The table() function displays query results
in a table. It specifies a list of fields to select.
The table() function is an aggregate function and does as follows:
- Sorts columns in the table based on specified field order.
-
Aggregates events based on the
limitparameter. It will limit the number of events returned using thelimitparameter. -
Sorts results according to the
sortbyparameter.
For large data exports, consider using the
select() function instead. The
select() function provides similar tabular
output but without row limits or sorting constraints.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
fields[a] | array of strings | required | The names of the fields to select. | |
limit | number | optional[b] | The argument given to this parameter determines the limit on the number of rows included in the result of the function. The default argument is default. The maximum is controlled by the StateRowLimit dynamic configuration, which is StateRowLimit by default. If the argument is max (limit=max), then the value of StateRowLimit is used. | |
| Maximum | 20,000 | The default maximum limit is not static and can be changed by setting
the StateRowLimit
dynamic configuration. | ||
order | array of strings | optional[b] | desc | Order to sort in. |
| Valid Values | ||||
asc | Ascending (A-Z, 0-9) order | |||
desc | Descending (Z-A, 9-0) order | |||
reverse | boolean | optional[b] | Whether to sort in descending order. Deprecated: prefer order instead. | |
sortby | array of strings | optional[b] | @timestamp | Names of fields to sort by. |
type | array of strings | optional[b] | number | Type of the fields to sort. |
| Valid Values | ||||
any | Any fields. From version 1.125, this value is deprecated. (deprecated in 1.125.0) | |||
hex | Hexadecimal fields | |||
number | Numerical fields | |||
string | String fields | |||
[b] Optional parameters use their default value unless explicitly set. | ||||
table() Syntax Examples
Create a table of HTTP GET methods displaying the fields statuscode and responsetime:
logscale
method=GET
| table([statuscode, responsetime])Display the 50 slowest requests by name and responsetime:
logscale
table([name, responsetime], sortby=responsetime, limit=50, order=asc)