Why is fieldformat for time not being honored in email alert when using metadata?

Contributor

I have the following search:

| metadata type=hosts | eval since=now()-lastTime
| rename firstTime as "First Time", lastTime as "Last Event", recentTime as "Last Update"
| fieldformat "First Time"=strftime('First Time', "%c")
| fieldformat "Last Event"=strftime('Last Event', "%c")
| fieldformat "Last Update"=strftime('Last Update', "%c")

which formats the times correctly when executed in a search, but does not format the times at all when in the body of an alert email:

In alert:

First Time  Last Event  Last Update  host       since    totalCount  type
1423978950  1425327716  1425327717   Hostname1  243484   13437       hosts
1423257448  1425414744  1425414744   Hostname2  156456   2049        hosts
1423978463  1423978495  1423978835   Hostname3  1592705  14          hosts

In search:

First Time                Last Event                Last Update               host       since    totalCount  type
Sun Feb 15 00:42:30 2015  Mon Mar 2 15:21:56 2015   Mon Mar 2 15:21:57 2015   Hostname1  249510   13437       hosts
Fri Feb 6 16:17:28 2015   Tue Mar 3 15:32:24 2015   Tue Mar 3 15:32:24 2015   Hostname2  162482   2049        hosts
Sun Feb 15 00:34:23 2015  Sun Feb 15 00:34:55 2015  Sun Feb 15 00:40:35 2015  Hostname3  1598731  14          hosts

Any idea how to format the times in an alert email?

1 Solution

Contributor

Use the EVAL Command instead of Field Format.

| metadata type=hosts | eval since=now()-lastTime
| rename firstTime as "First Time", lastTime as "Last Event", recentTime as "Last Update"
| eval "First Time"=strftime('First Time', "%c")
| eval "Last Event"=strftime('Last Event', "%c")
| eval "Last Update"=strftime('Last Update', "%c")

Explorer

Hmm, strftime doesn't sort dates properly, though. Can fieldformat be used somehow to achieve the same visible text but maintain date sorting?
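The accepted answer works because eval rewrites the stored value, whereas fieldformat only attaches a display rule that the alert email renderer never applies. The follow-up concern about sorting is real: once a field holds a strftime string, sort on it is lexicographic. The search below is an added example (not from the original post or the accepted answer) that combines both points: it sorts on the numeric epoch field before the eval replaces the values, and it builds the display fields straight from firstTime, lastTime and recentTime so the rename step is no longer needed. Field and column names are the ones on this page; the sort order and the table layout are my choices.

```spl
| metadata type=hosts
| eval since=now()-lastTime
| sort 0 - lastTime
| eval "First Time"=strftime(firstTime, "%c"),
       "Last Event"=strftime(lastTime, "%c"),
       "Last Update"=strftime(recentTime, "%c")
| table host "First Time" "Last Event" "Last Update" since totalCount type
```

Notes on the choices: `sort 0 - lastTime` orders hosts by most recent event first while lastTime is still an epoch number (the `0` removes the default 10,000-result cap); the eval that follows keeps that order, so the alert table is chronologically sorted even though the visible columns are strings. The `since` field stays numeric (seconds since the host's last event), so it remains usable for numeric thresholds, for example adding `| where since > 86400` to restrict the alert to hosts that have sent nothing for more than a day, which is the usual reason to watch this data from a monitoring standpoint.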

Explorer

Worked for me too! Nice work

Contributor

Thank you 🙂

Contributor

Yep, that did it. Thanks!