Represent the data as a table.
Specify a list of fields to select. Columns in the table are sorted in the
specified field order. This is an aggregate function and it will limit the
number of events returned using the limit
parameter. It is possible to specify how the table is sorted using the
field parameter.
See the select() function for a similar tabular
output, which does not limit the number of events returned and does not
sort the result, and is thus better suited for exporting large amount of
data to a file.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
fields | [string] | true | The names of the fields to select. [a] | |
limit | number | false | Limit result size. If no limit is specified a default limit of 200 is used. | |
order | [string] | false | Order to sort in. Can be any prefix of ascending or descending. descending is default. | |
reverse | boolean | false | Whether to sort in descending order. Deprecated: prefer order instead. | |
sortby | [string] | false | @timestamp | Names of fields to sort by. |
type | [string] | false | any | Type of the fields to sort. |
| Valid Values | any | Any fields | ||
hex | Hexaedecimal fields | |||
number | Numerical fields | |||
string | String fields | |||
table() Examples
Look at HTTP GET methods and create a table with the fields statuscode and responsetime
method=GET
| table([statuscode, responsetime])Show name and responsetime of the 50 slowest requests
table([name, responsetime], sortby=responsetime, limit=50, order=asc)