Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to format $job.earliestTime$ in a report email body or subject?

harfel
Explorer
‎12-03-2019 01:54 PM

I've read through a lot of questions on the subject of adding or formatting a date on an email report and have not found a solution that works for me. I'd like to add a dynamic date value for the earliest date of an interval for which a report runs. The formatting of $job.earliestTime$ is unnecessarily verbose so unless I can simplify it to MM/dd/YYYY I cannot use it.

As alternatives I'm aware of using eval fieldname=strftime(dateField, "%x") to do the formatting and $result.dateField$ to access the value in the email, but that results in an additional column that I don't want to have in my table. Using ..|fields -dateField to remove the column means that $result.dateField$ does not return anything. I'm also aware that modifying
sendemail.py would probably solve this, but I don't have access to it so I'd prefer to avoid going that route.

Is there no way to add a custom formatted date to an email without having to add it as a column in your search results? Or is it not possible to custom format $job.earliestTime$?

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-03-2019 02:22 PM

You can add this to the bottom of your SPL:

... | rename datefield AS _datefield

which will make the field invisible but you can still access it with $result._datefield$!

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-03-2019 02:22 PM

You can add this to the bottom of your SPL:

... | rename datefield AS _datefield

which will make the field invisible but you can still access it with $result._datefield$!

Reply
Solved! Jump to solution

harfel
Explorer
‎12-04-2019 06:23 AM

Thank you very much!

It looks like fields named with a preceding underscore are automatically hidden from the results? I did a lot o reading and did not come across this helpful piece of info. Hopefully it will be easier now for others to find it.

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...