Deprecated: 1.58
The format specifiers %a,
%A and
%S have been deprecated and will
be removed in 1.70.
You may use this query function to format a string using
printf style. The formatted string
is put in a new field. The input parameters or fields can be one field or
an array of fields.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
as | string | false | _format | The output name of the formatted field. |
field | [string] | true | The fields to format. For multiple fields, enter within square brackets, separated by commas. | |
format | string | true | The formatting codes for formatting the given string or strings. [a] | |
timezone | string | false | The timezone (e.g., Europe/Copenhagen, UTC, America/New_York, +01) when formatting dates and times. | |
Fields can only be used as datetime values if they are milliseconds since the beginning of the epoch (i.e., 1 January 1970 00:00:00 UTC).
Examples
Since there are several fields and types of fields that may be given
with the format() query function, this section
provides several examples of how to use the query function.
As a first example, suppose you want to calculate a numeric value and want to format the results so that it shows only two decimal places. You would do that like this:
source_type=file | avg(field=responsesize) | format("%,.2f", field=_avg)In this example, the query is selected events that contain files, then averaging the value of the field containing the size of the file. This number is then piped to the format() query function. First, it's given a formatting code — how the field value should be formatted. You can see the results shown in the screenshot shown in figure here below.
Figure 291. format() Result using a Gauge Widget
This screenshot presents the results in a Gauge Widget to make it easier to illustrate.
Concatenate two fields with a comma as separator:
format(format="%s,%s", field=[a, b], as="combined") | table(combined)Get the hour of day out of the event @timestamp:
format("%tm", field=@timestamp, as=hour) | table(hour)Create a link with title based on the extracted content:
$extractRepo() | top(repo) | format("[Link](https://example.com/%s)", field=repo, as=link)Format Specifiers
A format specifier is formed like this:
%[argument_index][flags][width][.precision][length]type[modifiers]
Sections in square brackets, for example
[flags], are optional and can be
left out.
Supported Types
The supported type specifiers are the following.
| Type | Output |
|---|---|
| d or i | Signed decimal integer |
| b or B | Boolean (uppercase and lowercase, respectively) |
| o | Unsigned octal |
| x or X | Signed hexadecimal integer (lowercase and uppercase, respectively) |
| f or F | Decimal floating point |
| e or E | Scientific-notation (exponential) floating point |
| g or G | Scientific or decimal floating point |
| t or T | Date/Time (lowercase or uppercase, respectively) |
| c or C | Single character (lowercase or uppercase, respectively) |
| s | String of characters |
| n | Newline character |
| % | The format specifier %% will produce a single % |
Numbers
| Type | Output |
|---|---|
| d or i | Signed decimal integer |
| o | Unsigned octal |
| x or X | Signed hexadecimal integer |
| f or F | Decimal floating point |
| e or E | Scientific-notation (exponential) floating point |
| g or G | Scientific or decimal floating point (depending on input) |
A number is a field that contains only an integer or a real number,
with no grouping, e.g. 1,000 is
not a number. Scientific notation, e.g.,
1.74587E100 is supported.
If a field is not a number following the above description, the output
of format given any of the above
type specifiers is null.
Octal Formatting
Type specifier o, does not
support negative numbers. If the given field is a negative integer,
the output in undefined.
Hexadecimal Formatting
Type specifiers x and
X expect the corresponding
field to be that of a 64-bit signed integer and produce the same
integer in the
Hexadecimal
numeral system stripped of any leading zeros. For instance,
if a field num contains the
value 42, running format("%X",
fields=[num]) produces the field
_format = 2A. Notice that
format() does not add the common denomination
of 0x (from the C programming
language) to the produced output unless given the
# flag. Likewise,
0x can be added explicitly to
the format string as format("0x%X",
fields=[num]) which would then produce the field
_format = 0x2A.
