Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

fieldformat

The fieldformat command enables you to use eval expressions to change the format of a field value when the results render.

Note: This does not apply when exporting data (to a csv file, for example) because export retains the original data format rather than the rendered format. There is no option to the Splunk Web export interface to render fields.

Synopsis

Expresses how to render a field at output time without changing the underlying value.

Syntax

fieldformat <field>=<eval-expression>

Required arguments

<field>
Description: The name of a new or existing field, non-wildcarded, for the output of the eval expression.
<eval-expression>
Syntax: <string>
Description: A combination of values, variables, operators, and functions that represent the value of your destination field. For more information, see the eval command reference and the list of eval functions.

Examples

Example 1: Return metadata results for the sourcetypes in the main index.

| metadata type=sourcetypes | rename totalCount as Count firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update" | table sourcetype Count "First Event" "Last Event" "Last Update"

The fields are also renamed; but without fieldformat, the time fields display in Unix time:

Searchref fieldformat ex1.1.png

Now use fieldformat to reformat the time fields firstTime, lastTime, and recentTime:

| metadata type=sourcetypes | rename totalCount as Count firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update" | table sourcetype Count "First Event" "Last Event" "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "First Event"=strftime('First Event', "%c") | fieldformat "Last Event"=strftime('Last Event', "%c") | fieldformat "Last Update"=strftime('Last Update', "%c")

Note that fieldformat is also used to reformat the Count field to display with commans. The results are more readable:

Searchref fieldformat ex1.2.png


Example 2: Specify that the start_time should be rendered by taking the value of start_time (assuming it is an epoch number) and rendering it to display just the hours minutes and seconds corresponding to that epoch time.

... | fieldformat start_time = strftime(start_time, "%H:%M:%S")

See also

eval, where

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the fieldformat command.

PREVIOUS
extract
  NEXT
fields

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters