Date formatted fine in dashboard but incorrectly in emailed report

adigrio
Path Finder

Hi,

I have a report created from one of the Windows Event Logs Analysis App dashboards. The dashboard displays the first and last time for the Windows events in scope of the search, and the timestamps are displayed as expected:

[screenshot: dashboard panel with formatted First/Last timestamps]

However, a report created from the same search displays the date in Unix format when sent by email. For example, 1513508869 instead of 12/17/17 10:27:26:

[screenshot: emailed report with First/Last shown as epoch values]

The search command is:

`event_sources` 
| fillnull  
| eval Type=if(Keywords=="Audit Success",Keywords, Type) 
| eval Type=if(Keywords=="Audit Failure",Keywords, Type) 
| search ((Type="Error" OR Type="Warning") OR (Type="Denial" OR Type="Audit Failure")) 
| stats earliest(_time) as First latest(_time) as Last max(Message) as Sample_Message count by host, EventCode, SourceName, Type 
| sort -count host, EventCode, SourceName, Type 
| rename EventCode as "EventId" 
| fieldformat First=strftime(First,"%x %X") 
| fieldformat Last=strftime(Last,"%x %X")

event_sources is a macro that specifies where the Windows event logs are indexed.

Is this a bug or a limitation of the emailed reports?

1 Solution

elliotproebstel
Champion

I suspect that fieldformat is not respected in exporting to reports, much as it's not supported for exporting to CSVs or lookups.

The fieldformat command does not apply to commands that export data, such as the outputcsv and outputlookup commands. The export retains the original data format and not the rendered format. If you want the format to apply to exported data, use the eval command instead of the fieldformat command.
https://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Fieldformat

As suggested in the docs above, you may need to use eval instead to get the result you're looking for.

adigrio
Path Finder

Thanks for the answer, it did the trick. I've adjusted the search as:

`event_sources` 
| fillnull  
| eval Type=if(Keywords=="Audit Success",Keywords, Type) 
| eval Type=if(Keywords=="Audit Failure",Keywords, Type) 
| search ((Type="Error" OR Type="Warning") OR (Type="Denial" OR Type="Audit Failure")) 
| stats earliest(_time) as First latest(_time) as Last max(Message) as Sample_Message count by host, EventCode, SourceName, Type 
| eval First=strftime(First,"%x %X") 
| eval Last=strftime(Last,"%x %X")
| sort -count host, EventCode, SourceName, Type 
| rename EventCode as "EventId"
| table host,EventId,SourceName,Type,First,Last,Sample_Message,count

and the date is shown in the report as expected.

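An added example, not part of the original thread and not code from the Windows Event Logs Analysis App, that makes the fieldformat-versus-eval distinction visible on constructed data so it needs no index. The three timestamps are made up and chosen to straddle a year boundary; host1 to host3 are invented. Last_str is what the adjusted search above produces (eval, a real string), while Last carries only a fieldformat (render-time formatting over an unchanged epoch). Ranking the rows by each field shows which one sort actually operates on.

```spl
| makeresults
| eval sample="2017-11-02T08:00:00,2017-12-17T10:27:26,2018-01-05T09:15:00"
| makemv delim="," sample
| mvexpand sample
| eval _time=strptime(sample, "%Y-%m-%dT%H:%M:%S")
| streamstats count AS n
| eval host="host".n
| stats latest(_time) AS Last BY host
| eval Last_str=strftime(Last, "%x %X")
| fieldformat Last=strftime(Last, "%x %X")
| sort 0 -Last
| streamstats count AS numeric_rank
| sort 0 -Last_str
| streamstats count AS string_rank
| table host, Last, Last_str, numeric_rank, string_rank
```

Paste it into the search bar over any time range. Both Last and Last_str look identical in the results table, but numeric_rank puts host3 (5 January 2018) first because sort sees the epoch underneath the fieldformat, whereas string_rank puts host3 last because "01/05/18 ..." sorts before "12/17/17 ..." as text (%x is locale-dependent; this assumes an en_US-style mm/dd/yy locale). The same underlying difference is what the emailed report exposes: on export, Last arrives as the raw epoch and Last_str as formatted text. So keep the eval strftime conversion as the final step, after any sort or where that relies on the numeric value, exactly as the accepted answer recommends.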

elliotproebstel
Champion

Great! Glad to help.