Hexadecimal formatting is closely related to the binary
representation of the integer, which is in
Two's
complement representation. This has the adverse effect that
the hexadecimals produced for negative integers can have a large
amount of leading F
characters. If your input is a signed 32-bit integer, you can
shorten the output of format() down to only
display output corresponding to 32-bits, using the length
specifiers.
Floating Point Formatting
Type specifiers f and
F format the given field as a
real number with the specified precision. See
Supported Precision
for more information.
Type specifiers e and
E formats the given field as a
real number in scientific notation, lowercase and uppercase
respectively. For instance,
176.54 formatted using
%e becomes
1.765400e+02.
For type specifiers g and
G the specified precision
represents the amount of significant figures, instead of the number
of digits after the decimal point. If the integer part of the number
is larger than the specified amount of significant digits,
g and
G behave like
e and
E respectively, otherwise they
behave like f and
F. Notice that the minimum
precision is 6 and the maximum precision is 9.
Booleans (true and false)
| Type | Output |
|---|---|
| b or B | Boolean |
On type specifier b or
B, if the corresponding field is
false, then the result is
false or
FALSE respectively. Otherwise,
the result is true or
TRUE, respectively.
Strings
| Type | Output |
|---|---|
| c or C | Single character (lowercase or uppercase, respectively) |
| s | String of characters |
| n | Newline character |
A string is any sequence of length >=
1 consisting of unicode characters. Any field will match
this description.
On type specifier c, the first
character of the string is output. Type specifier
s outputs the specified field.
Date/Time
| Type | Output |
|---|---|
| t or T | Date/Time (lowercase or uppercase, respectively) |
Fields can only be used as date/time values if they are in
milliseconds since the beginning of the Unix epoch, 1 January 1970
00:00:00 UTC. If the field is anything else, format outputs
null.
All Date/Time type specifiers must be followed by a Date/Time modifier. The following time modifiers are available:
| Modifier | Output |
|---|---|
| H | Hour of the day for the 24-hour clock, formatted as two digits with a leading zero as necessary, that is 00 - 23. |
| I | Hour of the day for the 12-hour clock, formatted as two digits with a leading zero as necessary, that is 01 - 12. |
| k | Hour of the day for the 24-hour clock, that is 0 - 23. |
| l | Hour of the day for the 12-hour clock, that is 1 - 12. |
| M | Minutes within the hour formatted as two digits with a leading zero as necessary, that is 00 -59. |
| S | Seconds within the minute, formatted as two digits with a leading zero as necessary, that is 00 - 60 ('60' is a special value required to support leap seconds). |
| L | Milliseconds within the second formatted as three digits with leading zeros as necessary, that is 000 - 999. |
| N | Nanoseconds within the second, formatted as nine digits with leading zeros as necessary, that is 000000000 - 999999999. |
| p | Locale-specific morning or afternoon marker in lower case, for example 'am' or 'pm'. Use of the conversion prefix 'T' forces this output to upper case. |
| z | RFC 822 style numeric time zone offset from GMT, for example -0800. This value will be adjusted as necessary for Daylight Saving Time. May depend on locale. |
| Z | A string representing the abbreviation for the time zone. This value will be adjusted as necessary for Daylight Saving Time. May depend on locale. |
| s | Seconds since the beginning of the epoch starting at 1 January 1970 00:00:00 UTC, that is Long.MIN_VALUE/1000 to Long.MAX_VALUE/1000, where Long is a 64-bit signed integer. |
| Q | Milliseconds since the beginning of the epoch starting at 1 January 1970 00:00:00 UTC, that is Long.MIN_VALUE to Long.MAX_VALUE, where long is a 64-bit signed integer. |
The following date modifiers are available:
| Modifier | Output |
|---|---|
| Y | Year, formatted as at least four digits with leading zeros as necessary, for example 0092 equals 92 CE for the Gregorian calendar. |
| y | Last two digits of the year, formatted with leading zeros as necessary, that is 00 - 99. |
| j | Day of year, formatted as three digits with leading zeros as necessary, for example 001 - 366 for the Gregorian calendar. |
| m | Month, formatted as two digits with leading zeros as necessary, that is 01 - 13. |
| d | Day of month, formatted as two digits with leading zeros as necessary, that is 01 - 31. |
| e | Day of month, formatted as two digits, that is 1 - 31. |
Furthermore, the following special date/time modifiers are available:
| Modifier | Output |
|---|---|
| R | Time formatted for the 24-hour clock as %tH:%tM. |
| T | Time formatted for the 24-hour clock as %tH:%tM:%tS. |
| r | Time formatted for the 12-hour clock as %tI:%tM:%tS %Tp. The location of the morning or afternoon marker ('%Tp') may be locale-dependent. |
| D | Date formatted as %tm/%td/%ty. |
| F | ISO 8601 complete date formatted as %tY-%tm-%td. |
Other
| Type | Output |
|---|---|
| % |
The format specifier %%
will produce a single %
|
Supported Argument Index Specifiers
The argument index is a decimal integer indicating the position of the
argument in the fields list. The first argument is referenced by
1$, the second by
2$, and so on. Another way to
reference arguments by position is to use the
'<'(\u003c) flag, which
causes the argument for the previous format specifier to be re-used.
