Reporting

Is it possible to format $job.earliestTime$ in a report email body or subject?

harfel
Explorer

I've read through a lot of questions on the subject of adding or formatting a date on an email report and have not found a solution that works for me. I'd like to add a dynamic date value for the earliest date of an interval for which a report runs. The formatting of $job.earliestTime$ is unnecessarily verbose so unless I can simplify it to MM/dd/YYYY I cannot use it.

As alternatives I'm aware of using eval fieldname=strftime(dateField, "%x") to do the formatting and $result.dateField$ to access the value in the email, but that results in an additional column that I don't want to have in my table. Using ..|fields -dateField to remove the column means that $result.dateField$ does not return anything. I'm also aware that modifying
sendemail.py would probably solve this, but I don't have access to it so I'd prefer to avoid going that route.

Is there no way to add a custom formatted date to an email without having to add it as a column in your search results? Or is it not possible to custom format $job.earliestTime$?

1 Solution

woodcock
Esteemed Legend

You can add this to the bottom of your SPL:

... | rename datefield AS _datefield

which will make the field invisible but you can still access it with $result._datefield$!

View solution in original post

woodcock
Esteemed Legend

You can add this to the bottom of your SPL:

... | rename datefield AS _datefield

which will make the field invisible but you can still access it with $result._datefield$!

harfel
Explorer

Thank you very much!

It looks like fields named with a preceding underscore are automatically hidden from the results? I did a lot o reading and did not come across this helpful piece of info. Hopefully it will be easier now for others to find it.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...