Splunk® Enterprise

Search Reference


fieldformat

Description

With the fieldformat command you can use eval expressions to change the format of a field value when the results render. You can change the format without changing the underlying value of the field. Commands later in the search pipeline cannot modify the formatted value.

The fieldformat command does not apply to commands that export data, such as the outputcsv and outputlookup commands. The export retains the original data format, not the rendered format. If you want the format to apply to exported data, use the eval command instead of the fieldformat command.

Syntax

fieldformat <field>=<eval-expression>

Required arguments

<field>
Description: The name of a new or existing field, non-wildcarded, for the output of the eval expression.
<eval-expression>
Syntax: <string>
Description: A combination of values, variables, operators, and functions that represent the value of your destination field. For more information, see the eval command and the Evaluation functions.

Usage

Time format variables are frequently used with the fieldformat command. See Date and time format variables.

Examples

Example 1:

Return metadata results for the sourcetypes in the main index.

| metadata type=sourcetypes | rename totalCount as Count firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update" | table sourcetype Count "First Event" "Last Event" "Last Update"

The fields are also renamed, but without the fieldformat command the time fields display in Unix time:

[Screenshot: search results with the time fields displayed in Unix time]


Now use the fieldformat command to reformat the time fields firstTime, lastTime, and recentTime:

| metadata type=sourcetypes | rename totalCount as Count firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update" | table sourcetype Count "First Event" "Last Event" "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "First Event"=strftime('First Event', "%c") | fieldformat "Last Event"=strftime('Last Event', "%c") | fieldformat "Last Update"=strftime('Last Update', "%c")

Note that the fieldformat command is also used to reformat the Count field to display the values with commas. The results are more readable:

[Screenshot: search results with formatted time fields and Count values displayed with commas]

Example 2:

Assume that the start_time field contains epoch numbers. Format the start_time field to display only the hours, minutes, and seconds that correspond to the epoch time.

... | fieldformat start_time = strftime(start_time, "%H:%M:%S")

Example 3:

To format numerical values in a field with a currency symbol, you must specify the symbol as a literal and enclose it in quotation marks. Use a period character as a binary concatenation operator, followed by the tostring function, which enables you to display commas in the currency values.

... | fieldformat totalSales="$".tostring(totalSales,"commas")
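
The export behavior described in the Description section, as an added example that is not part of the original documentation: a search that lists sourcetypes in the main index with no events in the last 24 hours and writes them to a CSV file. The 24-hour threshold, the field name last_event_export, and the file name stale_sourcetypes are assumptions chosen for illustration.

```spl
| metadata type=sourcetypes index=main
| where lastTime < relative_time(now(), "-24h")
| eval last_event_export=strftime(lastTime, "%Y-%m-%d %H:%M:%S")
| table sourcetype totalCount lastTime last_event_export
| sort lastTime
| fieldformat totalCount=tostring(totalCount, "commas")
| fieldformat lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S")
| outputcsv stale_sourcetypes
```

In the rendered table, lastTime and last_event_export look identical. In the CSV file, lastTime is still an epoch number and totalCount has no commas, because fieldformat affects rendering only, while last_event_export carries the formatted string produced by eval.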

See also

eval, where

Date and time format variables

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the fieldformat command.


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0


Comments

Thank you Dallen 2 for your suggestion, I will pass this along to our development team.

Lstewart splunk, Splunker
September 16, 2016

If I do something like this:
... | eval profit="100" | fieldformat profit="$".tostring(profit, "commas")
I would like for the cell-justification in tables to treat "profit" as an integer and right-justify it. This would be a VERY handy way for people who are in Simple XML to control justification and still be "following the rules". As it is now, even though "profit" is still an integer, when it is displayed (like a string), it is justified like a string. I am not saying that this is wrong, just that it would be better the other way and give us more flexibility.

Dallen 2
September 14, 2016
