You may use this query function to format a string using
printf style. The formatted string is put in a new
field. The input parameters or fields can be one field or an array of
fields.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
as | string | false | _format | The output name of the formatted field. |
field | [string] | true | The fields to format. For multiple fields, enter within square brackets, separated by commas. | |
format | string | true | The formatting codes for formatting the given string or strings. | |
timezone | string | false | The timezone (e.g., Europe/Copenhagen, UTC, America/New_York, +01) when formatting dates and times. |
When you provide only one parameter, the implied parameter is
format.
Fields can only be used as datetime values if they are milliseconds since the beginning of the epoch (i.e., 1 January 1970 00:00:00 UTC).
Examples
Since there are several fields and types of fields that may be given
with the format() query function, this section
provides several examples of how to use the query function.
As a first example, suppose you want to calculate a numeric value and want to format the results so that it shows only two decimal places. You would do that like this:
source_type=file | avg(field=responsesize) | format("%,.2f", field=_avg)In this example, the query is selected events that contain files, then averaging the value of the field containing the size of the file. This number is then piped to the format() query function. First, it's given a formatting code — how the field value should be formatted. You can see the results shown in the screenshot shown in figure here below.
Figure 255. format() Result using a Gauge Widget
This screenshot presents the results in a Gauge Widget to make it easier to illustrate.
Concatenate two fields with a comma as separator:
format(format="%s,%s", field=[a, b], as="combined") | table(combined)
Get the hour of day out of the event
@timestamp:
format("%tm", field=@timestamp, as=hour) | table(hour)Create a link with title based on the extracted content:
$extractRepo() | top(repo) | format("[Link](https://example.com/%s)", field=repo, as=link)