" is for converting epoch time to ascii. Hope it helps!</P> Thu, 18 Aug 2011 05:06:39 GMT https://community.splunk.com/t5/Splunk-Search/fieldformat-command-giving-error/m-p/59358#M14616 bbingham 2011-08-18T05:06:39Z https://community.splunk.com/t5/Splunk-Search/fieldformat-command-giving-error/m-p/59359#M14617 <P>Thanks for the reply. I had used convert before. But it doesn't sort the timestamp in the results table. So to preserve the timestamp I tried using fieldformat.</P> Thu, 18 Aug 2011 19:11:16 GMT https://community.splunk.com/t5/Splunk-Search/fieldformat-command-giving-error/m-p/59359#M14617 sscandoit 2011-08-18T19:11:16Z https://community.splunk.com/t5/Splunk-Search/fieldformat-command-giving-error/m-p/59360#M14618 <P>You can also pipe to "sort" to order it how you'd like, but try this:</P> <P>| eval start_time=_time|fieldformat start_time = strftime(start_time,"%m/%d/%Y %k:%M")</P> Mon, 28 Sep 2020 09:48:48 GMT https://community.splunk.com/t5/Splunk-Search/fieldformat-command-giving-error/m-p/59360#M14618 bbingham 2020-09-28T09:48:48Z https://community.splunk.com/t5/Splunk-Search/fieldformat-command-giving-error/m-p/59361#M14619 <P>For some reason, I didn't get an email for this comment. I tried | eval start_time=_time|fieldformat start_time = strftime(start_time,"%m/%d/%Y %k:%M") but this didn't work either. Its giving the same error. Thanks a lot. </P> <P>I can use "sort" to order the results but that will do it one time. I wanted to let the user sort the results using up/down arrows provided by the simpleResultsTable.</P> Mon, 28 Sep 2020 09:50:09 GMT https://community.splunk.com/t5/Splunk-Search/fieldformat-command-giving-error/m-p/59361#M14619 sscandoit 2020-09-28T09:50:09Z https://community.splunk.com/t5/Splunk-Search/fieldformat-command-giving-error/m-p/59362#M14620 <P>The <CODE>fieldformat</CODE> search command isn't supported until Splunk 4.2.</P> Thu, 19 Jan 2012 17:45:30 GMT https://community.splunk.com/t5/Splunk-Search/fieldformat-command-giving-error/m-p/59362#M14620 Lowell 2012-01-19T17:45:30Z