format

Description

Converts the results of the preceding part of a search query into a logical search expression that the following part of the query can use, typically inside a subsearch (search [ ... ]).

Syntax

| format

Example Queries

Example 1

Displays all active_directory events whose user field matches one of the user values from the zabbix index that fit the pattern "Iv*".

source active_directory | search [ source zabbix | search user="Iv*" | fields user | format]

Example 2

Displays all users events whose id field equals 3 (round(pi()) evaluates to 3).

source users
| search
[ | makeresults
| eval id=round(pi())
| fields id
| format ]

Example 3

In this example, the distinguishedname field in the ad_computer index has the value "CN=John Smith,OU=Employees, DC=vv,DC=local". The rex command extracts every DC= component (max_match=0 keeps all matches in a multivalue field DC), and mvjoin concatenates them with "." to produce a domainUser field with the value "vv.local". The outer query then retrieves all ad_users events whose domainUser field has the value "vv.local".

source ad_users
| search
[ source ad_computer
| rex field=distinguishedname "DC=(?<DC>[a-z]*)" max_match=0
| eval domainUser=mvjoin(DC, ".")
| stats count by domainUser
| fields domainUser
| format ]
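As an added illustration (not code from the original page or from the product), the following Python emulates the subsearch of Example 3 up to and including format on a few constructed distinguishedname values. The expression shape ( ( field="value" ) OR ... ), the value escaping, and the behaviour on an empty result set are assumptions; the page does not specify them.

```python
import re

# Constructed sample rows standing in for "source ad_computer" results.
AD_COMPUTER_ROWS = [
    {"distinguishedname": "CN=John Smith,OU=Employees, DC=vv,DC=local"},
    {"distinguishedname": "CN=WS01,OU=Workstations,DC=vv,DC=local"},
    {"distinguishedname": "CN=SRV02,OU=Servers,DC=lab,DC=vv,DC=local"},
]


def extract_domain(dn: str) -> str:
    """Emulates: rex "DC=(?<DC>[a-z]*)" max_match=0 | eval domainUser=mvjoin(DC, ".")
    The page's regex is lower-case only, so an upper-case DC=VV component
    would contribute an empty string; the pattern is kept as the page gives it."""
    return ".".join(re.findall(r"DC=([a-z]*)", dn))


def quote(value: str) -> str:
    """Quote a field value for the generated expression. Escaping backslashes and
    double quotes stops a crafted value from breaking out of its own clause and
    altering the outer search (the search-language analogue of SQL injection)."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def format_results(rows, fields):
    """Emulates "| stats count by <fields> | fields <fields> | format":
    one AND-clause per distinct row, OR-ed together. Output shape is an assumption."""
    clauses, seen = [], set()
    for row in rows:
        terms = tuple((f, row[f]) for f in fields if f in row)
        if not terms or terms in seen:  # skip rows lacking the fields and duplicates
            continue
        seen.add(terms)
        clauses.append("( " + " AND ".join(f"{f}={quote(v)}" for f, v in terms) + " )")
    if not clauses:
        return ""  # assumption: what the real command emits for an empty subsearch is not stated on the page
    return "( " + " OR ".join(clauses) + " )"


def example3_expression(rows):
    """Runs the whole Example 3 subsearch over the constructed rows."""
    domain_rows = [{"domainUser": extract_domain(r["distinguishedname"])} for r in rows]
    return format_results(domain_rows, ["domainUser"])


if __name__ == "__main__":
    print(example3_expression(AD_COMPUTER_ROWS))
```

The expression printed is what the outer search [ ... ] receives, so any value a subsearch row can carry ends up as search syntax; this is why quote() escapes rather than concatenating raw.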