Synopsis

Displays a specified column in the complex search summary table in a specified format. Can be used only with Display, Display only, and Group by commands.

Syntax

in [format_type] format(["Input_Unit"],["Output_Unit"])

Required Arguments

format_type

Syntax: number, simple, time, date, volume, regexp, expression or query

Description: The format in which to display the values of a specific column in the complex search summary table. For a time format_type, if no unit appears after time format, XpoLog assumes that the column value is in milliseconds and displays it in the maximal possible unit (for example, if the value is 2000, the output is 2 seconds; if the value is 120000, the output is 2 minutes).

Optional Arguments

"Input_Unit"

Syntax: Volume Units - B, KB, MB, GB; Time Units: microsec, ms, sec, min, hour, day

Description: The input unit of the format type.

"Output_Unit"

Syntax: Volume Units - B, KB, MB, GB; Time Units: microsec, ms, sec, min, hour, day

Description: The unit to which the value is converted.

Note: If only one unit appears in the syntax, XpoLog assumes that it is the output unit, and that the input value is in milliseconds (for time) or bytes (for volume). If no unit appears in the syntax, XpoLog outputs the log value in milliseconds (for time) or bytes (for volume).

Description

Displays the column values in the specified format. If the input and output units are not specified, the default units are assumed; if they are specified, the value is converted from the input unit to the output unit.

Text can be formatted into the following format types:


Examples – Volume Format: bytes sent column contains numeric values representing volume. 

Example 1:

* in log.access | avg bytes sent | display avg in volume format 

XpoLog formats avg of bytes sent in volume format, automatically assuming that the log value is in bytes.

Example 2:

* in log.access | avg bytes sent | display avg in volume format("MB")

XpoLog formats avg of bytes sent in volume format, automatically assuming that the log value is in bytes, and converts and outputs the value in MB.

Example 3:

* in log.access | avg bytes sent | display avg in volume format("KB","MB")

XpoLog formats avg of bytes sent in volume format, assuming that the log value is in KB, and converts and outputs the value in MB.

Examples – Time Format: time taken column contains numeric values representing time.

Example 1:

* in log.access | avg time taken | display avg in time format 

XpoLog formats avg of time taken in time format, automatically assuming that the log value is in milliseconds.

Example 2:

* in log.access | avg time taken | display avg in time format("SEC") → format to seconds

XpoLog formats avg of time taken in time format, automatically assuming that the log value is in milliseconds, and converts and outputs the value in seconds.

Example 3:

* in log.access | avg time taken | display avg in time format("SEC","MIN") → format from seconds to minutes

XpoLog formats avg of time taken in time format, assuming that the log value is in seconds, and converts and outputs the value in minutes.

Regular Expressions:

  1. XpoLog groups by the URL field, which has multiple parts separated by slashes (/), and then uses a regular expression to format the result so that only part of the URL is presented, i.e. only the last part after the last slash (/) in the URL:

    URL Example:
    [URL] /home/web-main/css/texts.css

    XpoLog Query:
    in log.access log | count | group by url as formatted-url | order by count desc | display formatted-url in regexp format (".*/([^/]+)")

    Result:





  2. XpoLog uses a regular expression to format the Description field, which contains multiple lines with different values, i.e. it extracts from the entire Description field only the value that comes after 'Account Name:' and groups by it only (as if it were a pre-configured field in the log):

    Description Example:
     ...[Description] An account was logged off.
    Subject:
    Security ID: S-1-5-21-3480273402-748593870-3636473903-1144
    Account Name: xplg
    Account Domain: XPOLOG
    Logon ID: 0xa078ea24
    Logon Type: 3
    This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

    XpoLog Query:
    (*) in log.application | count | group by Description as UserName in regexp format ("Account Name:\s+(\w+)")


    Result:
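
The two regexp patterns above can be checked against sample values before they go into a query. This is an added Python example, not XpoLog code or part of the original page; it assumes the regexp format displays the first capture group of the first match and that `\w` is ASCII-only, and `description()`, the sample values and `WIDER_ACCOUNT_PATTERN` are constructed for illustration.

```python
import re
from collections import Counter

# Patterns copied from the two XpoLog queries above.
URL_PATTERN = r".*/([^/]+)"
ACCOUNT_PATTERN = r"Account Name:\s+(\w+)"
# Hypothetical alternative (not from the page): capture up to the next
# whitespace, so '.', '-' and '$' stay part of the account name.
WIDER_ACCOUNT_PATTERN = r"Account Name:\s+(\S+)"


def regexp_format(pattern, value):
    # Assumption: the displayed text is capture group 1 of the first match.
    # re.ASCII limits \w to [A-Za-z0-9_], the default in Java regex engines.
    m = re.search(pattern, value, re.ASCII)
    return m.group(1) if m else None


def description(account):
    # Constructed Description text, modelled on the logoff event above.
    return (
        "An account was logged off.\nSubject:\n"
        "Security ID: S-1-5-21-0-0-0-1000\n"
        f"Account Name: {account}\n"
        "Account Domain: EXAMPLE\nLogon ID: 0x1\nLogon Type: 3\n"
    )


def group_by_account(pattern, accounts):
    # Emulates 'count | group by Description as UserName in regexp format'.
    return Counter(regexp_format(pattern, description(a)) for a in accounts)


# Constructed account names: plain, dotted, machine ($) and hyphenated.
SAMPLE_ACCOUNTS = ["xplg", "john.doe", "john.smith", "WS01$", "svc-backup"]

if __name__ == "__main__":
    # Last path segment of the page's URL example.
    print(regexp_format(URL_PATTERN, "/home/web-main/css/texts.css"))
    # A slash inside the query string becomes the "last slash".
    print(regexp_format(URL_PATTERN, "/download?file=/reports/q1.pdf"))
    # \w+ stops at '.', '-' and '$', so distinct accounts share a group.
    print(group_by_account(ACCOUNT_PATTERN, SAMPLE_ACCOUNTS))
    print(group_by_account(WIDER_ACCOUNT_PATTERN, SAMPLE_ACCOUNTS))
```

With the page's `\w+` pattern, `john.doe` and `john.smith` are counted together under `john` and `WS01$` is shown as `WS01`; the `\S+` variant keeps all five sample accounts distinct.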

 

Query Format:

  1. XpoLog groups by STATUS, which has multiple values, and then breaks the result into different pieces based on the query criteria:
    Status values may be 200, 302, 404, 500, etc. To break them into two groups, 200 defined as valid and anything other than 200 as not valid, the query format is used:

    XpoLog Query:
    in log.access | count | group by status in query format ("status=200","VALID","status != 200","NOT VALID")


    Result: