Updated macros as per the review comments

cyences_app_for_splunk/default/data/ui/views/cs_windows_cert_store.xml

@@ -3,14 +3,14 @@
   <search id="base_local_certs">
     <query> `cs_windows_cert_store_idx` sourcetype="windows:certstore:local" 
 | dedup host SerialNumber 
-| eval NotAfter = `cs_windows_cert_time_format(NotAfter)`
-| eval NotBefore = `cs_windows_cert_time_format(NotBefore)`
+| `cs_windows_cert_time_format(NotAfter)`
+| `cs_windows_cert_time_format(NotBefore)`
 | eval interval_start=relative_time(now(),"-1m") 
 | eval interval_end=relative_time(now(),"+$expiry_day$d") 
 | where interval_start&lt;NotAfter AND NotAfter&lt;interval_end 
 | rename host as Host 
-| fieldformat NotAfter=strftime(NotAfter, "%+") 
-| fieldformat NotBefore=strftime(NotBefore, "%+") 
+| `cs_human_readable_time_format(NotAfter)` 
+| `cs_human_readable_time_format(NotBefore)` 
 | table Host Subject DnsNameList Issuer NotBefore NotAfter FriendlyName SerialNumber PSPath PSParentPath PSParentPath_FriendlyName 
 | fillnull value="-" PSParentPath_FriendlyName</query>
     <earliest>$time_range.earliest$</earliest>
@@ -19,15 +19,15 @@
   <search id="base_ca_certs">
     <query>`cs_windows_cert_store_idx` sourcetype="windows:certstore:ca:issued" 
 | dedup Issued_Request_ID 
-| eval Certificate_Expiration_Date = `cs_windows_cert_time_format(Certificate_Expiration_Date)`
-| eval Certificate_Effective_Date = `cs_windows_cert_time_format(Certificate_Effective_Date)`
+| `cs_windows_cert_time_format(Certificate_Expiration_Date)`
+| `cs_windows_cert_time_format(Certificate_Effective_Date)`
 | eval interval_start=relative_time(now(),"-1m") 
 | eval interval_end=relative_time(now(),"+$issued_expiry$d") 
 | where interval_start&lt;Certificate_Expiration_Date AND Certificate_Expiration_Date&lt;interval_end 
 | join Certificate_Template type=left [`cs_windows_cert_name_mapping`]
 | eval Certificate_Template=if(isnull(Certificate_Name),Certificate_Template,Certificate_Name."(".Certificate_Template.")") 
-| fieldformat Certificate_Effective_Date=strftime(Certificate_Effective_Date, "%+") 
-| fieldformat Certificate_Expiration_Date=strftime(Certificate_Expiration_Date, "%+") 
+| `cs_human_readable_time_format(Certificate_Expiration_Date)`
+| `cs_human_readable_time_format(Certificate_Effective_Date)`
 | table Issued_Common_Name Issued_Request_ID Certificate_Effective_Date Certificate_Expiration_Date Certificate_Template Requester_Name Request_Disposition_Message Serial_Number</query>
     <earliest>$time_range.earliest$</earliest>
     <latest>$time_range.latest$</latest>
@@ -47,19 +47,16 @@
       <table>
         <search>
           <query>`cs_wineventlog_security` EventCode=4887 
-| rename _time as Timestamp host as Host name as Name
-| eval Timestamp = strftime(Timestamp, "%+") 
+| rename host as Host name as Name
+| `cs_human_readable_time_format(_time, Timestamp)`
 | table Timestamp Host EventCode Name Requester Subject</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
           <sampleRatio>1</sampleRatio>
         </search>
-        <option name="count">100</option>
-        <option name="dataOverlayMode">none</option>
+        <option name="count">10</option>
         <option name="drilldown">none</option>
-        <option name="percentagesRow">false</option>
         <option name="rowNumbers">true</option>
-        <option name="totalsRow">false</option>
         <option name="wrap">true</option>
       </table>
     </panel>

cyences_app_for_splunk/default/macros.conf

@@ -695,7 +695,7 @@ iseval = 0
 
 [cs_windows_cert_time_format(1)]
 args = fieldname
-definition = coalesce(strptime('$fieldname$', "%d-%m-%Y %H:%M:%S"), strptime('$fieldname$', "%m/%d/%Y %l:%M:%S %p"))
+definition = eval "$fieldname$" = coalesce(strptime('$fieldname$', "%d-%m-%Y %H:%M:%S"), strptime('$fieldname$', "%m/%d/%Y %l:%M:%S %p"))
 iseval = 0
 
 # Sysmon