format_string

The Cortex XDR XQL format_string() function returns a string from a format string that contains zero or more format specifiers, along with a variable-length list of additional arguments that matches the format specifiers.

Synopsis

format_string("<format string>", <field_1>, <field_2>,... <field_n>)

Description

The format_string() function returns a string from a format string that contains zero or more format specifiers, along with a variable-length list of additional arguments that matches the format specifiers. A format specifier is initiated by the % symbol, and must map to one or more of the remaining arguments. Usually, this is a one-to-one mapping, except when the * specifier is used. For example:
  • STRING
    dataset = xdr_data | alter stylished_action_category_appID = format_string("-%s-", action_category_of_app_id ) | fields stylished_action_category_appID | limit 100
  • Simple integer
    dataset = xdr_data | filter action_remote_ip_int != null | alter simple_int = format_string("%d", action_remote_ip_int) | fields simple_int | limit 100
  • Integer with left blank padding
    dataset = xdr_data | filter action_remote_ip_int != null | alter int_with_left_blank = format_string("|%100d|", action_remote_ip_int) | fields int_with_left_blank | limit 100
  • Integer with left zero padding
    dataset = xdr_data | filter action_remote_ip_int != null | alter int_with_left_zero_padding = format_string("+%0100d+", action_remote_ip_int) | fields int_with_left_zero_padding | limit 100
