The Format operator allows you to format and combine data from fields in message logs—including numbers, strings, and dates—into a single user-defined string. This allows data in message logs, such as dates or currency amounts, to be formatted as human readable, when otherwise it would be hard to decipher.
The Concat operator is a simpler version of the Format operator, and may be used instead for simpler use cases.
format(formatSpecifier,field1, field2, …,
) as [fieldname]
The Sumo Logic Format operator supports all Java String.format syntax, as defined in http://docs.oracle.com/javase/7/docs/api/java/util/Formatter.html#syntax
- The first argument to the Format operator must be a format specifier, which is a string.
- You must define a name for the new [fieldname] to use Format. There is no default.
- The operator allows 2 to 16 inputs. To use more than 16 inputs, you can combine operators.
- AND and OR are not supported
- If a field is null or incompatible, an error will be thrown.
- Use the Format operator after the aggregate.
Format two strings into one string.
In this query, we search for errors, then parse the field “fiveMinuteRate” as “rate”, then combine the text “Five Minute Rate is:” and the rate together as “formattedVal”.
| parse "fiveMinuteRate=*," as rate
| format("%s : %s","Five Minute Rate is" , rate) as formattedVal
which results in:
This query allows you to format number fields from a message log into a properly formatted, human readable currency amount.
format( "$%.2f",number) as currency
Use the following query to format fields in a message log into a readable date.
| parse “*-*-*” “as year, month, day
| format (“%d/%d/%d”, month, day, year) as date
Convert strings to uppercase.
Use this format specifier to convert strings to uppercase:
format("%S: %d", name, age) as personAge
For more options, see toLowerCase and toUpperCase.