Specify a set of fields to select from each event and include in the resulting event set.
It is possible that an aggregate function, such as
table() or groupBy()
may be more suitable for summarizing and selecting the fields
that you want to be displayed.
A use-case for select() is when you want to
export a few fields from a large number of events into a CSV
file without aggregating the values. Because an implicit
tail(200) function is appended in
non-aggregating queries, only 200 events might be shown in those
cases; however, when exporting the result, you get all matching
events.
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
fieldscan be omitted; the following forms of this function are equivalent:logscale Syntaxselect(["value"])and:
logscale Syntaxselect(fields=["value"])These examples show basic structure only.
select()Examples
Click next to an example below to get the full details.
Reduce Large Event Sets to Essential Fields
Reduce large datasets to essential fields using the
select() function
Query
method=GET
select([statuscode, responsetime])Introduction
The select() function reduces large event set to
essential fields. The select() statement creates a
table as default and copies data from one table to another.
In this example, an unsorted table is selected for the statuscode field and the responsetime field.
Step-by-Step
Starting with the source repository events.
- logscale
method=GETFilters for all HTTP request methods of the type
GET. - logscale
select([statuscode, responsetime])Creates an unsorted table showing the statuscode field and the responsetime field.
Event Result set.
Summary and Results
The query is used to filter specific fields from an event set and create
a table showing these fields (focused event set). In this example, the
table shows the HTTP response status and the time taken to respond to
the request which is useful for analyzing HTTP performance, monitoring
response codes, and identifying slow requests.. The
select function is useful when you want to export a
few fields from a large number of events into a .CSV file without
aggregating the values. For more information about export, see
Export Data.
Note that whereas the LogScale UI can only show up to 200 events, the exported .CSV file contains all results.
It is possible that an aggregate function, such as
table() or groupBy() may be
more suitable for summarizing and selecting the fields to be displayed.
Select Fields to Export
Select fields to export as .CSV file using the
select() function
Query
select([@timestamp, @rawstring])Introduction
The select() function reduces large event set to
essential fields. The select() statement creates a
table as default and copies data from one table to another.
In this example, an unsorted table is selected for the @timestamp field and the @rawstring field.
Step-by-Step
Starting with the source repository events.
- logscale
select([@timestamp, @rawstring])Creates an unsorted table showing the @timestamp field and the @rawstring field.
Event Result set.
Summary and Results
The query is used to filter specific fields from an event set and create
a table showing these fields (focused event set). In this example, the
table shows the timestamp of the events and the complete raw log entry,
which is useful for full log analysis, and data backup. The
select function is useful when you want to export a
few fields from a large number of events into a .CSV file without
aggregating the values. For more information about export, see
Export Data.
Note that whereas the LogScale UI can only show up to 200 events, an exported .CSV file contains all results.