Specify a set of fields to select from each event and include in the resulting event set.
It is possible that an aggregate function, such as table() or groupBy(), may be more suitable for summarizing and selecting the fields that you want to be displayed.
A use-case for select() is when you want to export a few fields from a large number of events into a CSV file without aggregating the values. Because an implicit tail(200) function is appended in non-aggregating queries, only 200 events might be shown in those cases; however, when exporting the result, you get all matching events.
select() Examples
Look at HTTP GET methods and create an unsorted table with the fields statuscode and responsetime:
method=GET
| select([statuscode, responsetime])
Get a table of @timestamp and @rawstring for all events in range. In the LogScale UI this will get limited to 200 entries, but exporting the result as, for example, CSV will export all matching events in the time window searched.
select([@timestamp, @rawstring])