Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is fieldformat for time not being honored in email alert when using metadata?

RVDowning
Contributor
‎03-05-2015 09:53 AM

I have the following search:

| metadata type=hosts  | eval since=now()-lastTime 
| rename firstTime as "First Time", lastTime as "Last Event", recentTime as "Last Update"
| fieldformat First Time=strftime('First Time', "%c")
| fieldformat Last Event=strftime('Last Event', "%c")
| fieldformat Last Update=strftime('Last Update', "%c")

which formats the times correctly when executed in a search, but does not format the times at all when in the body of an alert email:

In alert:
First Time  Last Event  Last Update   host         since    totalCount   type
1423978950  1425327716  1425327717  Hostname1   243484   13437      hosts
1423257448  1425414744  1425414744  Hostname2    156456   2049       hosts
1423978463  1423978495  1423978835  Hostname3    1592705  14           hosts

In search: 

Sun Feb 15 00:42:30 2015    Mon Mar 2 15:21:56 2015 Mon Mar 2 15:21:57 2015 Hostname1   249510  13437   hosts
Fri Feb 6 16:17:28 2015 Tue Mar 3 15:32:24 2015 Tue Mar 3 15:32:24 2015 Hostname2   162482  2049    hosts
Sun Feb 15 00:34:23 2015    Sun Feb 15 00:34:55 2015    Sun Feb 15 00:40:35 2015    Hostname3   1598731 14          hosts

Any idea how to format the times in an alert email?

Reply
1 Solution
Solved! Jump to solution
Solution

vr2312
Contributor
‎04-13-2015 11:56 AM

Use the EVAL Command instead of Field Format.

| metadata type=hosts | eval since=now()-lastTime
| rename firstTime as "First Time", lastTime as "Last Event", recentTime as "Last Update"
| eval First Time=strftime('First Time', "%c")
| eval Last Event=strftime('Last Event', "%c")
| eval Last Update=strftime('Last Update', "%c")

View solution in original post

Reply
Solved! Jump to solution
Solution

vr2312
Contributor
‎04-13-2015 11:56 AM

Use the EVAL Command instead of Field Format.

| metadata type=hosts | eval since=now()-lastTime
| rename firstTime as "First Time", lastTime as "Last Event", recentTime as "Last Update"
| eval First Time=strftime('First Time', "%c")
| eval Last Event=strftime('Last Event', "%c")
| eval Last Update=strftime('Last Update', "%c")

Reply
Solved! Jump to solution

jamesdaily
Explorer
‎09-29-2016 11:25 AM

Hmm, strftime doesn't sort dates properly, though. Can fieldformat be used somehow to achieve the same visible text but maintain date sorting?

0 Karma
Reply
Solved! Jump to solution

jnoga
Explorer
‎11-02-2015 11:05 AM

Worked for me too! Nice work

0 Karma
Reply
Solved! Jump to solution

vr2312
Contributor
‎05-23-2016 12:45 PM

Thank you 🙂

0 Karma
Reply
Solved! Jump to solution

RVDowning
Contributor
‎04-16-2015 06:13 AM

Yep, that did it. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...