The table() function displays query results in a table, allowing to specify the list of fields to include in the table.

The table() function is an aggregate function and does as follows:

  • Sorts columns in the table based on specified field order.
  • Aggregates events based on the limit parameter. It will limit the number of events returned using the limit parameter.
  • Sorts results according to the sortby parameter.

For large data exports, consider using the select() function instead. The select() function provides similar tabular output but without row limits or sorting constraints.

ParameterTypeRequiredDefault ValueDescription
fields[a]array of stringsrequired   The names of the fields to select.
limitnumberoptional[b] 200 The argument given to this parameter determines the limit on the number of rows included in the result of the function. The maximum is controlled by the StateRowLimit dynamic configuration, which is StateRowLimit by default. If the argument is max (limit=max), then the value of StateRowLimit is used.
   Values
  Default200 (removed in 1.183)
   100,000 (added in 1.184)
  Maximum50,000The maximum limit is not static and can be changed by setting the StateRowLimit dynamic configuration. (removed in 1.180)
   100,000 (available in 1.181 only)
   200,000 (added in 1.182)
   maxAn alias to use the maximum limit set by StateRowLimit (added in 1.178)
  Maximum50,000The maximum limit is not static and can be changed by setting the StateRowLimit dynamic configuration.
orderarray of stringsoptional[b] desc Order to sort in.
   Values
   ascAscending (A-Z, 0-9) order
   descDescending (Z-A, 9-0) order
reversebooleanoptional[b]   Whether to sort in descending order. Deprecated: prefer order instead.
sortbyarray of stringsoptional[b] @timestamp Names of fields to sort by.
typearray of stringsoptional[b] number Type of the fields to sort.
   Values
   anyAny fields. (deprecated in 1.125)
   hexHexadecimal fields
   numberNumerical fields
   stringString fields

[a] The parameter name fields can be omitted.

[b] Optional parameters use their default value unless explicitly set.

Hide omitted argument names for this function

Show omitted argument names for this function

table() Syntax Examples

Create a table of HTTP GET methods displaying the fields statuscode and responsetime:

logscale
method=GET
| table([statuscode, responsetime])

Display the 50 slowest requests by name and responsetime:

logscale
table([name, responsetime], sortby=responsetime, limit=50, order=asc)