I'm using fieldformat (Splunk 5.0.5, search head in a cluster, if that matters) in order to change how the time is displayed and to preserve proper sorting in tables; however, it appears that it does not work correctly at all (sorting still fails).
Here's what I'm doing:
index=windows source="wineventlog:security" "EventCode=644" OR "EventCode=4740" | fieldformat Time=strftime(_time, "%d.%m.%Y %H:%M:%S") | table _time Time host Account_Name
This displays a table that uses both the original _time and Time. The Time variable is properly displayed but sorting by it fails.
If I do this:
index=windows source="wineventlog:security" "EventCode=644" OR "EventCode=4740" | fieldformat _time=strftime(_time, "%d.%m.%Y %H:%M:%S") | table _time host Account_Name
Then time is completely lost and all entries show as 1/1/01 12:00:00.000 AM.
Any clues?
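As an added example (not part of the original question and not an official Splunk answer): the search below keeps a numeric copy of _time in a separate field, applies fieldformat only to that copy for display, and sorts in the search pipeline on the numeric value rather than relying on the table's column sort. It assumes EventCode and Account_Name are extracted fields on the Windows security events, as in the searches above.

```spl
index=windows source="wineventlog:security" (EventCode=644 OR EventCode=4740)
| eval Time=_time
| fieldformat Time=strftime(Time, "%d.%m.%Y %H:%M:%S")
| sort - Time
| table Time host Account_Name
```

The eval copies the epoch value, so Time remains a number in the results; fieldformat only changes how that number is rendered, and the explicit sort orders events newest first by the underlying epoch before the table is built. The original _time field is left untouched, which avoids the empty 1/1/01 timestamps seen when _time itself is reformatted into a string.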