
fieldformat
Description
With the fieldformat command you can use eval expressions to change the format of a field value when the results render. You can change the format without changing the underlying value of the field. Commands later in the search pipeline cannot modify the formatted value.
The fieldformat command does not apply to commands that export data, such as the outputcsv and outputlookup commands. The export retains the original data format and not the rendered format. If you want the format to apply to exported data, use the eval command instead of the fieldformat command.
Syntax
fieldformat <field>=<eval-expression>
Required arguments
- <field>
- Description: The name of a new or existing field, non-wildcarded, for the output of the eval expression.
- <eval-expression>
- Syntax: <string>
- Description: A combination of values, variables, operators, and functions that represent the value of your destination field. See Usage.
For more information, see the eval command.
Usage
Time format variables are frequently used with the fieldformat command. See Date and time format variables.
Functions
You can use a wide range of functions with the fieldformat command. For general information about using functions, see Evaluation functions.
The following table lists the supported functions by type of function. Use the links in the table to learn more about each function, and to see examples.
Type of function | Supported functions and syntax | | |
---|---|---|---|
Comparison and Conditional functions | case(X,"Y",...) | if(X,Y,Z) | nullif(X,Y) |
Conversion functions | tonumber(NUMSTR,BASE) | tostring(X,Y) | |
Cryptographic functions | md5(X) | sha256(X) | sha512(X) |
Date and Time functions | now() | strftime(X,Y) | time() |
Informational functions | isbool(X) | isnull(X) | isstr(X) |
Mathematical functions | abs(X) | floor(X) | pow(X,Y) |
Multivalue eval functions | commands(X) | mvfilter(X) | mvrange(X,Y,Z) |
Statistical eval functions | max(X,...) | min(X,...) | random() |
Text functions | len(X) | rtrim(X,Y) | trim(X,Y) |
Trigonometry and Hyperbolic functions | acos(X) | atan2(X,Y) | sin(X) |
Examples
Example 1:
Return metadata results for the sourcetypes in the main index.
| metadata type=sourcetypes | rename totalCount as Count firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update" | table sourcetype Count "First Event" "Last Event" "Last Update"
The fields are also renamed, but without the fieldformat command the time fields display in Unix time:
Now use the fieldformat command to reformat the time fields firstTime, lastTime, and recentTime:
| metadata type=sourcetypes | rename totalCount as Count firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update" | table sourcetype Count "First Event" "Last Event" "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "First Event"=strftime('First Event', "%c") | fieldformat "Last Event"=strftime('Last Event', "%c") | fieldformat "Last Update"=strftime('Last Update', "%c")
Note that the fieldformat command is also used to reformat the Count field to display the values with commas. The results are more readable:
Example 2:
Assume that the start_time field contains epoch numbers. Format the start_time field to display only the hours, minutes, and seconds corresponding to the epoch time.
... | fieldformat start_time = strftime(start_time, "%H:%M:%S")
Example 3:
To format numerical values in a field with a currency symbol, you must specify the symbol as a literal and enclose it in quotation marks. Use a period character as a binary concatenation operator, followed by the tostring function, which enables you to display commas in the currency values.
...| fieldformat totalSales="$".tostring(totalSales,"commas")
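The following search is an added example, not part of the original documentation. It illustrates the point in the Description that fieldformat changes only the rendered value while the underlying value and any exported data keep the original format. The field names (user, last_logon, bytes_out, bytes_out_text), the sample values, and the file name fieldformat_demo.csv are constructed for illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval user = "user" . n
| eval last_logon = now() - (n * 3600)
| eval bytes_out = case(n=1, 950, n=2, 12000, n=3, 1048576)
| eval bytes_out_text = tostring(bytes_out, "commas")
| table user last_logon bytes_out bytes_out_text
| fieldformat last_logon = strftime(last_logon, "%Y-%m-%d %H:%M:%S")
| fieldformat bytes_out = tostring(bytes_out, "commas")
| where bytes_out > 10000
| sort - bytes_out
| outputcsv fieldformat_demo.csv
```

The where and sort commands still operate on the numeric bytes_out value, and the exported CSV contains the epoch last_logon and the unformatted bytes_out. Only bytes_out_text, which was created with eval, carries its comma formatting into the export.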
See also
Date and time format variables
This documentation applies to the following versions of Splunk Cloud™: 6.6.3
Comments
If I do something like this:
... | eval profit="100" | fieldformat profit="$".tostring(profit, "commas")
I would like for the cell-justification in tables to treat "profit" as an integer and right-justify it. This would be a VERY handy way for people who are in Simple XML to control justification and still be "following the rules". As it is now, even though "profit" is still an integer, when it is displayed (like a string), it is justified like a string. I am not saying that this is wrong, just that it would be better the other way and give us more flexibility.
Thank you Dallen 2 for your suggestion, I will pass this along to our development team.