fieldformat

fieldformat is a pretty popular search command and it is used in all sorts of situations. Below are some really cool searches that use fieldformat along with other search commands.

Splunk Server's Time

* | head 1 | eval tnow = now() | fieldformat tnow=strftime(tnow, "%c %Z") | table tnow

purpose:

shows the time according to the Splunk server

requirements:

comments:

Time between events

<search>
| sort _time
| streamstats current=f global=f window=1 last(_time) as last_ts
| eval time_since_last = _time - last_ts
| fieldformat time_since_last = tostring(time_since_last, "duration")

purpose:

add a field to each event holding the time between this event and the previous one (the duration between events)

requirements:

any data. the only field requirement in this search is _time

comments:

More than a day between events

<search>
| sort _time
| streamstats current=f global=f window=1 last(_time) as last_ts
| eval time_since_last = _time - last_ts
| fieldformat time_since_last = tostring(time_since_last, "duration")
| where time_since_last > 60*60*24

purpose:

find situations where there is more than a day between two events

requirements:

any events. the only field dependency is _time

comments:
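The two gap searches above share one mechanism: sort by _time, use streamstats with current=f window=1 to carry the previous event's timestamp forward, subtract, and then only change how the result is displayed with fieldformat. Because fieldformat is display-only, the where clause in the third search still compares raw seconds, which is why it works. The Python below is an added example (not part of the original page and not Splunk code) that reimplements that pipeline over constructed sample events so the window logic and the "duration" rendering can be checked offline; the sample events, the assumed day-prefixed "D+HH:MM:SS" rendering of tostring(x, "duration") and the function names are all assumptions of this example. The same gap check is the usual starting point for spotting a log source that has gone silent.

```python
"""Added example: Python reconstruction of the 'Time between events' and
'More than a day between events' searches. Not code from the original page."""

from datetime import datetime, timezone

# Constructed sample events: (_time as epoch seconds, host). Deliberately
# out of order, as raw results often are before "| sort _time".
SAMPLE_EVENTS = [
    {"_time": 1_700_000_000, "host": "web01"},
    {"_time": 1_700_003_600, "host": "web01"},   # 1 hour after the first
    {"_time": 1_700_001_800, "host": "web01"},   # 30 minutes after the first
    {"_time": 1_700_100_000, "host": "web01"},   # 1 day 02:46:40 after the previous
]


def format_duration(seconds):
    """Assumed rendering of tostring(x, "duration"): HH:MM:SS, with a leading
    D+ when the value spans a day or more (e.g. 1+02:46:40)."""
    seconds = int(seconds)
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    hms = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    return f"{days}+{hms}" if days else hms


def time_since_last(events):
    """Equivalent of:
    | sort _time
    | streamstats current=f global=f window=1 last(_time) as last_ts
    | eval time_since_last = _time - last_ts
    Returns a new sorted list. The first event has no previous event, so its
    last_ts and time_since_last stay unset (None), as they are null in Splunk."""
    out = []
    last_ts = None
    for ev in sorted(events, key=lambda e: e["_time"]):
        row = dict(ev)
        row["last_ts"] = last_ts
        row["time_since_last"] = None if last_ts is None else ev["_time"] - last_ts
        out.append(row)
        last_ts = ev["_time"]
    return out


def gaps_longer_than(events, threshold_seconds=60 * 60 * 24):
    """Equivalent of '| where time_since_last > 60*60*24'. The comparison uses
    the raw seconds: fieldformat only changes how a value is displayed, never
    the value itself, so the where clause in the original search still works."""
    return [
        row for row in time_since_last(events)
        if row["time_since_last"] is not None
        and row["time_since_last"] > threshold_seconds
    ]


def render(rows):
    """Apply the display-time formatting the searches use: a strftime-style
    _time and the duration string for time_since_last."""
    rendered = []
    for row in rows:
        rendered.append({
            "_time": datetime.fromtimestamp(row["_time"], tz=timezone.utc).strftime("%c %Z"),
            "host": row["host"],
            "time_since_last": (None if row["time_since_last"] is None
                                else format_duration(row["time_since_last"])),
        })
    return rendered


if __name__ == "__main__":
    for row in render(time_since_last(SAMPLE_EVENTS)):
        print(row)
    print("gaps over a day:", render(gaps_longer_than(SAMPLE_EVENTS)))
```

One caveat when running the SPL version on large result sets: sort without a count keeps only its default maximum number of results, so use sort 0 _time when every event must be included, otherwise a gap can appear where events were simply truncated.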