format
Synopsis
Takes the results of a subsearch and formats them into a single result.
Syntax
format ["<string>" "<string>" "<string>" "<string>" "<string>" "<string>"]
Arguments
- <string>
- Syntax: "<string>"
- Description: These 6 optional string arguments correspond to: row prefix, column prefix, column separator, column end, row separator, and row end. By default, when you don't specify any strings, the format output defaults to:
"(" "(" "AND" ")" "OR" ")"
Description
Used implicitly by subsearches, to take the search results of a subsearch and return a single result that is a query built from the input search results.
Examples
Example 1: Get top 2 results and create a search from their host, source and sourcetype, resulting in a single search result with a _query field: _query=( ( "host::mylaptop" AND "source::syslog.log" AND "sourcetype::syslog" ) OR ( "host::bobslaptop" AND "source::bob-syslog.log" AND "sourcetype::syslog" ) )
... | head 2 | fields source, sourcetype, host | format
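To make the six separator arguments concrete, here is an added example (written for this page, not Splunk code) that rebuilds the string the format command produces from a list of subsearch rows. The two rows are constructed to match Example 1, and the defaults "(" "(" "AND" ")" "OR" ")" reproduce the documented _query value; a second call shows what happens when the separators are overridden. The function name format_results, the sorting of fields by name (which matches the field order in the documented output) and the empty-input behaviour are assumptions of this example, not documented Splunk behaviour.

```python
# Added example, not part of the Splunk documentation: a re-implementation of how
# `format` joins subsearch rows into one query string using its six separators.
# Argument order follows the docs: row prefix, column prefix, column separator,
# column end, row separator, row end.
DEFAULT_ARGS = ("(", "(", "AND", ")", "OR", ")")


def format_results(rows, row_prefix="(", col_prefix="(", col_sep="AND",
                   col_end=")", row_sep="OR", row_end=")"):
    """Join result rows (dicts of field -> value) into a single query string.

    Each row becomes  col_prefix "field::value" col_sep "field::value" ... col_end
    and the rows are wrapped as  row_prefix <row> row_sep <row> ... row_end.
    """
    if not rows:
        return ""  # assumption of this example: no input rows gives an empty query

    row_strings = []
    for row in rows:
        # Every column becomes a quoted field::value term, as in the documented
        # output. Fields are emitted sorted by name (assumption, matches Example 1).
        # Values are inserted verbatim; this toy does not escape embedded quotes.
        terms = ['"%s::%s"' % (field, row[field]) for field in sorted(row)]
        row_strings.append(" ".join([col_prefix, (" %s " % col_sep).join(terms), col_end]))

    return " ".join([row_prefix, (" %s " % row_sep).join(row_strings), row_end])


def build_example_query():
    """Reproduce Example 1: `... | head 2 | fields source, sourcetype, host | format`."""
    # Constructed sample rows standing in for the first two search results.
    results = [
        {"host": "mylaptop", "source": "syslog.log", "sourcetype": "syslog"},
        {"host": "bobslaptop", "source": "bob-syslog.log", "sourcetype": "syslog"},
        {"host": "ignored", "source": "ignored.log", "sourcetype": "syslog"},
    ]
    head_2 = results[:2]  # `head 2` keeps only the first two rows
    return format_results(head_2, *DEFAULT_ARGS)


if __name__ == "__main__":
    print("_query=" + build_example_query())
    # Same rows with custom separators: rows ANDed together, columns ORed.
    print(format_results(
        [{"host": "mylaptop", "source": "syslog.log"}],
        "[", "(", "OR", ")", "AND", "]"))
```

Running the script prints the _query string shown in Example 1, followed by `[ ( "host::mylaptop" OR "source::syslog.log" ) ]` for the custom-separator call.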
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11