Format Command In Splunk
This command is used to format your sub search result. This command takes the results of a sub search and formats or combines the results into a single event and places that result into a new field called “search” as we have seen in case of “return” command. If you want to know more about return command please click here.
Syntax:
.... |format [mvsep="<mv separator>"] [maxresults=<int>]["<row prefix>"
"<column prefix>" "<column separator>" "<column end>" "<row separator>"
"<row end>"]
mvsep=”<mv separator>” – Multi value field separator [default is OR].
maxresults=<int> – Maximum results to return in the search field.
<row prefix> – Row prefix value or character [default is open parenthesis character “(” ].
<column prefix> – Column prefix value or character [default is open parenthesis character “(” ].
<column separator> – Column separator [default is AND]
<column end> – Column end value character [default is close parenthesis character “)” ]
<row separator> – Row separator value [default is OR ].
<row end> – Column end value or character [default is close parenthesis character “(” ]
NOTE: Here all are optional arguments.
Example 1:
index="sample_set" sourcetype=access_combined_wcookie action=view status=200 | dedup ip | table ip JSESSIONID | format
Result:
Explanation:
Here we took data from the “sample_set” index and “access_combined_wcookie” is the sourcetype. Then we had used the dedup command on the ip field and then using table command took the data of ip and JSESSIONID in tabular view. If you see the data until now then it will look like this.
It’s showing a total 34 results but after using the “format” command all results are invoked into one event ( row ) named as “search”, as you can see from the previous figure from the result.
All results are formatted as mentioned in the syntax by default. I.e row prefix as “(” and suffix as “)” (as shown in violet colored box in the result figure), column prefix as “(” and suffix as “)” (as shown in figure). “AND” used for column separators and “OR” used for row separators.
Example 2:
Now what if you want to format on your own?
index="sample_set" sourcetype=access_combined_wcookie action=view status=200 | dedup ip | table ip JSESSIONID | format maxresults=5 "[" "[" "&&" "]" "||" "]"
Result:
Explanation:
Here we took data from the “sample_set” index and “access_combined_wcookie” is the sourcetype. Then we had used the dedup command on the ip field and then using table command took the data of ip and JSESSIONID in tabular view. After that using “format” command we format the result according to our own need in the “search” field i.e. row prefix as “[” and suffix as “]” (as shown in violet colored box in the result figure), column prefix as “[” and suffix as “]” (as shown in figure). “&&” used for column separators and “||” used for row separators (as per the syntax). Also we have used maxresults=5 to return only 5 results( rows ).
Example 3:
index="sample_set" sourcetype=access_combined_wcookie action=view status=200 | dedup ip | table ip JSESSIONID | eval New_Field = ip.",".JSESSIONID | makemv delim="," New_Field | format maxresults=5 mvsep="MV_BREAK"
Result:
Explanation:
Here we took data from the “sample_set” index and “access_combined_wcookie” is the sourcetype. Then we had used the dedup command on the ip field and then using table command took the data of ip and JSESSIONID in tabular view. After that using eval command we created a field called “New_Field” with the values of ip and JSESSIONID delimited with “,”. Then using the “makemv” command we converted that into a multi-value field.
At last using the “format” command we took 5 results using “maxresult” function and here we have used another function known as “mvsep” which is used as a multi value separator which you can see from above figures.
I hope you have understood the concepts of “Format Command In Splunk”.
