Represent the data as a table.

Specify a list of fields to select. Columns in the table are sorted in the specified field order. This is an aggregate function and it will limit the number of events returned using the limit parameter. It is possible to specify how the table is sorted using the field parameter.

See the select() function for a similar tabular output, which does not limit the number of events returned and does not sort the result, and is thus better suited for exporting large amount of data to a file.

ParameterTypeRequiredDefault ValueDescription
fields[a]Array of stringsrequired  The names of the fields to select.
limitnumberoptional[b]200 The maximum number of events included in results.
  Maximum20,000The default maximum limit is not static and can be changed by setting the StateRowLimit dynamic configuration.
orderArray of stringsoptional[b]desc Order to sort in.
   Valid Values
   ascAscending (A-Z, 0-9) order
   descDescending (Z-A, 9-0) order
reversebooleanoptional[b]  Whether to sort in descending order. Deprecated: prefer order instead.
sortbyArray of stringsoptional[b]@timestamp Names of fields to sort by.
typeArray of stringsoptional[b]number Type of the fields to sort.
   Valid Values
   anyAny fields. From version 1.125, this value is deprecated. (deprecated in 1.125.0)
   hexHexaedecimal fields
   numberNumerical fields
   stringString fields

[a] The argument name fields can be omitted.

[b] Optional parameters use their default value unless explicitly set.

Hide omitted argument names for this function

Show omitted argument names for this function

table() Examples

Look at HTTP GET methods and create a table with the fields statuscode and responsetime

logscale
method=GET
| table([statuscode, responsetime])

Show name and responsetime of the 50 slowest requests

logscale
table([name, responsetime], sortby=responsetime, limit=50, order=asc)