Skip to main content
Sumo Logic

format

The Format operator allows you to format and combine data from fields in message logs—including numbers, strings, and dates—into a single user-defined string. This allows data in message logs, such as dates or currency amounts, to be formatted as human readable, when otherwise it would be hard to decipher.

The Concat operator is a simpler version of the Format operator, and may be used instead for simpler use cases.

Syntax:

  • format(formatSpecifier,field1, field2, …, fieldn) as [fieldname]

The Sumo Logic Format operator supports all Java String.format syntax, as defined in http://docs.oracle.com/javase/7/docs/api/java/util/Formatter.html#syntax

Rules:

  • The first argument to the Format operator must be a format specifier, which is a string.
  • You must define a name for the new [fieldname] to use Format. There is no default.
  • The operator allows 2 to 16 inputs. To use more than 16 inputs, you can combine operators.
  • AND and OR are not supported
  • If a field is null or incompatible, an error will be thrown.
  • Use the Format operator after the aggregate.
  • You must convert your data type to numeric before converting to hexadecimal, or your data will be dropped.

Examples

Format two strings into one string.

In this query, we search for errors, then parse the field “fiveMinuteRate” as “rate”, then combine the text “Five Minute Rate is:” and the rate together as “formattedVal”.

error 
| parse "fiveMinuteRate=*," as rate 
| format("%s : %s","Five Minute Rate is" , rate) as formattedVal

which results in:

Format

Format numbers.

This query allows you to format number fields from a message log into a properly formatted, human readable currency amount.

format( "$%.2f",number) as currency

Formatting dates.

Use the following query to format fields in a message log into a readable date.

| parse “*-*-*” “as year, month, day

| format (“%d/%d/%d”, month, day, year) as date

Convert strings to uppercase.

Use this format specifier to convert strings to uppercase:

format("%S: %d", name, age) as personAge

Convert numeric data to hexadecimal.

For example, to convert a field, collectorId, to 16 character upper case hexadecimal:
| int(collectorId) as collectoridint
| format("%016X", collectoridint) as collectoridhex
| count by collectorId, collectoridint, collectoridhex

For more options, see toLowerCase and toUpperCase.