The fieldformat command enables you to use eval expressions to change the format of a field value when the results render.
Note: This does not apply when exporting data (to a csv file, for example) because export retains the original data format rather than the rendered format. There is no option in the Splunk Web export interface to render fields.
Expresses how to render a field at output time without changing the underlying value.
- Description: The name of a new or existing field, non-wildcarded, for the output of the eval expression.
- Syntax: <string>
- Description: A combination of values, variables, operators, and functions that represent the value of your destination field. For more information, see the eval command reference and the list of eval functions.
Example 1: Return metadata results for the sourcetypes in the main index.
| metadata type=sourcetypes | rename totalCount as Count firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update" | table sourcetype Count "First Event" "Last Event" "Last Update"
The fields are also renamed, but without fieldformat the time fields display in Unix time.
Now use fieldformat to reformat the time fields firstTime, lastTime, and recentTime:
| metadata type=sourcetypes | rename totalCount as Count firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update" | table sourcetype Count "First Event" "Last Event" "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "First Event"=strftime('First Event', "%c") | fieldformat "Last Event"=strftime('Last Event', "%c") | fieldformat "Last Update"=strftime('Last Update', "%c")
Note that fieldformat is also used to reformat the Count field to display with commas. The results are more readable.
Example 2: Specify that the start_time should be rendered by taking the value of start_time (assuming it is an epoch number) and rendering it to display just the hours, minutes, and seconds corresponding to that epoch time.
... | fieldformat start_time = strftime(start_time, "%H:%M:%S")
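Added example (not part of the original Splunk documentation): because fieldformat changes only how a value is rendered, commands later in the search still see the underlying epoch number. This search lists sourcetypes that have not logged an event in the last 24 hours while displaying readable timestamps. The 24-hour threshold is an assumed value chosen for illustration.

```spl
| metadata type=sourcetypes
| table sourcetype totalCount lastTime recentTime
| fieldformat lastTime=strftime(lastTime, "%c")
| fieldformat recentTime=strftime(recentTime, "%c")
| where lastTime < relative_time(now(), "-24h")
| sort lastTime
```

If eval were used here instead of fieldformat, lastTime would be overwritten with a string and the where and sort steps would no longer operate on epoch seconds.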
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18