Specify a set of fields to select from each event and include in the resulting event set.
It is possible that an aggregate function, such as table() or groupBy(), may be more suitable for summarizing and selecting the fields that you want to be displayed.
A use case for select() is when you want to export a few fields from a large number of events into a CSV file without aggregating the values. Because an implicit tail(200) function is appended in non-aggregating queries, only 200 events might be shown in those cases; however, when exporting the result, you get all matching events.
Omitted Argument Names
The argument name for fields can be omitted; the following forms of this function are equivalent:
select(["value"])
and:
select(fields=["value"])
These examples show basic structure only.
select() Examples
Look at HTTP GET methods and create an unsorted table with the fields statuscode and responsetime:
method=GET
| select([statuscode, responsetime])
Get a table of @timestamp and @rawstring for all events in range. In the LogScale UI this will get limited to 200 entries, but exporting the result as, for example, CSV will export all matching events in the time window searched.
select([@timestamp, @rawstring])