Represent the data as a table.
Specify a list of fields to select. Columns in the table are sorted in the
specified field order. This is an aggregate function and it will limit the
number of events returned using the limit
parameter. It is possible to specify how the table is sorted using the
field
parameter.
See the select()
function for a similar tabular
output, which does not limit the number of events returned and does not
sort the result, and is thus better suited for exporting large amount of
data to a file.
Parameter | Type | Required | Default | Description |
---|---|---|---|---|
fields [a] | Array of strings | required | The names of the fields to select. | |
limit | number | optional[b] | 200 | Limit result size. |
order | Array of strings | optional[b] | desc | Order to sort in. |
Valid Values | ||||
asc | Ascending (A-Z, 0-9) order | |||
desc | Descending (Z-A, 9-0) order | |||
reverse | boolean | optional[b] | Whether to sort in descending order. Deprecated: prefer order instead. | |
sortby | Array of strings | optional[b] | @timestamp | Names of fields to sort by. |
type | Array of strings | optional[b] | number | Type of the fields to sort. |
Valid Values | ||||
any | Any fields. From version 1.125, this value is deprecated. (deprecated in 1.125.0) | |||
hex | Hexaedecimal fields | |||
number | Numerical fields | |||
string | String fields | |||
[b] Optional parameters use their default value unless explicitly set |
Omitted Argument NamesThe argument name for
fields
can be omitted; the following forms of this function are equivalent:logscaletable("value")
and:
logscaletable(fields="value")
These examples show basic structure only; full examples are provided below.
table()
Examples
Look at HTTP GET methods and create a table with the fields statuscode and responsetime
method=GET
| table([statuscode, responsetime])
Show name and responsetime of the 50 slowest requests
table([name, responsetime], sortby=responsetime, limit=50, order=asc)