format() Query Function

Formats a string using printf-style formatting. The formatted string is put in a new field named by the as parameter (default is _format). The fields used as input to the formatting are named using the field parameter, which can be an array. This function is backed by Java's Formatter class; for details of the format syntax, see the Java documentation for that class. At the moment, fields can only be used as datetime values if they are in ISO 8601 format or if they are milliseconds since the beginning of the epoch, which starts at 1 January 1970 00:00:00 UTC.

Parameters

| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| format | string | Yes | | The formatter string. See the Java documentation. |
| field | [string] | Yes | | Fields to insert into the formatter string. These are the names of fields on events, not actual values. |
| as | string | No | _format | The output name of the field with the formatted string. |
| timezone | string | No | | When formatting dates and times it is possible to specify a timezone (e.g., Europe/Copenhagen, UTC, America/New_York, +01). |

The implied parameter is format.

Examples

Format a number to have 2 decimals and a thousands separator (,) if larger than 1000:

```humio
format("%,.2f", field=price, as=price) | table(price)
```

Concatenate 2 fields with a comma as separator:

```humio
format(format="%s,%s", field=[a, b], as="combined") | table(combined)
```

Get the hour of day out of the event's @timestamp (in Java's Formatter, %tH is the hour of day, while %tm is the month):

```humio
format("%tH", field=@timestamp, as=hour) | table(hour)
```

Create a link with title based on the extracted content:

```humio
$extractRepo() | top(repo) | format("[Link](https://example.com/%s)", field=repo, as=link)
```
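
Because the function is described above as backed by Java's Formatter class, a format string can be previewed in plain Java before it goes into a query. The following is an added example, not Humio's implementation and not code from the original page: `FormatPreview`, `toDateTime` and `render` are hypothetical names, the sample values are constructed, and the conversion of field values is an assumption based on the two datetime input forms and the timezone parameter described above.

```java
import java.time.Instant;
import java.time.OffsetDateTime;
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.util.Locale;

public class FormatPreview {
    // Hypothetical helper: accepts the two datetime input forms the page names
    // (epoch milliseconds or ISO 8601) and applies the requested timezone.
    static ZonedDateTime toDateTime(String raw, String timezone) {
        Instant instant = raw.matches("-?\\d+")
                ? Instant.ofEpochMilli(Long.parseLong(raw))
                : OffsetDateTime.parse(raw).toInstant();
        return instant.atZone(ZoneId.of(timezone));
    }

    // Hypothetical helper: render a Formatter pattern with a fixed locale so the
    // thousands separator does not depend on the machine running the preview.
    static String render(String pattern, Object... values) {
        return String.format(Locale.US, pattern, values);
    }

    public static void main(String[] args) {
        String epochMillis = "1614900600000"; // constructed sample: 2021-03-04T23:30:00Z
        String iso = "2021-03-04T23:30:00Z";  // the same instant written as ISO 8601

        // Number and string patterns taken from the examples on this page.
        System.out.println(render("%,.2f", 1234567.891));
        System.out.println(render("%s,%s", "a-value", "b-value"));

        // The same instant rendered in the timezones the parameter table lists.
        // %tH = hour of day, %tM = minute, %tm = month, %tF = ISO 8601 date.
        String[] zones = {"UTC", "Europe/Copenhagen", "America/New_York", "+01"};
        for (String tz : zones) {
            ZonedDateTime t = toDateTime(epochMillis, tz);
            System.out.println(tz + " -> "
                    + render("hour=%tH minute=%tM month=%tm date=%tF", t, t, t, t));
        }

        // Both accepted input forms resolve to the same point in time.
        System.out.println(toDateTime(iso, "UTC").equals(toDateTime(epochMillis, "UTC")));
    }
}
```

The sample instant sits close to midnight UTC, so the output shows how the timezone changes both the hour and the calendar date that end up in a report or timeline.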