- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: fieldformat not working?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fieldformat not working?
I'm using fieldformat (Splunk 5.0.5, search head in a cluster, if that matters) in order to change how the time is displayed and to preserve proper sorting in tables, however it appears that it does not work correctly at all (sorting still fails).
Here's what I'm doing:
index=windows source="wineventlog:security" "EventCode=644" OR "EventCode=4740" | fieldformat Time=strftime(_time, "%d.%m.%Y %H:%M:%S") | table _time Time host Account_Name
This displays a table that uses both the original _time and Time. The Time variable is properly displayed but sorting by it fails.
If I do this:
index=windows source="wineventlog:security" "EventCode=644" OR "EventCode=4740" | fieldformat _time=strftime(_time, "%d.%m.%Y %H:%M:%S") | table _time host Account_Name
Then time is completely lost and all entries show as 1/1/01 12:00:00.000 AM.
Any clues?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fieldformat creates a representation (usually a string) for a field that is independent of its underlying value. The _time field is an internal field, and it cannot have such a representation.
Your first search gives you a representation for Time but not an underlying value that is sortable; it is simply a string. That is why it doesn't sort properly.
Your second search attempts to assign a string representation to the internal variable _time; this doesn't work.
To get what you want, try
index=windows source="wineventlog:security" EventCode=644 OR EventCode=4740
| eval Time=_time
| fieldformat Time=strftime(Time, "%d.%m.%Y %H:%M:%S")
| table Time host Account_Name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=windows source="wineventlog:security" "EventCode=644" OR "EventCode=4740" | eval Time=strftime(_time, "%d.%m.%Y %H:%M:%S")|fields - _time| sort + Time | table Time host Account_Name
Works in Splunk 6, not sure where the sorting fails!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, there was a typo in my answer. I then tested this on my Splunk and it works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nope, this still doesn't work for me. The Time field is empty (no content at all).
If I put fieldformat Time=strftime(_time ...) then sorting doesn't work.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