For example, the following two statements produce identical strings:
format("Event date: %1$Tm/%1$Te/%1$TY", fields=[@timestamp], timezone="Europe/Copenhagen")
format("Event date: %1$Tm/%<Te/%<TY", fields=[@timestamp], timezone="Europe/Copenhagen")If no argument index is specified, the first format specifier refers to the first argument of the fields list, the second format specifier refers to the second argument and so on.
Supported Flags
| Flags | Description |
|---|---|
| -sign | Left-justify within the given field width; Right justification is the default. |
| +sign | Forces preceding the result with a plus or minus sign (+ or -) even for positive numbers. By default, only negative numbers are preceded with a -sign. |
| (space) | If no sign is written, a blank space is inserted before the value. |
| # | Used with o, b, x or X type specifiers the value is preceded with 0, 0b, 0x or 0X respectively for values different than zero. Used with f or F it forces the written output to contain a decimal point even if no more digits follow. By default, if no digits follow, no decimal point is written. |
| 0 | Left-pads the number with zeros (0) instead of spaces when padding is specified (see width sub-specifier). |
| , | Groups the output in thousands, for instance 10000 becomes 10,000. |
Supported Width
| Width | Description |
|---|---|
| (number) | Minimum number of characters to be printed. If the value to be printed is shorter than this number, the result is padded with blank spaces. The value is not truncated even if the result is larger. |
Supported Precision
| Precision | Description |
|---|---|
| .number | For integer specifiers (d, i, o, u, x, X): precision specifies the minimum number of digits to be written. If the value to be written is shorter than this number, the result is padded with leading zeros. The value is not truncated even if the result is longer. A precision of 0 means that no character is written for the value 0. For f and F specifiers: this is the number of digits to be printed after the decimal point. By default, this is 6, maximum is 9. For 'g' and 'G' specifiers: this is number of significant digits with which to display the number. For s: this is the maximum number of characters to be printed. By default all characters are printed until the ending null character is encountered. If the period is specified without an explicit value for precision, 0 is assumed. |
Supported Length
The length argument specifies the length with which to interpret the given fields' data type.
In general, format() interprets any number that
is not a floating point number to be that of a 64-bit signed integer
and formats any such integer with leading zeros removed. For instance,
converting 42 to hexadecimal with the format string
0x%X produces the string
0x2A and not one with 62 leading
zeros. However, conversions of negative numbers to hexadecimal are
represented using
Two's
complement which entails a large number of leading
F characters. For example, the
number -1 is by default
represented using all 64-bits, hence the above format string produces
0xFFFFFFFFFFFFFFFF. This can for
example be brought down to
0xFFFFFFFF by specifying the
h length argument.
| Length | Description |
|---|---|
| (none) | Signed 64-bit integer |
| h | Signed 32-bit integer |