format
format
Synopsis
Takes the results of a subsearch and formats them into a single result.
Syntax
format ["<string>" "<string>" "<string>" "<string>" "<string>" "<string>"]
Optional arguments
- <string>
- Syntax: "<string>"
- Description: These six optional string arguments correspond to: ["<row prefix>" "<column prefix>" "<column separator>" "<column end>" "<row separator>" "<row end>"]. By default, when you don't specify any strings, the format output defaults to:
"(" "(" "AND" ")" "OR" ")"
Description
Used implicitly by subsearches, to take the search results of a subsearch and return a single result that is a query built from the input search results.
Examples
Example 1: Get top 2 results and create a search from their host, source and sourcetype, resulting in a single search result with a _query field: _query=( ( "host::mylaptop" AND "source::syslog.log" AND "sourcetype::syslog" ) OR ( "host::bobslaptop" AND "source::bob-syslog.log" AND "sourcetype::syslog" ) )
... | head 2 | fields source, sourcetype, host | formatExample 2: Increase the maximum number of events from the default to 2000 for a subsearch to use in generating a search.
In limits.conf:
[format] maxresults = 2000
and in the subsearch:
... | head 2 | fields source, sourcetype, host | format maxresults=2000See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the format command.
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 View the Article History for its revisions.
Can you include an example using the optional arguments?