Formats a string using printf-style formatting. The formatted string is placed in a new field named by the as parameter (default is _format). The fields used as input to the formatting are named with the field parameter, which can be an array. This function is backed by Java's Formatter class. For detailed documentation follow the link. At the moment, fields can only be used as datetime values if they are in ISO 8601 format or if they are milliseconds since the beginning of the epoch, 1 January 1970 00:00:00 UTC.
Name | Type | Required | Default | Description |
---|---|---|---|---|
format | string | Yes | | The formatter string. See the Java documentation. |
field | [string] | Yes | | Fields to insert into the formatter string. These are the field names on events (not actual values). |
as | string | No | _format | The output name of the field with the formatted string. |
timezone | string | No | | When formatting dates and times it is possible to specify a timezone. Examples: Europe/Copenhagen, UTC, America/New_York, +01 |
format is the unnamed parameter.
Format a number to have 2 decimals and a thousands separator (,) if larger than 1000
format("%,.2f", field=price, as=price) | table(price)
Concatenate 2 fields with a comma as separator
format(format="%s,%s", field=[a, b], as="combined") | table(combined)
Get the hour of day out of the event's @timestamp
format("%tH", field=@timestamp, as=hour) | table(hour)
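Because the function is backed by Java's Formatter, the date conversions can be checked directly in Java. The following is an added example, not code from the original page or the product: the class and method names are hypothetical, the timestamp is a constructed sample, and it assumes the timezone parameter moves the instant into the given zone before formatting. It shows the same instant read from both accepted encodings and how the zone changes the extracted hour and even the date.

```java
import java.time.Instant;
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.util.Locale;

public class FormatTimezoneDemo {
    // Accept the two datetime encodings the page lists:
    // milliseconds since the epoch, or an ISO 8601 instant.
    static Instant parseFieldValue(String raw) {
        try {
            return Instant.ofEpochMilli(Long.parseLong(raw.trim()));
        } catch (NumberFormatException notMillis) {
            return Instant.parse(raw.trim());
        }
    }

    // Assumption: a timezone argument moves the instant into that zone
    // before the %t conversions are applied.
    static String render(String fmt, String raw, String timezone) {
        ZonedDateTime t = parseFieldValue(raw).atZone(ZoneId.of(timezone));
        return String.format(Locale.ROOT, fmt, t, t);
    }

    public static void main(String[] args) {
        // Constructed sample: the same instant in both accepted encodings.
        String iso = "2024-03-30T23:30:00Z";
        String millis = "1711841400000";
        String[] zones = {"UTC", "Europe/Copenhagen", "America/New_York", "+01"};

        for (String zone : zones) {
            // %tF = ISO date, %tH = hour of day (00-23); two conversions, two arguments.
            String fromIso = render("%tF hour=%tH", iso, zone);
            String fromMillis = render("%tF hour=%tH", millis, zone);
            System.out.printf("%-18s %s (encodings agree: %b)%n",
                    zone, fromIso, fromIso.equals(fromMillis));
        }
        // %tm is the two-digit month, not the minute (%tM) or the hour (%tH).
        System.out.println(render("month=%tm minute=%tM", iso, "UTC"));
    }
}
```

When correlating events by hour across sources, set the timezone explicitly so that hour buckets do not shift with the default zone.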