Display Results and Events

LogScale presents the data returned from a search in a list format. By default, this list includes the @timestamp and @rawstring columns, plus any columns selected in the Fields panel.

Display tabs

The tabs available for displaying output data depend on the contents of the query and the functions it uses, for example whether the query includes Aggregate Query Functions. Available tabs are:

  • Results tab

    Sometimes also referred to as the Event list, this tab presents the final results of the query once all elements of the source query, including filters and aggregations (for example using groupBy()), have been completed.

    Different forms of the Results tab may be available in different contexts:

    • Results tab grouped by prefix

      When using a query prefix, for example with the correlate() function, the results are shown grouped by the name of the prefix query. When grouping in this format, each result set is for a given correlate() query.

    • Named Prefix Events tabs

      For version 1.197.0 and above

      When using correlate(), matching event sets for each named query are available as separate tabs, one per prefix used within the correlate() function. Each event tab contains the events matching its named query in the correlate() definition, including the raw event data after matches and filtering, but before aggregation. When grouping in this format, each result set is for a given correlate() query.

      For example, the correlate() function in this query has two named queries, machineCheck and hardwareError, which each have a tab of matching results:

  • Events tab

    For queries without a prefix, the Events tab includes the raw event data after matches and filtering, but before aggregation.

  • Table tab

    Appears for each table defined by defineTable(), when this function is used in the source query. The display of matching entries for the table is limited to the first 500 rows. For more information, see How to Use Ad-hoc Tables in Queries.

  • Query graph tab

    Option available from version 1.192

    Appears when the correlate() function is used in the source query, to provide a graphical representation of two correlated events. The graph helps users author complex queries using correlate(), as it displays the structure of the query including correlation query nodes and links that represent the relationship between event fields. For more information, see correlate().

Display options

You can change the way events are displayed from the toolbar above the Event list:

Figure 66. Results Tab and Display Modes


Display options are (left to right in the toolbar):

  • Filter match highlighting allows highlighting results based on the filters applied in queries. See Highlight Filter Match for more information.

  • Scroll to selected event makes it possible to scroll fields starting from a selected event.

  • Text wrapping is used to wrap lines or truncate fields after the first line.

  • Sort events changes the order of fields in the event. You can choose whether newest events appear at the bottom or top of the list.

  • Hide event distribution chart allows hiding the event histogram to get more space when looking at data.

  • Toggle fullscreen displays events in full-screen mode.