Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

change format of token $job.earliesttime$

ajitshukla61116
Path Finder
‎06-25-2019 10:55 PM

Hi,
I have an alert query which runs after every 30 minutes and has a relative time range of last 30 minutes. There is a mail action triggered on this search in which i have send $job.earliesttime$ and $ job.latesttime$ which gives me the time period of this search but i need to change the format of this time period to utc .
How can i do it.
Please help

0 Karma
Reply

jawaharas
Motivator
‎09-04-2019 06:02 PM

As @niketnilay mentioned,
1. You can use addinfo command to get 'Job search time'.
2. Format the timestamp using strftime as below.

| makeresults 
| eval message="My Email Message"
| addinfo
| eval job_search_time=strftime(info_search_time,"%d-%m-%Y")
| table message,job_search_time

--

And, you can include the custom field in your email subject/body using $result.job_search_time$ field.

0 Karma
Reply

ajitshukla61116
Path Finder
‎06-26-2019 09:45 PM

Convert ctime is not working.Error is ->"Error in 'convert' command: The conversion specifier is invalid. It must be convert_type(key)."

0 Karma
Reply

niketn
Legend
‎06-26-2019 08:50 AM

@ajitshukla61116 You can pipe the addinfo command to your existing search for alert and get info_min_time and info_max_time as earliest and latest time as epoch. Then you can use strftime() to convert epoch time to your expected string time.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

ajitshukla61116
Path Finder
‎06-26-2019 10:08 PM

can you please help me how to do it

0 Karma
Reply

sandeepmakkena
Contributor
‎06-26-2019 07:41 AM

| convert ctime($job.earliesttime$) ctime($ job.latesttime$)

This should work.

0 Karma
Reply

ajitshukla61116
Path Finder
‎06-26-2019 10:14 PM

ctime isnt working ..error is->"Error in 'convert' command: The conversion specifier is invalid. It must be convert_type(key).". please help

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...