|
My email alerts coming out of the system for simple timecharts and stats have _time in epoch format. Is there a master configuration that will convert these to default to a standard datetime format. |
|
_time is in epoch time and cannot be changed. You can however, for reporting reasons, convert it to local time as desired by using: Then if you notice, you will have a new field called LOCALTIME which should be what you wanted... |
|
Practically speaking, Genti has your answer: make a new field, optionally hide the _time field (with |fields). I think there's an Enhancement Request here for formatting in email alerts. I'd appreciate if you could toss an email to support about it. Product management really grooves on stuff like, if you're willing. Not elaborate, but a thumbnail sketch.
Personally I wonder if this relates to general email formatting/presentation needs. Some questions I'd think to ask as an engineer: Is this needed for CSV, or table, or html output? All? None? Will typing a strftime string into a conf file get the job done? Appreciate the answers. I will submit a enhancement request. I had a heck of a time with this one but probably just due to my lack of experience. I was producing an email alert that compared todays values to last weeks values (following the advice in http://answers.splunk.com/questions/2712/line-chart-comparing-yesterdays-result-with-todays-result-in-dashboard). However, I could never get the time right until I converted this to a table and played around with time format function quite a bit. Everything in the UI looked good but the email converted back to Epoch.
(27 Jan '11, 16:44)
geoffn
|
