Deployment Monitor and fieldformat

moreda · ‎12-24-2012

The searches (or macros) which last term is:

… | fieldformat "Last Connected"=strftime('Last Connected', "%D %H:%M:%S %p")

show the expected format in the table view. Although, I have a problem when the results are included in an alert email as the field "Last Connected" shows a UNIX time formatted timestamp.

As a workaround to have human readable timestamps in alert emails I'm using:

… | eval "Last Connected"=strftime('Last Connected', "%D %H:%M:%S %p")

instead of the original term.

I guess there's a good reason to use fieldformat instead of eval, but I didn't find a better way to solve my problem. Any ideas about this?

Thank you.

mkinsley_splunk · ‎01-14-2013

fieldformat allows us to keep the underlying value , only affecting how it is displayed. This is very useful for things like sorting timestamps or for example sorting by day of the week.

eval changes the underlying value . In the above it would permanently convert the integer epoch time to a string.

I think you found the ideal solution for this problem.

moreda · ‎01-14-2013

Yes, yes, I knew about the difference (and it's nice to confirm it). My question was more about the usage in this specific case.
Thank you 🙂

Deployment Monitor and fieldformat

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

Deployment Monitor and fieldformat

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine