Specify a set of fields to select from each event and include in the resulting event set.

It is possible that an aggregate function, such as table() or groupBy() may be more suitable for summarizing and selecting the fields that you want to be displayed.

A use-case for select() is when you want to export a few fields from a large number of events into a CSV file without aggregating the values. Because an implicit tail(200) function is appended in non-aggregating queries, only 200 events might be shown in those cases; however, when exporting the result, you get all matching events.

ParameterTypeRequiredDefaultDescription
fields[a]Array of stringsrequired  The names of the fields to keep.

[a] The argument name fields can be omitted.

Hide omitted argument names for this function

Show omitted argument names for this function

select() Examples

Look at HTTP GET methods and create an unsorted table with the fields statuscode and responsetime:

logscale
method=GET
| select([statuscode, responsetime])

Get a table of @timestamp and @rawstring for all events in range. In the LogScale UI this will get limited to 200 entries, but exporting the result as e.g. CSV will export all matching events in the time window searched.

logscale
select([@timestamp, @rawstring])