Solved: Re: Date formatted fine in dashboard but incorrect...

adigrio · ‎12-18-2017

Hi,

I have a report created from one of the Windows Event Logs Analysis App dashboards. The dashboards displays the first and last time for the Windows events in scope of the search and the timestamps are displayed as expected:

However, a report created from the same search displays the date in Unix format when sent by email. For example, 1513508869 instead of 12/17/17 10:27:26:

The search command is:

`event_sources` 
| fillnull  
| eval Type=if(Keywords=="Audit Success",Keywords, Type) 
| eval Type=if(Keywords=="Audit Failure",Keywords, Type) 
| search ((Type="Error" OR Type="Warning") OR (Type="Denial" OR Type="Audit Failure")) 
| stats earliest(_time) as First latest(_time) as Last max(Message) as Sample_Message count by host, EventCode, SourceName, Type 
| sort -count host, EventCode, SourceName, Type 
| rename EventCode as "EventId" 
| fieldformat First=strftime(First,"%x %X") 
| fieldformat Last=strftime(Last,"%x %X")

event_sources is a macro that specifies where the Windows event logs are indexed.

Is this a bug or a limitation of the emailed reports?

elliotproebstel · ‎12-18-2017

I suspect that fieldformat is not respected in exporting to reports, much as it's not supported for exporting to CSVs or lookups.

The fieldformat command does not apply to commands that export data, such as the outputcsv and output lookup commands. The export retains the original data format and not the rendered format. If you want the format to apply to exported data, use the eval command instead of the fieldformat command.
https://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Fieldformat

As suggested in the docs above, you may need to use eval instead to get the result you're looking for.

View solution in original post

elliotproebstel · ‎12-18-2017

I suspect that fieldformat is not respected in exporting to reports, much as it's not supported for exporting to CSVs or lookups.

The fieldformat command does not apply to commands that export data, such as the outputcsv and output lookup commands. The export retains the original data format and not the rendered format. If you want the format to apply to exported data, use the eval command instead of the fieldformat command.
https://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Fieldformat

As suggested in the docs above, you may need to use eval instead to get the result you're looking for.

adigrio · ‎12-18-2017

Thanks for the answer, it did the trick. I've adjusted the search as:

`event_sources` 
| fillnull  
| eval Type=if(Keywords=="Audit Success",Keywords, Type) 
| eval Type=if(Keywords=="Audit Failure",Keywords, Type) 
| search ((Type="Error" OR Type="Warning") OR (Type="Denial" OR Type="Audit Failure")) 
| stats earliest(_time) as First latest(_time) as Last max(Message) as Sample_Message count by host, EventCode, SourceName, Type 
| eval First=strftime(First,"%x %X") 
| eval Last=strftime(Last,"%x %X")
| sort -count host, EventCode, SourceName, Type 
| rename EventCode as "EventId"
| table host,EventCode,SourceName,Type,First,Last,Sample_Message,count

and the date is shown in the report as expected.

elliotproebstel · ‎12-18-2017

Great! Glad to help.

Date formatted fine in dashboard but incorrectly in emailed report

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes