Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to format $job.earliestTime$ in a report email body or subject?

harfel
Explorer
‎12-03-2019 01:54 PM

I've read through a lot of questions on the subject of adding or formatting a date on an email report and have not found a solution that works for me. I'd like to add a dynamic date value for the earliest date of an interval for which a report runs. The formatting of $job.earliestTime$ is unnecessarily verbose so unless I can simplify it to MM/dd/YYYY I cannot use it.

As alternatives I'm aware of using eval fieldname=strftime(dateField, "%x") to do the formatting and $result.dateField$ to access the value in the email, but that results in an additional column that I don't want to have in my table. Using ..|fields -dateField to remove the column means that $result.dateField$ does not return anything. I'm also aware that modifying
sendemail.py would probably solve this, but I don't have access to it so I'd prefer to avoid going that route.

Is there no way to add a custom formatted date to an email without having to add it as a column in your search results? Or is it not possible to custom format $job.earliestTime$?

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-03-2019 02:22 PM

You can add this to the bottom of your SPL:

... | rename datefield AS _datefield

which will make the field invisible but you can still access it with $result._datefield$!

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-03-2019 02:22 PM

You can add this to the bottom of your SPL:

... | rename datefield AS _datefield

which will make the field invisible but you can still access it with $result._datefield$!

Reply
Solved! Jump to solution

harfel
Explorer
‎12-04-2019 06:23 AM

Thank you very much!

It looks like fields named with a preceding underscore are automatically hidden from the results? I did a lot o reading and did not come across this helpful piece of info. Hopefully it will be easier now for others to find it.

Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
Top