I have the following search:
| metadata type=hosts | eval since=now()-lastTime
| rename firstTime as "First Time", lastTime as "Last Event", recentTime as "Last Update"
| fieldformat "First Time"=strftime('First Time', "%c")
| fieldformat "Last Event"=strftime('Last Event', "%c")
| fieldformat "Last Update"=strftime('Last Update', "%c")
which formats the times correctly when executed in a search, but does not format the times at all when in the body of an alert email:
In alert:

| First Time | Last Event | Last Update | host | since | totalCount | type |
|---|---|---|---|---|---|---|
| 1423978950 | 1425327716 | 1425327717 | Hostname1 | 243484 | 13437 | hosts |
| 1423257448 | 1425414744 | 1425414744 | Hostname2 | 156456 | 2049 | hosts |
| 1423978463 | 1423978495 | 1423978835 | Hostname3 | 1592705 | 14 | hosts |

In search:

| First Time | Last Event | Last Update | host | since | totalCount | type |
|---|---|---|---|---|---|---|
| Sun Feb 15 00:42:30 2015 | Mon Mar 2 15:21:56 2015 | Mon Mar 2 15:21:57 2015 | Hostname1 | 249510 | 13437 | hosts |
| Fri Feb 6 16:17:28 2015 | Tue Mar 3 15:32:24 2015 | Tue Mar 3 15:32:24 2015 | Hostname2 | 162482 | 2049 | hosts |
| Sun Feb 15 00:34:23 2015 | Sun Feb 15 00:34:55 2015 | Sun Feb 15 00:40:35 2015 | Hostname3 | 1598731 | 14 | hosts |
Any idea how to format the times in an alert email?
Use the eval command instead of fieldformat.
| metadata type=hosts | eval since=now()-lastTime
| rename firstTime as "First Time", lastTime as "Last Event", recentTime as "Last Update"
| eval "First Time"=strftime('First Time', "%c")
| eval "Last Event"=strftime('Last Event', "%c")
| eval "Last Update"=strftime('Last Update', "%c")
Hmm, strftime doesn't sort dates properly, though. Can fieldformat be used somehow to achieve the same visible text but maintain date sorting?
Worked for me too! Nice work.
Thank you 🙂
Yep, that did it. Thanks!
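An added example, not from the original answer or comments: it keeps the eval-based approach that renders in the email, but sorts on the numeric epoch field before the conversion, so the rows stay in chronological order even though strftime output only sorts lexically. It assumes the same metadata fields as the question (firstTime, lastTime, recentTime).

```spl
| metadata type=hosts
| eval since=now()-lastTime
| sort 0 - lastTime
| eval "First Time"=strftime(firstTime, "%c"),
       "Last Event"=strftime(lastTime, "%c"),
       "Last Update"=strftime(recentTime, "%c")
| table "First Time" "Last Event" "Last Update" host since totalCount type
```

The `0` on `sort` removes its default 10,000-row limit, and because the ordering happens on the raw epoch values, the string columns produced afterwards are purely for display and no longer affect the row order in the email.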