The Table widget displays data in rows and columns.
The result of any Humio query can be displayed in a table. It is best used with output that has a limited and predefined number of fields, unlike for instance raw events which can produce a huge number of columns and slow down the UI.
The table widget is best used with aggregate functions like groupBy() or table(). The table() can help sort the columns since fields and columns will be displayed in the order that they are provided to the function.
Assume we have a service producing logs like the ones below:
2018-10-10T01:10:11.322Z [ERROR] Invalid User ID. errorID=2, userId=10 2018-10-10T01:10:12.172Z [WARN] Low Disk Space. 2018-10-10T01:10:14.122Z [ERROR] Invalid User ID. errorID=2, userId=11 2018-10-10T01:10:15.312Z [ERROR] Connection Dropped. errorID=112 server=18.104.22.168 2018-10-10T01:10:16.912Z [INFO] User Login. userId=11
We want to figure out which errors occur most often and show them in a table on one of our dashboards.
We can do a query like:
loglevel = ERROR | groupBy(errorID, function=[count(as=Count), collect(message)]) | rename(errorID, as="Error ID") | table(["Error ID", message])
counting the number of errors bucketed by their
errorId. Since we also want to show a human readable message in the table and not just the ID, we include the function collect() which ensures that the value of the
message field makes it through the
groupBy phase (which otherwise only includes the series field (
errorId) and the result of the aggregate function (
Since we want our table to look nice on the dashboard, we rename the
errorID field to
Error ID as this will be the header in our table.
Finally, we use the table() function to ensure the order of the columns.