Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to format $job.earliestTime$ in a report email body or subject?

harfel
Explorer
‎12-03-2019 01:54 PM

I've read through a lot of questions on the subject of adding or formatting a date on an email report and have not found a solution that works for me. I'd like to add a dynamic date value for the earliest date of an interval for which a report runs. The formatting of $job.earliestTime$ is unnecessarily verbose so unless I can simplify it to MM/dd/YYYY I cannot use it.

As alternatives I'm aware of using eval fieldname=strftime(dateField, "%x") to do the formatting and $result.dateField$ to access the value in the email, but that results in an additional column that I don't want to have in my table. Using ..|fields -dateField to remove the column means that $result.dateField$ does not return anything. I'm also aware that modifying
sendemail.py would probably solve this, but I don't have access to it so I'd prefer to avoid going that route.

Is there no way to add a custom formatted date to an email without having to add it as a column in your search results? Or is it not possible to custom format $job.earliestTime$?

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-03-2019 02:22 PM

You can add this to the bottom of your SPL:

... | rename datefield AS _datefield

which will make the field invisible but you can still access it with $result._datefield$!

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-03-2019 02:22 PM

You can add this to the bottom of your SPL:

... | rename datefield AS _datefield

which will make the field invisible but you can still access it with $result._datefield$!

Reply
Solved! Jump to solution

harfel
Explorer
‎12-04-2019 06:23 AM

Thank you very much!

It looks like fields named with a preceding underscore are automatically hidden from the results? I did a lot o reading and did not come across this helpful piece of info. Hopefully it will be easier now for others to find it.

Reply
Get Updates on the Splunk Community!

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...

Splunk Observability Cloud | Enhancing Your Onboarding Experience with the ...

We understand that your initial experience with getting data into Splunk Observability Cloud is crucial as it ...