Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to format $job.earliestTime$ in a report email body or subject?

harfel
Explorer
‎12-03-2019 01:54 PM

I've read through a lot of questions on the subject of adding or formatting a date on an email report and have not found a solution that works for me. I'd like to add a dynamic date value for the earliest date of an interval for which a report runs. The formatting of $job.earliestTime$ is unnecessarily verbose so unless I can simplify it to MM/dd/YYYY I cannot use it.

As alternatives I'm aware of using eval fieldname=strftime(dateField, "%x") to do the formatting and $result.dateField$ to access the value in the email, but that results in an additional column that I don't want to have in my table. Using ..|fields -dateField to remove the column means that $result.dateField$ does not return anything. I'm also aware that modifying
sendemail.py would probably solve this, but I don't have access to it so I'd prefer to avoid going that route.

Is there no way to add a custom formatted date to an email without having to add it as a column in your search results? Or is it not possible to custom format $job.earliestTime$?

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-03-2019 02:22 PM

You can add this to the bottom of your SPL:

... | rename datefield AS _datefield

which will make the field invisible but you can still access it with $result._datefield$!

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-03-2019 02:22 PM

You can add this to the bottom of your SPL:

... | rename datefield AS _datefield

which will make the field invisible but you can still access it with $result._datefield$!

Reply
Solved! Jump to solution

harfel
Explorer
‎12-04-2019 06:23 AM

Thank you very much!

It looks like fields named with a preceding underscore are automatically hidden from the results? I did a lot o reading and did not come across this helpful piece of info. Hopefully it will be easier now for others to find it.

Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...