Date formatted fine in dashboard but incorrectly in emailed report

adigrio
Path Finder

Hi,

I have a report created from one of the Windows Event Logs Analysis App dashboards. The dashboard displays the first and last time for the Windows events in scope of the search, and the timestamps are displayed as expected:

[screenshot: dashboard panel showing First and Last as formatted timestamps]

However, a report created from the same search displays the date in Unix format when sent by email. For example, 1513508869 instead of 12/17/17 10:27:26:

[screenshot: emailed report showing First and Last as Unix epoch values]

The search command is:

`event_sources` 
| fillnull  
| eval Type=if(Keywords=="Audit Success",Keywords, Type) 
| eval Type=if(Keywords=="Audit Failure",Keywords, Type) 
| search ((Type="Error" OR Type="Warning") OR (Type="Denial" OR Type="Audit Failure")) 
| stats earliest(_time) as First latest(_time) as Last max(Message) as Sample_Message count by host, EventCode, SourceName, Type 
| sort -count host, EventCode, SourceName, Type 
| rename EventCode as "EventId" 
| fieldformat First=strftime(First,"%x %X") 
| fieldformat Last=strftime(Last,"%x %X")

event_sources is a macro that specifies where the Windows event logs are indexed.

Is this a bug or a limitation of the emailed reports?


elliotproebstel
Champion

I suspect that fieldformat is not respected in exporting to reports, much as it's not supported for exporting to CSVs or lookups.

The fieldformat command does not apply to commands that export data, such as the outputcsv and outputlookup commands. The export retains the original data format and not the rendered format. If you want the format to apply to exported data, use the eval command instead of the fieldformat command.
https://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Fieldformat

As suggested in the docs above, you may need to use eval instead to get the result you're looking for.
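The difference the docs describe, shown as an added self-contained search that is not part of this thread or of the Windows Event Logs Analysis App. It builds its own rows with makeresults (the host name, event codes and start epoch are constructed; the epoch is the one from the question), formats First with fieldformat and Last with eval, then exports with outputcsv to a constructed file name so the two columns can be compared outside the UI:

```spl
| makeresults count=4
| streamstats count AS n
| eval _time = 1513508869 + (n - 1) * 3600
| eval host = "constructed-host", EventCode = if(n % 2 == 0, 4625, 4776), Type = "Audit Failure"
| stats earliest(_time) AS First latest(_time) AS Last count BY host, EventCode, Type
| fieldformat First = strftime(First, "%x %X")
| eval Last = strftime(Last, "%x %X")
| rename EventCode AS EventId
| table host, EventId, Type, First, Last, count
| outputcsv fieldformat_vs_eval_demo
```

In the search results view both First and Last render as dates. In the exported fieldformat_vs_eval_demo.csv (written under the Splunk server's var/run/splunk/csv directory), First still holds the raw epoch, for example 1513508869 for the 4776 row, while Last holds the formatted string, because eval replaced the stored value and fieldformat only changed how it is displayed. An emailed scheduled report behaves like the export, which is why the original search showed epochs in the mail. Keep the epoch field around (for example as First_epoch) if you still need to sort or compute on it after converting.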

adigrio
Path Finder

Thanks for the answer; it did the trick. I've adjusted the search as:

`event_sources` 
| fillnull  
| eval Type=if(Keywords=="Audit Success",Keywords, Type) 
| eval Type=if(Keywords=="Audit Failure",Keywords, Type) 
| search ((Type="Error" OR Type="Warning") OR (Type="Denial" OR Type="Audit Failure")) 
| stats earliest(_time) as First latest(_time) as Last max(Message) as Sample_Message count by host, EventCode, SourceName, Type 
| eval First=strftime(First,"%x %X") 
| eval Last=strftime(Last,"%x %X")
| sort -count host, EventCode, SourceName, Type 
| rename EventCode as "EventId"
| table host,EventId,SourceName,Type,First,Last,Sample_Message,count

and the date is shown in the report as expected.


elliotproebstel
Champion

Great! Glad to help.
