Hi,
I have to rename _time to "Download DateTime" in my view. I did the same using following in the search command:
eval my_time=_time | convert timeformat="%m/%d/%Y %H:%M:%S %p" ctime(my_time) | rename my_time as "Download_DateTime"
After renaming the column, the default sorting (up/down arrows) provided by SimpleResultTable doesn't work correctly. Is this happening because the column is converted to formatted string?
I also tried convert timeformat="%m/%d/%Y %H:%M:%S %p" ctime(_time) as "Download DateTime".
Is there a work around for this? Any help will be appreciated.
Thanks in advance,
Suvelee
Yes, it is because you are trying to sort a string. Don't use convert
. Instead, use the fieldformat
command with the strftime()
function.
Thanks for the quick response. I tried using fieldformat comamnd but I got "Search operation 'fieldformat' is unknown. You might not have permission to run this operation."
I am using Splunk 4.1.2 version. Is fieldformat available in this version?