Specify a set of fields to select from each event. You most likely want to use the table() function instead. Table is an aggregate function that can also sort events while limiting the number of events.

A use-case for select is when you want to export a few fields from a large number of events into e.g. a CSV file. Because an implicit tail(200) function is appended in non-aggregating queries, only 200 events might be shown in those cases; however, when exporting the result, you get all matching events.

fields[a]Array of stringsrequired  The names of the fields to keep.

[a] The argument name fields can be omitted.

Omitted Argument Names

The argument name for fields can be omitted; the following forms of this function are equivalent:




select() Examples

Look at HTTP GET methods and create a unsorted table with the fields statuscode and responsetime

| select([statuscode, responsetime])

Get a table of timestamp and rawstring for all events in range. In the humio UI this will get limited to 200 entries, but exporting the result as e.g. CSV will export all matching events in the time window searched.

select([@timestamp, @rawstring])