format
Description
Converts the results of the preceding part of a search query (typically a subsearch) into a logical expression, which the enclosing search then applies as a filter.
Syntax
| format
Example Queries
Example 1
Displays all active_directory events whose user field matches one of the user values found in the zabbix index that match the pattern Iv*.
source active_directory | search [ source zabbix | search user="Iv*" | fields user | format]
Example 2
Displays all events from the users source whose id field equals 3 (round(pi()) evaluates to 3).
source users
| search
    [ | makeresults
    | eval id=round(pi())
    | fields id
    | format ]
Example 3
In this example, the distinguishedname field in the ad_computer index has the value CN=John Smith,OU=Employees, DC=vv,DC=local. The rex stage extracts every DC= component (max_match=0 keeps all matches, so DC becomes a multivalue field holding vv and local), and mvjoin joins those values with a dot, producing a domainUser field with the value vv.local. The query then retrieves all ad_users events whose domainUser field has the value vv.local.
source ad_users
| search
    [ source ad_computer
    | rex field=distinguishedname "DC=(?<DC>[a-z]*)" max_match=0
    | eval domainUser=mvjoin(DC, ".")
    | stats count by domainUser
    | fields domainUser
    | format ]
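The following is an added Python model of what the subsearch in Example 3 hands to the outer search; it is not the product's own code. The rex and mvjoin steps mirror the page's query, the sample ad_computer rows are constructed (the first one is the value quoted above), and the exact output grammar of format (parenthesised field="value" terms joined with AND within a row and OR across rows, with NOT() for an empty subsearch) is an assumption, since the page only says "logical expression". The value quoting is there because format builds a query string out of data: an unescaped double quote in a field value would otherwise change the structure of the outer search.

```python
import re

# Constructed sample events for the ad_computer source (not from the page;
# the first row is the value the page's Example 3 quotes).
AD_COMPUTER_ROWS = [
    {"distinguishedname": "CN=John Smith,OU=Employees, DC=vv,DC=local"},
    {"distinguishedname": "CN=WS-042,OU=Workstations,DC=vv,DC=local"},
    {"distinguishedname": "CN=SRV-01,OU=Servers,DC=lab,DC=example"},
]

# Same regex as the page's rex stage; findall() with a single group plays the
# role of max_match=0 (collect every match instead of only the first).
DC_PATTERN = re.compile(r"DC=(?P<DC>[a-z]*)")


def domain_from_dn(dn):
    """rex field=distinguishedname "DC=(?<DC>[a-z]*)" max_match=0
    followed by eval domainUser=mvjoin(DC, ".")."""
    return ".".join(DC_PATTERN.findall(dn))


def stats_count_by(rows, field):
    """stats count by <field>: one row per distinct value, in first-seen order."""
    counts = {}
    for row in rows:
        counts[row[field]] = counts.get(row[field], 0) + 1
    return [{field: value, "count": n} for value, n in counts.items()]


def keep_fields(rows, *names):
    """fields <names>: drop every other column."""
    return [{k: row[k] for k in names if k in row} for row in rows]


def quote_value(value):
    """Quote a value for the generated expression. Backslashes and double
    quotes inside the value are escaped so that a value such as
    foo" OR user="*  cannot alter the structure of the outer search."""
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


def format_results(rows, empty_expr="NOT()"):
    """Assumed semantics of | format: every row becomes an AND of
    field="value" terms, rows are joined with OR, and the whole expression
    is parenthesised. empty_expr is what an empty subsearch turns into
    (assumed default; the page does not say what the product does here)."""
    if not rows:
        return empty_expr
    disjuncts = []
    for row in rows:
        terms = [f"{name}={quote_value(val)}" for name, val in row.items()]
        disjuncts.append("( " + " AND ".join(terms) + " )")
    return "( " + " OR ".join(disjuncts) + " )"


def example3_subsearch(rows=AD_COMPUTER_ROWS):
    """Run the page's Example 3 subsearch pipeline over the sample rows:
    rex -> eval domainUser -> stats count by domainUser -> fields -> format."""
    enriched = [dict(r, domainUser=domain_from_dn(r["distinguishedname"]))
                for r in rows]
    grouped = stats_count_by(enriched, "domainUser")
    return format_results(keep_fields(grouped, "domainUser"))


if __name__ == "__main__":
    # prints: source ad_users | search ( ( domainUser="vv.local" ) OR ( domainUser="lab.example" ) )
    print("source ad_users | search " + example3_subsearch())
```

Two things the model makes visible that the query alone does not: the stats stage is what de-duplicates domainUser before format sees it (without it, two workstations in the same domain would yield two identical OR branches), and an empty subsearch must turn into something the outer search can still parse, so check what your product emits in that case before relying on format inside alerting searches.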