Specify a set of fields to select from each event and include in the resulting event set.

An aggregate function, such as table() or groupBy(), may be more suitable for summarizing and selecting the fields that you want displayed.

A use-case for select() is when you want to export a few fields from a large number of events into a CSV file without aggregating the values. Because an implicit tail(200) function is appended in non-aggregating queries, only 200 events might be shown in those cases; however, when exporting the result, you get all matching events.

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| fields[a] | Array of strings | required | | The names of the fields to keep. |

[a] The argument name fields can be omitted.

Omitted Argument Names

The argument name for fields can be omitted; the following forms of this function are equivalent:

```logscale
select("value")
```

and:

```logscale
select(fields="value")
```

These examples show basic structure only; full examples are provided below.

select() Examples

Look at HTTP GET methods and create an unsorted table with the fields statuscode and responsetime:

```logscale
method=GET
| select([statuscode, responsetime])
```

Get a table of @timestamp and @rawstring for all events in range. In the LogScale UI this will get limited to 200 entries, but exporting the result as e.g. CSV will export all matching events in the time window searched.

```logscale
select([@timestamp, @rawstring])
```
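The gap between the 200-row display limit and a full export, and between select() and an aggregate such as groupBy(), modelled in Python as an added example (it is not LogScale code and not part of the original documentation). The event data is constructed; the helper names, the empty value used for a missing field, and list order standing in for event time are assumptions of the model.

```python
import csv
import io
from collections import Counter

UI_ROW_CAP = 200  # the implicit tail(200) described above for non-aggregating queries


def select(events, fields):
    """Project each event onto `fields`: one output row per event, no aggregation."""
    # Assumption of this model: a field missing from an event becomes an empty value.
    return [{f: ev.get(f, "") for f in fields} for ev in events]


def ui_view(rows):
    """Rows the search page would display: only the last UI_ROW_CAP of them."""
    return rows[-UI_ROW_CAP:]


def export_csv(rows, fields):
    """Rows an export would contain: every matching row, with a header line."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def group_by(events, field):
    """Aggregating alternative: one row per distinct value, with a count."""
    return Counter(ev.get(field, "") for ev in events)


# Constructed sample: 1000 GET events, every 50th one a server error.
EVENTS = [
    {"method": "GET", "statuscode": "500" if i % 50 == 0 else "200",
     "responsetime": str(10 + i % 7), "url": f"/item/{i}"}
    for i in range(1000)
]
FIELDS = ["statuscode", "responsetime"]

if __name__ == "__main__":
    rows = select(EVENTS, FIELDS)
    exported = export_csv(rows, FIELDS)
    errors_shown = sum(r["statuscode"] == "500" for r in ui_view(rows))
    errors_exported = sum(line.startswith("500,") for line in exported.splitlines())
    print("rows shown:", len(ui_view(rows)), "rows exported:", len(rows))
    print("500s shown:", errors_shown, "500s exported:", errors_exported)
    print("groupBy(statuscode):", dict(group_by(EVENTS, "statuscode")))
```

Counting from the displayed table alone would report 4 server errors where the export holds 20, which is why the export or an aggregate is the right source for totals.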