The table() function displays query results
in a table, allowing to specify the list of fields to include in
the table.
The table() function is an aggregate
function and does as follows:
- Sorts columns in the table based on specified field order.
-
Aggregates events based on the
limitparameter. It will limit the number of events returned using thelimitparameter. -
Sorts results according to the
sortbyparameter.
For large data exports, consider using the
select() function instead. The
select() function provides similar tabular
output but without row limits or sorting constraints.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
fields[a] | array of strings | required | The names of the fields to select. | |
limit | number | optional[b] | 200 | The argument given to this parameter determines the limit on the number of rows included in the result of the function. The maximum is controlled by the StateRowLimit dynamic configuration, which is StateRowLimit by default. If the argument is max (limit=max), then the value of StateRowLimit is used. |
order | array of strings | optional[b] | desc | Order to sort in. |
| Values | ||||
asc | Ascending (A-Z, 0-9) order | |||
desc | Descending (Z-A, 9-0) order | |||
reverse | boolean | optional[b] | Whether to sort in descending order. Deprecated: prefer order instead. | |
sortby | array of strings | optional[b] | @timestamp | Names of fields to sort by. |
type | array of strings | optional[b] | number | Type of the fields to sort. |
| Values | ||||
any | Any fields. (deprecated in 1.125) | |||
hex | Hexadecimal fields | |||
number | Numerical fields | |||
string | String fields | |||
[b] Optional parameters use their default value unless explicitly set. | ||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
fieldscan be omitted; the following forms of this function are equivalent:logscale Syntaxtable(["value"])and:
logscale Syntaxtable(fields=["value"])These examples show basic structure only.
table() Syntax Examples
Create a table of HTTP GET methods displaying the fields statuscode and responsetime:
method=GET
| table([statuscode, responsetime])Display the 50 slowest requests by name and responsetime:
table([name, responsetime], sortby=responsetime, limit=50, order=asc)table()Examples
Click next to an example below to get the full details.
Calculate Query Costs by User and Repository in a Single Field
Calculate query costs by user across multiple repositories, showing the repository/user as a single field
Query
#type=humio #kind=logs class=c.h.j.RunningQueriesLoggerJob message="Highest Cost query"
| repoUser:= format("%s/%s", field=[dataspace, initiatingUser])
| top(repoUser, sum=deltaTotalCost, as=cost)
|table([cost, repoUser], sortby=cost)Introduction
In this example, the query filter events in the humio
repository that are tagged with
kind equal to
logs and then returns the events
where the class field has values
containing
c.h.j.RunningQueriesLoggerJob,
searching for the specific value Highest Cost
query. The query then combines the results in a new field
repoUser. The query then uses
top() and table() functions to
aggregate and display the results.
Example incoming data might look like this:
| #type | #kind | class | message | timestamp | dataspace | initiatingUser | totalLiveCost | totalStaticCost | deltaTotalCost | repo |
|---|---|---|---|---|---|---|---|---|---|---|
| humio | logs | c.h.j.RunningQueriesLoggerJob | Highest Cost query | 2025-03-26T09:30:00Z | production | john.doe | 1500 | 800 | 2300 | security-logs |
| humio | logs c.h.j.RunningQueriesLoggerJob | Highest Cost query | 2025-03-26T09:31:00Z | development | jane.smith | 2000 | 1200 | 3200 | app-logs | |
| humio | logs | c.h.j.RunningQueriesLoggerJob | Highest Cost query | 2025-03-26T09:32:00Z | staging | bob.wilson | 1000 | 500 | 1500 | infra-logs |
| humio | logs | c.h.j.RunningQueriesLoggerJob | Highest Cost query | 2025-03-26T09:33:00Z | production | john.doe | 1800 | 900 | 2700 | security-logs |
| humio | logs | c.h.j.RunningQueriesLoggerJob | Highest Cost query | 2025-03-26T09:34:00Z | development | jane.smith | 2500 | 1300 | 3800 | app-logs |
| humio | logs | c.h.j.RunningQueriesLoggerJob | Highest Cost query | 2025-03-26T09:35:00Z | staging | alice.cooper | 1200 | 600 | 1800 | infra-logs |
Step-by-Step
Starting with the source repository events.
- logscale
#type=humio #kind=logs class=c.h.j.RunningQueriesLoggerJob message="Highest Cost query"Filters for Humio internal logs containing
c.h.j. RunningQueriesLoggerJobin the class field and where the value in the message field is equal toHighest Cost query. - logscale
| repoUser:= format("%s/%s", field=[dataspace, initiatingUser])Combines the fields dataspace and initiatingUser with a
/separator, and then assigns the combined value to a new field named repoUser. Example of combined value:dataspace/username. - logscale
| top(repoUser, sum=deltaTotalCost, as=cost)Finds the most common values in the field repoUser, makes a sum of the field deltaTotalCost, and returns the results in a new field named cost.
- logscale
|table([cost, repoUser], sortby=cost)Displays the results in a table with fields
costandrepoUser, sorted by the columncost. Event Result set.
Summary and Results
The query is used to search across multiple repositories and calculate query costs per user, by combining costs and showing the repository/user as a single field.
Sample output from the incoming example data:
| cost | repoUser |
|---|---|
| 3200 | development/jane.smith |
| 2300 | production/john.doe |
| 1500 | staging/bob.wilson |
Convert Values Between Units
Convert file size and transfer time units using the
unit:convert() function
Query
unit:convert(field=file_size, from="B", to="MB")
| unit:convert(field=transfer_time, from="ms", to="s")
| table([file_size, transfer_time])Introduction
In this example, the unit:convert() function is
used to convert file sizes and transfer times units. The
unit:convert() function automatically handles the
mathematical conversion between units, making it easier to work with
different measurement scales in the event set.
Note that any unit is supported in LogScale.
Example incoming data might look like this:
| timestamp | file_name | file_size | transfer_time | status |
|---|---|---|---|---|
| 2025-05-15 05:30:00 | doc1.pdf | 1048576 | 3500 | complete |
| 2025-05-15 05:31:00 | img1.jpg | 2097152 | 4200 | complete |
| 2025-05-15 05:32:00 | video1.mp4 | 5242880 | 12000 | complete |
Step-by-Step
Starting with the source repository events.
- logscale
unit:convert(field=file_size, from="B", to="MB")Converts file sizes from Bytes (B) to Megabytes (MB).
- logscale
| unit:convert(field=transfer_time, from="ms", to="s")Converts transfer times from milliseconds (ms) to seconds (s)
- logscale
| table([file_size, transfer_time])Displays the result of the fields file_size and transfer_time in a table.
Event Result set.
Summary and Results
The query is used to convert file sizes and transfer times units. A table showing file sizes and transfer times is, for example, useful to spot unusually large file transfers, to identify slow transfers or bottlenecks (for debugging).
The unit:convert() function is useful to
standardize the units for better comparison and make data more readable.
Note that any unit is supported in LogScale. For more examples,
see unit:convert().
Sample output from the incoming example data:
| file_name | file_size | transfer_time |
|---|---|---|
| doc1.pdf | 1.0 | 3.5 |
| img1.jpg | 2.0 | 4.2 |
| video1.mp4 | 5.0 | 12.0 |