Alerting

Why is fieldformat for time not being honored in email alert when using metadata?

RVDowning
Contributor

I have the following search:

| metadata type=hosts  | eval since=now()-lastTime 
| rename firstTime as "First Time", lastTime as "Last Event", recentTime as "Last Update"
| fieldformat First Time=strftime('First Time', "%c")
| fieldformat Last Event=strftime('Last Event', "%c")
| fieldformat Last Update=strftime('Last Update', "%c")

which formats the times correctly when executed in a search, but does not format the times at all when in the body of an alert email:

In alert:
First Time  Last Event  Last Update   host         since    totalCount   type
1423978950  1425327716  1425327717  Hostname1   243484   13437      hosts
1423257448  1425414744  1425414744  Hostname2    156456   2049       hosts
1423978463  1423978495  1423978835  Hostname3    1592705  14           hosts

In search:

Sun Feb 15 00:42:30 2015    Mon Mar 2 15:21:56 2015 Mon Mar 2 15:21:57 2015 Hostname1   249510  13437   hosts
Fri Feb 6 16:17:28 2015 Tue Mar 3 15:32:24 2015 Tue Mar 3 15:32:24 2015 Hostname2   162482  2049    hosts
Sun Feb 15 00:34:23 2015    Sun Feb 15 00:34:55 2015    Sun Feb 15 00:40:35 2015    Hostname3   1598731 14          hosts

Any idea how to format the times in an alert email?

1 Solution

vr2312
Contributor

Use the EVAL Command instead of Field Format.

| metadata type=hosts | eval since=now()-lastTime
| rename firstTime as "First Time", lastTime as "Last Event", recentTime as "Last Update"
| eval First Time=strftime('First Time', "%c")
| eval Last Event=strftime('Last Event', "%c")
| eval Last Update=strftime('Last Update', "%c")

View solution in original post

vr2312
Contributor

Use the EVAL Command instead of Field Format.

| metadata type=hosts | eval since=now()-lastTime
| rename firstTime as "First Time", lastTime as "Last Event", recentTime as "Last Update"
| eval First Time=strftime('First Time', "%c")
| eval Last Event=strftime('Last Event', "%c")
| eval Last Update=strftime('Last Update', "%c")

jamesdaily
Explorer

Hmm, strftime doesn't sort dates properly, though. Can fieldformat be used somehow to achieve the same visible text but maintain date sorting?

0 Karma

jnoga
Explorer

Worked for me too! Nice work

0 Karma

vr2312
Contributor

Thank you 🙂

0 Karma

RVDowning
Contributor

Yep, that did it. Thanks!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...