change format of token $job.earliesttime$

ajitshukla61116 · ‎06-25-2019

Hi,
I have an alert query which runs after every 30 minutes and has a relative time range of last 30 minutes. There is a mail action triggered on this search in which i have send $job.earliesttime$ and $ job.latesttime$ which gives me the time period of this search but i need to change the format of this time period to utc .
How can i do it.
Please help

jawaharas · ‎09-04-2019

As @niketnilay mentioned,
1. You can use addinfo command to get 'Job search time'.
2. Format the timestamp using strftime as below.

| makeresults 
| eval message="My Email Message"
| addinfo
| eval job_search_time=strftime(info_search_time,"%d-%m-%Y")
| table message,job_search_time

--

And, you can include the custom field in your email subject/body using $result.job_search_time$ field.

ajitshukla61116 · ‎06-26-2019

Convert ctime is not working.Error is ->"Error in 'convert' command: The conversion specifier is invalid. It must be convert_type(key)."

niketn · ‎06-26-2019

@ajitshukla61116 You can pipe the addinfo command to your existing search for alert and get info_min_time and info_max_time as earliest and latest time as epoch. Then you can use strftime() to convert epoch time to your expected string time.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

ajitshukla61116 · ‎06-26-2019

can you please help me how to do it

sandeepmakkena · ‎06-26-2019

| convert ctime($job.earliesttime$) ctime($ job.latesttime$)

This should work.

ajitshukla61116 · ‎06-26-2019

ctime isnt working ..error is->"Error in 'convert' command: The conversion specifier is invalid. It must be convert_type(key).". please help

change format of token $job.earliesttime$

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Introducing Edge Processor: Next Gen Data Transformation

Take the 2021 Splunk Career Survey for $50 in Amazon Cash