Formatting subquery results

About the format command

The format command turns the rows of a subquery into a single string of boolean expressions that can be used as a filter in the search command. For example, if a subquery returns the following table:

           | field1 | field2 |
-----------+--------+--------+
event/row1 | val1_1 | val1_2 |
event/row2 | val2_1 | val2_2 |

Then applying the format command to it produces one OR-joined group per row, with the row's field/value pairs joined by AND:

(field1=val1_1 AND field2=val1_2) OR (field1=val2_1 AND field2=val2_2)

How to use formatting

Example search query:

source wineventlog-*
| search host.name.keyword="JM-HEW-019"
| table event.action, user.name, host.name

Search query result:

(screenshot of the result table omitted)

Now we use the format command:

source wineventlog-*
| search host.name.keyword="JM-HEW-019"
| table event.action, user.name, host.name
| format

(screenshot of the formatted result omitted)

The format command converts the results of the previous command in the pipeline into a filter string. Typically, the format command is used to prepare data for further analysis, for display, or for passing to another part of the query (for example, as a filter for an outer search).
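The following is an added example, not the product's own implementation of the format command: it reproduces the row-to-filter conversion described above (one AND group per row, rows joined by OR) in Python, and runs it both on the two-row table from the description and on constructed rows shaped like the wineventlog query result (event.action, user.name, host.name; the values are made up). The quoting rule and the behaviour on an empty result are assumptions about the target query syntax; they are there because the values come from query results, and an unquoted value containing spaces, parentheses or quotes would otherwise change the structure of the generated filter.

```python
"""Added example: build a boolean filter string from subquery rows, the way
the page describes the format command. Illustrative code, not the product's
own implementation; quoting rules and empty-result behaviour are assumptions."""

import re

# Values matching this pattern are emitted bare; anything else is quoted
# (assumption about the target query syntax).
_BARE = re.compile(r"^[A-Za-z0-9_.:-]+$")


def quote_value(value):
    """Return value as a search literal that cannot alter the filter structure.

    Values originate from query results. A value such as 'x) OR (y' inserted
    bare would rewrite the boolean expression, so anything that is not a plain
    token is double-quoted with embedded backslashes and quotes escaped.
    """
    text = str(value)
    if _BARE.match(text):
        return text
    escaped = text.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def format_row(row):
    """One row -> (field1=val1 AND field2=val2 ...), in the row's key order."""
    terms = [f"{field}={quote_value(value)}" for field, value in row.items()]
    return "(" + " AND ".join(terms) + ")"


def format_results(rows):
    """All rows -> (row1) OR (row2) OR ...; empty input yields "" (assumption)."""
    return " OR ".join(format_row(row) for row in rows)


# Constructed sample: the two-row table from the page description.
PAGE_TABLE = [
    {"field1": "val1_1", "field2": "val1_2"},
    {"field1": "val2_1", "field2": "val2_2"},
]

# Constructed sample: rows shaped like the wineventlog example output
# (event.action, user.name, host.name); the values are made up.
HOST_TABLE = [
    {"event.action": "logged-in", "user.name": "alice", "host.name": "JM-HEW-019"},
    {"event.action": "logged-out", "user.name": "bob smith", "host.name": "JM-HEW-019"},
]

if __name__ == "__main__":
    print(format_results(PAGE_TABLE))
    print(format_results(HOST_TABLE))
```

Running the module prints the filter string for each table; the second line shows the user name with a space emitted as a quoted literal while the plain tokens stay bare.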