Represent the data as a table.

Specify a list of fields to select. Columns in the table are sorted in the specified field order. This is an aggregate function and it will limit the number of events returned using the limit parameter. It is possible to specify how the table is sorted using the field parameter.

See the select() function for a similar tabular output, which does not limit the number of events returned and does not sort the result, and is thus better suited for exporting large amounts of data to a file.

Parameter | Type | Required | Default Value | Description |
---|---|---|---|---|
fields [a] | array of strings | required | | The names of the fields to select. |
limit | number | optional[b] | 200 | The maximum number of events included in results. Maximum: 20,000. The default maximum limit is not static and can be changed by setting the StateRowLimit dynamic configuration. |
order | array of strings | optional[b] | desc | Order to sort in. Valid values: asc (ascending, A-Z, 0-9, order); desc (descending, Z-A, 9-0, order). |
reverse | boolean | optional[b] | | Whether to sort in descending order. Deprecated: prefer order instead. |
sortby | array of strings | optional[b] | @timestamp | Names of fields to sort by. |
type | array of strings | optional[b] | number | Type of the fields to sort. Valid values: any (any fields; from version 1.125, this value is deprecated; deprecated in 1.125.0); hex (hexadecimal fields); number (numerical fields); string (string fields). |

[b] Optional parameters use their default value unless explicitly set.

Omitted Argument Names

The argument name for fields can be omitted; the following forms of this function are equivalent:

table(["value"])

and:

table(fields=["value"])

These examples show basic structure only.

table() Examples

Look at HTTP GET methods and create a table with the fields statuscode and responsetime
method=GET
| table([statuscode, responsetime])
Show name and responsetime of the 50 slowest requests
table([name, responsetime], sortby=responsetime, limit=50, order=desc)
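
A triage query that uses the sortby, order, type and limit parameters together, as an added example that is not part of the original documentation. The field names (event, user, src_ip) and the threshold of 10 are assumptions, and each order and type entry is assumed to apply to the sortby field in the same position.

```logscale
// Assumed schema: event=login_failed marks a failed authentication,
// user is the account name, src_ip is the client address.
event=login_failed
// Aggregate first, so table() ranks one row per user/source pair
// instead of truncating the raw event stream at its row limit.
| groupBy([user, src_ip], function=[count(as=failures), max(@timestamp, as=lastSeen)])
// Keep only pairs with repeated failures (threshold is an assumption).
| failures >= 10
// Sort numerically by failure count (highest first), then break ties
// alphabetically by user. limit=100 is set explicitly because the
// default of 200 would otherwise decide silently how many rows survive.
| table([user, src_ip, failures, lastSeen],
        sortby=[failures, user],
        type=[number, string],
        order=[desc, asc],
        limit=100)
```

If every matching row is needed, for example when exporting evidence to a file, replace the final table() call with select(), which neither sorts nor limits the result.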