fieldformat
The fieldformat command enables you to use eval expressions to change the format of a field value when the results render.
Note: This does not apply when exporting data (to a CSV file, for example), because export retains the original data format rather than the rendered format. The Splunk Web export interface has no option to render fields.
Synopsis
Expresses how to render a field at output time without changing the underlying value.
Syntax
fieldformat <field>=<eval-expression>
Required arguments
- <field>
- Description: The name of a new or existing field, non-wildcarded, for the output of the eval expression.
- <eval-expression>
- Syntax: <string>
- Description: A combination of values, variables, operators, and functions that represent the value of your destination field. For more information, see the eval command reference and the list of eval functions.
Examples
Example 1: Render start_time (assuming it is an epoch number) as just the hours, minutes, and seconds corresponding to that epoch time.
... | fieldformat start_time = strftime(start_time, "%H:%M:%S")
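Added example (not part of the original Splunk documentation): a triage search that formats an outbound-byte total and a last-seen time for display, then sorts on the unchanged numeric value. The index, sourcetype, field names (bytes_out, src_ip) and the 100 MB threshold are assumptions chosen for illustration.

```spl
index=proxy sourcetype=web_proxy
| stats sum(bytes_out) AS bytes_out, max(_time) AS last_seen BY src_ip
| where bytes_out > 104857600
| fieldformat bytes_out = tostring(bytes_out, "commas")
| fieldformat last_seen = strftime(last_seen, "%H:%M:%S")
| sort - bytes_out
```

Because only the rendering changes, the sort orders rows by the numeric byte count; replacing fieldformat with eval here would turn bytes_out into a string and the sort would no longer be numeric. Exporting these results yields the raw byte counts and epoch times, as the note above describes.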
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the fieldformat command.
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 5.0, 5.0.1, 5.0.2