format
Format search results into a single string. Used primarily with subsearches.
Description
The format command takes the results piped into it and emits a single search string that can be used as a filter condition. Each result row becomes one field="value" term per field; the terms within a row are joined by the column separator, and the rows are joined by the row separator. Its main use is inside a subsearch: when a subsearch appears in the main search, format is applied implicitly so the subsearch's rows become filter conditions on the outer search. Writing it out explicitly is only needed when the default separators or result limit are not what the outer search requires.
Syntax
... | format [maxresults=<int>] [row_sep="<string>"] [col_sep="<string>"]
Optional Arguments
maxresults
Syntax: maxresults=<int>
Description: Maximum number of result rows to include in the formatted string. Rows beyond this limit are dropped silently, so a filter built from a long list of values can be incomplete without any error being raised.
row_sep
Syntax: row_sep="<string>"
Description: Separator between rows
Default: " OR "
col_sep
Syntax: col_sep="<string>"
Description: Separator between columns
Default: " AND "
Examples
Format for subsearch filter
[search action=suspicious | fields src_ip | format]
Produces: src_ip="1.2.3.4" OR src_ip="5.6.7.8"
Custom separators
* | format maxresults=10 row_sep=" | " col_sep=", "
Format user list
[search department="IT" | fields user | format]
Produces: user="alice" OR user="bob" OR user="charlie"
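The following Python model is added here as an illustration of the behaviour described above; it is not the search engine's own implementation. It reproduces what the examples show (each row becomes field="value" terms joined by col_sep, rows are joined by row_sep, rows past maxresults are dropped) and also handles the two cases a detection author runs into in practice: a value that contains a double quote, and a row with more than one field. The backslash-escaping of quotes inside values and the parentheses around multi-field rows are assumptions, since the page specifies neither; the sample rows are constructed.

```python
"""Reference model of the format command described above.

Added example, not the search engine's own implementation.  Assumptions,
labelled in the comments: values are double-quoted with embedded quotes and
backslashes escaped, and a row with more than one field is parenthesised.
The sample rows below are constructed.
"""
from typing import Dict, List, Optional

DEFAULT_ROW_SEP = " OR "   # page default: joins rows
DEFAULT_COL_SEP = " AND "  # page default: joins fields within a row


def quote_value(value: str) -> str:
    """Return the value as a double-quoted search term.

    Assumed escaping rule: backslashes and double quotes inside the value
    are backslash-escaped, so a field that contains  x" OR *  stays one
    literal term instead of rewriting the generated filter.
    """
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def format_row(row: Dict[str, str], col_sep: str) -> str:
    """One result row -> field=value terms joined by col_sep.

    Assumption: a multi-field row is wrapped in parentheses so the combined
    filter does not depend on AND/OR precedence; a single-field row is left
    bare, matching the outputs shown in the examples above.
    """
    terms = [f"{field}={quote_value(value)}" for field, value in row.items()]
    joined = col_sep.join(terms)
    return f"({joined})" if len(terms) > 1 else joined


def format_results(rows: List[Dict[str, str]],
                   maxresults: Optional[int] = None,
                   row_sep: str = DEFAULT_ROW_SEP,
                   col_sep: str = DEFAULT_COL_SEP) -> str:
    """Turn a list of result rows into a single filter string.

    Rows beyond maxresults are dropped without warning; that is the
    truncation a detection author has to account for.  An empty result set
    yields an empty string, which the caller must treat as "match nothing"
    rather than splicing it into a search where it would match everything.
    """
    if maxresults is not None:
        rows = rows[:maxresults]
    return row_sep.join(format_row(row, col_sep) for row in rows)


# Constructed sample of what  search action=suspicious | fields src_ip
# might return, including one hostile value that tries to break out.
SAMPLE_SUSPICIOUS = [
    {"src_ip": "1.2.3.4"},
    {"src_ip": "5.6.7.8"},
    {"src_ip": '9.9.9.9" OR *'},
]


def suspicious_filter() -> str:
    """Filter for the first example on the page, hostile row kept literal."""
    return format_results(SAMPLE_SUSPICIOUS)


if __name__ == "__main__":
    print(suspicious_filter())
    print(format_results(
        [{"user": "alice", "src_ip": "10.0.0.5"},
         {"user": "bob", "src_ip": "10.0.0.9"}],
        maxresults=1, row_sep=" | ", col_sep=", "))
```

The third sample row is the reason quoting matters: without escaping, the value `9.9.9.9" OR *` would close the quoted term early and append `OR *` to the outer search, turning a narrow filter into one that matches every event. Whatever engine you run this on, confirm how it quotes subsearch values before feeding it fields an attacker controls, such as user agents or usernames.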
Usage Notes
Subsearch utility: Primarily used internally by subsearch operations.
Automatic: Applied automatically when a subsearch's results are used as a filter in the outer search; the explicit form is rarely needed and serves only to override maxresults or the separators.
Truncation: Rows beyond maxresults, and anything the platform's own subsearch limits cut off, are dropped silently, so a filter built from a large indicator or user list can miss matches without any error. Check the subsearch's result count whenever the list may be large.
String output: Produces a single string of quoted field="value" terms, not a table of results; anything that consumes the output must expect a string.