Best Practice: Create a fixed-width column using format()

It's common to use the collect() function inside groupBy() to list the distinct values of other fields for each group. However, you'll occasionally encounter a situation where one collected field doesn't line up with another, e.g. there are only two distinct severity values but a dozen distinct detectionName values.

For example:

#kind=Primary
| eventType=K8SDetectionEvent
| groupBy(resourceName, function=[collect([severity, detectionName, clusterName], limit=10000), count(as="Total Events")], limit=max)

The results will look similar to this:

To align the severity field results with the detectionName field results, you can use format() to build a single left-aligned, right-padded column that combines the two values:

#kind=Primary
| eventType=K8SDetectionEvent
// The first value is the severity padded to 18 characters, followed by the detectionName.
| "Detection Type":=format("%-18s %s", field=[severity, detectionName])
| groupBy(resourceName, function=[collect(["Detection Type", clusterName], limit=10000), count(as="Total Events")], limit=max)
| sort("Total Events", limit=10000)

The format() line says: left-align the first value and pad it with spaces until it is 18 characters wide, then append the second value after a single space.
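As an added illustration (not part of the original page, and not LogScale code), the following Python model runs the two queries above over a handful of constructed K8SDetectionEvent records so the misaligned collect() lists and the aligned "Detection Type" column can be compared directly. Field names follow the page; the event values, resource and cluster names are constructed sample data, and the model also shows that %-18s pads but never truncates a value longer than 18 characters.

```python
# Added example, not from the original page: a Python model of what the two
# LogScale queries do to constructed K8SDetectionEvent records. Field names
# (resourceName, severity, detectionName, clusterName) follow the page; the
# event values are constructed sample data.
from collections import OrderedDict

EVENTS = [  # constructed: one resource with 2 severities but 3 detection names
    {"resourceName": "web-pod-1", "severity": "High",   "detectionName": "PrivilegeEscalation", "clusterName": "prod-east"},
    {"resourceName": "web-pod-1", "severity": "Medium", "detectionName": "SuspiciousExec",      "clusterName": "prod-east"},
    {"resourceName": "web-pod-1", "severity": "High",   "detectionName": "CredentialAccess",    "clusterName": "prod-west"},
    {"resourceName": "web-pod-1", "severity": "Medium", "detectionName": "SuspiciousExec",      "clusterName": "prod-east"},
    {"resourceName": "db-pod-2",  "severity": "Low",    "detectionName": "SuspiciousExec",      "clusterName": "prod-east"},
]

def detection_type(event, width=18):
    """Mirror of format("%-18s %s", field=[severity, detectionName]): left-align
    severity, pad it with spaces to `width`, then append detectionName.
    Caveat: %-18s pads but never truncates, so a severity longer than the width
    pushes the detectionName column to the right for that row only."""
    return "%-*s %s" % (width, event["severity"], event["detectionName"])

def add_detection_type(events, width=18):
    """Mirror of the  "Detection Type":=format(...)  assignment line."""
    return [dict(ev, **{"Detection Type": detection_type(ev, width)}) for ev in events]

def group_by_resource(events, collect_fields):
    """Mirror of groupBy(resourceName, function=[collect([...]), count(as="Total Events")])
    followed by sort("Total Events"). collect() keeps the distinct values of each
    listed field independently, which is why the severity and detectionName lists
    end up with different lengths in the first query."""
    groups = OrderedDict()
    for ev in events:
        g = groups.setdefault(ev["resourceName"], {"Total Events": 0})
        g["Total Events"] += 1
        for f in collect_fields:
            vals = g.setdefault(f, [])
            if ev[f] not in vals:
                vals.append(ev[f])
    # sort() in the page's query orders by Total Events, descending by default
    return OrderedDict(sorted(groups.items(), key=lambda kv: -kv[1]["Total Events"]))

def before_and_after(events=EVENTS):
    """Return (misaligned, aligned) results for the two queries on the page."""
    before = group_by_resource(events, ["severity", "detectionName", "clusterName"])
    after = group_by_resource(add_detection_type(events), ["Detection Type", "clusterName"])
    return before, after
```

Calling before_and_after() shows the first query producing two severity values against three detectionName values for web-pod-1, while the second query yields three combined rows whose detectionName column starts at the same offset on every line.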

Now, you have this: