Alerting

Why is fieldformat for time not being honored in email alert when using metadata?

RVDowning
Contributor

I have the following search:

| metadata type=hosts | eval since=now()-lastTime
| rename firstTime as "First Time", lastTime as "Last Event", recentTime as "Last Update"
| fieldformat "First Time"=strftime('First Time', "%c")
| fieldformat "Last Event"=strftime('Last Event', "%c")
| fieldformat "Last Update"=strftime('Last Update', "%c")

which formats the times correctly when executed in a search, but does not format the times at all when in the body of an alert email:

In alert:

First Time  Last Event  Last Update  host       since    totalCount  type
1423978950  1425327716  1425327717   Hostname1  243484   13437       hosts
1423257448  1425414744  1425414744   Hostname2  156456   2049        hosts
1423978463  1423978495  1423978835   Hostname3  1592705  14          hosts

In search:

First Time                Last Event                Last Update               host       since    totalCount  type
Sun Feb 15 00:42:30 2015  Mon Mar 2 15:21:56 2015   Mon Mar 2 15:21:57 2015   Hostname1  249510   13437       hosts
Fri Feb 6 16:17:28 2015   Tue Mar 3 15:32:24 2015   Tue Mar 3 15:32:24 2015   Hostname2  162482   2049        hosts
Sun Feb 15 00:34:23 2015  Sun Feb 15 00:34:55 2015  Sun Feb 15 00:40:35 2015  Hostname3  1598731  14          hosts

Any idea how to format the times in an alert email?

1 Solution

vr2312
Contributor

Use the eval command instead of fieldformat.

| metadata type=hosts | eval since=now()-lastTime
| rename firstTime as "First Time", lastTime as "Last Event", recentTime as "Last Update"
| eval "First Time"=strftime('First Time', "%c")
| eval "Last Event"=strftime('Last Event', "%c")
| eval "Last Update"=strftime('Last Update', "%c")

jamesdaily
Explorer

Hmm, strftime doesn't sort dates properly, though. Can fieldformat be used somehow to achieve the same visible text but maintain date sorting?

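Worked example, added here and not written by any poster in this thread: vr2312's eval approach, extended so that the table in the email is both human-readable and correctly ordered. The search sorts on the raw epoch field before eval rewrites it as text, and it uses a zero-padded, year-first format ("%Y-%m-%d %H:%M:%S") so that, unlike "%c", the formatted strings also order correctly when compared as plain strings. The since column is rendered with tostring(since, "duration"). The metadata search and the field names are the ones from the question; as in the question no index is given, so the search runs against the default indexes of the owner of the alert, which is an assumption about the environment.

```spl
| metadata type=hosts
| eval since=now()-lastTime
| sort 0 - lastTime
| eval "First Time"=strftime(firstTime, "%Y-%m-%d %H:%M:%S")
| eval "Last Event"=strftime(lastTime, "%Y-%m-%d %H:%M:%S")
| eval "Last Update"=strftime(recentTime, "%Y-%m-%d %H:%M:%S")
| eval Since=tostring(since, "duration")
| table host "First Time" "Last Event" "Last Update" Since totalCount
```

The sort runs while lastTime is still a number (the 0 removes the default result limit of sort), and the epoch fields firstTime, lastTime and recentTime are never overwritten, only dropped by the final table, so they remain available for any where clause or threshold placed before it. Because eval replaces the field value rather than attaching a display hint, the alert action receives the formatted strings directly.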

jnoga
Explorer

Worked for me too! Nice work


vr2312
Contributor

Thank you 🙂


RVDowning
Contributor

Yep, that did it. Thanks!
