Epoch Date format in reporting

Susha — Wed, 15 Sep 2021 06:41:04 GMT

Hi ,

i have 2 queries .

(index=abc OR index=def) category= * OR NOT blocked =0 AND NOT blocked =2
|rex field=index "(?<Local_Market>[^cita]\w.*?)_"
| stats count(Local_Market) as Blocked by Local_Market
| addcoltotals col=t labelfield=Local_Market label="Total"
| append [search (index=abc OR index=def) blocked =0 | rex field=index "(?<Local_Market>\w.*?)_"
| stats count as Detected by Local_Market
| addcoltotals col=t labelfield=Local_Market label="Total"]
| stats values(*) as * by Local_Market
| transpose 0 header_field=Local_Market column_name=Local_Market | addinfo
| eval date=info_min_time
| fieldformat date=strftime(date,"%m-%d-%Y")
| fields - info_*

1> above query is giving me the correct date time ..but when i am scheduling this as report its coming as Epoch time in csv file ..

2> also how can we get date field in first column instead of last column without disturbing the other fields ..

thanks in advance

Re: Epoch Date format in reporting

richgalloway — Wed, 15 Sep 2021 12:42:06 GMT

1> Use eval rather than fieldformat to have the format preserved in the CSV.

2> Use the table command to specify the order of fields.

Re: Epoch Date format in reporting

Susha — Wed, 15 Sep 2021 13:55:33 GMT

@richgalloway table command wont work here i believe .. as we are already using stats command ..please correct me if i am wrong ..

topic Re: Epoch Date format in reporting in Splunk Search

Epoch Date format in reporting

Re: Epoch Date format in reporting

Re: Epoch Date format in reporting